Keychain has just made all my passwords open! How is iCloud keychain meant to work?

Discussion in 'iOS 7' started by mpt-matthew, Apr 19, 2014.

  1. mpt-matthew macrumors regular

    Aug 11, 2010
    So, I decided to reset my Apple ID because of the recent events.
    I know Apple was supposedly not compromised, but I used that same password for a lot of things, and had someone gained access to my iCloud they could have remotely bricked all my iOS devices (nightmare!)

    I was also going to reset my passwords for some other accounts, and use the auto-generated keychain passwords.
    My main concern with doing this is if I lose access (or don't have access) to my computer, and need a password (e.g. to log on on another computer).

    So I knew Keychain had gone onto iCloud, so I activated it on my computer and iPhone.
    I presumed this would mean if I wanted to access a password on my iPhone I could go into Safari passwords, enter my Apple ID (like entering username for iPhone), and view my passwords.

    HOWEVER! Much to my surprise, no password is required.
    All of my passwords, for every account are stored open for anyone with access to my phone to see!!!

    I do appreciate my phone should have a lock. But I don't lock it on a day to day basis because it's a pain and I'm not too likely to lose it.

    I wasn't warned at all about this. Wasn't advised to set a password!

    Am I doing something wrong?? Or does this necessitate having a password (which after a day everyone will know)... or upgrade for fingerprint?!

    Either way, something this sensitive should be kept under lock and key.
  2. Xenc, Apr 19, 2014
    Last edited: Apr 19, 2014

    Xenc macrumors 65816


    May 8, 2010
    London, England
    I was under the impression that you are prompted for your Apple ID when trying to access Keychain. What steps are you taking to see your passwords?

    Why would everyone know your passcode after a day? You could always set a complex passcode.

    Like your iPhone!
  3. KUguardgrl13 macrumors 68020


    May 16, 2013
    Kansas, USA
    I think OP is talking about autofill in the Safari settings. I'm not sure that has anything to do with Keychain, actually.

    Personally I don't use it on my phone outside of wifi passwords. Too many risks. I used to just have a shortlist of passwords memorized and used two-step verification when possible, but now I use 1Password. A pain in the butt when an app gets logged out of, but it's more secure.
  4. Belmont31R macrumors 6502

    Nov 23, 2012
    I see a list of the sites I have a password saved to but if you click on an individual site/username I'm prompted for the 4 digit Keychain pass code before the actual password is revealed.
  5. orangebluedevil macrumors 6502

    Jun 28, 2010
    Your iPhone passcode is required. Just like your Mac password is required on OS X.

    Case closed.
  6. mpt-matthew thread starter macrumors regular

    Aug 11, 2010
    My point is my keychain, or iPhone password are NOT required!
    I thought they should be. But as I am at the moment, without a password or any security I can access this list!

    My second point is Apple have said this list is separate from the keychain list. But since it was blank before I activated iCloud keychain, and now it isn't blank, I beg to differ. All the passwords in there are exactly the same as those on my computer keychain. A lot of them I have never accessed on my phone.

    My third point, regarding the phone password, is if I access the phone many times a day, a complex password is difficult to enter each time. A number password is much more convenient.
    However, it's not hard to watch someone enter a number password into their phone. I've seen it loads of times.
  7. joe-h2o macrumors 6502a

    Jun 24, 2012
  8. mpt-matthew thread starter macrumors regular

    Aug 11, 2010

    Ok, is it just me that thinks it wouldn't be an issue for the settings menu to ask for my iCloud password before disclosing my plain text passwords??

    For example I can let someone use my computer (e.g. a friend), with knowledge that if they want to view my passwords in plain text (and take them away to use somewhere else), they are required to enter my password before viewing them on keychain.
  9. joe-h2o macrumors 6502a

    Jun 24, 2012
    No, your issue is that you do not lock your phone because it is "inconvenient" and you are "unlikely to lose it" (your words), and that you want other people to be able to use it, but you also want to use iCloud keychain.

    In other words, you're leaving your wallet out on your living room table with the PIN for your bank card written inside.

    You're intentionally defeating the security that is in place then complaining that you want it to be somewhere else in the system.

    Set a passcode. Make it long if you are worried about people watching you. Or just shield it from view if you enter it.
  10. The Mad Hatter macrumors 6502a


    Oct 12, 2004
    I'm a firm believer in setting a passcode to access my phone, but it would be nice to be able to set up a second (like you can with restrictions) for password access on a 'vanilla' iOS install (my iPhone is JBn, and have my settings locked down with another passcode).
  11. Xenc, Apr 21, 2014
    Last edited: Apr 21, 2014

    Xenc macrumors 65816


    May 8, 2010
    London, England
    It should be prompting you for either your Apple ID or your iCloud Keychain passcode. Perhaps try resetting the Keychain?

    You're seeing passwords from your Mac and other devices as iCloud is designed to share data between them all.

    In regards to friends peeking over your shoulder when typing in your passcode, you could try covering the screen with your other hand or tilting the phone away. Fingerprint unlock on the 5S does make everything much simpler, though!

    There's a separate password for iCloud Keychain, which sort of covers what you describe.
  12. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Seems like the flaw there is that the PIN is written inside. A solution of not leaving the wallet is certainly one, but a solution of not writing a PIN that would be visible/understandable by someone else is another. In the case of Keychain, it shouldn't be just available without anything, whether or not the phone is unlocked.

    As far as analogies go, just because you let someone inside your house, doesn't mean that they should automatically have access to a safe that you have, right? The solution of simply not ever letting anyone inside your house because of that makes a rather silly argument over having a safe that is closed and can only be opened by you.
  13. spencers macrumors 68020


    Sep 20, 2004
    I've noticed this recently as well. My phone doesn't have a passcode, etc.

    I can simply go to Settings -> Safari -> Auto-Fill, and I can see any passwords I've saved in plain view.

    There really needs to be some sort of mask on this setting!
  14. whsbuss macrumors 68040


    May 4, 2010
    SE Penna.
    Really? When I set up my keychain on both my Mac and iPhone it required me to set a passcode. I'm not sure how you got around this?
  15. orangebluedevil macrumors 6502

    Jun 28, 2010

    I understood your point. My point is you are wrong. When you click in the Settings to get to the area to see your passwords, you must enter your keycode/password before you can view the passwords in plain text.


    This. He/She does not seem to understand this point.
  16. aristobrat macrumors G5

    Oct 14, 2005
    ^^^^ is how it works on my iPhone too.

    Tapping on:
    Passwords & AutoFill,
    Saved Passwords

    ... brings me to a screen titled Passwords, which lists all of the websites I have saved passwords for.

    Every time I press to view a password, it requires me to enter my passcode. Every time. If I type in my passcode to view a password, then go back a screen and try to look at another password, I have to enter my passcode again, even though I just did less than 5 seconds ago.
  17. KUguardgrl13 macrumors 68020


    May 16, 2013
    Kansas, USA
    I will vouch that if you don't have a passcode set and you use autofill in Safari, it has your passwords in plain text for anyone to see. I'd post a screenshot, but 1. that's stupid, and 2. I deleted them as soon as I saw them since I no longer use that feature.

    It should be like when you make purchases in the App Store or like any admin level changes on a Mac. Keychain Access on my MBP prompts me for my password when I want to view a password. If I don't want to have a passcode on my iPhone, my passwords shouldn't have that one level of security protecting them.

    So I can understand OP's frustration, but the only thing to do currently is either have a passcode, not have a passcode and allow easy access to your passwords, or not use autofill.
