I’m a Patreon supporter and love what you do for us.
I have a security question related to Keychain. I get into Keychain on the Mac or the iPhone using either Face ID or the passcode for getting into the device. Which means that the security of my passwords in Keychain is only as strong as the passcode I'm using to unlock the Mac or the phone.
Is there a way to add a separate password to access Keychain which is different from the device passcode, to act as an additional security barrier?
—–
David
Actually, the security here is much stronger than you realize. A password is all that is needed to get into something like an online account that you can access anywhere in the world. A malicious individual or a bot halfway around the planet can try to break in. But your device is only in one location. Someone needs actual physical access to it. That's much, much harder. It is like a second factor: password and physical access.
So it is in fact pretty secure. Like a key to your house. The key isn't very secure, but it isn't like a magic key where you can break into your house from anywhere in the world. You have to be there.
There is also another thing that adds another level to it. If your device is stolen, then you probably will know that pretty quickly. Then you can use Find My to lock or disable it.
And another factor: limited tries. You can't brute force your Mac or iPhone. Try entering the wrong code. It takes a few seconds. So you can't try a thousand times; it would take a long time. And you can even set your iPhone to lock (or erase!) after many tries.
For someone to successfully get physical access to your device, guess your passcode before the limit, and you not noticing in the meantime ... that's pretty secure. Plus someone would need to be targeting you for this. It isn't a way to get 1,000 passwords without any effort, which is what they want.
And if someone is targeting you, well, they could always physically attack you and force you to log in. So there's no 100% solution.
OK...that all sounds great. Very good to know. So does that also then mean that 1Password may not be as secure as Keychain since it is possible to access 1Password online but you can't access Keychain content online?
David: First, you don't have to use 1Password's online service to use 1Password. I don't. I use an encrypted vault and it is kept on iCloud. But if you do use 1Password's service, that is also encrypted and two-factor. So you'd have that online account protected with two-factor, and inside that "vault" would be the weaker (non-two-factor) account passwords.
The alternative is to not store your passwords using any sort of password manager at all. But then you'd have trouble generating good strong passwords, you'd be tempted to use weak passwords for some things since your list would grow and it would take a long time to set up or change an account, and you'd also not get the phishing protection since your human eyes would easily fall for a phishing attempt whereas a password manager wouldn't. So in an attempt to make one aspect just a bit more secure, you'd make many other aspects more insecure or downright weak.
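As an added illustration, not part of the original question or answer, here is roughly how a password manager gets the phishing protection described above: it fills a password only when the page's origin (scheme, host and port) matches the origin the password was saved on, byte for byte after normalization, so a lookalike domain that fools human eyes gets nothing. The vault contents and the probe URLs are constructed for this example; the function names are hypothetical and do not correspond to any real password manager's code.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault (illustration only). An entry is keyed by the exact
# origin the password was saved on, not by how the site name "looks".
VAULT = {
    "https://accounts.example.com:443": "correct horse battery staple",
    "http://intranet.example.com:80": "legacy-intranet-secret",
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def normalize_origin(url: str) -> Optional[str]:
    """Return 'scheme://ascii-host:port' for a page URL, or None if unusable.

    Case, default ports, paths and query strings are normalized away so the
    same site always yields the same key, while anything that is a different
    host (subdomain tricks, hyphens, digit swaps, homographs) never does.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # javascript:, data:, file: etc. never get a fill
    try:
        # IDNA-encode the host so a Cyrillic 'а' (U+0430) becomes an xn--
        # label and can never compare equal to a Latin 'a'.
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    except (UnicodeError, ValueError):
        return None  # malformed host or port: refuse rather than guess
    return f"{scheme}://{host}:{port}"


def autofill_password(page_url: str, vault=VAULT) -> Optional[str]:
    """Fill only when the page's normalized origin is one we saved on."""
    origin = normalize_origin(page_url)
    if origin is None:
        return None
    return vault.get(origin)


def demo() -> dict:
    """Run the lookalike probes a phishing page would present (constructed)."""
    probes = [
        "https://accounts.example.com/login",             # genuine site
        "https://ACCOUNTS.example.com:443/login?next=/",  # same origin, different spelling
        "https://accounts.example.com.evil.net/login",    # real name as attacker's subdomain
        "https://accounts-example.com/login",             # hyphen lookalike
        "https://acc0unts.example.com/login",             # zero for the letter o
        "https://аccounts.example.com/login",             # Cyrillic 'а' homograph
        "http://accounts.example.com/login",              # downgraded to plain http
    ]
    return {url: autofill_password(url) for url in probes}


if __name__ == "__main__":
    for url, filled in demo().items():
        print(f"{'FILL   ' if filled else 'refuse '} {url}")
```

Only the first two probes get a password; every lookalike, including the homograph that renders identically in a browser's address bar, is refused because its normalized origin is simply a different key. That mechanical comparison is the whole advantage over a person reading the address bar.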