DaveSouth.org

Email RSS Twitter Delicious

iCloud Keychain synchronization vs 1Password and Dropbox

iCloud keychain synchronization is more trouble than it’s worth. With 2-factor authentication on Google it causes no end of trouble as it tries to copy my Mail setup between my Mac Mini and MacBook Air. Additionally, keychain really only works with Safari, but I actually use four browsers — Safari, Chrome, Firefox, and Opera. And finally, iCloud keychain easily exposes passwords on iOS devices. My recommendation, use 1Password and don’t turn on iCloud keychain synchronization on your Macs.

Why 1Password?

  • It’s cross platform and cross browser. Want to log into a website? Just hit command-\ and 1Password instantly fills in your data regardless of the browser you use.
  • It can synchronize using Dropbox. Now that Dropbox supports 2-factor authentication, your 1Password data file is well protected if you synchronize via Dropbox. It’s better than iCloud which has poor 2-factor security.
  • It encrypts far more than just web logins. You can create secure notes, save software licenses, set up multiple identities (work, home) to fill in forms with, and save your credit card information.
  • There is an excellent iOS client with a built-in browser to visit sites and automatically fill-in login information.

When to use keychain

On Macs I use the keychain all the time. It’s where the system saves WiFi passwords and all your internet accounts. It’s a good system password manager and you should continue to let it do it’s job. Just don’t turn on synchronization.

Sync keychain between iOS devices

I do use keychain synchronization between my iPad and iPhone. This way if I decide to let keychain remember a password, I only have to entered it once in one device. The other device benefits.

Be careful on iOS devices

Navigate to Settings > Safari > Passwords & Auto Fill > Saved Passwords. There is a list of the websites you saved your password with. Now select one. You will be asked for your unlock code (the four-digit code used to unlock the device). And now you see your carefully created password.

Guess what. Four digits is not very secure.

A coworker watches you unlock the phone. Now they have the code. When you leave your desk, they navigate to that screen and now they know your log in information for your websites. You better hope they are only going to try a prank on you.

I do save a few passwords on iOS devices, but never for sensitive websites. It’s just too easy to gain access. Maybe with iPhone 5S this would be more difficult. On all the other devices, it’s pretty easy.

Caveats

  • Yes, you have to buy 1Password both for iOS and the Mac. It also requires some initial set up. In the long run it’s worth it.
  • Even the best setup is no good if you don’t carefully manage your own security. Use different, difficult passwords on each site you visit. Let 1Password help you generate secure passwords.
  • Avoid opening links in emails, especially links to commerce and banking sites. If you receive a message from your “bank”, always open the browser yourself and manually navigate to the bank site. 1Password does help in this area because it won’t fill in a password if the domain is incorrect. Even still, be careful.