Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/ Using Apple's iCloud Passwords Outside Safari Adam Engst We regularly recommend using a password manager like 1Password, and for good reason. Passkeys may eventually take over'and I hope to explore them soon'but until that time, we're stuck with passwords, and managing them manually is less secure and vastly more work. For many years, solutions like 1Password, BitWarden, Dashlane, and LastPass (which I no longer recommend'see '[1]LastPass Publishes More Details about Its Data Breaches,' 3 March 2023) fell into the must-have category. Apple's Keychain Access utility has long provided basic password management capabilities in macOS but has never been particularly usable. With macOS 12 Monterey, iOS 15, and iPadOS 15, Apple gave passwords a better user-facing interface in System Preferences and Safari on the Mac and the Settings app on the iPhone and iPad. Although the settings screens are labeled Passwords and the iCloud-based password syncing feature is called iCloud Keychain, Apple doesn't seem to have a formal name for the totality of these password management features, making it hard to talk about them in the same sentence as something like 1Password. For this article, I will use the name iCloud Passwords for reasons that will soon become obvious. Although iCloud Passwords didn't'and still doesn't'have full feature parity with third-party password managers, it was pretty good. It offered all the basics, such as auto-fill, editing, searching, and even syncing through iCloud Keychain. Over time, Apple added support for one-time passwords, password sharing, and more. Importantly, it's also completely free. Despite these improvements, iCloud Passwords suffered in one significant way: it worked only in Safari. On the iPhone and iPad, that wasn't a problem because other Web browsers relied on the same WebKit engine as Safari. (Apple also allowed Safari to treat third-party password managers as first-class alternatives.) But Mac users who wanted to use Chromium-based browsers like Arc, Brave, Google Chrome, Microsoft Edge, Opera, and Vivaldi, or Mozilla's Firefox couldn't take advantage of iCloud Passwords. In 2021, Apple released the [2]iCloud Passwords extension for Google Chrome, but only for Windows. In July 2023, Apple updated it to version 2.0, adding support for Mac versions of Google Chrome running in macOS 14 Sonoma. Although I'm happy with 1Password, I've been using iCloud Passwords for the past month in Arc to see if I could recommend iCloud Passwords for those who don't rely on Safari. While I miss features from 1Password, the answer is yes: iCloud Passwords works fine. At least that's true for me'I see reviews on the Chrome Web Store page that claim it doesn't work or broke after some update, but I've been using it long enough that I'm comfortable saying it's functional. Although Apple released iCloud Passwords only for Chromium browsers'and it seems to work equally as well in all the variants I've tried'the company has done nothing for Firefox users. However, an independent developer named AurĂ©lien recently published a Firefox add-on also called [3]iCloud Passwords, so that's an option for those running Sonoma or recent versions of Windows'it doesn't work for earlier versions of macOS. It's not yet well-known, with only 716 users last I checked (versus 2 million for the iCloud Passwords Chrome extension), but I've installed it and verified that it works. Although I'm a little hesitant to recommend an independent add-on that interacts with a system-wide password store, it's open source, and anyone can [4]view its code on GitHub. Passwords Settings Before we get to the specifics of using iCloud Passwords in a Chromium browser, I want to review the basics of password management in macOS. You access your passwords in System Settings > Passwords or Safari > Settings > Passwords'they're the same'and you must authenticate every time you go there. Touch ID or Apple Watch authentication makes that a lot easier. Let's look at all the options from the top: * Search field: Usethis to find logins in the list below by searching for the site name or username. Unlike 1Password, you can't search for strings contained in your passwords. * + menu: Choose New Password or New Shared Group as desired. Most of the time, you'll create new logins while setting up an account on a website'iCloud Passwords offers to remember the login information for you. More on shared groups shortly. * '¢'¢'¢ menu: Apple puts the Import and Export commands in this unhelpfully labeled menu. The import/export format is CSV, and Apple warns that exported passwords will be stored unencrypted. (As an aside, I think using + and '¢'¢'¢ to label menus is borderline criminal interface design, but it's just one of many decisions in System Settings that will make its designers first up against the wall when the revolution comes.) * Security Recommendations: If the switch here is enabled, Apple will check your passwords against those from known breaches and warn you if they may have been compromised. The company [5]doesn't say explicitly, but I imagine it uses [6]Have I Been Pwned, much like 1Password does for its [7]Watchtower feature. Apple also points out logins that have weak passwords. * Password Options: I see no reason to turn off autofill or the option to clean up verification