iCloud Keychain: safe and secure
iCloud Keychain can be a very convenient and secure mechanism for sharing your accounts and passwords between devices. The following is a step-by-step instruction guide on how to effectively use iCloud Keychain.
Auto-Generate: Probably iCloud Keychain's most attractive feature. Usually these are "throw away" accounts online that I really don't intend to use much. If you are creating a password for an account where you expect a significant relationship, you might want to follow these instructions about how to manually create a new, secure password.
To create a new password, do the following:
- Run Keychain Access
- Select iCloud Keychain
- Manually click the "+" button to create a new password.
- Fill in your account identifier
- Click the black key icon to bring up password assistant.
- Choose the "memorable" password option. Unfortunately, the very strong, auto-generated passwords that iCloud Keychain offers to use in Safari (and immediately deletes) are not available in Keychain Access. Instead, you must use the less secure "memorable" option. You can make it more secure by manually changing it to include an uppercase character. Otherwise it will usually not be accepted online.
- Copy the password to the clipboard (so you can paste it in Safari)
- Save the password in Keychain Access
- Use that account and password to log in to your online service. Hopefully, Safari will now save your credentials for future use so they can be automatically filled in next time.
- Log out of your online service.
- Go back to the login page of your online service and make sure that Safari will automatically fill in your account and password. If not, at least you have the entry in Keychain Access that you manually created.
- Before doing anything else, backup the password you just created in Keychain Access
Backup Preparation
Having a keychain backup is critical because no one really knows whether or not Apple saves them in iCloud or just copies them through. If there are any problems, the only option is to delete your iCloud Keychain, including all saved passwords. You can't rely on Time Machine to back up your iCloud Keychain because it is synced to iCloud. If you restore it, your passwords will probably just be immediately deleted. You also can't rely on iCloud because iCloud Keychain is completely (but silently) non-functional in some fairly common configurations. I spent many months trying, and failing, to get it to work with multiple boot partitions for example. As with anything else in iCloud, there is little or no notification of failure.
Do this once:
- Run Keychain Access
- Got to Keychain Access > File > New Keychain
- Choose a convenient location for the backup keychain. This is a file you will need to access from the Finder each time you need to create a password, so make sure it is easy to find and open. Make sure it is in a location that will be backed up via Time Machine.
- Give the keychain a meaningful name like "iCloud backup" or something similar and click "Create..."
- Give the keychain an easy-to-remember password and click "OK". Normally, when you change the password on your account, it will automatically update the password for your Login and iCloud Keychains. This won't happen with your backup keychain, so make sure it is something secure that you will not forget. If you do forget, hopefully you will detect that before you need it and you will be able to create a new backup keychain using the passwords in your iCloud Keychain
- The backup keychain will be automatically added to Keychain Access. You can't leave it there or it will totally confuse Keychain Access and Safari. Select the backup keychain in Keychain Access and press the Delete key. Choose "Delete references'. You don't want to delete the backup keychain you just went to so much trouble to create.
Backup a password
Each time you add a new password to iCloud Keychain, you need to back it up using your backup keychain. If you don't do this, your password will be stored only in your iCloud Keychain, maybe synced to other devices, and certainly deleted if there is any problem with your iCloud Keychain in the future.
After you have successfully created a manual password in iCloud Keychain and used that password to login via Safari, use the following procedure to backup both the manual entry and the internet entry that Safari created:
- Go to the Finder, locate your backup keychain, and double-click it to open it in Keychain Access
- Find the new entry you created in your iCloud Keychain, and hopefully the autologin entry Safari created, and manually copy each to the clipboard one at a time.
- Then, select your backup keychain and paste the new entry. You will have to enter the password to your backup keychain. You will also have to copy and paste each password individually. You can't do more than one at a time.
- When complete, select the backup keychain and press the Delete button. Choose "Delete references'. You don't want to delete the backup keychain you just went to so much trouble to create.
Using this procedure, you will have memorable, safe, and secure passwords that can be used online. They will be synced to any other device via iCloud Keychain. They will be backed up in both another keychain file and in Time Machine. Feel free to deviate from these instructions at the risk of losing your passwords.