Trying to decide whether to use an on-line Password Manager or Apple's Password App in settings, in Sonoma? If I use Apple's, does it automatically have to be in the cloud, which I would rather it not be. I don't use iCloud. I use my own cloud.
Or, maybe just creating a password protected .dmg file on my computer, with a password protected numbers file is the better way to go.
Opinions please?
MacBook Air (M2, 2022)
The Apple password manager is called Keychain, and Keychain optionally supports iCloud Keychain for synchronization across macOS and devices.
iCloud Keychain works for passwords, and passkeys.
On Mac, Keychain also supports secure notes, and also provides access to the trust store and to locally-added certificates.
macOS Sequoia has some substantial updates arriving imminently here, as well.
If you need support for non-Apple computers and non-Apple devices, a third-party password manager might be a better choice.
Check the third-party apps for their security and their responsiveness to any incidents that may have arisen, too. Some have been better than others.
Trying to decide whether to use an on-line Password Manager or Apple's Password App in settings, in Sonoma?
I went with Apple's one. Does all I need. Your needs might be different. What is undeniable is the convenience of having all my passwords on all my devices.
If I use Apple's, does it automatically have to be in the cloud, which I would rather it not be.
If you want to sync across devices it will have to be in the cloud somewhere. So, if you use an "online Password Manager" as mentioned in your query, that will also be in the cloud. Apple's syncs via iCloud. I'm confident that this will be more secure than one I might cook up myself.
Or, maybe just creating a password protected .dmg file on my computer, with a password protected numbers file is the better way to go.
Maybe, or maybe not. Not much good if you want to sync across devices, nor if you want your Mac to input passwords for you. Again, it's down to your requirements, and only you know those.
Quacks wrote:
Thank you, and good to know. I have some things in keychain like passwords for wifi & TM, but no websites. Have all that written down as I don't save it in Safari either.
If by “don’t save it in Safari”, you mean “don’t save it in Keychain”, sure. Because to be clear, Safari and Apple apps and most other third-party apps use Keychain.
Some browser apps such as those from Google Chrome and Mozilla Firefox do have their own password stores, separate from Keychain.
This is why I'm asking all my questions. Big leap for me, to do the password manager thing.
Passwords take effort. Picking unique and robust passwords, avoiding the doom that is password re-use, detecting and reporting compromised passwords, detecting and avoiding phishing websites, and just transcribing those passwords for input. Password managers automate that.
Usually, I'm considered an early adopter, but not when it comes to my passwords.
So keep using that notebook, with all its familiarity and that’s no small benefit, and with its inherent security issues such as with phishing, and with its inability to store passkeys.
I have the most critical security details stored (duplicated) outside of Keychain, in what amounts to a notebook.
randomstop wrote:
So you are able to remember something like:
vGXBU!TfCkDr!$E*&lEuaXz9#vXlusy!Rh@sMTL@GXSeI3b
for each of your financial accounts?
There's a better way to generate complex passwords that are easy to remember but hard for anyone to guess. Take a quote or phrase that you can remember, for example, "Now is the time for all good men to come to the aid of the party". Use the first letter from each word: Nittfagmtcttaotp". Perhaps change the o to a zero. Nittfagmtctta0tp. Add a special character or two. Nitt%fagmtctta0tp. It really cuts down on what you need to remember.
IdrisSeabright wrote:
randomstop wrote:
So you are able to remember something like:
vGXBU!TfCkDr!$E*&lEuaXz9#vXlusy!Rh@sMTL@GXSeI3b
for each of your financial accounts?
Though I suspect it was not intended here, don’t re-use passwords, as services can and do get breached.
There's a better way to generate complex passwords that are easy to remember but hard for anyone to guess. Take a quote or phrase that you can remember, for example, "Now is the time for all good men to come to the aid of the party". Use the first letter from each word: Nittfagmtcttaotp". Perhaps change the o to a zero. Nittfagmtctta0tp. Add a special character or two. Nitt%fagmtctta0tp. It really cuts down on what you need to remember.
That works.
One of the musically-inclined folks of my acquaintance was drumming various favorite songs’ percussion with their keyboard keys. They had no idea what their password was, but they could “play” it.
