iCloud Keychain vs 1Password

We have used 1Password for years. However, recent upgrades have been more about corporate users, and the introduction of a subscription model. In addition, synchronisation is only be via 1Passwords servers in version 8 rather than by Apple’s iCloud. Given the LastPass fiasco, use of third party servers seems problematic.

Has anyone any comments on the use of iCloud Keychain vs 1Password? Keychain may not support all the functionality of 1Password, however it does seem to eliminate some risks. It may also simplify the future use of passkeys.

I used 1Password for years but moved to iCloud Keychain a while ago. Haven’t had any problems. Works well. And it’s free…

Thanks @Richard.

One unexpected prerequisite was to ensure every login (username and password) included a URL. It makes sense for autofilling. However, when we first started using a password manager, autofilling was not a thing. We just looked up the login details in the password manager and copied them into the browser fields.

In short, about half of my 400+ 1Password Login records do not include URLs. These are predominantly old logins that have not been used, or have been little used, for quite some time.

In addition, some logins are not really logins, but just password records. For example, we once had a safe. I had stored the combination as a password in a login record. I obviously missed this when I imported the records into 1Password from my previous password manager. There are other similar examples.

Then there are all the other items in 1Password, such as

  • Identities (eg. Driving licence details, medicare card number etc.)
  • Software licences
  • Password details
  • Secure notes
  • Debit and credit card details
  • Bank account details
  • and more.

They can stay in 1Password for now. However, I need to identify a longer term solution. Many others suggest transferring these details to password protected records in Notes.

I’m not worried about using 1Password’s own cloud offering.

I still use Barebones Yojimbo (since 2007 actually) for storing software licence codes and web site passwords, plus tag organised web archives, pdfs and text notes.
V4 works fine on Monterey.

But maybe I am just a Neanderthal creature that’s been time shifted to 2023…

edit: whilst you can open the sqlite db that Yojimbo uses in an editor application, the password items are encrypted, but not the software serial numbers.

My total risk of being hacked already relies upon Apple’s security.
I have a lot of faith in the 1Password servers too, however they do add an additional risk. In the modern parlance, I am just tryng to minimise my attack surface. (I have been wanting to use that term)

Thanks @JimWOz , however I see merit in reducing my attack surface. See my reply to @FaultyTaco. (Now I have used “attack surface” twice.)

Is the good old “password book” hidden in the bottom of your desk drawer on the way back into fashion by any chance ? (with a duplicate buried in the corner of the garden in case of fire or a stray ordinance strike, of course) :stuck_out_tongue_winking_eye:

Last I knew there was no way to hack into one of those electronically from outside.

Encrypted pass keys with keyed logins prohibited (as available for ssh connections) is what I use for external access to NAS or Linux SMB servers.

But we all have countless web login passwords so these must be kept secure by a method each user is comfortable with.

The Keychain Access app has Secure Notes, which I use. I also have an encrypted disk image with a plain text file in it, where I’ve traditionally stored most of my software licence keys and other sensitive stuff that doesn’t have a URL associated with it. The only downside for me with the disk image is that I can only read it on a Mac, so it’s no good for iOS. iCloud Keychain does everything I need now though, so I’m slowly transferring everything to the keychain now.

The less often discussed thing about security is the danger of losing everything if you are somehow locked out of your stuff by, say, a flood or fire that destroys all your gear. If everything is encrypted you could lose access to all those important photos of your cat for example. As suggested here by Rene Ritchie, it’s worth thinking about the worst case outcome - would it be worse to lose access or worse for the data to be exploited by a bad actor - and protecting against that, rather than encrypting everything just because you can.

This is all good info to keep in mind…

I still use Wallet, which is available on the app store. Its an Acrylic Software product and a short trial is on the site, otherwise it can be purchased from the app store.

https://www.acrylicapps.com/wallet/mac/ you will get a warning when you follow the link, they havent updated their certificates in a long time. I bought Wallet at a time when everyone was pushing 1Password, which I also had a licence for, for a year or two, but I found Wallet less fussy and more intuitive.

I’ve taken to using Keychain more, of late, but when it generates a password, it doesnt seem to allow the use of special characters and many sites these days won’t accept a Keychain generated pass. So I use Wallet to deal wth that, its password generator is excellent. And I use Dropbox to sync between macOS and iOS devices. Its not automatic so you have to remember to sync when you add a new pass. etc.

There is a role for hardcopy password storage. I have bought a number of purpose designed books for people who struggle with recalling passwords and who are not technically up to using a software password manager app. For examples, just google:
Internet Address & Password Logbook.
The best solution is always a solution that you can master yourself.

Each keychain password record includes a notes field, however it appears that each record must also include a URL. So this is not a suitable solution for records that do not have an associated URL, such as passwords for some apps, or other information such as driving license details.

Password protected notes in the standalone Notes app can be used to store these details, but this seems a bit clunky.

I used 1Password from way back when and have upgraded to the family plan with the annual subscription. I’ve used the dropbox sync method, Apple iCloud and now the 1Password subscription. The fact that it also works across my home machines and devices as well as my work laptop with a Chrome plugin (and no resident app required since I can’t install anything) means I also use it for work purposes now too. All of this still wins my vote.

As much as I love Apple, it would be nice if they allowed some of their magic to work outside their own eco system, although I understand why some of this isn’t desirable or possible. If I could have only one thing, I’d love a Cloud version of iMessage.

Yes, but I wasn’t referring to Passwords. Secure Notes are a separate keychain item that contain a field that accepts text, images and various other files, plus a title and access controls.

Yep, I remember seeing them in the past, however as far as I can see those Secure Notes are not supported in the iCloud Keychain and they are not accessible in on the iPhone or on the iPad. Do you know of a way to access them on Apple devices other than Macs?

It is strange that Apple has not included a messages app in iCloud.com

Some of their documentation suggests messages are available in iCloud, however I could not see them today

Use both, and Password1 for many years.

Like others, I’ve found iCloud Keychain now largely replaces it, and I find myself rarely using it. I only store passwords on Password1 if created on another OS (hence the password is not yet in keychain). Apart from that I could live without Password1 now.

I see that LastPass has suffered a serious security breach…

The LastPass breach has exposed a few weaknesses in their security and in their processes…

1Password provided a blog article yesterday describing why 1Password security is better than that of other password managers.

It does sound impressive, but I suppose LastPass security sounded impressive too, until we were finally told they had been breached months after it happened.

I believe security is never an absolute. It can be better or worse, but never perfect.