For macOS Sequoia
Intro
If you’re like most people, you likely have many online accounts with usernames and passwords. In this guide, I will describe how Apple Passwords, the password manager built into macOS and other Apple platforms, can help you create, use, and manage strong credentials for your online accounts.
While Apple Passwords is also available on iOS and iPadOS, as well as Chromium-based browsers, this guide will focus primarily on how to use it with Safari on macOS, in an effort to limit information overload. However, once you become familiar with Apple Passwords on macOS, you’ll likely find that it works similarly on other platforms.
Why use a password manager?
With the proliferation and ubiquity of online accounts accessed with usernames and passwords, you may find the process of coming up with and remembering unique ones for each account fatiguing. In an effort to make passwords easier to create and remember, it may be tempting to base them on common words in the dictionary, musical artists, sports teams, birthdays, pets, and references to other things of significance in your life, and use the same or similar passwords for different accounts.
However, while passwords created with such techniques may be easy to create and remember, they can be easily guessed by password cracking bots that are designed to quickly try numerous common or previously exposed passwords on websites until a desired account is accessed. Furthermore, using the same password across multiple accounts makes you additionally vulnerable, as if the password for one account is compromised, threat actors could then successfully try that password for another account of yours, further exposing your identity.
For this reason, passwords should ideally comprise a string of randomly generated letters, numbers, and symbols, something many humans are not particularly good at creating and remembering, but which password managers like Apple Passwords excel at. When creating a new account or changing the password to an existing one in Safari, Apple Passwords should offer to create a strong password that can then be autofilled on your Mac, as well as other devices signed into your Apple Account.
For apps and websites that support it, you can use a passkey, a token that is stored and synced via iCloud and paired with a separate token on the server, in lieu of a password. While this method of authentication is relatively new and supported by a limited number of apps and websites, the requirement of two tokens, one possessed by you and the other possessed by the server you’re logging into, to access the account makes passkeys more difficult to compromise than passwords. More detailed information on how this works in practice is given later in this guide.
Setup
Setting up Apple Passwords to sync your saved credentials via iCloud involves simply going to System Settings > [your name] > iCloud > Passwords, and toggling the “Sync this Mac” switch on. Make sure all the devices you want to be able to store, use, and sync credentials are signed into the same Apple Account and have this setting enabled. In Safari, you may also wish to make sure autofilling of usernames and passwords is enabled by choosing Safari > Settings (or pressing Command-Comma), clicking the Autofill button in the toolbar, and making sure the “Usernames and passwords” checkbox is selected.
In addition, the same infrastructure that facilitates the secure saving and syncing of login credentials can be used by Safari to save and sync credit card information for autofill on your signed-in devices. To set this up, make sure the “Credit cards” checkbox in the Autofill pane of Safari Settings is selected.
If you want to use Apple Passwords with a Chromium-based browser, like Google Chrome or Microsoft Edge, install the iCloud Passwords browser extension from the Chrome Web Store. While I am aware of the existence of this extension, I do not have sufficient experience with it to comment on its usability, quality, or accessibility.
The Passwords app
Saved accounts can be viewed and managed using the Passwords app. When opening this app, you’ll be prompted to authenticate with Touch ID or your login password, after which you can either find an account using the search field, or select a category like all, Wi-Fi passwords, passkeys, or verification codes from the View menu or sidebar table. Additionally, if you’ve created or been invited to any shared password groups, they will also appear in these locations.
Note: To navigate categories in the sidebar table, you must first interact with the filters grid at the top of this table, and then click a category to select it. Shared groups, however, are located below the grid and can be navigated and selected with the up and down arrow keys with no need to interact first.
Saved accounts are listed in the table to the right of the sidebar, which you can navigate with the up and down arrow keys or first-letter navigation. Once focused on an account, information saved for it will be displayed in a scroll area to the right of this table, which you can jump to by pressing VO-J. Alternatively, when focused on an account, you can press Return to view the information in a new window. When in either the scroll area or a separate window, click the password to show it, or choose Edit > Edit current item (or press Command-Shift-E) to manually change the information saved for that account, add a more descriptive title that the account will be identified by, or add additional notes for that account.
To create a password group, useful for sharing credentials with others and keeping all members up-to-date when those credentials change, choose File > New shared group, and follow the onscreen instructions to invite others and select accounts to include. In the future, to share an account with a group, focus on the account in the table and select the group you want to share it with from either the “Group” popup menu in the scroll area, or the “move to group” submenu in the context menu (accessed by pressing VO-Shift-M); note that an account can only be shared with one group at a time.
Creating and using strong passwords
To create a strong password for a website in Safari, navigate to the page on that website to create or change the password, focus on the password field, press the Down-Arrow key to select the “Use strong password” option, and press Return to fill it into the field. The password will then be saved once Safari has sensed that the website accepted it as valid, which typically happens when you continue to the next page of the account creation flow.
In the future, whenever you are signing into that website, you should be able to focus on the username or password field, and rest your finger on the Touch ID sensor to autofill the credentials. To fill a different set of credentials than the one that’s being suggested for that website, focus on the username or password field, press the Down-Arrow key to select the “Other passwords” option, and press Return. After authenticating with either Touch ID or your login password, focus on the account you want to fill in the list, and press Return to fill the credentials.
To manually generate a strong password in the Passwords app, choose File > New password (or press Command-N), then enter a name that the account will be identified by, as well as the account’s username, in the dialog that appears. Focus on the Password field, press the Down-Arrow key to select the strong password suggestion, press Return to fill it into the field, and click Save to save it and dismiss the dialog.
To fill an existing password when not in Safari, focus on the password field, choose Edit > Autofill > Password, and authenticate with either Touch ID or your login password. In the resulting dialog, click the account you want to log into, interact with the list that appears, and click either the username or password to fill the information and dismiss the dialog.
Using verification codes
In addition to usernames and passwords, it is generally advised to use a second factor of authentication, most commonly a code sent via SMS text message that you must enter in order to access the account. However, while SMS-based two-factor authentication is common, it is not ideal, as threat actors have been known to deceive employees of wireless carriers into giving them access to users’ phone numbers, allowing them to receive verification codes or initiate password resets for services that allow users to use SMS to verify their identity. As a more secure alternative, supported apps and websites allow password managers like Apple Passwords to generate rotating one-time codes that can be used in addition to a password to access accounts.
Setting up this method of two-factor authentication involves navigating to the page of the website where additional authentication methods can be configured and choosing to use an authenticator app; note that the precise wording of this option varies. Focus on the provided image and choose “Set up verification code” from the context menu (accessed by pressing VO-Shift-M). You will then be prompted to select the account from the accounts saved in the Passwords app, and then verify that setup was successful by focusing on a field provided by the website and resting your finger on the Touch ID sensor to fill in the test code. If the code is accepted, setup was successful, and your signed-in devices should offer to autofill the code in the future whenever it is requested.
Alternatively, this feature can be set up manually by supplying a key obtained from the website into Apple Passwords. To do this:
- Rather than setting up with the image provided on the website, select the option to set up manually; the precise wording of this option varies.
- Copy the key displayed and open the account in the Passwords app.
- Click “Set up verification code,” paste the key from the website into the provided field, and click “use setup key.”
- Copy the code generated and paste it into the field provided by the website; note that you’ll have thirty seconds to supply this code. If the code is accepted, setup was successful, and your signed-in devices should offer to autofill the code in the future whenever it is requested.
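To show what happens behind the thirty-second window mentioned above, here is an added example (not code from this guide or from Apple) that derives the rotating code from a setup key the way an authenticator does. It assumes the defaults most sites use (HMAC-SHA1, six digits, a 30-second step, as in RFC 6238) and uses a constructed sample key rather than a real account's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpCode derives the six-digit code for one 30-second window from a base32
// setup key (RFC 6238 with HMAC-SHA1, the defaults most sites use).
func totpCode(setupKey string, unixTime int64) (string, error) {
	// Sites often show the key in spaced, lowercase groups; normalise it first.
	clean := strings.TrimRight(strings.ToUpper(strings.ReplaceAll(setupKey, " ", "")), "=")
	secret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
	if err != nil {
		return "", fmt.Errorf("invalid setup key: %w", err)
	}
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30)) // window counter
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: take 4 bytes at the offset given by the last nibble.
	offset := int(sum[len(sum)-1] & 0x0f)
	value := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", value%1000000), nil
}

// secondsRemaining is how long the current code is still accepted.
func secondsRemaining(unixTime int64) int64 {
	return 30 - unixTime%30
}

func main() {
	// Constructed sample key (base32 of "12345678901234567890"), not a real account's key.
	const key = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"
	now := time.Now().Unix()
	code, err := totpCode(key, now)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Printf("code %s, valid for %d more seconds\n", code, secondsRemaining(now))
}
```

Because the code depends only on the shared key and the current time, a device that has the key and an accurate clock produces the same code the website expects, without any message being sent over SMS.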
Creating and using passkeys
As mentioned earlier, a passkey is a pairing of two cryptographic tokens, one on your device, known as the private key, and the other on the server you’re logging into, known as the public key, that can be used instead of a password to access an account. On supported apps and websites, you’ll be given the option to set up a passkey, which typically involves clicking a button on the app or website to initiate the process, at which point you’ll be prompted to authenticate with Touch ID or your login password; note that your login password or fingerprint is not shared with the server and is only used to verify your identity to your Mac. Once authenticated, the private key will be saved and synced to your other Apple devices via iCloud.
To sign into an app or website with a passkey, initiate the sign-in process and authenticate with Touch ID or your login password when prompted. Signing into the app or website on a device that does not have the private key saved typically involves providing your username, scanning a QR code displayed on the device with your iPhone, and then authenticating with Face ID, Touch ID, or your passcode to supply it to the server. As private keys saved in the Passwords app do not sync to non-Apple devices, apps and websites that offer this functionality typically allow you to create separate passkeys for each ecosystem you use the account on.
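As an added illustration, not part of the original guide or of Apple's implementation, the following simplified model shows the two-token exchange described above: the server keeps only the public key and issues a fresh challenge for each sign-in, and the device signs that challenge with the private key, which never leaves it. The origin binding is a simplified stand-in for WebAuthn's client data, and the site names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// register models passkey creation: after local Touch ID the device makes the
// key pair, keeps the private key, and sends only the public key to the server.
func register() (*ecdsa.PrivateKey, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return priv, &priv.PublicKey, nil
}

// newChallenge is the server's fresh random value for one sign-in attempt.
func newChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedDigest binds the challenge to the site origin (simplified client data).
func signedDigest(origin string, challenge []byte) []byte {
	sum := sha256.Sum256(append([]byte(origin+"\n"), challenge...))
	return sum[:]
}

// signChallenge runs on the device; the private key is never transmitted.
func signChallenge(priv *ecdsa.PrivateKey, origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(origin, challenge))
}

// verifyAssertion runs on the server using only the stored public key.
func verifyAssertion(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedDigest(origin, challenge), sig)
}

func main() {
	priv, pub, _ := register()
	ch, _ := newChallenge()
	sig, _ := signChallenge(priv, "https://example.com", ch)
	fmt.Println("genuine site:", verifyAssertion(pub, "https://example.com", ch, sig))
	fmt.Println("lookalike site:", verifyAssertion(pub, "https://examp1e.com", ch, sig))
}
```

A signature is only valid for the origin and challenge it was made for, so a stolen public key, a replayed signature, or a lookalike site gets nothing usable, which is why the guide describes passkeys as harder to compromise than passwords.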
Conclusion
While the concepts of complex, randomly generated passwords, rotating verification codes, and cryptographic key pairings may at first sound intimidating, you now hopefully have an idea of how these technologies work, as well as how to use them if you wish to increase the security of your online accounts. More information is available in your Mac’s built-in help, Apple Support, and the AppleVis Forum, and if you have any questions or believe any of the information in this guide is inaccurate, sound off in the comments.
Comments
Wonderfully written
Hi Tyler, the article is wonderfully written. Thank you so much for such an informative post.
Now Using Strongbox
It integrates with Safari using the same autofill behaviour as in Keychain using Apple's provided API, so the experience is, like Keychain, very luscious.
As far as I can tell, the process of scanning a QR code for performing cross-device passkey authentication isn't accessible. There's no way to get a key for manual entry on your phone. This strikes me as a shocking injustice; it effectively locks us into our respective platforms.
For me, the accounts I use…
For me, the accounts I use passkeys with, like Google, still allow me to use my password to login instead. This way, if I wanted, for example, to log into my Google account on Windows, I could authenticate with my email address and password, then create a separate passkey for that platform.
I think in the future, the goal of the WebAuthn standard is to replace passwords entirely, and when that becomes more widespread, I definitely think an alternative to a QR code should be developed. I'm not a security expert, but I envision this possibly as a link sent to a user's email address that they can open on a computer or mobile device with the private key stored, in order to authenticate a nearby device.