codes automatically, but I'm intrigued by the 'Use passwords and passkeys from' section. iCloud Keychain is the only option here, but this setting parallels the iOS Settings > Passwords > Password Options screen that lets you use third-party password managers. Perhaps Apple will open up macOS to others in the future. * Share Passwords with Family: This option triggers an assistant that walks you through creating a Family Passwords shared group, adding family members, and moving passwords from your personal set to the shared set. It's simple and well done. You can also share passwords among any other group; choose New Shared Group from the + menu at the top. * Edit login: Finally, you can edit any login by clicking its ' button. Happily, double-clicking anywhere on the login item also works, unlike other controls like System Settings > General > Software Update > Automatic Updates. Most of the items here are self-explanatory, though all the Change Password on Website button does is take you to the top level of the site. Note the Verification Code section, which can create and autofill two-factor authentication codes (see '[8]Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15,' 7 October 2021). Unfortunately, the Website section, which shows the domain of the site on which iCloud Passwords will autofill your credentials, is not editable. That's too bad'I've had to edit remembered URLs in 1Password occasionally because the URL used for account creation doesn't always closely match the login URL. Nothing in Passwords Settings will set the world on fire, but Apple has provided a solid set of basic features. iCloud Passwords in a Browser To autofill your passwords in a Chromium browser like Arc, Brave, or Google Chrome, you need to install Apple's [9]iCloud Passwords extension from the Chrome Web Store. That's as simple as clicking the Add to Chrome button and acknowledging that you want to install when prompted. How you interact with extensions varies a bit by browser, though most let you add them to a toolbar. In Chromium browsers other than Arc (which has a bug in this area), clicking a login form displays a notification that you can click to enable Password AutoFill. Arc has no such toolbar, but choosing Extensions > iCloud Passwords has the same effect as clicking the toolbar button or the notification. However you invoke it, iCloud Passwords presents you with two dialogs: a system-level dialog with a verification code and a browser-level dialog into which you enter it. If you make a mistake typing, you're instantly presented with another code. Although this verification approach is straightforward, it's required for every launch of the Web browser, so you may end up typing a lot of verification codes. It's much easier to use biometric authentication via Touch ID or an Apple Watch in 1Password; I presume other password managers also support biometric authentication. Once you've enabled Password AutoFill, it's trivially easy to use. Just click in a login form, and iCloud Passwords detects that action and presents you with passwords that match the domain of the site you're on. Click one to enter its information in the login form fields. Typically, only a single password will appear, but if you have multiple logins at different sites within the same domain, as I do in the screenshot below, you get to pick one. (As an aside, this domain detection is one of the key reasons to use a password manager'they can't be fooled into helping you enter a password onto a malicious site pretending to be something else. A human might not notice, but app1e.com isn't apple.com in the eyes of a password manager.) If a login form has both a username and password field, iCloud Passwords will autofill both. If the login process first requires you to enter your username, followed by the password after a form or page refresh, you'll likely have to click again to autofill the password separately. 1Password is better at injecting the password into the second field that appears without requiring manual intervention. One last thing. If you need to create a new account, iCloud Passwords almost always notices and offers to save your credentials. What it doesn't do, unfortunately, is create a secure password for you. Instead, it suggests creating a strong password in System Settings > Passwords or opening the page in Safari (below left, ignore the broken graphic icon). Indeed, Safari automatically generates strong passwords and saves them to your password collection when you click Use Strong Password (below right). So, the better part of valor is to switch to Safari when creating new accounts and then switch back to log in with the new credentials. If you instead use System Settings > Passwords, you'll have to click the + menu, choose New Password, click the Create Strong Password button, copy the password, switch back to your browser, and paste the password. Limitations Compared to Other Password Managers I've mentioned a few ways that iCloud Passwords fails to match up to the likes of 1Password, but let's collect all of them here so you get a sense of the difference. iCloud Passwords: * Generates many more verification requests. * Doesn't support biometric authentication, so those verification requests can be answered only by typing in a six-digit code. (Although the code may be easier than typing in a master