Video Transcript
Hi this is Gary with MacMost.com. On today's episode let's look at creating and storing passwords in Safari.
The password functionality in Safari not only stores passwords but allows you to create very strong randomly generated passwords. You should use this functionality.
As an example let's create a new Twitter account. I'm just going to create something temporarily. Notice when I get to the password field it comes up and says Use Safari suggested password. Now you should use this password. It is a randomly generated password. The only reason not to use one is if you use a third party program, like say OnePassword or Last Pass which also will generate random passwords for you.
But you should never use a password that you think of in your head because it is not random and it can be guessed by computer algorithms. So you should always use a random one to keep things strong. Of course always use a different one for different sites.
So this is going to be a unique new random password. I'm going to accept it and use it to sign up for Twitter.
Now let's take a look in Safari in the Preferences. If you click on passwords here you will see a list of all the sites where I have created a password. If I entered my own password in it would be here as well. But the randomly generated one is going to be here. It doesn't make any difference. I can see the user name, the web site, the password.
I can select it and remove it if I wanted to clear that out which I would do, for example, once I delete this Twitter account that I have created as just an example.
I can also click here to show these and it is going to ask me for my user account password. The user account for my Mac here. When I do so I can see the password there. I can also control click at this point and I can copy the user name or the password.
So that's useful because sometimes you have to enter in a password for something that is not Safari. Like for instance I may download a Twitter app and I may want to then copy this password rather than having to look at it on the screen and recreate it. So I can copy it and it copies it to the buffer. That is very handy.
You also have access to this password outside of Safari by using an app called Keychain Access. So I'm going to use the search menu there to search for Keychain Access. You can see it is in the Application Utilities folder. I'm going to launch that and click on the Passwords category here. I'm going to do a search for Twitter and you can see there it is. The one I just created. I can double click it there and I can see information about it including the ability to show a password here.
Now here it what happens when I go to sign into Twitter. I've signed out. I'm going to click on the sign in button here. You can see it fills in my ID and my password. You can see it has this yellow background here showing that autofill has filled this in. So now I can log in. That's all there is to it. It is automatically filled in. You don't have to do anything else.
Every once in a while I notice a site that sometimes you have to jump to the actual field for it to fill in. Sometimes it prompts you. But a lot of times it just appears here like this. So now I can log in and I didn't have to type my password.
What happens if I change my password? Let's go to Settings here in Twitter again and I'm going to go to Password. You can see it automatically fills in my current password. Safari does that for me. I'm going to create a new password. You can see that as soon as I select that field it is going to suggest a new password.
So I'm going to use that. It is smart enough also to fill it in in the second field, the verify field, as well. So now I can save the changes on this.
You can see here I had a little bit of trouble because this web page Twitter, which is not associated with Apple, didn't recognize that those fields had been filled in. So just by tabbing between them I was able to activate the Save Changes button. You can see also that Twitter rated my password as very strong, as it should.
Now I get a little field here, a prompt, to Update Password. Of course I do want to do that. So now the new password is in Safari saved. You can see that's the new one created. So it is always going to kind of automatically update.
Now here is perhaps the best part of the entire thing. If I go to System Preferences and I go to iCloud. I will see my iCloud account settings and if I scroll down I will see one of the settings here as Keychain and I've selected it.
So this is iCloud Keychain. This means that iCloud is going to be used to sync my Keychain between my devices. So my iPhone, my iPad, and my other Mac are all going to share the same Keychain. They are going to sync which means the next time I try to log onto Twitter on one of those devices I'll find that those password fields are already filled in. This is especially great on the iPhone, say, where it is kind of hard to type those in especially if it is a long strong password like this one.
So I've created this Twitter account, I've saved the password to the iCloud keychain and now I can log onto Twitter across all my devices and it is secure because the Keychain file is encrypted across those devices. If you don't have access to my iCloud account then you can't get access to the data inside the Keychain.
One more thing I want to point out. What if you need to update this password here. In Safari you can't update the password. You can copy it. But you can't update it in the Preferences here. So say you have updated your Twitter password on another device and it wasn't connected to your iCloud keychain account. How can you update it so that Safari knows the new password?
Well one way to do that is to go and sign in again and you can just manually type the new password and it will then update. Another thing that you can do is, of course, you can go to Keychain Access and you can edit in there. So when I select this you can see that I can actually edit this here if I want.
