Check out the rest of the videos in this special course: The Practical Guide To Mac Security.
Learn how to use Safari's Password Manager to general strong passwords, store them and use them later.
You can also watch this video at YouTube.
Watch more videos about related subjects: Security (133 videos).
You can also watch this video at YouTube.
Watch more videos about related subjects: Security (133 videos).
Video Transcript
Hi this is Gary with MacMost.com. This is Part 3 of my course, The Practical Guide to Mac Security. This course is brought to you free thanks to my Patreon supporters. To find out more about the Patreon Campaign go to MacMost.com/patreon. There you could read more about it. Join us and get exclusive content and course discounts.
Now that you know that having strong passwords is vitality important to the security of your Mac and all your online accounts let's learn how to create some on your Mac. To create a random password you need to be using a computer program called a Password Manager to generate a strong randomly generated unique password for every site and service you sign up to. There is such a Password Manager built into macOS. So we're going to use that. However, you could also use a third party password manager such as OnePassword or LastPass to do this. The built-in Password Manager is found in Safari. So you go to use the Safari web browser on your Mac. Let's say you want to sign up for an account at a site. So I'm going to use archive.org as an example here. Let's sign up by clicking that link there and you could see that to sign up for an account her I need to enter my email address, Choose a name, and then a password. So let's enter an email address, choose a name, and now a password.
Immediately you can see that Safari takes over here and creates a strong password. You could see it filled in here. You actually only see part of what's there. You don't need to see the entire thing. So you can see that this is a strong password, randomly generated using letters, numbers, uppercase, lowercase, everything. It's going to give you this message over here. Safari created a strong password for this website. It will automatically be saved to your iCloud Keychain. So we are going to say Yes, use the strong password. Now you could see it filled in there. It's as easy as that.
Now let's say at a later time we returned to this site and want to login. We don't have to remember that long password. We don't have to type it in at all. As a matter of fact we don't even need to remember our ID. Safari is going to prompt us to enter this in. When I go to click here to enter in my email address and password Safari is going to prompt me right away recognizing that there already is an email address and password stored that I can just access by clicking here. If there is more than one if I had, say, two accounts at this site then I would see a list of two of them. If there were several more I could always go to other passwords and it would bring up a longer list. I'm going to select this one here and it's going to recall user ID and my password and place them in there. I didn't have to type them. I didn't have to even see the password. Also note there's a little key here to the right. If I click on that it will also bring this up. So if I perhaps clicked on the wrong one or maybe I hit a key and dismissed it, I could bring this back up and use it again. Then I could use the login button to log back into the site. So every time I visit this site I don't have to enter my password in. It can automatically be pulled from Safari's database of passwords.
Now there is a way to see a list of your passwords. If you go to Safari, Preferences then you could go to Passwords and here you have to confirm by entering in your Password or you can use Touch ID if you have a Mac with Touch ID and here you could see a list of all the websites where you have passwords. You could see your User Name and you could see the Password here but it's blocked out. You can select it and it will show you the password if you really want to see it. You can double click it to bring up details. There's also a Details button down here. It will show you the website, User Name, and the Password. You can even go in here and select it, copy it, you can change it. So if you changed your Password and for some reason Safari did an update, you can type something new here as well. In this list you can Control click on any one of these. You can copy the website, copy the User Name, or copy the Password and you could also simply hit the Delete key and it will Delete this password. So if you want to get rid of one you can.
There's also an option here, you could see it says Detect Password's Compromised by Known Data Leaks. This will look at your Passwords and see if any of them show up in a list of passwords that have been compromised. Now it could have been compromised because it was your password on that account and that is now something that is out there in lists for people to be able to obtain. It could be that that password was used by you on a another site or perhaps somebody completely different if it's a weak password. But, of course, if you see any indicators here showing that there is a compromised password then you should go and change it for that site.