password.) * Isn't quite as capable of autofilling login fields separated by a form or page refresh. * Sometimes fails to offer to save a manual login. * Supports only logins, unlike other password managers, which can store many other types of private information, such as identity cards, medical record cards, bank accounts, API credentials, secure notes, and even documents. * Can't autofill credit card or address information. You can work around this last limitation using browser features. Chromium browsers can all autofill payment methods and addresses, but by default, iCloud Passwords blocks those features from working, even though it won't help you in that department. If you circumvent the iCloud Passwords block on browser autofill, you can get the best of both worlds. Follow these steps: 1. In your Chromium browser, navigate to the Extensions page, usually by choosing Window > Extensions. In Arc, it's Extensions > Manage Extensions. 2. Click the Details button next to iCloud Passwords. 3. On the iCloud Password Details screen, click the button next to Extension Options, and in the dialog that opens, deselect Turn Off Chrome AutoFill. That double-negative allows Chrome's AutoFill to operate independently again. 4. Navigate to the browser's Autofill settings, which is usually accessible from the main Settings page under 'Autofill and Passwords,' although Microsoft Edge puts it under Profiles. The URL browsername://settings/autofill will always take you there. 5. Start with Payment Methods. Make sure 'Save and fill payment methods' is turned on. Use the Add button to add your credit card information. It won't let you save credit card CVV codes for security reasons, so you must remember and enter them manually. When you're done, click the Back arrow in the upper left to return to the Autofill and Passwords screen. 6. Next, in Addresses and More, ensure that 'Save and fill addresses' is turned on, and enter any addresses you want to autofill. Click Back to return to the Autofill and Passwords screen. 7. Finally, click Password Manager, and then click Settings in the sidebar. Deselect 'Offer to save passwords' to prevent your browser from asking you to save passwords every time you log in to a site using iCloud Passwords. Once you've done all that, you should be in a situation where iCloud Passwords autofills your login credentials, and your browser autofills credit card information and addresses. The browser-level interface looks a little different but works well'you simply click in a credit card or address field and then click the desired set of information from the pop-up. Now that I've written this article, I fully admit that I'm going to disable iCloud Passwords and revert to 1Password because it's easier to use and autofills more information. Plus, my nearly 1000 logins are stored in 1Password'I've been using 1Password's Quick Access pop-up to find and enter credentials in Arc logins so iCloud Passwords could remember them. In the past month, I've migrated 73 logins to iCloud Passwords, and although those take care of most of my day-to-day logins, I never get through a week without having to bring more over from 1Password. But it's clear that with the addition of the iCloud Passwords extension for Chromium browsers and some judicious browser configuration for payment methods and addresses, it's entirely possible to rely on Apple's free password management tools. References Visible links 1. https://tidbits.com/2023/03/03/lastpass-publishes-more-details-about-its-data-breaches/ 2. https://chromewebstore.google.com/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj 3. https://addons.mozilla.org/en-US/firefox/addon/icloud-passwords/ 4. https://github.com/au2001/icloud-passwords-firefox 5. https://www.apple.com/legal/privacy/data/en/passwords/ 6. https://haveibeenpwned.com/ 7. https://watchtower.1password.com/ 8. https://tidbits.com/2021/10/07/add-two-factor-codes-to-password-entries-in-ios-15-ipados-15-and-safari-15/ 9. https://chromewebstore.google.com/detail/icloud-passwords/pejdijmoenmkgeppbflobdenhhabjlaj Hidden links: 10. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-in-System-Settings.png 11. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Security-Recommendations.png 12. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Options.png 13. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Shared-Family-Group.png 14. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-edit-login.png 15. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-extension.png 16. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-enable-autofill.png 17. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-code.png 18. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-autofill.png 19. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-generate-strong.png 20. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Details.png 21. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-autofill-setting.png 22. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Chromium-autofill.png 23. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Chromium-payments.png 24. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Chromium-addresses.png 25. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-Chromium-password.png 26. https://tidbits.com/wp/../uploads/2024/04/iCloud-Passwords-browser-autofill.png .