The Mac Security Blog

How To

Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works

Posted on by

You use passwords to log into websites and services, and since there are so many of them, it’s hard to remember them. It’s a bad idea to use the same password for multiple websites, because if one site is compromised, hackers will have an email address and password that they can try on other sites. Because of this, you need to ensure that your passwords are different for every website and app, and that they are hard to crack. (An episode of the Intego Mac Podcast talks about password strategies.)

Your Macs and iOS devices have a "keychain," which is an encrypted file that stores your logins, passwords, and some other information. This file syncs via iCloud, so you can use the same passwords on all your devices.

Here’s how Apple’s iCloud keychain works.

Apple’s iCloud Keychain

Apple added the iCloud Keychain to enable you to sync all your passwords, via iCloud, to all your devices. You activate this in the iCloud settings on your Mac or iOS device. These passwords are synced to the cloud — they are encrypted, so this is secure — so when you log into a new website on your iPhone, for example, you’ll be able to automatically use that login and password on your Mac. When you sync the iCloud Keychain, you can access your website passwords in Safari and in System Preferences, as mentioned above.

It’s easy to use the iCloud keychain. When you visit a website and encounter a login form, Safari on the Mac or on iOS, and some apps, will pre-fill the form if it has a password stored for that site or service. In some cases, you may have multiple login/password combinations for a site, and you’ll see options for what’s available. And if none of these options are correct, which may happen if a website has changed its domain, for example, click or tap Other Usernames to search all the saved passwords.

How to access passwords on a Mac

While Macs, iPhones, and iPads will autofill passwords that are stored in iCloud Keychain, you may need to access these passwords to view them or edit them.

There are three ways you can access passwords on your Mac.

  • Open the Settings app and click Passwords.
  • View passwords in Safari.
  • Launch the Keychain Access app.

Each of these methods gives you slightly different access to your passwords.

Access passwords in the macOS Settings app

The main way to access passwords is to go to Settings > Passwords. You’ll have to authenticate to access passwords, either by entering your user account password, or by using Touch ID, if you have a Mac that supports this feature.

After you’ve authenticated, you’ll see a list of passwords, with two useful features at the top. The first is Security Recommendations, which can help you ensure that your passwords are robust. If you click this, a toggle lets iCloud Keychain detect leaked passwords. It can tell you if any of your email and password combinations have been found in data leaks. This is a serious problem, as billions of credentials have leaked in recent years. iCloud Keychain will tell you which passwords may be compromised, and prompt you to change them.

You’ll be alerted if you’re using passwords that are too common, or too simple. iCloud Keychain will tell you that "Many people use this password, which makes it easy to guess." This is the case for passwords such as 123456, qwerty, password, etc. I have noticed that many public wi-fi passwords show up in this list, those used in hotels, coffee shops, and other locations, which are often simple so patrons can easily connect to wi-fi networks. Don’t worry about these.

It will also alert you to reused passwords, and it’s important to not use the same password on multiple websites. However, you may see some credentials that are supposedly reused, but are actually just used on multiple subdomains of the same website, such as example.com, login.example.com, mail.example.com, etc. Don’t worry about these.

You may have a lot of passwords in this Security Recommendations list, and, while it can take a long time to correct them, it’s worth doing. Click one of the passwords, then click Change Password on Website. Sometimes this will take you to a password reset page, but in most cases, you’ll need to log into your account, then find where to change the password.

You’ll also see Password Options. Click this to see what iCloud Keychain can do.

  • Auto-fill Passwords and Passkeys: iCloud Keychain will offer to automatically fill login and password fields, for passwords that are already stored in it. For new logins, it will suggest you use a strong password, and will save your credentials when you log into a new website.
  • Use Passwords and Passkeys from iCloud Keychain: this seems redundant, because only iCloud Keychain is available as an option, for now. Turn this on to allow your device to use passwords and passkeys from iCloud Keychain.
  • Verification Codes: Clean Up Automatically: Enable this so your device will automatically delete any two-factor authentication codes that you receive via SMS after you have used them.

Access Passwords in Safari

Safari also allows you to access passwords in its Preferences. A Passwords tab lets you view and edit passwords for websites you can access in the browser. As in the Settings app, you need to authenticate to view these passwords.

You can view and edit these passwords, and Safari can flag compromised passwords – user name and password combinations that have been found in data breaches – and alert you to reused passwords, just as the Settings app does. You can also enter codes to set up two-factor authentication, and when you sign into a website that requires 2FA, Safari can automatically fill the code (see below to find out how to set up 2FA for your logins).

Safari also stores credit card numbers, and can auto-fill them on websites when you make purchases. You can manage these in Settings > AutoFill.

Use the Keychain Access app

The Keychain Access app has been around on the Mac since the launch of Mac OS X. It provides access to your encrypted passwords, as well as other items such as certificates that ensure the security of websites and services. It stores passwords not just for the Safari web browser, but also for applications that store passwords to access websites or services. When you sign into apps like Twitter, Slack, or Skype, the passwords you use are stored in your keychain, and you can view and edit them in Keychain Access.

