How to use iCloud Keychain to audit your passwords

Reports of a massive 100 million account data leak at T-Mobile should encourage any Apple user to double-check password and account security. Here’s how to do that using Keychain.

iCloud Keychain to the rescue

Apple’s built-in password manager is called iCloud Keychain. It securely stores your saved account information such as account names and passwords across all your signed-in devices. It will automatically enter this information for you when you access an app or service.

It’s a useful tool to help manage better security habits. Many prefer to use cross-platform services such as LastPass, Dashlane, or 1Password for this task, though these services may themselves be vulnerable to attack.

Apple has iterated its password management tool since it was introduced. As of iOS 14, it now alerts you about the following security weaknesses:

• Weak passwords: When you use a password that is widely used or easy to guess. Passwords are seen as easy to guess when they use words found in a dictionary or make use of common character substitutions, keyboard patterns, or sequences such as 1,2,3,4. You’ll also be told to change your password if you are using the same one to access multiple sites.
• Leaked passwords: When a password has appeared in a data leak, such as the one recently revealed at T-Mobile. This system makes use of a continuously updated and curated master list of passwords known to have leaked. The password manager uses strong cryptographic techniques to check your passwords against lists of breached passwords in such a way as your own passwords are never shared.
• Here is more information on how this works.

How to use iCloud Keychain

You set the system up in Settings>iCloud>iCloud Keychain on iOS devices, or System Preferences>Apple ID>iCloud>iCloud Keychain on Macs. Just toggle the feature to On.

Once you enable it, the keychain will gather your passwords across all your devices as you access websites and services during use.

How to check your password security

To check password security on iCloud Keychain follow, these steps:

On a Mac

• Open Safari.
• In the Safari menu, open Preferences and then choose Passwords.
• You’ll need to sign in to access your passwords using Touch ID, your Mac password, or by authenticating with your Apple Watch.
• You’ll be presented with a list of sites that use a weak or exposed password, signified by a yellow warning triangle.
• Double tap that triangle to find the reason the password is flagged and to find a link to the site concerned where you can change it to something more secure.
• You can also tap Details to reach this information.
• Tap Remove to delete a password.

On an iPad or iPhone

The system is better on iOS, as it does a better job of making the information that you find visible. To check the state of your passwords on iPhones or iPads:

• Open Settings>Passwords.
• You’ll need to login using your passcode or Touch/Face ID.
• You will find an alphabetized list of your passwords, with a section called Security Recommendations at the top.
• The Security Recommendations section helpfully informs you of how many risks it has found.
• Tap it and you’ll find a toggle to switch off the compromised password detection system, which I suggest you don’t use.
• You will also find an extensive list of all your most compromised passwords, what the problem is, and why you should fix it.
• Tap any item in the list to find out more about that password, with a link that takes you directly to the website where you can make a change to it to resolve the problem.

NB: Deleting a password in iCloud Keychain does not actually delete your account – you need to do that yourself on the relevant site.

What else Apple is doing

Apple in 2020 made a collection of resources for password management development available to the open source community. This includes collections of websites known to share a sign-in system, links to the parts of some websites where users change passwords, and information concerning idiosyncrasies in the passwords some services permit.

The company also provides the Sign-in With Apple system, which can use Face ID and/or Touch ID and your Apple ID to create highly secure logins.

Starting with iOS 15, Apple will also build Google Authenticator into the system, which means you will be able to generate verification codes for additional sign-in security. If a site offers two-factor authentication, you will be able to set up verification codes under Passwords in Settings and these should autofill when you sign in to the site.

Apple is also putting a new Passkey system together that can be used to replace passwords with biometric (Touch/Face ID) authentication.

Apple does take security seriously (most of the time), and like most big tech companies is now working to develop an infrastructure that replaces passwords with other forms of login access. We are, however, not there yet, and the latest data breach should be reason enough for any enterprise user to confirm their passwords remain secure.

Please follow me on Twitter, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.