November 12, 2013
Does Apple’s iCloud Keychain Really Improve Security?
Apple has introduced iCloud Keychain feature in iOS 7 and OS X Mavericks to help iPhone, iPad and Mac users better manage their passwords with minimal inconvenience. Apple’s new iCloud Keychain claims that it can sync passwords across devices without storing them in the cloud. With features like random password generator, auto fill and iCloud sync, it helps you to create strong passwords and manage them effectively. There is no doubt that Apple iCloud Keychain does a good job of automatically entering your passwords on Apple’s Safari browser, but it does not work with any third party browsers on OS X or iOS. Same goes for autofill. Once you enter your passwords in iCloud Keychain they are only usable in Safari. You cannot use them with Web.app (the framework that pins websites and web apps to your Home screen), or with embedded web views in other apps. Therefore in order for iCloud to really help more people become more secure it needs to be compatible with other third party browsers and applications.
Let’s take a look at the password generator feature of iCloud Keychain. First of all make sure you are using Safari in order to use this feature. When you create a new Web account or fill in passwords, iCloud Keychain will ask you to save the password or recommend complex passwords if required. iCloud Keychain always generates passwords of 12 letters and numbers and three dashes, whereas most password generators like 1Password will change the default length and composition of the password. Another issue with iCloud Keychain is, if you wish to have a longer password then you have to come up with it yourself. Then what is the purpose of having an automatic password generator?
As I had mentioned earlier, your passwords in iCloud Keychain will be automatically filled on Safari on any Mac or iOS device you use, but the autofill feature is not going to work on any non-Safari browser or application. In order to enter your password into a non-Safari browser, you need to go to iCloud Keychain’s non-Safari functionality that is found in Mac’s Keychain Access Tool. From there you can copy your password and then paste it into non-Safari browser or desktop application. This whole process is very complex and inconvenient to use. On the contrary other password generators available these days have extensions for every major browser. That makes generating passwords and filling them in easy no matter what you’re using.
As per an Apple support document, Apple claims that it can sync passwords across various devices from the company without storing them in the cloud. Some security experts find it hard to believe, because in general password managers sync data across multiple devices by storing password data on Cloud servers. Only devices like Wi-Fi sync allow users to sync data and passwords across multiple devices without storing them in the cloud. This requires a few extra steps however and reduces the simplicity and efficiency of good password manager applications.
Three user options are available to secure iCloud Keychain:
- The keychain app that contains user names and passwords for credit cards, websites and other merchant sites can be secured using a 4 digit passcode similar to ATM pins. This is the default option for all users.
- The second option is to use a longer, more complicated password instead of a 4-digit pass code.
- The third option is for the user to leave iCloud Keychain unsecured, without a PIN or passcode, preventing the device from approving other devices.
Several security experts are conducting tests to explore the new functionality introduced by Apple and determine whether Apple has found a new method of password syncing without cloud services or the company has made an error while documenting for the new application.
Secure your data with SpiderOak
For most users, finding a truly protected third party cloud service can be a challenge as many “secure” services on the market have security gaps that leave data and private company info wide open to third party attacks, leaks, or hacking. One cloud storage and sync service that sets itself apart from the rest of the market is SpiderOak. This service provides businesses with fully private cloud storage and syncing, featuring all of the benefits of the cloud along with 100% data privacy. SpiderOak is available with onsite deployment and private servers or outsourced deployment through a private and secured public cloud server, so that users can tailor the service to fit their needs.
SpiderOak protects sensitive user data with 256-bit AES encryption so that data, files, and passwords stay private. Authorized accounts and network devices can store and sync sensitive data with complete privacy, because this cloud service has absolutely “zero-knowledge” of user passwords or data. And all plaintext encryption keys are exclusively stored on approved devices because SpiderOak never hosts any plaintext data. This way, even if programs like NSA’s PRISM continue to stand unchallenged, developers can rest easy knowing that their data is truly protected. SpiderOak’s cross-platform private cloud services are available for users on Windows, Mac, and Linux platforms, along with Android and iOS mobile devices, allowing for full flexibility and enabling a secure mobile workforce.