Is iCloud Keychain/Apple Password Manager Safe & Reliable?
Apple remains the top provider of smartphones worldwide while also providing an array of innovative computers, tablets, and apps. It seems logical that Apple would also offer its own proprietary password manager, and they do. But is Apple password manager safe? Let’s explore this question in more detail while reviewing the benefits, drawbacks, and alternatives to this default password management option.
What does the Apple password manager do?
The Apple password manager, known as iCloud Keychain, is an option built into every Mac, iPhone, and iPad which can be used to generate random passwords, store passwords and usernames, store credit card numbers, and autofill information when you return to the same website. Apple uses AES 256-bit encryption to encode information, and passwords can automatically be synced to other compatible devices. The latest version of the Apple password manager also includes a 2-factor authentication (2FA) option, where the system generates a periodically updated code as a secondary identifier during login.
No additional app is needed to use iCloud Keychain on an Apple device since it’s pre-loaded on the iOS and macOS operating systems. You can access it by going to the Passwords and Keychain menu in the Settings app. When you buy a new Apple device, you’ll be prompted to set up the password manager unless you’ve already created an iCloud account. If you elect to use the iCloud Keychain, the logins you save will be listed alphabetically in the Settings menu.
Want to learn more about using Dashlane Password Manager at home or at work?
What is iCloud Keychain?
iCloud Keychain is the official name for the Apple password manager. The concept of a digital keychain to keep passwords and other important information in one location originated with the macOS operating system, then spread to iOS as Apple mobile devices were introduced. Unlike browser-based password managers that signal their presence with sudden pop-up messages, the iCloud Keychain was intended to remain invisible during everyday use, and many Apple owners remain unaware of its existence on their devices. In keeping with the digital keychain concept, the Apple password manager allows you to store passwords, usernames, internet accounts, credit card numbers, expiration dates, and personal notes. With the upcoming release of iOS 17, it will also allow you to share passwords with family and friends using the Family Passwords feature.
The risks of using Apple password manager
How secure is iCloud Keychain? Over the years, the Apple password manager has incorporated new security features, including 2FA and AES 256-bit encryption, a strong digital encoding method that government agencies and banks use to improve security. Despite these improvements, the Apple Keychain still has some limitations:
- Creates a single point of failure
By limiting you to a single device brand, the iCloud Keychain also creates a single point of failure. In other words, the Apple password manager puts all your eggs in one basket. If one of your Apple devices is lost or stolen, all your stored logins and account information can be accessed with just a passcode. Screen locks and authenticator apps can minimize this risk, but consolidated password lists present a tempting target for cybercriminals.
- Others can access password data
The Apple password manager automatically syncs logins between your compatible devices. This includes credit card numbers and other personal information you’ve stored in the Keychain. Syncing introduces security risks when your MacBook, iPad, and iPhone are in different locations. Unless you take extra steps to protect your data with 2FA, other users of these commonly shared devices will also have access to it.
What the iCloud Keychain doesn’t do
Is Apple Keychain safe? Despite the convenience for Apple users, the Apple password manager lacks some of the flexibility and features found in other leading password managers. This creates additional limitations since it’s designed to work primarily with Apple devices. These are a few of the things the Apple password manager doesn’t do:
- iCloud Keychain doesn’t work for non-Apple owners. To use the Apple password manager, you must own an Apple product. 47% of smartphone users in the United States own an iPhone, but a much smaller percentage of laptop and desktop computer users own an Apple product. This means they need a different password manager for their non-Apple devices unless they install iCloud for Windows and create browser extensions for Edge or Chrome on their PC.
- iCloud Keychain is made for Safari. Twenty years ago, Apple unveiled its proprietary browser called Safari. This differentiated the Apple brand before the launch of the iPhone four years later, but it also created limitations when features like the Apple Keychain were restricted to Safari alone. Apple has improved upon this limitation with the addition of Chrome and Edge browser extensions, but you must already have an iCloud Keychain account set up through your Apple device to enjoy this versatility. For comparison, the Dashlane browser extension syncs with all major browsers and operating systems.
- Apple’s iCloud Keychain doesn’t easily export passwords. The option to download your password data to a standard file type like a comma-separated values (CSV) file or Excel spreadsheet can be convenient when you’re migrating to a new (non-Apple) device, have been impacted by a data breach, or select a different password manager. Exporting passwords from an iPhone requires the simultaneous use of a Mac device or third-party app. This inability to export passwords easily can make the migration process frustrating and time-consuming.
- iCloud Keychain doesn’t let you pre-specify password criteria on any website. When you generate a new password using the Apple password manager, you can choose 1 of 3 options: 1) Let the password manager create a password for you, 2) Let the password manager generate a password, then edit it yourself, or 3) Create your own password.
On certain websites and apps, Apple recognizes the password requirements and creates a unique password for you that suits the vendor’s criteria. However, if you’re using a site not included in Apple’s database of password criteria, you’ll have to create your own strong password.
In this case, you can request a new password consisting of only letters and numbers, or a password that’s easy to type, after reviewing your system-generated password. What’s missing is a setting that lets you specify your password criteria in advance, such as the desired length, character types, and capitalization. Password criteria is an important consideration for generating passwords that must meet certain requirements—since these requirements often vary from account to account. The best password generators let you predefine attributes, so you don’t need to customize, regenerate, or manually edit newly generated passwords. The Dashlane Password Generator does this and works on any website.
- Apple doesn’t have extensive dark web monitoring. You may not always realize when your passwords or personal information are compromised. Although the iCloud Keychain now monitors the web to ensure your passwords don’t match any that have been exposed in data breaches, it doesn’t search for your email address and other important identifiers.
