I’ve been using iCloud Keychain in conjunction with the latest version of 1Password on Mavericks. It seems like an odd combination. Why trust Apple with my sensitive passwords and credit card information? After the failure of MobileMe and a rocky start to iCloud, isn’t it true that Apple has shown that they’re incapable of making reliable web services? Isn’t using these two solutions kind of redundant? These are all very valid questions. On the syncing and reliability front, I’m not concerned about iCloud Keychain not syncing data between devices properly. iCloud has certainly had its share of issues, but most of those have centred around Core Data syncing, which is a completely different beast and is far more complex to get right — even for Apple.
I still prefer and use 1Password as my primary password management system. There are many reasons for this that go far beyond what iCloud Keychain can offer. Some of those happen to be: cross-platform compatibility, picking password strength, storing encrypted notes and software licences. So even though 1Password proves to be a far more useful and robust application, iCloud Keychain has several important use cases that allow it to be a perfectly acceptable companion to 1Password.
After using Apple’s own solution for the last several weeks, my initial reaction is that they struck a nice balance between ease of use and security. Whether you’re on a Mac or iOS device, you get the same smooth experience when creating new accounts or using login forms. Secure passwords are suggested when you create an account somewhere and immediately autofill for you. You would think iCloud Keychain would be limited to the browser, but it works for WiFi access points as well. By using iCloud to store the same credentials I have in 1Password, that solves one major obstacle on iOS, which is to say that you can’t use third-party extensions on iOS to autofill login credentials in Safari. I’d rather not have to open 1Password to copy a username/password to the clipboard and then switch to the app that I need to enter my credentials. Sure, the AgileBits developers were smart to include an in-app WebKit browser that can autofill login credentials, but it’s not as fast as just using Safari.
When setting up iCloud Keychain, you can choose a simple PIN code to encrypt your data. It’s important to note that Apple has no way of decrypting your data, even though it’s stored on their servers. The PIN code that you’re to configure during setup is essentially your own private key. This private key is what’s used to decrypt your account information, so if you lose that, you’re out of luck. Instead of choosing a simple PIN code, I opted to create my own more complex master password (this is available through the advanced options page). I developed my own password creation recipe that allows me to remember my master password, even though it’s quite complex. This method is what I use to create a secure master password for any service that may require one.
A secure master password created this way is comprised of five different unique sections. The first section would be a five letter word (the first letter being upper case). The second consists of two numeric characters and one special character. The third uses a four letter word (all lower case). The fourth uses three periods. The fifth and final section contains a single uppercase alpha or numeric character that represents the service it pertains to. For example, if I wanted to generate a master password for iCloud Keychain, I would create something like this: Final10!four...I. If I wanted to create a master password for 1Password, I would generate one like this: Final10!four...1 (note the “I” stands for iCloud and the “1” stands for 1Password).
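As an added illustration (not the author's code), the recipe above can be written as a pattern and its guessing space estimated for someone who knows the recipe, next to what a character-class strength meter would report. The two word-list sizes are assumptions chosen for the example, as is the use of the 32 ASCII punctuation marks as the set of special characters.

```python
import math
import re
import string

# Recipe from the post: Word(5, capitalised) + 2 digits + 1 special
# + word(4, lower case) + "..." + 1 upper-case letter or digit for the service.
RECIPE = re.compile(
    r"^(?P<w1>[A-Z][a-z]{4})(?P<num>\d{2})(?P<sp>[%s])"
    r"(?P<w2>[a-z]{4})(?P<dots>\.{3})(?P<svc>[A-Z0-9])$"
    % re.escape(string.punctuation)
)

# Assumed dictionary sizes (not from the post): rough counts of common
# five- and four-letter words that an informed guesser might try.
FIVE_LETTER_WORDS = 5000
FOUR_LETTER_WORDS = 3000


def parse(password):
    """Return the recipe sections as a dict, or None if the shape differs."""
    m = RECIPE.match(password)
    return m.groupdict() if m else None


def recipe_bits(per_service=False):
    """Bits of entropy when the guesser knows the recipe.

    The three periods are fixed and add nothing. The service character
    follows from the service name, so it counts only if per_service=True.
    """
    space = (FIVE_LETTER_WORDS * 10 ** 2 * len(string.punctuation)
             * FOUR_LETTER_WORDS)
    if per_service:
        space *= 36  # 26 upper-case letters + 10 digits
    return math.log2(space)


def naive_bits(password):
    """Bits a character-class meter would report (94 printable ASCII)."""
    return len(password) * math.log2(94)


def shared_sections(a, b):
    """Names of the recipe sections that two passwords have in common."""
    pa, pb = parse(a), parse(b)
    if pa is None or pb is None:
        return []
    return [name for name in pa if pa[name] == pb[name]]


if __name__ == "__main__":
    icloud, onepw = "Final10!four...I", "Final10!four...1"  # from the post
    print("sections:", parse(icloud))
    print("recipe-aware bits: %.1f" % recipe_bits())
    print("naive meter bits:  %.1f" % naive_bits(icloud))
    print("shared across services:", shared_sections(icloud, onepw))
```

With these assumed word-list sizes the recipe-aware estimate is far below the naive one, and the two example passwords share every section except the service character.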
I tend to live mostly in Apple’s ecosystem, what with my Mac and iOS devices being the primary preferred hardware and software I enjoy using on a day-to-day basis. I have been using Android more and more though, so being able to jump back and forth and have a good cross-platform password management system is essential. The unfortunate news about 1Password on Android is that although the app exists, it has languished and has not been updated since January 2012. I’ve spoken to AgileBits and they have a new version in the works that promises to be far superior. For now, I’m stuck using their incomplete and buggy Android app. At least I can retrieve my logins since it syncs my database with Dropbox.