Since Apple added the Passwords pane to the Settings app, you generally don’t need to use Keychain Access, though you may need to check this occasionally. You can even store secure notes here, which are encrypted, and which you cannot access from the Settings app.

The Keychain Access app is located in the Utilities folder in your Applications folder. If you launch it, you’ll see a number of items in the sidebar: different keychains, such as Login, and, if you have the iCloud Keychain active, you’ll see an entry for that. You’ll also see System, which contains some passwords used by the operating system, such as for Wi-Fi networks, and System Roots, which are important certificates that macOS uses.

If you click on one of these, such as the login keychain, you’ll see a number of tabs at the top of the window: All Items, Passwords, Secure Notes, My Certificates, Keys, and Certificates.

  • Passwords include login/password combinations for websites and some apps, Wi-Fi passwords, as well as credit cards stored by Safari.
  • Secure Notes are encrypted files you can create within your keychain with sensitive data. This is a great place to store things like credit card numbers, bank account information, and more. However, you can only access them on your Mac; they don’t sync to iOS devices.
  • Certificates and Keys are data used to ensure encrypted communication with websites and services. You will probably never need to look at these.

Note that while your login keychain is the default, it is unlocked as soon as you log into your Mac. You can increase security by creating a non-login keychain — all this requires is an additional password when you start up or log into your Mac.

Accessing Passwords on iOS

You access passwords on iOS in the Settings app. Go to Settings > Passwords, and you’ll see a long list of websites; this is very similar to what you see in the Settings app on macOS. Tap one of them to see its user name and password. If you tap either a user name or password, you’ll see a pop-up menu allowing you to copy that item, or to AirDrop it to someone else. If you tap the share button at the top of the screen, you can AirDrop both the user name and password to a friend or family member. This is useful if you’ve changed your Netflix password, for example, or for websites where you share login credentials. (You can also share passwords from the Settings app on macOS, or from Safari.)

The Passwords settings on iOS also includes Security Recommendations. Tap it to see a list of logins you should change; tap Change Password on Website to go to the website in question to update the password.

Accessing Passwords on Windows

You might be surprised to know that Apple also makes it possible to access your iCloud Keychain on Windows. To do so, simply install iCloud for Windows, which you can download from the Microsoft Store. Apple also offers Chrome and Edge browser extensions specifically for Windows users.

Setting Up Two-Factor Authentication on Mac or iOS

Two-factor authentication or 2FA is a way to protect your accounts; in addition to having to enter your user name and password, you have to also enter a one-time code, which is generally valid for a short period of time, to access a website or service. You should use two-factor authentication whenever possible.

Related:

Two-Factor Authentication: How It Works and Why You Should Use It

Many services provide 2FA codes, also known as one-time passwords or OTP, via text message, and sometimes by email, but these methods of transmitting codes isn’t secure. Also, there may be times when you cannot access text messages or emails. The safest way to work with 2FA is to use your device to generate codes.

To set up 2FA for a login, find the website or service in your passwords; this works in all the password interfaces shown above for your iCloud Keychain, with the exception of the Keychain Access app. Go to the website and find how to turn on two-factor authentication; this is usually in the site’s Security or Password settings.

You’ll generally get one or two options; an alphanumeric code and/or a QR code. If you’re on an iOS device, you have the option to scan a QR code, which you could do if you obtain the code on a computer which is in front of you. Otherwise, the easiest way is to just copy the setup key from the website then paste it into the dialog.

On macOS, click the i icon to the right of a password. Scroll down, then click Set Up. You’ll see a dialog like this:

On iOS or iPadOS, tap a password, then tap Set Up Verification Code. In the dialog that displays, tap either Enter Setup Key or Scan QR Code.

In the future, where you visit that website, your iCloud Keychain will enter your user name and password, then, when a code is requested, it will auto-fill that field with a code generated on the fly.

What else should I know about iCloud Keychain?

iCloud Keychain is a great tool that saves time and helps keep you secure. Since you don’t need to remember your passwords, you can make them even more secure, so be sure to use Apple’s iCloud Keychain to stay safe.

One final note: If you use Android, Chrome OS, or Linux devices, iCloud Keychain may not necessarily be the best option for you. While you can use the Chrome or Edge browser extensions mentioned above, if you don’t use those browsers, then you cannot access your passwords. Apple does not offer web access to passwords via iCloud.com. If you’re looking for a password manager that has better cross-platform support or has a more comprehensive feature set, see our related article detailing a few prominent password managers:

4 Best Password Managers in 2023: How to choose the right one for you

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

We discussed the iCloud keychain and more in episode 22 of the Intego Mac Podcast.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Kirk McElhearn

Kirk McElhearn writes about Apple products and more on his blog Kirkville. He is co-host of the Intego Mac Podcast, as well as several other podcasts, and is a regular contributor to The Mac Security Blog, TidBITS, and several other websites and publications. Kirk has written more than two dozen books, including Take Control books about Apple's media apps, Scrivener, and LaunchBar. Follow him on Twitter at @mcelhearn. View all posts by Kirk McElhearn →