A crucial point to understand: unbeknownst to me, my passwords ended up on a device that I didn't specifically authorize to download them.
The good news is that the device is owned by me and under my control. However, since it's just a test machine with no personal data—or so I believed—it's less protected than my other devices. For example, it has a weak login password, no FileVault, and no biometrics (Mac mini).
In general, the presence of my passwords in the cloud is an unwanted and unnecessary liability for me. I understand that for other people, cloud storage is a benefit, and I don't wish to deprive them of that choice. Nonetheless, Apple deprived me of a choice in this case.
>[manufacturer] deprived me of a choice in this case
This seems to be the industry trend with these remotely managed machines, like Apple or Windows PCs. The update mechanism, for better or worse, takes power from the user and assigns it back to the manufacturer / service provider. It's something that the software world would have considered a Trojan horse some 20 years ago, an extension of control to the end user's machine, for someone other than the end user themselves.
I'm not sure where I'm going with this. What's for sure is that the IT zeitgeist really changed over the decades.
I had a similar but more concerning experience. I enabled family sharing (years ago when it was newer) and suddenly my spouse had access to many (all?) of MY passwords in HER keychain. I never knowingly granted access or put any passwords in a non-personal group — it just happened like magic.
> The device isn't "owned by you and under your control" if your passwords were synced without your doing or permission.
Why are you being repeatedly, needlessly pedantic? Everyone knows what I meant (including you, who chose to misinterpret). Your other comment was also pointless: "that's still choosing Mac over Linux and every day you continue to make that choice." https://news.ycombinator.com/item?id=42016888
You can play with your own ultra-strict definitions of "own" and "choose", but please do it in your own mind, and don't pester us with them in these comments. It adds absolutely nothing to the conversation.
Wouldn't you assume that if you log into a machine with your Apple "cloud" credentials that various programs would sync up? I don't see how it could happen any other way? It would be nice if they had a pop-up like they do for app permissions though. Perhaps submit a radar on it as a regular user? https://lickability.com/blog/5-tips-for-filing-radars/
I don’t know if it’s true, but when backing up locally via iTunes it warns you that if you don’t encrypt the backup, passwords won’t be saved. I don’t save backups on iCloud.
The most obnoxious aspect of owning an iPhone for me. Apple turns iCloud syncing on by default for everything, not just password management. Photos, browsing history, etc. There should be an account setting that lets you turn this off completely no matter what device you sign into with your iCloud account. Completely obnoxious; my iCloud Photos is a total mess of triple and double copies of photos going back decades. I recently had no idea it was even syncing. All from signing in then having to stop automatic syncing. I now only sign in when the device has a fresh reset so I can immediately turn all the syncing off. This should be an account-wide option that applies to any and all current and future device sign-ins.
To clarify, Apple is often good about requiring opt-in for a bunch of features, especially privacy-related features, and I appreciate that. Unfortunately there are some annoying corner cases, such as having to manually disable iCloud sync for photos (etc.), or the issue that OP ran into with having iCloud Keychain re-enable itself after being turned off. It also used to be easier to actually turn off Wi-Fi and Bluetooth without them reactivating automatically. I understand why they made it harder (to reduce complaints and support calls/appointments for AirDrop/AirPods/Apple Watch/etc. not working due to user settings) but I would have preferred an alternative approach of making it simple and obvious how to fix any AirDrop or other issues while preserving the ability to easily turn off Wi-Fi.
It begins with the choice of operating system. Getting Windows/OSX to not phone home is one thing, ensuring it stays that way as the updates come in is another can of worms entirely.
It’s pretty easy in macOS: you turn off the features explicitly labeled as such in the nice iCloud settings menu, or you never log into iCloud in the first place.
> They offer no option to delete your passwords from the Cloud once there?
Does it matter, though? Like on the internet in general, once something is posted, it will not disappear with certainty. We can never be certain that there is a copy of the encrypted password on some log file when we have no visibility into that system. Since it is encrypted, it passes the regulation checks.
That is just a UI bug if passwords keep coming back in the cloud/you still see them. Unless there is a system in place that can transparently verify that indeed, the passwords are deleted, does it matter?
A decade ago this was more true but all of the major browsers include a cloud password manager now, and this is very popular with normal people because it means a lost or failed device doesn’t mean they have to go through a bunch of password resets.
The big question here is whether there’s a reproducible way that the opt-in changes. iCloud Keychain has robust end to end encryption but it still needs to inform the user.
Well, the real problem is iCloud Keychain is essentially a "black box" system. Apple does use AES encryption in various parts of their security architecture, as documented in their security white papers. But we can't confirm the specific implementation details for iCloud Keychain.
And you should also know...
Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2).
> Best practices for password storage use one-way hash functions (like bcrypt, Argon2, or PBKDF2) rather than encryption algorithms like AES.
That is true if you are running a service that USES passwords. In that case you just need to confirm they match. That is not true if you are running a password manager where the user needs to be able to get their plain text password back out of the system.
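The distinction drawn in the exchange above, as an added example that is not part of the original thread: a login service keeps only a one-way hash it can compare against, while a password manager must encrypt entries so the plaintext can be recovered. This is a generic construction using Node's built-in `crypto` module, not a description of iCloud Keychain's design; the function names and sample values are hypothetical.

```javascript
// Added example (not from the thread): hash-to-verify vs encrypt-to-recover.
const crypto = require('node:crypto');

// --- Service side: store only a salted, slow, one-way hash -------------
function hashForLogin(password) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(password, salt, 32);
  return { salt, hash }; // nothing stored here can be turned back into the password
}

function verifyLogin(record, attempt) {
  // Recompute with the stored salt and compare in constant time.
  const candidate = crypto.scryptSync(attempt, record.salt, 32);
  return crypto.timingSafeEqual(candidate, record.hash);
}

// --- Password manager side: entries must come back out as plaintext ----
function sealEntry(masterPassword, secret) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(masterPassword, salt, 32); // key derived on the device
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  // Only salt, iv, ciphertext and tag would ever be synced; the key is not.
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

function openEntry(masterPassword, blob) {
  const key = crypto.scryptSync(masterPassword, blob.salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.iv);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ct), decipher.final()]).toString('utf8');
  } catch {
    return null; // wrong master password or tampered blob: the GCM tag check fails
  }
}
```
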
The whole OS is a black box. We trust that keyloggers are not everywhere. We need to trust completely or not at all. I think there is nothing in between when the same vendor is also supplying the underlying closed-source OS.
All the trust-us data-grabby pushes by Apple products creeped me out, until I finally got rid of their products.
For example, although I laboriously went through a ton of settings to make it less privacy-invading, I knew, for example, that I was still only one fumbled touch to a piece of glass away from Apple saying, "Oh, hey! I just grabbed all of your photos! Forever!" (Then Apple would say "Thanks!" in a sunny Californian way that normally is not very meaningful, but accidentally takes on meaning in the era of surveillance capitalism and AI training data.)
This may be annoying, but it’s uploading encrypted versions of passwords, not passwords themselves. Keychain is end-to-end encrypted so no one else can read them.
They say they can’t, but it’s impossible to be certain. Although, if you distrust Apple enough to think they might lie about it, you probably wouldn’t want to use any Apple device or services. They already have privileged access to the software and hardware.
Pray they don’t finish the job. </Vader>
>The only way to see the contents of iCloud Keychain is on an Apple device with iCloud Keychain enabled. You can't even see anything on the icloud.com website.
FYI this is because all contents of iCloud Keychain are end-to-end encrypted, such that only your devices are able to decrypt the data. Apple’s servers do not have access to the contents of a user’s iCloud Keychain.
You might find this article interesting:
https://support.apple.com/guide/security/icloud-keychain-sec...
Also, the second part of this Black Hat talk, titled “Synchronizing Secrets”, is very interesting and details the design and security architecture of iCloud Keychain: https://youtu.be/BLGFriOKz6U
The relevant part of the talk starts at 22:40.
Settings -> Apple ID -> iCloud -> iCloud Passwords & Keychain -> Sync this Mac
In general though having a weak password on a device logged in to iCloud is a bad idea.
You clearly didn't even read the article. The whole point was that Apple silently toggled this on without my knowledge or consent.
[*] They consider it a feature; you may not.
[1] https://support.apple.com/guide/security/secure-icloud-keych...
[2] https://support.apple.com/guide/security/escrow-security-for...
They offer no option to delete your passwords from the Cloud once there?
If that's indeed how they all/always work, we shouldn't just Stockholm-syndrome accept it!
Seems pretty trivial to download the iCloud Windows client (which has password manager support), and modify/delete the passwords there?
Has been this way for at least a decade.
https://support.apple.com/en-au/guide/security/secb0694df1a/...
It’s then stored in iCloud as a SQLite file and encrypted as it does for your other synced data.
For tablet, I was using a PocketBook ereader (which works fine airgapped, and is friendly towards DRM-free ebooks, and doesn't need jailbreaking).
For most purposes, Debian Stable on my laptop, and on my GPU server.
They've been mostly reduced to single-use tokens thanks to password change policies.
And they're no better than email verification codes, which can be used to change the password anyway.
Still no proof that there’s no back door, but as far as the system on the surface goes, it does make sense.
>Passwords and Keychain (6): End-to-end
And guess who has the decryption keys…?
And the decryption keys are stored on your devices in the Secure Enclave. Apple doesn’t have the keys on their servers.