So how do you change a Password for a site? Well, let's continue with the login for archive.org here. I will look at my settings for my account and you could see here it allows me to change my password. So if I go to enter in a password here, you could see it's going to ask me if I want to fill-in my password, but I don't want to do that. I want to change it. But if I click here you could see I get something that looks very similar, but one of the things it's going to have is Suggest a New Password. So this will work slightly different on different sites. But basically you go through whatever the website's regular functionality is for changing your password. When you enter in a new password, like that, then you hit Change Account Settings it should update the account with that new password in Safari. So let's check here and you could see it puts a new password in place. That's because when we went here and suggested a new password it was Safari itself suggesting a new password. So it knows that that new password is now set and when you go in and look again you can see that it's remembering that new password for the next time you want to login.
So updating your password should automatically update Safari's list of passwords. The great thing about doing this as part of iCloud Keychain is that these passwords will also be used on your iPad, your iPhone, other Macs. Anything connected to your iCloud Account will have access to these passwords as long as you're logged into that iCloud Account and also, of course, logged into that device. So you create a new password here on your Mac and you'll be able to log into the same site on say your iPhone.
Now starting with macOS Monterey there is also the ability to access your password outside of Safari in System Preferences. So you go to System Preferences and then you'll see Passwords there. It looks a lot like how it does in Safari and you'll see these same passwords there and be able to access them and edit them. So you can do this without ever going into Safari. This is especially useful if the website also has an app and you're trying to login using the same User ID and Password in the app that you are on the web. Of course you're not in Safari when you're doing that so accessing passwords from System Preferences might be more convenient.
Now one last word about Password Managers. A third party Password Manager is especially useful if you are using a Mac and maybe some non Apple products. Maybe you have an android phone. Maybe you have a windows computer. You want to go beyond the devices that use iCloud. In that case a third party Password Manager that's cross platform could be handy because then you have access to your passwords everywhere. One such one that I use is OnePassword. You can get that at OnePassword.com but the apps are also available in the App Stores. Also another one that a lot of people use is LastPass. So the idea here is that you can take your passwords to websites and access them using browser extensions in any browser. So in your Mac and say Chrome or Firefox and also in Windows, in Chrome, Firefox, Edge, and having a third party Password Manager allows you to use these passwords in all sorts of situations where completely Apple centric solutions like Safari and iCloud will not.
Hi Gary,
Just watched your Security Course part 3. Although I am a 1Password user I am still very interested in following along and finding out how everything works. One item on this course that I couldn't follow along with was when you chose the Passwords icon within System preferences, I don't have this icon. I have a new MacBook Air and am up-to-date on MacOS. Is there something I am missing? Hope you can help me. Thanks.
Guy: "Now starting with MACOS MONTEREY there is also the ability to access your password outside of Safari in System Preferences."
Presently Apple does not allow sharing of their system generated passwords. Do you know if they are considering changing this where one could select certain passwords to share with their family members, i.e., for example, one’s financial institution, etc.
Deborah: if at all possible you should have separate logins. I know we can do that for all my banks and credit cards. But if you need to share a password you can. For instance on an iPhone you can clog to Settings, Passwords, select the password and use the Share button. For instance you can use it to send a password to a family member when they are trying to log into a streaming service. Then they can save the password in their iCloud account to use later.
Responding to Guy:
I don't see it either, you need to go into your Apple ID at the top of System Preferences window and then to Passwords & Security.
Responding to Guy:
Oops, answered the wrong question.
Paul: This is a feature of Monterey. I mention that.
Hi Gary, great videos . Question : If I opt for a suggested password will that also apply for my iPhone and iPad ?
Bert: Yes, via iCloud. Make sure you have Keychain turned on in iCloud settings for all devices.
Hi Gary, when using Keychain the only place I see to put notes (ie. Answers to Security Questions, Secret Keys, etc.) is in the Comments section . . . but unlike the Password, where you have to enter your initial password in order for it to show up, the comments always show up . . . not secure. Any other place in Keychain I can enter that information to keep it hidden & safe?
Thank you.
Kathy: What's wrong with them showing up? Only you have access to them since your Mac is locked with your password. You can use Secure Notes for this too (through the Keychain Access app).
