Inside iOS 12: AutoFill gives password manager apps on your iPhone a big boost

Posted:
in iOS edited September 2018
After years of steadily absorbing features like suggesting strong passwords and remembering the ones you've got, iOS 12 now gives back to password manager developers. The new AutoFill lets your third-party password manager be on tap in more places and much more easily. AppleInsider unlocks what you do -- and where the unexpected limitations are.

Dashlane, 1Password and LastPass icons


It used to be that you couldn't convince people they needed a password manager because until you've seen one in action, you don't get it. More recently, though, all iOS users have indeed seen this feature in action -- built right into Safari. Now the issue is showing people that full password manager apps are better and iOS 12 has just removed one barrier to that.

Apple's latest iPhone and iPad operating system includes an AutoFill setting that, if you choose to accept it, will let your password manager of choice be on tap everywhere.

That's the theory and again if you haven't seen these in action, you're wondering what the significance is. As long as you have all of your passwords securely in a manager, then you can always refer to it. You can always go first to a website or click on a shopping basket icon and then switch over to your password manager to copy out the username, password, security codes or anything else.

Maybe you'd actually app-switch to go to it: leave one app completely and go into your password manager instead. Or, somewhat better, you could stay in the first app and call up the Share button. Password manager apps have lived here since Share Extensions existed the start and now with a tap you can be retrieving the relevant information from there.

Detail of logging in via a Share Extension


Share is a poor title when what you're doing is getting information from another app instead of sending information to it. We can't think of a better title but it's still a barrier: unless you know, unless you've seen it, there's no way you'd think to click Share when what you want is to get information in.

Still, that or even app switching, as tedious as it sounds, are still far faster than manually typing in your password or your credit card number.

Also, the three main password manager apps -- 1Password, LastPass and Dashlane -- have all worked to cut down the steps you need to take. Arguably the most successful in this line has been 1Password whose developers have worked with the makers of many other apps. It's reasonably common now to be going through an app's login process and be offered a 1Password button.

Now iOS 12 has effectively given that feature to all password managers -- and it's made the process much clearer.

How it works

It doesn't work. Not with every website. It's going to take time for sites and developers to work in AutoFill but already it's on major sites.

Try it with one of yours. Go to a website that you need to log into. Tap into the username field and as soon as you do that, if it can be AutoFilled then Safari will offer to fill in the password. Once you've set this up, though, that offer is not from Apple's own iCloud Keychain system, it's from your choice of LastPass, 1Password or Dashlane.

Logging in to a site using AutoFill


You're asked if you want to log in to the site using the details from the password manager. Specifically -- and nicely -- the most prominent detail is the username of the site which your manager has details for. Then beyond that there's a note saying this comes from, say, Dashlane. When you tap on the website's username, then your password manager takes over.

While you stay within Safari and on the website you're logging into, you get the password manager request for a security passcode, TouchID or FaceID. Enter that and the password details you want are retrieved from the app and popped into the right places in the site.

You won't want to go back

It's a feature you'll be telling people about when they ask what's so great about iOS 12.

Detail of AutoFill preferences


This AutoFill does need setting up, however.

On your iOS device, go to Settings and scroll down to Passwords & Accounts.
Now tap on AutoFill Passwords, turn on the AutoFill toggle.

You may have a little choice here. One of the options in the list of apps that you are saying is allowed to use AutoFill for you is iCloud Keychain. It's selected by default and you should leave it on. What else is on the list depends on whether you have a password manager installed.

If you don't yet, go get one. Whichever you pick -- 1Password, LastPass or Dashlane -- is far better than remembering passwords or scribbling them down in a book.

You might find that you don't like one and you decide to move to another. That's more than fine but if you ever have two password managers on your iOS device at the same time, this is where you need to think about it.

Password managers are just secure databases, buttoned-down lists of information, they're not executing code that can interfere with each other. Yet Apple has set a limitation: only one password manager at a time can be trusted with AutoFill.

You can always come back later and switch to the other one but it would've been handy to see how each handles AutoFill side by side.

Not practical

If you could do that, though, you probably couldn't also have AutoFill's simple one-button choice when you're prompted for a password.

That one button does make it very clear that, should you tap it, you'll be logging into this account with this username. Apple doesn't really hide any other information but in making that username so prominent, it does feel like LastPass and the rest are given a back seat.

So perhaps this isn't Apple being generous, giving this AutoFill feature to password manager app developers. Perhaps it's just Apple keeping us in Safari. After all, if you ignore the button and go away from the login site, when you come back you aren't offered the option again until you close the site and return.

Whatever Apple's motivation, though, AutoFill is a real boon. It's also a delight: the first time you see it, you think yes, that's exactly how this should work.


LastPass is free to download. It has a limited free version and otherwise costs $2 per month.

1Password has a 30-day free trial and thereafter is a subscription service costing from $2.99 per month.

Dashlane is also free to try. Until, or unless, you upgrade to the Premium version, you're limited to using it on a single device and for up to 50 usernames/passwords. Premium costs $60 per year.






Keep up with AppleInsider by downloading the AppleInsider app for iOS, and follow us on YouTube, Twitter @appleinsider and Facebook for live, late-breaking coverage. You can also check out our official Instagram account for exclusive photos.
jahblade
«1

Comments

  • Reply 1 of 30
    Safe+ does also support AutoFill - works really great!
    watto_cobra
  • Reply 2 of 30
    SoliSoli Posts: 8,548member
    Personally, I love that 1Password is getting the most attention with this new feature, but there is a 4th third-party password manager that will work with Autofill.

    watto_cobra
  • Reply 3 of 30
    This is probably one of the best new features, if not THE best new feature of iOS 12, in my opinion. I use the free version of 1Password. This has made logging into apps that don't use Touch ID much easier. No more going to 1Password, finding the correct vault entry, copying the password, then going back to the app and pasting the password.

    Love this feature.
    jahblademwhitelostkiwijbdragonwatto_cobra
  • Reply 4 of 30
    lkrupplkrupp Posts: 6,704member
    I personally find that I simply cannot function on the Internet without a password manager, 1Password in my case. Every single login has a different, strong password and I don’t have to know it or remember it.
    tylersdadjahbladelostkiwiwatto_cobra
  • Reply 5 of 30
    SoliSoli Posts: 8,548member
    tylersdad said:
    This is probably one of the best new features, if not THE best new feature of iOS 12, in my opinion. I use the free version of 1Password. This has made logging into apps that don't use Touch ID much easier. No more going to 1Password, finding the correct vault entry, copying the password, then going back to the app and pasting the password.

    Love this feature.
    Because I know this feature was (tentatively) coming since their WWDC announcement I was to get family and friends that wouldn't have been able to jump between apps to switch passwords to finally setup 1Password.

    In turn, this caused me to sign up for their online* family account which means 1P is making more money from more customers, while I'm spending less per year since I no longer will need to pay $50+ for their Mac app every few years.

    So if Apple's motivation is to get people to stay with Safari (and make iOS a more friendly environment to help retention and get switchers), along with making it safer for family and friends new to a password manager then that's a whole lot of winning with no downside for anyone… except maybe for Android and Android-based vendors.


    * For those still not aware and are taken aback by having your vault saved to 1password.com, you don't have to use it. I still sync my vault the same way I was before version 7 and have set up every family and friend connected to my family account the same way so that their private vault is never stored on their website whole still being able to easily manage all the accounts securely.

    They use a secret key (which is just like a Windows product key), along with your username and password so it's secure from individual hacking since you'll need access to the 1P app's vault to see those details, but I still won't trust it because I always assume that server-based security has flaws.

    That said, I do use their online vaults for a few items in their Shared vault option where I share my Hulu, Netflix, et al. logins with family members. This makes it easy for them to keep these logins in their local 1P vault and will allow the owner to change their password with ease which will propagate to their vaults immediately. Since these are randomly generated passwords and are for some streaming media—as opposed to email, Dropbox, iCloud, etc.—I'm not worried about them being compromised. One could argue that if someone hacks into 1password.com and steals my shared account data they could see info about my IP address, viewing history, and potential my CC on file, but I'm more concerned with those services being hacked before I am 1Password and then my encrypted vault being compromised.

    OT: I'd really love to stop using my physical CC cards (and checking account) online, especially when they're stored. I wish more would support Apple Pay.
    razorpitwatto_cobra
  • Reply 6 of 30
    I would never trust 3rd party password tools. Why would Apple not provide iCloud key chain solution out of the box for all password fields? Or is it already available in iOS 12?
  • Reply 7 of 30
    lkrupplkrupp Posts: 6,704member
    jason98 said:
    I would never trust 3rd party password tools. Why would Apple not provide iCloud key chain solution out of the box for all password fields? Or is it already available in iOS 12?
    Well, Apple has approved 1Password for all employees so I think the issue of trust is moot.
    jbdragontylersdadRayz2016watto_cobra
  • Reply 8 of 30
    SoliSoli Posts: 8,548member
    lkrupp said:
    jason98 said:
    I would never trust 3rd party password tools. Why would Apple not provide iCloud key chain solution out of the box for all password fields? Or is it already available in iOS 12?
    Well, Apple has approved 1Password for all employees so I think the issue of trust is moot.
    Is that true? I thought that Apple doing that came out with the rumour Apple was buying 1P.
  • Reply 9 of 30
    jbdragonjbdragon Posts: 1,994member
    Soli said:
    lkrupp said:
    jason98 said:
    I would never trust 3rd party password tools. Why would Apple not provide iCloud key chain solution out of the box for all password fields? Or is it already available in iOS 12?
    Well, Apple has approved 1Password for all employees so I think the issue of trust is moot.
    Is that true? I thought that Apple doing that came out with the rumour Apple was buying 1P.

    I use LastPass and have been using it for years.  It's also quite SAFE.  https://lastpass.com/safety.php

    Not that it works even better on my iOS devices, it's a huge plus.  You already have Keychain built into Safari.  But it's really a part of Safari, and the data is on your iCloud.  It works pretty well.  BUT there are problems using it.  If you're fulling in the Mac world, great, maybe that's all you need.  BUT if you're on a number of devices, from iPads to Windows, and using different browsers.  You're now out of luck.  If you use Chrome on iOS and Chrome on Windows I assume the built-in Password thing works between them.  But I generally use Safari on my iOS devices.  Sometimes Chrome or Edge.

    Password Managers allow you to randomly create new Passwords.  My Passwords these days are at least 20 digits and they're different everywhere.  There is no way most people could remember any of them, let alone all of them.   They need to be long and different.  Most sites don't have 2 factor.  So Lastpass has a password generator.  Lastpass can store your Credit Card info so you don't have to keep inputting that Data.  I have Autofill in Data for Personal and Work.  So when I sign up to a new site at work on my Windows Computer, I click on the Work Box in Lastpass and it fills out my name and work email and work address, etc.  None Work I use my personal settings.

    There's another capability.  You can give access to your Lastpass account to others for when you DIE.  So you give a number of passwords to 2,3 or more people, to use to gain access to your account, Last Pass will send you an email telling you they're trying to get into your account, and you can set the number of days to wait for you to NOT respond so they can gain access to your password.   Which would like allow your Wife to get into your banking account and all the other accounts much easier.  These days it's all on the Internet and all password protected.   Just another feature and something that will happen to all of us at some point.

    So Apple's works, but it's limited and not full featured like a Full Password Manager.  LastPass,  you do have to pay for to work on mobile devices.  1Password is also good, but it costs more per year.  It all depends on your own needs.  Check out the features on all of them.   I'm glad Apple added better support for them as they are needed, especially these days.

    Stop using the same password(s) everywhere!!!

    edited September 2018
  • Reply 10 of 30
    I must be in the minority, but i never use password autofill or understand why people use it.  So if someone is able to get into my device, suddenly they have access to ALL my logins?  It Seems like such a breach of security protocol.

  • Reply 11 of 30
    urashid said:
    I must be in the minority, but i never use password autofill or understand why people use it.  So if someone is able to get into my device, suddenly they have access to ALL my logins?  It Seems like such a breach of security protocol.

    So how do remember individual passwords for every site you visit? If you aren't using a password managers, you likely using either weak passwords, or re-using passwords over and over again. Chance are you are less secure than someone using a password manage. 

    For someone to access my passwords (I use 1Password), they would have to know my computer password (or iPhone PIN) PLUS my 1Password master password. Good luck with that. Even Keychain is not as secure. While it does prompt for a password (or FaceID/TouchID authentication), it is using the same authentication as my computer/phone. 1Password is a separate authentication process. 
    Solidouglas bailey
  • Reply 12 of 30
    SoliSoli Posts: 8,548member
    jbdragon said:
    Not that it works even better on my iOS devices, it's a huge plus.  You already have Keychain built into Safari.  But it's really a part of Safari, and the data is on your iCloud.  It works pretty well.  BUT there are problems using it.  If you're fulling in the Mac world, great, maybe that's all you need.  BUT if you're on a number of devices, from iPads to Windows, and using different browsers.  You're now out of luck.  If you use Chrome on iOS and Chrome on Windows I assume the built-in Password thing works between them.  But I generally use Safari on my iOS devices.  Sometimes Chrome or Edge.

