Of the many announcements Apple made last week, the news about iCloud Keychain seemed fairly minor. After all, senior vice president of software engineering Craig Federighi spent just 1:20 on it at Apple’s WWDC keynote.
However, iCloud Keychain could end up having a big impact on consumer habits. We all know we should use different, hard-to-crack passwords for the many services we use every day, yet few people do so. A recent study found that almost two-thirds of consumers re-use passwords across multiple sites, making them much more vulnerable to a phishing attack.
Obviously, having many complex passwords creates a new problem: How do you remember them all? Writing them down is a security risk, not to mention ridiculously low-tech (Apple openly mocked it to much laughter in the keynote). You can put them in an online document, but that assumes you’ll always be able to access it and whatever service you’re using is secure, plus it involves a lot of copying and pasting.
Password Managers vs. Synced Passwords
For many, the answer is a password-management service such as 1Password or LastPass. These services can integrate directly with web browsers, automatically logging you in once you’re logged into their service via a master password. And since the passwords are stored in the cloud, they can be accessed on any device.
“Generally we’re positive about [iCloud Keychain],” says Joe Siegrist, CEO of LastPass. “If the world ends up with good password hygiene, I think it’s a win for everyone, however it comes about. We’re glad to see it.”
If you’ve ever used a password manager, you can see how they’re a great solution to the multi-password problem. But you also might ask: Why isn’t password management just a feature of a web browser? Well, it is, but until recently browsers left out a key class of devices: mobile.
A couple of months ago Google brought password syncing to the mobile version of Chrome for Android (but not iOS), and last week Apple said it would be doing the same thing with Safari via iCloud Keychain. Once the feature becomes available in the fall with OS X Mavericks and iOS 7, users will be able to access the same set of passwords via mobile and desktop versions of Safari.
That approach has clear advantages over a password manager, since Apple and Google prevent those services from integrating with mobile browsers. Instead, users must either access the password manager site on the browser, log in with their master password, and then copy and paste every password, or instead download an app — which is essentially the same procedure in a mobile-friendly interface.
“They have one advantage over us, and that’s being able to plug directly into Safari on the mobile browser, which is an anti-competitive annoyance to all other password managers out there,” says Siegrist. “But it is what it is. It’s especially frustrating when you continue to lobby them to fix them, and instead of fixing them they roll out a competitive feature.”
The Platform Question
Nonetheless, Apple re-introducing password syncing (it was actually a feature of the old MobileMe service that was discontinued in 2011) could have a big impact on the hundreds of millions of iOS users, many of whom may not be inclined to use a third-party password manager. In addition, its ability to suggest and save hard-to-crack passwords might finally ensure no one uses “password” or “12345” for any login again.
“I’m glad to see more people are going to be exposed to using different passwords for every site. We want people to use a tool — it doesn’t have to be ours. This is one more sign that the market is being educated,” says Siegrist.
Then there’s the other obvious advantage of iCloud Keychain: It costs nothing. Although both LastPass and 1Password don’t charge for their basic services, their apps aren’t free: 1Password for iOS costs $8.99 and the LastPass app only works with a $1/month subscription.
However, third-party password managers have a trump card: They’re cross-platform, meaning you can access your stored passwords from any device with either a web browser or an app. iCloud Keychain offers lower cost and more convenience (especially on mobile), but any Android or Windows devices you own won’t have access to your passwords.
“We support every possible platform — Windows, Linux, iOS, Android, Symbian, BlackBerry, Windows Phone — we support them all,” Siegrist says. “LastPass also gives you a lot more management capabilities, such as when you want your vault locked up. We also have a lot of enterprise features, such as being able to share passwords.”
What About Apps?
Finally, there’s the question of apps. So far, no platform or service offers any kind of password manager that can log you into apps, as opposed to webpages. While Apple has shown it’s technically possible with its baked-in logins for Facebook and Twitter on the iPhone, this kind of functionality would require integration at the OS level. It may come to iCloud Keychain at some point in the future, but once it arrives users will still be stuck copying and pasting passwords — either from Safari’s password list or a password manager — to log into apps.
Do you think Apple’s done a good job with iCloud Keychain, and do you think you’ll use it instead of a third-party password manager? Let us know your take on the password problem in the comments.