Apple iCloud Keychain in OS X Mavericks gets mixed reviews

Security researchers have mixed opinions about the new password manager Apple has included with Mavericks, the latest version of the Mac OS X operating system.


The new iCloud Keychain stores all website usernames and passwords, credit card numbers and Wi-Fi network information and keeps the data up to date across all of a person's Apple devices, including the iPhone and iPad. The data is protected through 256-bit AES encryption.

The optional feature, which only works through Safari and with Apple products, makes it possible to log into websites without having to remember separate passwords. Third-party password managers with similar and more advanced features include LastPass and 1Password.

Apple's manager could become popular among customers who use multiple devices from the vendor. Those who may have other products, such as an Android smartphone or tablet or a Windows PC, would have to use a password manager from another company.

"I don't see why a pure Mac/iPhone user would select any other solution, except if he/she was worried about higher levels of security such as two-factor authentication," Wolfgang Kandek, chief technology officer for Qualys, said Wednesday in an email.

"Of course cross-platform users such as Mac/Android or iPhone/PC will still have to look for a third party solution, but for the pure Apple users, iCloud Keychain offers an attractive proposition."

Nevertheless, there was some nitpicking among experts. What they didn't like was Apple letting people choose to create only a four-digit security code for adding devices to the keychain. The password is also used to verify a person's identity for other actions, such as recovering the keychain if a device is lost.

"A four-digit protection PIN is not really a protection PIN. Any computer could break a four-digit encryption PIN in less than one hour," Daniel Palacio, chief executive for Authy, which provides a two-factor authentication platform, said.

Apple does give customers the option of having a more complex code automatically generated for them. However, studies show that people tend to choose simple passwords when given the option.

A feature experts would have liked to see in Keychain was a password generator for websites. Products from vendors providing password vaults typically give customers the option of generating a long string of characters that can include letters, numbers and symbols.


Kandek said such a feature is important because "we tend to be very bad at selecting strong passwords."

Tyler Reguly, manager for security research at vulnerability management vendor Tripwire, said password managers in general were "scary," because a lot of high-value information is in one place.

In addition, by placing the manager in the browser, vendors are putting it in software that is a primary target for hackers.

"If that product is compromised, all of your accounts are compromised. For that reason, I don't use a password vault," Reguly said.

Whether people use Keychain will depend on whether they trust Apple, Chester Wisniewski, senior security adviser for Sophos, said.

"Your reputation is the most important thing when storing someone's passwords," he said. "It'll be interesting to see if users that wouldn't normally use a password vault will use this simply because it's in iCloud and ready to go."

Like many vendors, Apple has had its share of criticism when it comes to security. Russian security researcher Vladimir Katalov recently found that a person with someone's Apple ID and password could remotely download all the data from iCloud without the owner's knowledge, ZDNet reported.

While stealing the Apple ID and password first is difficult, it's possible through email phishing techniques.