But I long ago switched to a password manager, as that also avoids other related issues including entering a real password into a well-crafted phishing website, oh, and websites can be coded to capture text input before you press return.
And a password manager deals with passkeys and (as Apple has done) can also be integrated with two-factor messages, which my ever-fallible memory won’t, and isn’t.
And of course, the obligatory XKCD 936. (detailed explanation, and included some of the related debates)
Quacks wrote:
Thank you! Maybe I will wait for Sequoia. Mostly want on my MacBook Air M2, not on iPhone and syncing across devices. What are your thoughts on bank passwords in a password manager, or best to keep separate?
I’ve been using Keychain for most of twenty years.
When iCloud Keychain became available, I enabled that.
Given I’m not trying to sync passwords to Windows or Android or otherwise, that Keychain is Apple specific has not been an issue.
You’re probably already using Keychain, too. Launch Keychain Access, and look around.
MrHoffman wrote:
One of the musically-inclined folks of my acquaintance was drumming various favorite songs’ percussion with their keyboard keys. They had no idea what their password was, but they could “play” it.
That's cool!
But I long ago switched to a password manager, as that also avoids other related issues including entering a real password into a well-crafted phishing website, oh, and websites can be coded to capture text input before you press return.
And a password manager deals with passkeys and (as Apple has done) can also be integrated with two-factor messages, which my ever-fallible memory won’t, and isn’t.
That is also the route I have taken. But, Yer_Man said they preferred to rely on memory for certain passcodes.
And of course, the obligatory XKCD 936. (detailed explanation, and included some of the related debates)
Very important information!
Thank you! Maybe I will wait for Sequoia. Mostly want on my MacBook Air M2, not on iPhone and syncing across devices. What are your thoughts on bank passwords in a password manager, or best to keep separate?
Thank you, and good to know. I have some things in keychain like passwords for wifi & TM, but no websites. Have all that written down as I don't save it in Safari either. This is why I'm asking all my questions. Big leap for me, to do the password manager thing. Usually, I'm considered an early adopter, but not when it comes to my passwords.
fyi...I only have Apple devices so not an issue.
Quacks wrote:
Thank you for your help. Bank passwords too or best to keep those out of any password manager & cloud?
Wherever possible, enable multi-factor authentication. That will help protect your accounts even if passcodes are compromised.
You might also want to consider enabling Stolen Device Protection on your iPhone if you have one:
About Stolen Device Protection for iPhone - Apple Support
IdrisSeabright wrote:
randomstop wrote:
So you are able to remember something like:
vGXBU!TfCkDr!$E*&lEuaXz9#vXlusy!Rh@sMTL@GXSeI3b
for each of your financial accounts?
There's a better way to generate complex passwords that are easy to remember but hard for anyone to guess. Take a quote or phrase that you can remember, for example, "Now is the time for all good men to come to the aid of the party". Use the first letter from each word: Nittfagmtcttaotp". Perhaps change the o to a zero. Nittfagmtctta0tp. Add a special character or two. Nitt%fagmtctta0tp. It really cuts down on what you need to remember.
I am too old and lazy to go through those exercises for each of my financial accounts.
Why do you think that entrusting bank account logins to a password manager is a bad idea?
randomstop wrote:
I am too old and lazy to go through those exercises for each of my financial accounts.
Why do you think that entrusting bank account logins to a password manager is a bad idea?
I don't think it's a bad idea. It's what I do. It was Yer_Man who said they committed theirs to memory. My only point was that complex passcodes can be made easy to remember without significantly increasing their vulnerability.
I have to change a password for a government website far more often than I would like. I also don't have easy access to a password generator at work. Since the password can't contain any dictionary words (it recognized French, too!), I use this technique to create passwords. They are saved in my browser, and I rarely have to type it, but when I do, I can do it fairly easily and don't need to write it down (really bad security). Obviously, it helps if you have a good memory for quotations.
Thank you for your help. Bank passwords too or best to keep those out of any password manager & cloud?
Bank passwords too or best to keep those out of any password manager & cloud?
Bank passwords I remember only. They're not written down anywhere.
So you are able to remember something like:
vGXBU!TfCkDr!$E*&lEuaXz9#vXlusy!Rh@sMTL@GXSeI3b
for each of your financial accounts?
Password Manager or Apple's?
