Many people keep their passwords in a note or a Numbers or Pages document. This is a bad idea, but not for the reason you probably think.
You can also watch this video at YouTube.
Watch more videos about related subjects: Notes (34 videos), Security (133 videos).
Video Transcript
Hi, this is Gary with MacMost.com. Let me tell you why storing your passwords in a note or a document is a bad idea.
MacMost is brought to you thanks to a great group of more than 1000 supporters. Go to MacMost.com/patreon. There you can read more about the Patreon Campaign. Join us and get exclusive content and course discounts.
So recently I've noticed a lot of people saying that they like to store their passwords in a note in the Notes App or perhaps in a Numbers or Pages document. Now when you do that you can keep it secure by adding a password to it and, of course, your entire Mac account should be secure because you have a password on that. So the security of those passwords really isn't an issue. Still there are some important things that you're missing out on when you're using a note or document to store passwords rather than using a Password Manager like Apple's built-in Password Manager or a third party password manager.
The first is that Password Managers allow you to create strong unique random passwords. If you're storing your passwords in a note or document chances are you're just creating the passwords on your own and even if you think they're random then they're not. They're probably not long enough and strong enough. Now when you go to a site like this one and you go to create a new account you select an email like that and then you go to create a password. You're going to get prompted here to use a strong randomly created password. You can see part of it entered in here. You can simply say Use Strong Password. Now this password is going to be very hard to break because it's just too long and too random. The problem is, of course, typing it in. But you don't have to worry about typing it in because the Password Manager will take care of that for you.
Now another thing that Password Managers will do for you is store the password automatically. So at this point if you were saving your password in a note or document you would have to copy the User ID, the password, go over to that note or document and record it there manually. But, when I simply register with this password at the site now that is stored in the Password Manager. So in this case I'm using the default Password Manager included with macOS and when I go look at that I can find it right here and I can see it's recorded that password for me. I don't have to do any additional steps and there is no chance that I would have forgotten to do it in quickly setting up an account at a site.
Now another thing a Password Manager does for you is it easily allows you to auto-fill the password. So in this situation where I want to login if I was storing them in a note I would have to go to the note and copy the ID, copy the password, and put them in each of these fields. But the password manager does that for me. I can go into here, and in fact, it will show me if I have multiple IDs assigned to this site, select that one and you could see it filled in the password for me. I didn't have to type it in. I didn't have to copy and paste it in and maybe make a mistake, and now I can login. So this saves you a lot of time particularly for sites that are very secure and ask you to login all the time. Like a bank should ask you to login each and every time. It shouldn't leave you logged in for a long period. That means you'll be entering your password in all the time and having to go back and forth between the document and the login page to do that.
Now here's probably the most important thing that a Password Manager gets you. It's protection against a phishing attack. So in a typical website password phishing attack you'll get a link somehow, maybe in an email, maybe in a text message, maybe from another site, and you click on that link to go to login. Maybe the email makes it seem urgent like there's an invoice for an expensive purchase that you didn't make or your account has been compromised and you have to log on right away. So you click on it without thinking. Now you get to a page that looks like this. The page looks perfectly like the login page for the site you want to go to. A quick glance here at the URL shows you that it is, in fact, the right site. Except it's not! You can see here that it goes on and the actual domain is this odd thing here. Perhaps you catch that nine times out of ten or even 99 times out of a 100. But that's not enough. You have to catch that 100% of the time. These could be really tricky to spot. So then you could go here to sign in and you would go and copy your ID, copy your password, place them in here and then you would be handing that information to whomever is trying to steal it from you. You may never even realize your mistake because they may simply redirect you with a fake error message to the actual site where you go and enter them again and you successfully login and find there's no problem. You don't remember that you actually gave your password twice and the first time was to a bad actor.
But this won't happen with a Password Manager. Because a Password Manager says, oh you're at this site, do I have a password for that. No I don't. So you go to use the password from the Password Manager and it doesn't appear. Something is wrong. Now that prompts you to take another look here to see that, oh this is the wrong site, somebody is trying to trick me. The Password Manager doesn't find a match and therefore it has protected you from this phishing attack.
Another thing a Password Manager will do for you that a note or document will not is it will tell you if a password has been compromised or maybe it's too weak. For instance, in this case this password here is too weak and it's telling me it is easily guessed. It puts a little caution symbol there and it prompts me to do better. If the password is compromised, say somebody stole a database of passwords from a big site, then it would also show that up here and you would know about it and be able to make the change. A note or document is not going to do that, of course.
Here's one last thing that a Password Manager will do for you. This is fairly new for most Password Managers including Apple's built-in one. You can see here if I go into Edit you can see there is Verification Code and I can enter a setup key. This is for two-factor authentication. For a lot of sites they are using standard two-factor authentication which means you have to enter in this six-digit code to get into the site. This makes it much harder for somebody else to break into your account. Password Managers that have this feature will not only allow you to fill in your ID and password but also your two-factor code making it easier than ever to use two-factor codes. If it's easier to use two-factor codes that means you could use them more often. They won't be as inconvenient. Meaning that your account will be that much more secure. A note or document isn't going to have that so it's going to make it inconvenient to use two-factor codes a lot of the time and you may be tempted to skip using them every once in a while making your online accounts more vulnerable.
So there are some great reasons why you should absolutely use a Password Manager, even just Apple's built-in Password Manager, instead of storing your passwords in a note or a document. However, if you want to store some of your most important passwords in a note or document as a backup, sure, it's always good to have backups for those kinds of things. But your primary place for storing them should be a regular Password Manager.
Hope you found this useful. Thanks for watching.
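The domain check described in the transcript's phishing section, as an added example (not from the video or MacMost): a password manager parses the page address and compares the real hostname with what it saved, where a quick glance only notices that the familiar name appears somewhere in the URL. The vault entry, both URLs and the function names are constructed for illustration, and the exact-host-or-subdomain rule is a simplification of what real managers do.

```javascript
// Constructed sample data: a made-up account saved for a made-up site.
const vault = [
  { host: "bank.example.com", username: "gary", password: "<stored-secret>" },
];

// Constructed URLs: the real login page, and a lookalike whose address
// starts with the familiar name but "goes on" to a different domain.
const REAL_LOGIN = "https://bank.example.com/login";
const LOOKALIKE_LOGIN =
  "https://bank.example.com.secure-login.example.net/login";

// Roughly what a quick glance at the address bar checks: does the
// expected site name appear somewhere in the URL?
function glanceLooksRight(pageUrl, expectedHost) {
  return pageUrl.includes(expectedHost);
}

// What the manager checks: parse the URL and compare the actual hostname
// with the saved one. Only an exact host or a true subdomain matches.
function findCredential(pageUrl, entries) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return null; // unparseable address: offer nothing
  }
  if (url.protocol !== "https:") return null; // never fill on plain http
  const host = url.hostname.toLowerCase();
  const match = entries.find(
    (e) => host === e.host || host.endsWith("." + e.host)
  );
  return match || null;
}

// The glance passes on both pages; the manager offers a login on one.
for (const page of [REAL_LOGIN, LOOKALIKE_LOGIN]) {
  const cred = findCredential(page, vault);
  console.log(
    new URL(page).hostname,
    "| glance ok:", glanceLooksRight(page, "bank.example.com"),
    "| autofill:", cred ? cred.username : "nothing offered"
  );
}
```

The missing autofill prompt on the second page is the signal the transcript describes: the hostname ends in a domain the vault has never seen.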
Gary, that is very good advice and I would like to switch over but I have 75 or 100 passwords that currently exist. How do I go to each one to change it to the randomly generated computer password?
Steve Mishket
Steve: Start with the most important sites. Go to them and change your password. When you do, it should prompt to save that password in Safari. Check to make sure it is saved. Then move on to the next.
Thanks, I was hoping there would be a quick and easy way to do it. I should've known better.
Steve
Steve: If there was a quick and easy way to change 75-100 site passwords like that, it would also be very dangerous if you think about it.
Gary, doesn't use of a randomly generated password pose potential problems when attempting to login to a site using another computer besides the Mac that generated the password? That's what's always kept me from using generated passwords, but maybe I'm misunderstanding this. If I can get past that issue, I'd be all in on using generated passwords.
Bill
Bill: Do you mean another one of YOUR computers? If so, then you can use the same password manager to log in. For instance, if you have two Macs, then iCloud would allow you to access your passwords on both since you'd be signed into the same iCloud account.
If you mean another computer that IS NOT YOURS, then it SHOULD be harder to log in. If it is easy to log in, that means it is easy for someone else to log in as well. You should have to work hard to enter in a long random password in that case. Otherwise, it means your security is too weak.
If you want to make it easy to log in by having a weak password, then expect to have your accounts compromised very soon.
Hi Gary, what if the other computer I have is a Windows computer? Is there a way for me to access my Apple password manager on there also?
Steve: If you have a mix of Apple and non-Apple, you should use a third-party password manager like 1Password or LastPass.
I use a password manager but apps can and do go wrong - recently my Apple Contacts list deleted itself! If the password manager did this I would be in a mess.
So I keep a backup list of passwords - password protected! With a hard copy in a safe.
Another concern is the random password generated by a password manager - it is difficult to record this in a separate document as a back up.
I like the protection of a password manager when logging onto a site, and generally log on this way.
Gary - Thoughtful and useful guidance as usual, thank you. I have an iMac, iPad, and iPhone and use apps across all three, including my phone when abroad. Can I get all three looking at one Password Manager, or do I have to change passwords one device at a time? Thank you for your weekly newsletter - always read and appreciated.
Adrian: If you use the same password manager, they should work across all three easily. The built-in Apple password manager does, as long as they are all Apple devices.
Gary. I do use a Password Manager but must admit I still keep a record on file (suitably protected). I always have the niggling thought that the server holding my passwords online could crash and then how would I get into all my password protected accounts. I suppose I would have to use the 'forgot password' for each account.
Derek: As I mention in the video, it is fine to do a backup like that. Many password managers (all?) have a way to export to a file for this reason. It is doubtful that a server crash will mean you lose your passwords as any company doing this would have backup procedures probably way better than any of us do at home.
Why won't the most important credential of all -- Apple ID with password -- not be usable with Safari password manager?
Becky: It is. If you go to iCloud.com you can use the built-in password manager to log in. But outside of that your Apple ID is one of two ways to get into your account (account password the other one). So it is kind of like keeping your house key IN your house.
What sort of password would you recommend to gain access to your Mac (mini)? Other devices have Face ID or fingerprint to access, so is the Mac the weakest link? If the log in is guessed, they would have access to all Keychain data would they not?
Roger: Right, so it should be strong, unique and random. Since you'll be typing it all of the time, you'll quickly memorize it and be able to type it quickly. It is one of probably only two passwords you'll need to memorize, the other being your Apple ID password. Newer Macs have Touch ID or can come with the Touch ID keyboard, so things will be getting easier in this respect. Those with Apple Watches can use them to unlock as well.
Thanks for a very useful and insightful conversation about the password manager built-in to Safari. I don't believe I really ever understood it to be a manager in the same way that third-party ones are (like 1Password). You've sold me on going back and, over time, converting all my passwords to strong, random ones, which will be managed via the manager. This is the sort of thing I really do enjoy about being in the Apple family of products.
I have to log in to machines in lecture theatres, then into web systems or OneDrive. They are not mine and don’t have my pass manager onboard. I have to use non-random passes here and remember my iPhone for TOTP.
Jasper: I would still use random passwords there. So it takes 4 seconds to type it instead of 2. Worth it. Like locking a door deadbolt when you leave the house. You could save some time by not locking it. But is it worth it?
Typing is no problem, it’s memory!
The few passes that I have to run like this are still fairly strong. I tend to use long, non-words that make some kind of sense to me and won’t be in a dictionary and aren’t something publicly connected to me. e.g. “YltlmlycmIshthn-a125” is the initial letter of an Otis Redding song followed by a (fictitious) door code that only I know.
Jasper: With a password manager you don't need to worry about that. You can use random passwords because you don't need to remember them. That's much stronger than your method.
Hi Gary! I have been a long time user of Firefox. Should I wish, at one stage, to switch to Safari, will the auto generated passwords used in Firefox be picked up in Safari or would I have to start again?
Hubert: Firefox (I assume) is using its own system. Or are you using a password manager like 1Password or LastPass? If a password manager, then just install the extension in Safari and you should be set. If some Firefox thing, then you have to "start again" but that isn't as bad as it sounds. The first time you log on to a site you'll need to go back to Firefox to copy the password. But then when you enter it in Safari, it should prompt you to record that password there. Then after that it knows the password. So you just do that once per site.
Sorry if this is a really stupid question. I am now sold on the idea of using the Apple Password Manager, but how do I get it to leap into action? I have been to a website, logged in, gone to change my password, but PM has not suggested a new word or indeed even put up the "key" symbol to click on. I have manually added the website and password to Safari Password, but again, returning to the website does not prompt any log in assistance. Do I have to tell Safari to start using Passwords?
Adrian: It should do it automatically. Check in Safari, Preferences, Autofill to make sure you haven't turned something off. Then look for the key icon on the right side of the ID field on a site. Of course any site can obfuscate their ID and password fields so the browser doesn't know what they really are. So maybe the one site you tried had some poor code?
Gary - Your status as genius is confirmed! Auto fill was completely turned off. Many thanks.