The password functionality in Safari not only stores passwords but allows you to create very strong randomly generated passwords. You should use this functionality.
As an example let's create a new Twitter account. I'm just going to create something temporarily. Notice when I get to the password field it comes up and says Use Safari suggested password. Now you should use this password. It is a randomly generated password. The only reason not to use one is if you use a third party program, like say OnePassword or Last Pass which also will generate random passwords for you.
But you should never use a password that you think of in your head because it is not random and it can be guessed by computer algorithms. So you should always use a random one to keep things strong. Of course always use a different one for different sites.
So this is going to be a unique new random password. I'm going to accept it and use it to sign up for Twitter.
Now let's take a look in Safari in the Preferences. If you click on passwords here you will see a list of all the sites where I have created a password. If I entered my own password in it would be here as well. But the randomly generated one is going to be here. It doesn't make any difference. I can see the user name, the web site, the password.
I can select it and remove it if I wanted to clear that out which I would do, for example, once I delete this Twitter account that I have created as just an example.
I can also click here to show these and it is going to ask me for my user account password. The user account for my Mac here. When I do so I can see the password there. I can also control click at this point and I can copy the user name or the password.
So that's useful because sometimes you have to enter in a password for something that is not Safari. Like for instance I may download a Twitter app and I may want to then copy this password rather than having to look at it on the screen and recreate it. So I can copy it and it copies it to the buffer. That is very handy.
You also have access to this password outside of Safari by using an app called Keychain Access. So I'm going to use the search menu there to search for Keychain Access. You can see it is in the Application Utilities folder. I'm going to launch that and click on the Passwords category here. I'm going to do a search for Twitter and you can see there it is. The one I just created. I can double click it there and I can see information about it including the ability to show a password here.
Now here it what happens when I go to sign into Twitter. I've signed out. I'm going to click on the sign in button here. You can see it fills in my ID and my password. You can see it has this yellow background here showing that autofill has filled this in. So now I can log in. That's all there is to it. It is automatically filled in. You don't have to do anything else.
Every once in a while I notice a site that sometimes you have to jump to the actual field for it to fill in. Sometimes it prompts you. But a lot of times it just appears here like this. So now I can log in and I didn't have to type my password.
What happens if I change my password? Let's go to Settings here in Twitter again and I'm going to go to Password. You can see it automatically fills in my current password. Safari does that for me. I'm going to create a new password. You can see that as soon as I select that field it is going to suggest a new password.
So I'm going to use that. It is smart enough also to fill it in in the second field, the verify field, as well. So now I can save the changes on this.
You can see here I had a little bit of trouble because this web page Twitter, which is not associated with Apple, didn't recognize that those fields had been filled in. So just by tabbing between them I was able to activate the Save Changes button. You can see also that Twitter rated my password as very strong, as it should.
Now I get a little field here, a prompt, to Update Password. Of course I do want to do that. So now the new password is in Safari saved. You can see that's the new one created. So it is always going to kind of automatically update.
Now here is perhaps the best part of the entire thing. If I go to System Preferences and I go to iCloud. I will see my iCloud account settings and if I scroll down I will see one of the settings here as Keychain and I've selected it.
So this is iCloud Keychain. This means that iCloud is going to be used to sync my Keychain between my devices. So my iPhone, my iPad, and my other Mac are all going to share the same Keychain. They are going to sync which means the next time I try to log onto Twitter on one of those devices I'll find that those password fields are already filled in. This is especially great on the iPhone, say, where it is kind of hard to type those in especially if it is a long strong password like this one.
So I've created this Twitter account, I've saved the password to the iCloud keychain and now I can log onto Twitter across all my devices and it is secure because the Keychain file is encrypted across those devices. If you don't have access to my iCloud account then you can't get access to the data inside the Keychain.
One more thing I want to point out. What if you need to update this password here. In Safari you can't update the password. You can copy it. But you can't update it in the Preferences here. So say you have updated your Twitter password on another device and it wasn't connected to your iCloud keychain account. How can you update it so that Safari knows the new password?
Well one way to do that is to go and sign in again and you can just manually type the new password and it will then update. Another thing that you can do is, of course, you can go to Keychain Access and you can edit in there. So when I select this you can see that I can actually edit this here if I want.
