Apple's Keychain: The solution and the problem with password managers

Summary: One thing Apple is doing right — partly — is the password manager functionality built into Keychain in iOS 7 and Mavericks. Nobody does it completely right, and right now it's probably impossible to do so. But there is a way to make it all work.

Everyone should be using a password manager. I use Lastpass, but there are other respected ones. Now Apple is baking the password manager directly into the operating system. This would be great if only they weren't being so Apple about it.

In iOS 7 and OS X 10.9 (Mavericks) Apple created iCloud Keychain, a password manager that stores credentials in the user's iCloud storage, along with APIs that iOS and Mac developers can use to support it in their programs. But it's Apple-only. To see why that's a problem, here's some more about password managers.

Ideally, it would be good if passwords went away, but that's like saying world peace would be good — ain't going to happen any time soon. So if we are going to have to live with passwords we need to use them securely. There are two main things end users do wrong with passwords: they use weak passwords and they reuse passwords on multiple sites. A secure user would have unique, strong passwords (like "34cZoHdMk4XI") for every login they have.
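As an added illustration (not code from the article or from any of the products it discusses), here is a small Python audit that flags the two mistakes just described, passwords reused across sites and weak passwords, and generates replacements from the same 62-character alphabet as the article's sample password. The login list is constructed sample data, and the strength estimate is an assumed character-class upper bound, not a real cracking model.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample data (not real credentials): one reused password,
# one weak one, and the article's example of a strong one.
SAMPLE_LOGINS = [
    ("bank.example", "Summer2013"),
    ("shop.example", "Summer2013"),       # reused on two sites
    ("forum.example", "password1"),       # weak
    ("mail.example", "34cZoHdMk4XI"),     # the article's strong example
]

# Letters plus digits: 62 symbols, the alphabet "34cZoHdMk4XI" is drawn from.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(password: str) -> float:
    """Assumed upper bound: length * log2(size of the character classes used).
    A real password like 'Summer2013' is far weaker than this bound suggests."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(logins, min_bits=64.0):
    """Return (reused, weak): passwords shared by more than one site, and
    sites whose password estimate falls below min_bits."""
    by_password = defaultdict(list)
    for site, pw in logins:
        by_password[pw].append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    weak = {site: entropy_bits(pw) for site, pw in logins
            if entropy_bits(pw) < min_bits}
    return reused, weak


def generate(length=12):
    """Unique random password in the style of the article's example,
    using the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```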

This is where password managers show both their strengths and their weaknesses: they allow us to use passwords responsibly by having unique, strong passwords for each login we have. They can even integrate two-factor authentication to make the login even stronger. But because the passwords themselves become unusable directly by humans (who could actually remember all those passwords?), the password manager has to work everywhere you might need it. Nobody really does this well, and in some ways it's impossible to do.

If you're on a friend's computer, working somewhere you can't install software, or using a system for which your password manager has no client, you can't easily get at the password manager. This problem shows up most painfully on mobile devices.

As a general rule, third party password managers can't fill userids and passwords into mobile apps, not even on Android. The OS doesn't permit it. There are good reasons for this which I won't go into, but they don't negate the fact that it's a problem. The way Lastpass (and, I imagine, the others) handles the problem is threefold:

First, they provide their own web browser integrated with their Lastpass client (Lastpass's is based on Dolphin; RoboForm also has add-ons for Dolphin and Firefox for Android). The custom browser usually works well enough and Lastpass tells me they're happy with it, but I run into problems fairly regularly, usually where Dolphin isn't rendering a page in a way that's readable on my phone.

The solution there is the second method: use another browser, probably a better-supported one like Chrome, and use the Lastpass app to look up the usernames and passwords in your Vault, Lastpass's encrypted cloud-stored password database. You can copy these values to the clipboard and paste them into the app or browser. Likewise, on a conventional computer you can access your Vault through a web browser. This works, but slowly, in multiple steps, and it's a big pain.

A third method, used by Lastpass on Android, is to provide a Lastpass-aware keyboard as an Android input method. This keyboard has a Lastpass key on it that can call up the list of logins from the Vault (their password database) appropriate for the app or site. I have been trying, without success, to get this working. In fairness to Lastpass, my support request is still pending, but it's not going to make much of a difference if I get it working because the keyboard is primitive. I use Swype and love it, and having to juggle multiple keyboards is just too much to keep track of. To me it's an overall loss in efficiency. Lastpass knows this; they are trying to work with the major third party software keyboard companies to provide for integration.

A fourth method, of sorts, is 1Password's: it encourages app authors to put a button on their login screens that switches over to 1Password and searches for the appropriate login. But that's all it does. It can't switch back to the app or auto-fill fields, so the user has to copy the credentials to the clipboard, manually go through the home screen back to the app and paste them. Lame.

Nobody gets it right. Apple's approach hints at the right way to do it, but it doesn't go far enough. Here's what it should look like: operating systems need, as Apple's do, to treat the password manager as an important, trusted part of the operating system with appropriate access to applications where necessary. But the password managers need to be pluggable, with defined interfaces so that all of them can do the things they need to do, such as filling username, password and other form fields, like credit card numbers.

There's no reason why an OS vendor like Apple shouldn't be able to make their own, but if it were to conform to the same interfaces then the user could choose a third party alternative. Perhaps Apple doesn't want this because it would make it easier for their users to use non-Apple products.

The pluggable password manager approach should work well on any operating system, including Windows. Even a really cloud-oriented OS, like Chrome OS, should be able to handle it.

These programs need to be trustworthy. A special code signing system could be created where password managers need to be certified and approved for installation in the OS. Such a system could also provide for user override to install any old password manager, with clear warnings, if the OS vendor wants to allow it. Android might, iOS never would.

The main reason my proposal probably won't happen is that mobile OS vendors, mainly Apple and Microsoft, are very concerned with controlling the basic user interface elements of the OS. It's the same reason why Apple and Microsoft don't allow installable keyboards.

It's cool that there are so many different and competitive ecosystems these days: Android, Windows, OS X, iOS, Chrome, even Kindle is really separate, and there are others. Passwords are one of the top problems with all this diversity.

Topics: Security, Android, Apple, Cloud, Google, iOS, Microsoft, Mobile OS, Windows

Talkback

19 comments
  • Password Manager

    Larry,
    Take a look at Steve Gibson's SQRL proposal, which removes usernames and passwords entirely. He takes your suggestion two steps further by also providing a solution for compromised login databases, i.e. Adobe, and being able to log in with some anonymity, not providing email addresses.
    John Cary
    • It's on my to-do list

      I've only glanced at SQRL (https://www.grc.com/sqrl/sqrl.htm), but I'll give it more scrutiny soon. In any case, nothing to eliminate passwords can possibly be a practical solution for many years. Seriously.
      Larry Seltzer
    • single factor?

      I read some more. Correct me if I'm wrong, but this is single factor authentication, i.e. a client certificate. If someone gets my computer or phone they can impersonate me on any SQRL site, right?
      Larry Seltzer
    • KeyChain App

      Hi Larry,

      Thanks for the great article.

      After years of using LastPass myself, I recently discovered an excellent app called LoginBox. It's not a regular password manager, as it only lets you manage website logins, but it does the whole login process automatically and works much better than the other password managers I tried for that.

      https://itunes.apple.com/app/id554782625?mt=8

      Gil
      johnblogs
  • Proprietary system not good

    Apple has a bad habit of making things too proprietary. All it takes is one bad-apple employee to cause a lot of damage. Also, proprietary systems could change at any time, forcing you to adapt or be stranded. In general, the best password manager is one that encrypts data, keeps the data as local as possible, and does not depend on proprietary systems.
    Sean Foley
    • don't argue about bad apple employee

      That is true anywhere. The proprietary issue is you are locked into Apple. Keychain won't run outside of an Apple machine. That is a user decision.
      Luke Skywalker
    • I don't think that's true

      I would assume that Apple can't, in the normal course of things, access the contents of your iCloud Keychain without your password. All encryption and decryption in all these password managers takes place on the client end and all iCloud ever sees is ciphertext.
      Larry Seltzer
  • Nobody Gets it Right...

    But to add insult to injury... LastPass charges money for its Android app. Call me spoiled, but I love the automation of LP's desktop app -- and that one is free!

    But back to Android, considering that one has to copy and paste or go through some other hoops to populate ID's and passwords anyway -- I just keep a password-protected spreadsheet with a listing of three columns:

    1. Website name (in hypertext)
    2. IDs
    3. Passwords

    Not much more effort than LP android.
    ReadandShare
    • I like your method

      I keep the exact same spreadsheet, and I have a very strong password on it that I use on nothing else, same with my LP master password.
      You're being unfair to LP. They do have to make a living.
      Larry Seltzer
      • Unfair to LP?

        Unfair? Not really. I have a collection of paid apps on my Android tablet. My problem with LP's Android app is twofold:

        1. It doesn't do much more than my free, current password-protected spreadsheet.

        2. I will be more than happy to pay a one-time fee once the Android app approaches the functionality and ease of use of its desktop counterpart -- similar to all the other paid Android apps on my tablet. A monthly payment? No, not for me.

        In the meantime, I hope the encryption on my Kingsoft Office desktop and tablet versions is robust. I have a long password, but I am unsure exactly the type of encryption used.
        ReadandShare
        • while I admire your strict adherence to principles...

          $1/month? Seems a little harsh to fault them for that. Like Larry said, they do need to make a living. And LP does offer a few things your spreadsheet doesn't, like sharing individual sites with another user, Yubikey support, etc. These features may not matter to you personally, but I'd disagree with your point 1. in a general sense. As Gallagher once said to me in a strip club, "I'd buy that for a dollar!"
          frylock
  • Are people really that comfortable

    storing all their passwords with a cloud based service? That's about the last thing I want to do, considering all the NSA revelations these past few months.
    Sam Wagner
    • Yes, I have no problem with it

      The service only ever sees encrypted data and they don't have access to your master password. In fact, when you set up Lastpass, a big part of the process is when they warn you that if you lose your master password they can't get it back for you.
      https://lastpass.com/support.php?cmd=showfaq&id=375
      Larry Seltzer
      • I suppose since it is encrypted it's not so bad.

        As long as the user makes sure the password for the password manager is a particularly strong one.
        Sam Wagner
    • that is a valid concern

      With any cloud-based solution you are placing a certain amount of trust in them. For example, how do you know they are adequately encrypting their store, or that they don't have a backdoor key? It's one price of convenience. If that price is too high, you could use a local-only solution like KeePass (which has the added advantage of being open source, so you can verify their encryption methods).
      frylock
  • Is it that big a deal?

    I use 1Password with client-side encryption and store the data in dropbox. This means I have my passwords on my Mac, Windows PC, and iOS devices. Sure I have to use the iOS clipboard to copy logins/passwords to apps that I'm using, but this is generally a once off (unless I choose to change the password.) I rarely, if ever, use Safari to log in to a website on my iOS. Most services I need are app based anyway.

    The iCloud Keychain is a good idea and it's nice to know it's available, but I'm happy with how I've got things set up now.
    Spartan-Runner
    • a once-off?

      So you're having the app save the password? Not best practice.
      Larry Seltzer
  • wish apple would support iCloud Keychain on Safari for Windows

    If they did that it would be a compelling reason to use their service. Without that, well, I'm not that much of an Apple fanboi.
    impala_sc
  • Keychain is great if you only own Apple devices

    I'm actually a really big fan of the recent changes to the keychain in OSX Mavericks, but I still use RoboForm for password management because I use Windows computers and an Android tablet at work. For me the Keychain can't replace RoboForm because of the wide variety of platforms I use daily.
    ComputerPhil