Many sites I have an account on now have options to log in with Apple or Google. My understanding is that by sighing in with Apple, my email is not sent to the site. If I already have an account, and I opt to sign in with Apple, am I creating a new account without access to the content of my old account (e.g., wishlists and order history). Can I start using Apple to sign in and still access my "old" account? TIA.
Alex: That would be up to site, whether they would offer a way to merge accounts or change an account in such a way. Really no advantage to it for you if you already have account set up. I would imagine few, if any, sites offer this.
So will keychain passwords work if I am using Duck Duck Go as my browser or do I need a third party manager?
Nanci: If you want to use a third-party browser then a third-party password manager is your best bet, But make sure it has an extension/plugin for that browser.
Hi Gary. Excellent security initiative. I use BigSur 11.5.1. No Password icon in system preferences but I can wait till Monterey comes on. I have 2 questions: Q1: I sometimes use Firefox and sometimes Safari. I guess I can only work with one default browser to rely in generated passwords? Q2: There are still websites which don’t allow more than say 6 digits (even a bank I bank with!!!) or which don’t allow certain characters in their passwords. I guess a password manager cannot be used then?
Hubert: Passwords in System Preferences is for macOS Monterey (In the video I say "Now starting with macOS Monterey there is also the ability to access your password outside of Safari in System Preferences"). If you use a third-party password Manager like 1Password or LastPass you can install extensions for all browsers. So you can then use Safari and Firefox both very easily. If a website is still doing that today in 2021, you can just edit the password to remove some characters.
Hi Gary. I had a look at Bitwarden. No fee. They do indeed ask for a Master password but for this you can alos use the password generator. Do you recommend to use tjis procedure (and record the master password somewhere safe) of is it better to creat one oneself?
Hubert: Use a generator to create a master password, but make sure it is something you can easily type. Still random and unique though. Yes, write it down and store it somewhere safe, though you will quickly memorize it.
In follow up to Kathy's question above, where ARE the secure notes or places to keep things you want to be secure. I have no problem with them being displayed but I do not see how to get to the notes create/edit place. Thanks
Gene: You can use the Keychain Access app to store those (File, New Secure Note) or store them somewhere else like in the Notes app (locked notes).
In updating my safari passwords to a stronger password, I've often come across websites (usually old, long ago accessed websites) where it's no longer possible to log-in. Therefore am unable to update the password and/or delete my account. Some of these sites have even been flagged with the Safari Passwords warning symbol! If I can't get in, should I assume no-one else can either and therefore I can simply delete these accounts from my Safari Preferences Password list?
Janice: Depends on what you mean by "no longer possible to log-in." Is the site closed? Or not working? Or is it just not accepting your password? If the latter, just use their password reset function.
Further to my earlier inquiry, These are website accounts which were originally set up with an ID & password and I haven’t accessed these accounts for a number of years. These sites are stored in my Safari Preferences Password data bank, some flagged with “caution” (easily guessed password, duplicate password or implicated in a data breach). However I’m unable to sign into these websites to update with a more secure password using the original ID and password when I first created the account.
Janice: Then just use the site's "reset password" function to set a new password. Usually they email you a link to click to confirm it is you. Every site does it a little differently.
So if the password reset request is not recognized, shall I assume that the website is no longer active or that the original data given to them is now protected from security breaches? ie: if I can’t get in so no one else can either …
Janice: What do you mean by "not recognized?" If you don't need the site anymore, and you aren't use that same password anywhere, then just forget about it.
Safari-generated passwords do not contains “symbols” other than a hyphen in the approximately two dozen passwords that I’ve asked Safari to generate. Doesn’t that mean that the generated passwords are no stronger than upper case, lowercase and numbers with one extra character? Perhaps a 20-character password without symbols other than hyphen is strong enough?
Fred: Adding a few extra characters would make it slightly stronger, but these are strong enough. They probably avoid symbols because some sites won't allow them and they vary across the world.