1. Occasionally, when I enter a password manually, Safari does not ask to save it and it does not show up in keychain. This seems to be a random occurrence. What’s going on?
2. Most of my financial accounts, banks, investments, etc. do not auto fill the password when I go to the site. This would be the most important use of the random password feature. Any logic or solution to this?
Safari only knows that a field is a password field because the website developer uses “normal” identifiers for the field. If a developer uses something unusual, then Safari has no way of knowing that it is a password field.
I also believe that some sites specifically obfuscate the field identifier, or do something else to turn off this functionality for a web page. Probably thinking that they are helping people (so they don’t use this function on a “public” computer). But you’d have to have an expert review each instance on a case-by-case basis to know for sure.
I have been reticent to use Safari-generated passwords because I often use non-Apple computers in my adult children’s homes as well as pcs in the office. I suppose I could log into iCloud each time to review the Keychain, but that seems too cumbersome. Safari-generated is great if one stays within the Apple system, but I’m not confident in its usability across other browsers. Advice?
If you have an iPhone, you could simply use the Settings app to access your Safari saved passwords so you could type them when visiting another computer.
Otherwise, your only other option is to use weak passwords that you can memorize. But that is not an option anyone should use. Better to write down the strong passwords on a piece of paper and carry that with you than to use weak passwords. Maybe leave out the last few letters of a password and memorize that instead.
Carrying around metal keys to get into your house is also cumbersome, but no one would think of just leaving their door unlocked as an alternative. Using a weak password is like leaving your door unlocked.
Direct & helpful; thank you, Gary!
How secure is my icloud account against hacking?
Depends on whether you are using a weak password or a strong one. For the best security, use a unique strong one, plus two-step: https://support.apple.com/en-us/HT204152. Then password-protect your Mac and iOS devices too, of course.
About 10% of the time, Safari enters an incorrect password and my sign-in is rejected. When I eventually over-ride Safari with the correct password, Safari does NOT respond in any way. I think this is a BUG that Safari needs to fix.
Sometimes, the password from Keychain does not get filled in on an iPhone, but I know of no way (like Keychain) to see the password on the iPhone, and oftentimes the mac is a long way off. Do you know any way around this?
You can always go into Settings, Safari, Passwords & Autofill, Saved Passwords to see your passwords.
for some sites, i don’t bother remembering a password & just have one emailed when i need to get in there
…apple has a reset that’s a little more trouble because you have to generate a new one each time but is probably more secure
You should switch to two-step authentication to be even more secure.
Thanks! I looked that up (what a drag). What would you use if you had no smart phone & never used the computer outside the house?
I didn’t mean, “What would you use…” meaning other than two-step authentication. I meant, “What would you use to implement that, given that I have no smart phone & don’t use other networks.”
If you don’t have a way to receive two-step codes, then you can’t use two-step. No way around that.
If you had no phone then you can’t use two-step, really. Though you can use it with an iPad or iPod touch.
I guess you are just stuck with using a very strong password and using the Keychain to remember it, or a third-party equivalent like 1Password or LastPass.
I would also caution you to not use real answers to security questions. They are too easy to guess. Answer questions like “What was the name of your high school” with random strong passwords and then print them out and store them in a safe place (or two).
How secure is this password manager compared with others like LastPass or KeePass?
I’d imagine they are about the same as I would think they would use the same basic encryption. But you’d probably need to go to a security/encryption expert for a detailed answer.
How do I convert all the passwords that I have already created so that I can start all over and have Safari create new passwords and be sure they will be synched with all my Apple devices?
To use an existing password, just log in to that web site and Safari should ask to keep the password. Better than that is to use the site’s “change password” function, and this time let Safari generate one for you.
Can I use the Safari password generator with Version MAC OSX 10.7.5?
I can’t remember which version of OS X it was introduced in, but I’m pretty sure it doesn’t go back that far.
The automatic password generation feature does not seem to work for me. I’ve tried setting up new accounts at several sites but I do not get the password generation option when I click on the password field. The saved password option works fine. Am I missing something? Am running OS 10.10.3.
Could just be the sites you have tried so far. Check your Safari Preferences under AutoFill to see if maybe you have turned something off.