Generate Secure Passwords in Safari with iCloud Keychain for Mac OS X
iCloud Keychain is a password management feature that arrived on the Mac with Mac OS X Mavericks and in the mobile Apple world with iOS 7, and it remains available in all modern system software releases. Basically, it stores encrypted passwords within iCloud, which can then be accessed securely through your Mac or iOS device, allowing you to never have to enter a password again. That’s convenient enough, but another great feature is iCloud Keychain’s ability to randomly generate secure passwords directly in Safari. These are stored in the keychain service as part of the AutoFill service and are then accessible from any of your other Macs or iOS devices.
Many users don’t have this feature turned on by default though, so let’s cover enabling iCloud Keychain, and then using the function to generate a secure password directly in Safari during the familiar ‘new account’ signup process that is ubiquitous throughout the web.
The setup for this is a two-part process: enabling iCloud Keychain support in Mac OS, then using it to generate secure passwords in Safari.
Enable iCloud Keychain Support for Mac OS X
First you’ll want to enable iCloud Keychain, or at least confirm that you have it enabled. This is simple:
- Head to the Apple menu and open System Preferences
- Open the “iCloud” preference panel – if you somehow do not yet have an iCloud account you will need one to access any iCloud features
- Scroll through the list and locate “Keychain” and be sure the box next to it is checked, then exit out of System Preferences
Note that if you haven’t used iCloud Keychain before, you will be asked to set up an iCloud Security Code, which is used to authorize other devices to use the iCloud Keychain and to verify your identity. Do not forget that security code; it’s important.
How to Generate a Secure Password in Safari & Store in iCloud Keychain
Now that iCloud Keychain support is on, we can use it to generate and, more importantly, store secure passwords. Followers of OSXDaily probably already know that Keychain can generate strong passwords on the Mac; the difference here is that they are stored in the cloud, which provides for easy access. If you had Safari open when you enabled iCloud Keychain, quit and relaunch the app before beginning:
- Open Safari and go to any website signup page; we’ll use Facebook as an example, but anything with a “New Password” field works
- Create the account as usual, and when you click or tab into the “New Password” field, note the pop-up that surfaces saying “Use Safari suggested password:” – this is the randomly generated password
- Select that password to use it, which then gets encrypted and stored in iCloud, and complete the web signup process as usual
This is easy, and that secure password is now available through AutoFill on all devices that also use iCloud Keychain, regardless of whether they run Mac OS X or iOS. The only requirement is that the feature is also enabled on that device, and that the same iCloud account is used.
Remember, setting up new devices with iCloud Keychain will require entering the iCloud Security Code as an additional security precaution.
You’ll notice the password suggested is usually a string of gibberish with special characters, which is exactly what you want if you’re looking for a secure password. These passwords are not meant to be easy to remember or easy to read, because with iCloud Keychain the user is not meant to ever know the password, since it’s accessible via iCloud as needed. This is in contrast to asking Siri to generate a random password, which is secure, but which you’d obviously have to either try to remember yourself or write down.
How Secure are Passwords Stored in iCloud Keychain?
With any online service it’s natural to wonder about security these days, and thankfully Apple is very open about what encryption strength it uses to secure saved password data stored in iCloud Keychain:
[iCloud Keychain] uses 256-bit AES encryption to store and transmit passwords and credit card information. Also uses elliptic curve asymmetric cryptography and key wrapping.
In short, that’s very secure. You can read more on Apple’s iCloud security page. For some additional background, AES is the standard used by the US Government, and AES 256 is used by the NSA, supposedly to protect against (currently theoretical) quantum computing. Those interested in the details can read more on Wikipedia and on the NSA’s cryptography page.
Overall I’m personally very comfortable with iCloud Keychain, particularly for the infinite amount of fairly mundane logins out there for seemingly every website in the world. If you’re only half-convinced, perhaps consider using iCloud Keychain in limited situations, for sites that you don’t really care much about anyway.
And if you’re a security buff, don’t miss our ongoing security series for iOS and MacOS X, with tips ranging from simple to complex.
Same question as Martin. I’ve accepted Safari’s suggested password for Facebook. How do I connect to Facebook on Windows and Firefox?
What happens down the line if you move back to Windows?
Or you want to log into an account on a Windows machine?
I have my iCloud and keychain all set up on my laptop and iPhone. Passwords that I create are saved in iCloud and shared…which is so great. However, the passwords that were created with the “Safari suggested password” feature while using my laptop are not being shared across all my devices. Within my iPhone, I’ve gone to the password list under Safari and only see passwords I created myself. On my laptop, when I go to the list of saved passwords, I can see all passwords…mine and Safari suggested.
Any tips on how to fix this?
Unfortunately I was changing my password on my computer and clicked on these to see what they were, and I believe that my computer set the password to this suggested one, but I don’t know what it was. Please help!!
You can uncover forgotten passwords on the Mac using these instructions, they’re for finding a wireless password but they work with any password that has been saved on the Mac:
You’d want to find the password you set it to, then reset it to a password you can remember easier.
For a website, you can also just reset the password through the service (like Facebook or whatever)
Does Keychain work only with Safari? Will it work with Firefox?
Like Heck I trust Safari with my passwords! Apple has NOT been good in remembering a lot of stuff for me, that they supposedly are supposed to remember. And what if I’m using a Windows computer to make a purchase?
Nope, I’ll never use this “feature” because it reeks of insecurity to me.
Anyone know how to control the format of Safari’s autosuggested passwords? They are nearly all of the time xxx-xxx-xxx-xxx, and very occasionally xxxxxxxxxxx (letters and numbers).
A laborious workaround is to go into the Keychain and specifically generate a password that meets a few formats, copy it and paste it into the website login and have Safari remember it, but that’s not very automated.
I notice this too. But I think the hyphens are just to make it easier to read. The actual password is 12 characters long which is good, but not great.
Is it possible to use these “generated passwords” in iOS apps?
I mean, if I use iCloud Keychain to generate a password for Facebook, can I use this password in the Facebook App? Or would I have to remember the password?
Did you ever get a response to your question? Did you ever figure out how to have a Safari or iCloud generated password auto fill for a third party app?
I believe this can be very helpful for most people. But I have one question in mind: can I maintain a local backup of the iCloud Keychain? Especially when a unique password is being created for each website and the passwords are becoming hard to memorize, I think it’s better to keep passwords stored in more than one place just in case they become unavailable.
Don’t trust what NSA says about strong encryption: http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security
If it’s online, better assume it can be decrypted. So don’t store anything confidential online, or use open source software (like TrueCrypt http://www.truecrypt.org ) to store your confidential files in an encrypted container, and hope nothing else leaks when you access what you want to protect.
It’s certainly less user-friendly than iCloud keychains. Using one or the other depends on how much you value the information you want to protect.
How Secure are these Passwords?
Not enough actually! They are 72bit passwords only:
12 characters * 6 bit each = 72 bit total.
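The entropy arithmetic discussed in the comments above, worked through as an added example (not part of the original article or any comment, and not Safari's own algorithm). It assumes the xxx-xxx-xxx-xxx shape and the "letters and numbers" character set that commenters describe; the function names are hypothetical.

```python
import math
import secrets
import string

# Assumption: letters and digits only, as one commenter describes.
# Safari's real character set and algorithm are not given on the page.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def generate_grouped(groups=4, group_len=3, alphabet=ALPHABET, sep="-"):
    """Random password shaped like xxx-xxx-xxx-xxx, drawn from the OS CSPRNG."""
    return sep.join(
        "".join(secrets.choice(alphabet) for _ in range(group_len))
        for _ in range(groups)
    )


def entropy_bits(password, alphabet=ALPHABET, sep="-"):
    """Entropy in bits, assuming uniform independent characters.

    Separators sit at fixed positions, so they add length but no entropy.
    """
    random_chars = len(password.replace(sep, ""))
    return random_chars * math.log2(len(alphabet))


def chars_needed(target_bits, alphabet_size):
    """Smallest number of random characters reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    pw = generate_grouped()
    print(pw, "->", len(pw), "characters on screen, 12 of them random")
    print(f"{entropy_bits(pw):.2f} bits with a 62-symbol alphabet")
    print(f"{12 * math.log2(64):.2f} bits if every character carried a full 6 bits")
    print(chars_needed(128, len(ALPHABET)), "random characters for 128 bits")
```

With 62 symbols each character carries slightly under 6 bits, so 12 random characters give about 71.45 bits; the 72-bit figure holds only for a 64-symbol alphabet.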
I’m curious. I’d like to use something like this or 1Password, but what if I’m away from my iDevice or iMac and need to log into my bank account while at a work computer or friend’s house? How would I call up the super-strong password? Thx.
“How would I call up the super-strong password?”
You would not.