Should I just use iCloud?

CybernettrCybernettr
edited May 7 in iOS

I am a long-time user of 1Password. I had to create a new login for a site today on my iPad. It has come to the point where I hate creating logins because passwords in general are such a pain, and 1Password has not done much to ease the frustration.

At the point where it comes to creating the password, iCloud / iOS offers to create one for me. I am loathe to accept this offer, because the iOS generated passwords are gibberish and it is a pain to re-enter them into 1Password.

I know 1Password is supposed to automatically notice when you create a new password on your device and automatically create an entry it’s database, but this does not always happen.

However, I noticed there is a 1Password button above the iPad keyboard which I tapped and used to create a password. Lovely! Except that the site now returns, as is so often the case, that the password does not meet it’s highly-individualized criteria (yet it didn’t tell me that at the time I was creating the password), so now the password is wrong in the 1Password application.

There are a bunch of other fumbles that I will not get into in my struggle to make sure that the password is created that the website will accept that is also entered properly into 1Password.

I am not blaming 1Password for this. The whole process of passwords is a horrible, byzantine, primitive and not very secure method of identification, but it is one that we appear to be stuck with for some time to come. The problem is that 1Password is a third-party application, and as such, it has to jump through hoops in order to work around Apple’s quirks and own way of doing things.

So why not just use iCloud and forget about 1Password? I know that I will then not be able to use my passwords on windows and android devices, but this constant struggle to juggle multiple applications is driving me nuts. If I need to use a password on non-Apple devices, I can always create an entry in that instance into the 1Password app, rather than trying to do this all the time.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • BenBen AWS Team

    Team Member

    Hi @Cybernettr

    I'm sorry to hear about your struggles. Certainly it is your call as to how you want to manage your passwords. If you find iCloud Keychain to be just as convenient as 1Password then perhaps you do want to go that route. But from where I sit I don't really see how that is going to solve any of the problems you outlined and may create new ones. I would however recommend picking one password manager and sticking with it, disabling the other entirely.

    If you choose to continue to use 1Password I'd recommend disabling iCloud Keychain. Steps can be found here (see the "tip" section in green). I'd recommend doing the same with any password managers the browsers you are using on other platforms have. The instructions for that are here.

    I know that I will then not be able to use my passwords on windows and android devices, but this constant struggle to juggle multiple applications is driving me nuts. If I need to use a password on non-Apple devices, I can always create an entry in that instance into the 1Password app, rather than trying to do this all the time.

    This just seems to add an extra step and only further the "juggle struggle."

    I know 1Password is supposed to automatically notice when you create a new password on your device and automatically create an entry it’s database, but this does not always happen.

    This isn't true on iOS. Unfortunately we don't have that ability there. Instead I'd recommend using the 1Password UI within the Password AutoFill feature on iOS to generate and save passwords:

    Use 1Password to fill and save on your iPhone and iPad

    An alternative, if you don't find that to be convenient, would be the 1Password share sheet extension:

    Use the 1Password extension to fill in Safari and apps on your iPhone and iPad

    The whole process of passwords is a horrible, byzantine, primitive and not very secure method of identification, but it is one that we appear to be stuck with for some time to come.

    The reason it isn't secure is because folks tend to choose one (poor) password and then use it everywhere. That, and not all companies take care to encrypt and store passwords appropriately. The former is something end-users have control over, and a password manager like 1Password can help with. The latter, as you say, is seemingly something we're stuck with.

    because the iOS generated passwords are gibberish

    Gibberish passwords are the best kind of passwords from a security standpoint. They should be random to be effective.

    Except that the site now returns, as is so often the case, that the password does not meet it’s highly-individualized criteria (yet it didn’t tell me that at the time I was creating the password), so now the password is wrong in the 1Password application.

    I wish there were more we could do here. I think at this point the best we can do is encourage web developers to

    1. Use sensible password requirements
    2. Make those requirements obvious to the user before they try entering one

    We've talked about trying to build a database to track what websites have what requirements and generating passwords based on that database, but there are a number of pitfalls with that and so I don't think it is a realistic approach to the problem. It may be worthy of further discussion, though.

    I understand managing a number of accounts, particularly on a small mobile device, can be quite tiresome. Hopefully 1Password can continue to help make the process a bit less painful. Maybe the tips I've shared above help? Please let me know.

    Ben

  • CybernettrCybernettr

    _ Gibberish passwords are the best kind of passwords from a security standpoint. They should be random to be effective_

    A Macworld writer made a pretty good case some time ago that a random but legible password of a given length, like pencil-237-moldish, is just as secure as a gibberish password of the same length, because a brute force attack has to try all combinations anyway, whether the letters spell a pronounceable word or not. But this is just one of the many disagreements in the password community.

  • brentybrenty

    Team Member
    edited May 8

    Gibberish passwords are the best kind of passwords from a security standpoint. They should be random to be effective

    @Cybernettr: This is a true statement.

    A Macworld writer made a pretty good case some time ago that a random but legible password of a given length, like pencil-237-moldish, is just as secure as a gibberish password of the same length, because a brute force attack has to try all combinations anyway, whether the letters spell a pronounceable word or not. But this is just one of the many disagreements in the password community.

    Also may be true -- if it's random, sure, it can be secure. We've offered word-based password generation in 1Password for a while now. Just keep in mind that a password like that, even if random, will still be weaker than one of the same length composed entirely of random characters, since there's more entropy.

    The "disagreement" you're hinting at is more of a misunderstanding and difference of philosophy. We assume that attackers are competent, not incompetent, and know that password managers exists, and how they generate passwords. So they would be able to try guessing word-based passwords too, not just character by character. Certainly not all attackers are going to be competent, but the incompetent ones are much less of a threat, so I think it's wiser to defend against the competent ones. ;)

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file