iCloud Keychain vs. 1Password


There are several password manager products available for the Mac and iOS. In this post, I’ll focus on iCloud Keychain (free) and 1Password 5 ($49.99 for the Mac app). There are other popular options, such as LastPass and Dashlane, which store your passwords in the cloud. While it’s theoretically safe to store your data encrypted in the cloud, my personal preference is to keep my key stores local. Your risk tolerance may vary, in which case LastPass and Dashlane might be worth trying. I would highly recommend enabling two-factor authentication when using any cloud service containing sensitive data.

iCloud Keychain can work with either cloud or local-only storage. If local-only storage is desired, do not set up a security code when enabling the iCloud Keychain. (Apple gives you this choice when selecting advanced security code options.) Without a security code, iCloud Keychain will sync the passwords stored in your connected devices by pushing the data through Apple’s iCloud infrastructure. However, the passwords will not be stored in Apple’s iCloud data center. If you want your passwords backed up, you can always create a security code after iCloud Keychain is enabled. Some of the details around Apple’s encryption mechanisms for syncing and key escrow can be found in the iOS Security Guide. See pages 38-40.

1Password allows password synchronization with your iOS devices using a local Wi-Fi network. A sync service runs on the Mac, which is protected by a random password. This password needs to be typed into your iOS device when syncing. (You may want to disable this sync service after syncing.) 1Password also allows syncing with Dropbox and iCloud. When syncing with Dropbox, there is an added feature called 1PasswordAnywhere. This allows you to view your passwords on the web, via Dropbox’s web site. iCloud syncing only works if you purchased 1Password via the Mac App Store.

There are differences in the day-to-day usage of iCloud Keychain and 1Password. Some examples:

  • iCloud Keychain only works with Safari. 1Password has extensions for Safari, Firefox, and Chrome on the Mac. 1Password supports Safari and Chrome on iOS.
  • iCloud Keychain doesn’t require typing a separate master password, since it leverages the built-in Mac and iOS authentication frameworks. 1Password requires a master password to be entered in order to unlock the password vault. The frequency of master password prompting depends on some configuration options in the 1Password app. On iOS, Touch ID can be used instead of typing the master password.
  • On OS X: Safari automatically enters your iCloud Keychain-stored username/password when visiting a site. To log into the site, just click the site’s regular login button. 1Password doesn’t automatically fill in the credentials when visiting a site. The site needs to be selected from the browser extension button or the equivalent menu bar icon. This requires a couple of mouse clicks. Alternatively, there is a keyboard shortcut (command-\) that can be used to fill in the credential fields and log in.
  • On iOS: Safari will automatically fill in your stored iCloud Keychain credentials. To enter 1Password credentials, a helper function is accessed via the share icon at the bottom of the screen. At this point, 1Password needs to be unlocked by typing the master password or using Touch ID. Once unlocked, the site credentials can be selected. Alternatively, the 1Password app has a built-in web browser which can be used instead of Safari.

If you are running entirely within the Apple ecosystem and only use Safari, the iCloud Keychain is perfectly viable. It’s free and offers a great user experience. 1Password makes more sense if you use Firefox or Safari, or even Windows. The 1Password vault can be shared with a Windows PC using a folder sync function. It should be noted that both iCloud Keychain/Safari and 1Password offer additional features which aren’t covered in this post. So try both to see which works best for your needs. 1Password offers a free trial.

