Tel: +44 (0) 330 380 1094

Apple's iCloud Keychain - Should You Use It?

September 19, 2013 Chris Fairey

Apple announced an interesting feature they are adding to the latest version of OS X and iOS at their World Wide Developer Conference this year: iCloud Keychain. Now that iOS 7 is out, I thought I would give you my opinion as to why you should probably not use it.

Edit (19/09/2013 13:01): iCloud Keychain is currently not present in iOS 7 - with the iOS 7 homepage simply stating 'Coming Soon' next to the feature details.

Secure Passwords, Made Easy

The basic idea is that it provides an easy-to-use secure password storage and creation tool that is integrated into your Apple devices, so you don't need any extra software to enable you to create and manage secure passwords.

I like this idea, but the part that has me worried is the synchronisation aspect that ensures your passwords (and credit/debit card details) are available on all your devices - if it's supposed to be secure, and the data is encrypted, Apple must be storing the encryption key to enable them to sync it to multiple devices without user input.

Who Has Access to My Passwords?

If Apple is storing the encryption key used to encrypt your iCloud Keychain database, this raises the obvious question (in the light of recent revelations about the activities of certain US government agencies) of 'who can access my passwords?' - obviously, you would like to think that only you can, but that may not be the case.

Under various anti-terrorism laws present in many countries around the world, service providers - like Apple - have a legal requirement to hand over any data they hold that may relate to either an actual - or potential - act of terrorism. This, as of the introduction of iCloud Keychain, would include your passwords.

Once a government agency has access to your passwords, they can of course use them to log into any service for which they have the password (your e-mail, Amazon account, online banking, e-bay, etc.).

Not The First - Or Probably The Last

Apple is certainly not the first company to face the issue of just how secure the data you entrust to them is. Dropbox has had many instances where members of staff making system changes have caused major failures in the security systems that protect the contents of your Dropbox folders - enabling anyone to access your files.

Dropbox claims that your data is securely stored, and that only you (and the people you share it with) can access it, but what they don't tell anyone is what they do if they receive a request from a government agency - I suspect that they will hand over any files they deem to be of interest.

Convenience > Security

Many of you reading this will be thinking "so what if Apple stores the encryption key that secures my passwords? I want them on all my Apple devices without hassle".

This is the inherent problem, and the reason why many people wonder why their accounts are hacked - the convenience of remembering a password, trumps the fact that you know it should be difficult to remember to make it secure.

Apple is hoping that iCloud Keychain solves this problem, but the convenience of having your passwords synchronised across devices means they are probably not as secure as you would think - but what's the alternative?

Alternative Password Management Solutions

I wrote a post on Password Managers a while ago, in which I highlighted several different solutions for managing (and in some cases synchronising) your passwords. Many of these solutions have mobile clients - there are several iOS apps that support KeePass databases, with varying levels of support for the various features (only a handful currently support using Key Files to secure your password database).

The main advantage of a third-party, open solution is that in most cases you are in control of your password database, and you know exactly who can read it (and where it is). You are also capable of completely destroying it, should you feel it necessary - with many hosted password management solutions (iCloud Keychain included) you do not have any of these abilities.

Conclusion

Many of you reading this post will probably activate and use iCloud Keychain regardless of the reasons I present above for not doing so, and I have no problems with that - providing you understand the risks, and don't use it for storing things you are absolutely sure no one else should have access to.

For those of you who would like to achieve something close to the level of convenience presented by iCloud Keychain - while still maintaining control over your passwords, take a look at the post linked to above, and try out a few of the solutions presented in there (I recommend KeePass) and see which one suits you best.

Leave a Reply

Your email address will not be published. Required fields are marked *

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram