Smart Lock and iCloud Keychain – password managers for the rest of us

Here at Naked Security, we’ve been banging the drum for password managers for a long while now, and there are a number of strong examples out there in the marketplace.

For people who care deeply about privacy and security, deciding which password manager to use means making decisions about password storage, reputation, browser integration, credential sharing options, whether you want cloud-based or local password vaults, and cost.

For many though, it’s still a question of why bother at all?

Convincing people who aren’t as security-focussed as you to use any kind of password manager at all can be difficult because it adds extra complexity to something many already regard as a hassle.

That said, two juggernauts have recently entered the scene, and they will likely help password managers become more mainstream: Apple’s iCloud Keychain and Google’s Smart Lock.

Both are built-in and on by default, which could make it easier for users to make the switch to using a password manager.

Integrated password managers

The whole point of password managers is to remove the burden of having to remember umpteen passwords. Ideally, with that burden taken from us, we’ll be more likely to use different passwords for each of the websites and apps we use instead of reusing the same one (I’m looking at you passw0rd1) or making weak iterations of the same password (passw0rd2,passw0rd3…).

In their current state, these password managers do exactly what you’d expect. They capture passwords that you enter on one device or website, store them in an encrypted form in the cloud and then automatically fill in your credentials the next time you need them, so you don’t have to remember them.

Your stored credentials are tied to a central identifying account with each service. If you’re logged in to your Google or iCloud account on multiple devices or browsers, any of those devices can access your credentials, no matter where you first entered them.

So an iPhone or Android user can enter their credentials into a web form on their smartphone, and then log in to that same website using the Safari or Chrome browser on their laptop, without having to remember the password, if they’re logged in to the same iCloud or Google account on both devices.

It should be noted that Apple’s iCloud Keychain can also store credit card information, and many third-party password managers do as well.

Both iCloud Keychain and Smart Lock are turned on automatically, helpfully prompting users to save their username and password for later in much the same way that browsers have been offering to do for us years, only now these credentials aren’t just stored locally, or in plain text. (No more getting stuck with an old password on a browser you haven’t used in a while, as credentials will sync to use the latest version.)

Where 3rd party managers win

Smart Lock and iCloud Keychain still have room to grow, of course. They are mostly without bells and whistles at the moment – they encrypt, transmit, and then store your passwords centrally in the cloud and allow you to lock down your password manager account with a master password and/or biometric security. Pretty standard.

Smart Lock doesn’t generate passwords for you – though iCloud can – so, Google users, the burden is still on you to think up a strong password, and undoubtedly this means a lot of people won’t. Smart Lock will just fill up with multiple copies of passw0rd1 instead of a collection of strong, rare passwords.

Where 3rd party managers lose

One area where both Google and Apple have a number of third-party password managers beat is storing credentials for smartphone apps – there are third-party password managers that do support storing app credentials, but not all of them do just yet. As of Apple iOS 11, iCloud Keychain supports app sign-ins with AutoFill.

iOS 11 users can save credentials not just for web-based forms, but even for stand-alone apps. These credentials are saved to the iCloud Keychain, and when the user logs back into the app in the future, they’ll be presented with the option to have AutoFill automatically enter their credentials and log in.

Similarly, Google notes that Smart Lock can fill in credentials for some apps, but not all.

Those of us who use third-party password managers have a few more steps to take if the app doesn’t already support grabbing credentials from password managers (switch apps, log in to password manager, copy/paste the credentials).

It remains to be seen if Apple or Google will make pulling credentials from third-party password managers easier, or if they will leave that up to individual app developers to support as they do now.

How do I enable or disable these password managers?

If you’re using a recently updated Apple or Google smartphone, unless you’ve taken steps to disable your password manager it’s likely already active and working for you. But if you want to make sure the service is enabled, or if you want to disable it, here’s how:

  • Google’s Password Vault: go to, sign in and disable Google Smart Lock.
  • Apple’s iCloud Keychain: log in to your iCloud account on a Mac or iPhone, and check the iCloud options in Settings and select the “Keychain” option.

As these services come with your phone they’ll be an easy choice for many who may have bristled at the idea of using a password manager previously. And for those of us who want to see more people moving to password managers, no matter how imperfect, this is absolutely a good thing.