For iOS 18
Intro
If you’re like most people, you likely have many online accounts with usernames and passwords. In this guide, I will describe how Apple Passwords, the password manager built into iOS, iPadOS, and other Apple platforms, can help you create, use, and manage strong credentials for your online accounts.
While Apple Passwords is also available on macOS, as well as Chromium-based browsers on other operating systems, this guide will focus primarily on how to use it with iOS and iPadOS, in an effort to limit information overload. However, once you become familiar with Apple Passwords on iOS and iPadOS, you’ll likely find that it works similarly on other platforms.
Why use a password manager?
With the proliferation and ubiquity of online accounts accessed with usernames and passwords, you may find the process of coming up with and remembering unique ones for each account fatiguing. In an effort to make passwords easier to create and remember, it may be tempting to base them on common words in the dictionary, musical artists, sports teams, birthdays, pets, and references to other things of significance in your life, and use the same or similar passwords for different accounts.
However, while passwords created with such techniques may be easy to create and remember, they can be easily guessed by password cracking bots that are designed to quickly try numerous common or previously exposed passwords on websites until a desired account is accessed. Furthermore, using the same password across multiple accounts makes you more vulnerable: if the password for one account is compromised, threat actors could then successfully try that password on another account of yours, further exposing your identity.
For this reason, passwords should ideally comprise a string of randomly generated letters, numbers, and symbols. Many humans are not particularly good at creating and remembering such strings, but password managers like Apple Passwords excel at it. When creating a new account or changing the password to an existing one, Apple Passwords should offer to create a strong password that can then be autofilled on all devices signed into your Apple Account.
For apps and websites that support it, you can use a passkey, a token that is stored and synced via iCloud paired with a separate token on the server, in lieu of a password. While this method of authentication is relatively new and supported by a limited number of apps and websites, the requirement of two tokens, one possessed by you and the other possessed by the server you’re logging into, to access the account makes passkeys more difficult to compromise than passwords. More detailed information on how this works in practice is given later in this guide.
Setup
Setting up Apple Passwords to sync your saved credentials via iCloud involves simply going to Settings > [your name] > iCloud > Passwords, and toggling the “Sync this iPhone/iPad” switch on. Make sure all the devices you want to be able to sync credentials are signed into the same Apple Account and have this setting enabled.
In addition, the same infrastructure that facilitates the secure saving and syncing of login credentials can be used by Safari to save and sync credit card information for autofill on your signed in devices. To set this up, go to Settings > Apps > Safari > AutoFill, and make sure the “Credit cards” switch is on.
The Passwords app
Saved accounts can be viewed and managed using the Passwords app. When opening this app, you’ll be prompted to authenticate with Face ID, Touch ID, or your device passcode, after which you can either find an account using the search field near the top of the screen, or select a category like all, Wi-Fi passwords, passkeys, or verification codes. Additionally, if you’ve created or been invited to any shared password groups, they will also appear on this screen.
Note: If you’re using Stolen Device Protection, your device passcode cannot be used to access saved accounts, requiring either Face ID or Touch ID instead.
Once you’ve entered a search term or selected a category, you’ll be presented a list of saved accounts. Either triple-tap (or double-tap and hold) an account to access a context menu, or double-tap to open it. After opening an account, you can double-tap the password field to show the password, or double-tap the Edit button to manually change the saved credentials, add a more descriptive title that the account will be identified by in the list, or add additional notes for that account.
To create a password group, useful for sharing credentials with others and keeping all members up-to-date when those credentials change, double-tap the “New group” button on the main screen of the app, and follow the onscreen instructions to invite others and select accounts to include. In the future, to share an account with a group, locate and triple-tap (or double-tap and hold) the account, select “Move to group” from the context menu, and select the group you want to share it with; note that an account can only be shared with one group at a time.
Creating and using strong passwords
To create a strong password for an app or website, navigate to the page to create or change the password, and double-tap the password field. A “Save and fill” option should appear toward the bottom of the screen in place of the keyboard; double-tap it to accept the password and fill it into the field. It will then be saved once Apple Passwords has sensed that the app or website accepted it as valid, which typically happens when you continue to the next page of the account creation flow.
In the future, whenever you are signing into that app or website, you should be able to double-tap the username or password field, and be given the option to use the saved password. Double-tap the “Fill password” button, and authenticate with either Face ID, Touch ID, or your device passcode when prompted. To fill a different set of credentials than the one that’s being suggested, double-tap the “Other passwords” button, authenticate when prompted, and double-tap the account you want to fill in the list.
To manually generate a strong password in the Passwords app, double-tap the “New password” button and enter a name that the account will be identified by, as well as the account’s username, in the sheet that appears. Double-tap the password field, and a strong password suggestion should appear above the keyboard; double-tap it to accept it, and then double-tap Done to save it and dismiss the sheet.
If no saved password is suggested when double-tapping a password field in an app or website, double-tap the “Passwords” button above the keyboard, authenticate when prompted, then double-tap the account you want to log into. This may happen if you, for example, create an account on a website in Safari on your Mac, and then log into that service’s mobile app on your iPhone or iPad for the first time.
Using verification codes
In addition to usernames and passwords, it is generally advised to use a second factor of authentication, most commonly a code sent via SMS text message that you must enter in order to access the account. However, while SMS-based two-factor authentication is common, it is not ideal, as threat actors have been known to deceive employees of wireless carriers into giving them access to users’ phone numbers, allowing them to receive verification codes or initiate password resets for services that allow users to use SMS to verify their identity. As a more secure alternative, supported apps and websites allow password managers like Apple Passwords to generate rotating one-time codes that can be used in addition to a password to access accounts.
Setting up this method of two-factor authentication involves navigating to the page of the app or website where additional authentication methods can be configured and choosing to use an authenticator app; note that the precise wording of this option varies. Triple-tap (or double-tap and hold) the provided image and choose “Set up verification code” from the context menu. You will then be prompted to select the account from the accounts saved in the Passwords app, and then verify that setup was successful by double-tapping a field provided by the app or website and choosing to insert the test code. If the code is accepted, setup was successful, and your signed in devices should offer to autofill the code in the future whenever it is requested.
Alternatively, this feature can be set up manually by supplying a key obtained from the app or website into the Passwords app. To do this:
- Rather than setting up with the image provided, select the option to set up manually; note that the precise wording of this option varies.
- Copy the key displayed and open the account in the Passwords app.
- Double-tap “Setup verification code,” paste the key into the provided field, and double-tap OK.
- Copy the code generated and paste it into the field provided by the app or website; note that you’ll have thirty seconds to supply this code. If the code is accepted, setup was successful, and your signed in devices should offer to autofill the code in the future whenever it is requested.
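What the key from the manual steps above is used for, shown as an added illustration that is not part of the original guide and is not Apple's code: the standard time-based one-time password scheme (RFC 6238), in which your device and the server derive the same code from the shared key and the current 30-second time step. The six-digit length, the HMAC-SHA1 default, the one-step drift tolerance, and the sample key are assumptions made for this example.

```python
import base64
import hmac
import struct
import time

PERIOD = 30   # seconds each code stays valid (the "thirty seconds" in the guide)
DIGITS = 6    # common code length; an assumption, sites may differ

def decode_key(shown_key: str) -> bytes:
    """Decode the setup key as a site displays it: base32, often lowercase and spaced."""
    cleaned = shown_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore stripped base32 padding
    return base64.b32decode(cleaned)

def totp(shown_key: str, now: float) -> str:
    """Code for the 30-second step containing `now` (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", int(now) // PERIOD)
    digest = hmac.new(decode_key(shown_key), counter, "sha1").digest()
    offset = digest[-1] & 0x0F   # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def seconds_left(now: float) -> int:
    """How long until the current code is replaced by the next one."""
    return PERIOD - int(now) % PERIOD

def server_accepts(shown_key: str, code: str, now: float, drift_steps: int = 1) -> bool:
    """Server-side check: recompute from the shared key, tolerating small clock drift."""
    candidates = (totp(shown_key, now + step * PERIOD)
                  for step in range(-drift_steps, drift_steps + 1))
    # Compare every candidate in constant time; do not stop at the first match.
    return any([hmac.compare_digest(code, c) for c in candidates])

# Constructed sample key: the RFC 6238 test secret, formatted the way sites show keys.
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    now = time.time()
    print("code:", totp(SAMPLE_KEY, now), "valid for", seconds_left(now), "more seconds")
```

Because the code depends only on the key and the clock, anyone who obtains the key can generate valid codes, which is why the key should be treated like a password and never shared.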
If you’re signing into an account from an app or website you haven’t previously used, that account’s verification code may not be automatically suggested when it is required. For this reason, when double-tapping the “Passwords” button and choosing the credentials to fill, you may want to first triple-tap (or double-tap and hold) the account and choose “Copy verification code” from the context menu before double-tapping the account to fill the credentials. Then, if the verification code isn’t automatically suggested, you can simply paste it into the field provided by the app or website, instead of needing to detour to the Passwords app and copy the code from there.
Creating and using passkeys
As mentioned earlier, a passkey is a pairing of two cryptographic tokens, one on your device, known as the private key, and the other on the server you’re logging into, known as the public key, that can be used instead of a password to access an account. On supported apps and websites, you’ll be given the option to set up a passkey, which typically involves double-tapping a button on the app or website to initiate the process, at which point you’ll be prompted to authenticate with Face ID, Touch ID, or your device passcode; note that your device passcode or biometric data is not shared with the server and is only used to verify your identity to your device. Once authenticated, the private key will be saved and synced to your other Apple devices via iCloud.
To sign into an app or website with a passkey, initiate the sign in process and authenticate when prompted. Signing into the app or website on a device that does not have the private key saved typically involves providing your username, scanning a QR code displayed on the device with your iPhone, and then authenticating with Face ID, Touch ID, or your passcode to supply it to the server. As private keys saved in the Passwords app do not sync to non-Apple devices, apps and websites that offer this functionality typically allow you to create separate passkeys for each ecosystem you use the account on.
Conclusion
While the concepts of complex, randomly generated passwords, rotating verification codes, and cryptographic key pairings may at first sound intimidating, you now hopefully have an idea of how these technologies work, as well as how to use them if you wish to increase the security of your online accounts. More information is available in your iPhone or iPad’s respective user guide, Apple Support, and the AppleVis Forum, and if you have any questions or believe any of the information in this guide is inaccurate, sound off in the comments.
Comments
Two Factor Authentication Within and Outside The Orchard
Great article.
My challenge is and always has been working out how to manage accounts that you have signed into either through Apple or on my Windows desktop. I think I now have three potential authentication apps, Microsoft, Google and Apple. So a major clean up is required to reset the 200+ user IDs I currently have! Anyone else have the same problem and what is the general view for how you go about sorting this out?
Mark
Syncing iCloud passwords with PC seems inaccessible
When I try to use iCloud passwords extension with Microsoft Edge for example, it disables Edge's native auto-fill function and doesn't ask whether I want to save passwords to new websites. At least it seems so with NVDA.