Dashlane’s Dark Web Monitoring provides a holistic approach to password management and cybersecurity by scanning the depths of the internet for your logins and personal information and notifying you if they’re detected.
- Apple doesn’t provide a universal virtual private network (VPN). Unsecured WiFi networks are an invisible cybersecurity threat, with hackers targeting public venues like airports, cafés, and hotels to intercept unencrypted communications using tactics like man-in-the-middle (MITM) attacks. A VPN reduces the risk of data intercepts by routing all data going into or out of a device through a secure portal. Apple provides a built-in VPN for Safari, called iCloud Private Relay, as part of an iCloud+ subscription. This optional VPN maintains that your Safari browsing sessions are protected. However, online activities on apps and browsers other than Safari aren’t covered. Dashlane includes a free universal VPN that works anywhere and protects all your browsers and devices.
- iCloud Keychain doesn’t separate business credentials from personal credentials. A growing number of people use multiple devices, including laptops, tablets, and smartphones, for work and personal purposes. More organizations have implemented bring-your-own-device (BYOD) policies to improve worker productivity and flexibility. The Apple password manager doesn’t provide a way to separate business and personal credentials, and only one Keychain account can be linked to your Apple ID. This lack of flexibility makes the iCloud keychain a less viable option for business or hybrid-use devices since there is no safe way to keep business credentials private.
Alternatives to the Apple password manager
Password managers with various formats and price points have sprung up in recent years as more people recognize the security and productivity benefits.
- Browser-based password managers: Built-in browser password managers provided by Google and other major browser developers allow you to generate, save, and autofill passwords. Like the iCloud Keychain, these built-in password managers are limited to a single browser type, which can be inconvenient for computer users who regularly navigate between devices and browsers. Browser-based options also lack the added security and privacy benefits of the best zero-knowledge password managers.
- Offline/local password managers: A local password manager offers many of the same basic functions and features found in cloud-based options, including password generation, storage, encryption, and autofill. Since the password data remains offline, a local password manager can’t provide certain benefits like automatic password synchronization and secure family password sharing made possible by an internet connection. Local device storage creates a single point of failure and makes data more susceptible to data loss.
- Zero-knowledge password managers: Top password managers, including Dashlane, are known as zero-knowledge password managers since the advanced encryption, data storage, and password recall technology ensures your private password data can never be intercepted by hackers (or anyone else) in an unencrypted format. Data is encrypted using zero-knowledge architecture before it leaves your device for secure storage in the cloud, and the data remains encoded while stored. Since only you retain the encryption key, it’s impossible for anyone, including the password manager provider, to view your private data in its unencrypted format since everything, including metadata, is truly encrypted. This premium password manager category typically includes a high level of customer support as well as customizable password generation, autofill, and dashboard settings.
How Dashlane keeps your Apple passwords safe
With standard Dashlane features, including a Password Health score, universal VPN, and secure password-sharing portal contributing to a comprehensive cybersecurity solution, the Dashlane vs. iCloud Keychain comparison is not exactly apples to apples. Dashlane operates seamlessly with Safari, macOS, and iOS, along with most other popular browsers and operating systems. Adopting Dashlane means you can still use your favorite Apple products and have it all.
Extensive Dark Web Monitoring alerts you if your logins or personal information are compromised, while 2FA adds an additional layer of 24/7 protection. Our patented zero-knowledge architecture ensures that no one, including Dashlane, can access your unencrypted data. If Dashlane were ever hacked, which has never happened, the hackers would be unable to access your information. So why settle for a keychain when you can use a Swiss army knife instead?
Cyber threats never sleep, and neither should your cybersecurity solutions. Find out how the benefits of advanced security technology like a password vault, VPN, and digital wallet can safeguard your security and privacy when you're on or off the clock.
- Dashlane, “Data Breach or Hack? Know the difference,” June 2021.
- Dashlane, “How To Find Passwords on an iPhone & Never Forget Them,” March 2023.
- Dashlane, “What is Encryption?” March 2019.
- Dashlane, “A Beginner’s Guide to Two-Factor Authentication,” August 2022.
- Earthweb, “How many people use iPhones in 2023?” April 2023.
- Intego, “Apple’s Safari Web Browser is 20 Years Old,” January 2023.
- Dashlane, “The Best Browser Extensions for Digital Privacy,” October 2020.
- iPhone User Guide, “Automatically fill in strong passwords on iPhone,” 2023.
- Dashlane, “How to Shine a Light on the Dark Web,” June 2022.
- NIST, “Man-in-the-middle attack (MitM),” 2023.
- Dashlane, “How Businesses with a BYOD Policy Can Secure Employee Devices,” January 2023.
- Apple Insider, “How to use iCloud Keychain, Apple's built-in and free password manager,” June 2022.
- Dashlane, “6 Things a Safe Username Should Always Do,” February 2023.
- TechTarget, “single point of failure (SPOF),” November 2021.
- Dashlane, “Why Every Employee Device Should Be Secured,” May 2021.
- Dashlane, “How to Export Google Chrome Passwords to a CSV,” April 2023.
- Dashlane, “A Deep Dive into Dashlane's Zero-Knowledge Security,” 2023.
- Dashlane, “Putting Security First: How Dashlane Protects Your Data,” January 2023.
- Dashlane, “Security and Privacy When You're off the Clock,” 2023.
- GitHub, “apple/password-manager-resources.”
Thanks! You're subscribed. Be on the lookout for updates straight to your inbox.