    Password Managers allow you to randomly create new Passwords.  My Passwords these days are at least 20 digits and they're different everywhere.  There is no way most people could remember any of them, let alone all of them.   They need to be long and different.  Most sites don't have 2 factor.  So Lastpass has a password generator.  Lastpass can store your Credit Card info so you don't have to keep inputting that Data.  I have Autofill in Data for Personal and Work.  So when I sign up to a new site at work on my Windows Computer, I click on the Work Box in Lastpass and it fills out my name and work email and work address, etc.  None Work I use my personal settings.
    It's fine if people want to use Apple's iCloud Keychain, but I cold never use it because of how limited the storage is. Not only do I have randomly created passwords, I also have randomly created usernames (where possible) which Apple can do, but I also have random answers for my recovery answers so that "What's the name of your first pet?" can't possibly be uncovered with a social hack.

    Then there's storing my medical history, a list of websites where I use my CC or bank accounts online, which includes the card/account that they have, their frequency of use, and if they actively save the data in my account profile. Then there's membership data, wireless routers and server data, identities, as well as the through security audit options.

    When creating new, complex passwords with the maximum security allowed it can be confusing for those that aren't technically savvy. I know people that I got to use 1Password the still don't understand the difference between a password manager and a password generator. I can get them to do Stage One, which is just adding one new login per day into a robust password manager, but once that is complete moving onto Stage Two, which is changing their their weak and/or repeated passwords that appear in the security audit to something complex becomes more of a hassle.

    For me, I want to maximize the security, but when I move 1P's slider to generate a 64-character passcode using alphanumerics and special characters it won't also take because websites tend to be very bad about letting you know the full parameters of for creating a password. Typically they only state the minimum requirements. 1Password (and I assume all the others) have an issue with knowing which special characters are allowed, so even if they can take my password length I'm often having to scan the password manually to find and replace odd characters that aren't supported.

    Even worse, is when a website seemingly takes a new password but they truncated it in the background so when you go to test it (which is something I always do while the average user probably just assumed it all went as planned) the password doesn't work so you have to keep removing a character off the end until it goes though and you hope that your account isn't locked out before you find that magic length.

    I propose a standard, not unlike robots.txt, where every website has a simple text file that can be read by any password generator that lists basic data about password parameters (MIN TOTAL, MAX TOTAL, MIN LC [lower case], MAX LC, MIN UC [upper case], MAX UC, MIN NUM, MAX NUM, MIN SC [special characters] MAX SC), as well as any specifically included and excluded characters (eg: INCL !#%& -or- EXCL %@<>/  ).


    PS: One day I hope that emoji can be used. There's an inherent benefit by making passwords more complex as well as making the few passwords you have to remember easier for many since pictograms are retained differently. You can easily make a complex story that is easy to remember and not something that would be easy to crack.
  • Reply 13 of 30
    Tribruin said:
    urashid said:
    I must be in the minority, but i never use password autofill or understand why people use it.  So if someone is able to get into my device, suddenly they have access to ALL my logins?  It Seems like such a breach of security protocol.

    So how do remember individual passwords for every site you visit? If you aren't using a password managers, you likely using either weak passwords, or re-using passwords over and over again. Chance are you are less secure than someone using a password manage. 

    For someone to access my passwords (I use 1Password), they would have to know my computer password (or iPhone PIN) PLUS my 1Password master password. Good luck with that. Even Keychain is not as secure. While it does prompt for a password (or FaceID/TouchID authentication), it is using the same authentication as my computer/phone. 1Password is a separate authentication process. 
    Please re-read my answer and tell where I said I don't use password managers.  I am talking about the autofill feature that everyone is raving about.  I find that to be a major breach of security protocol.

    And it's not just a matter of someone breaking into your computer.  There are dozens of exploits that leverage autofill to siphon off user information. Here is a Quora answer from an AgileBits (maker of 1Password) employee which begins with "If you are using a password manager with automatic auto-fill, switch off that behavior. It is a (mis)feature that is dangerous and is actively being exploited."


    One more tip:  Never store actual passwords in password managers.  Only store clear hints that make sense to you but cannot be deciphered by others.  Its a dangerous world out there, take care of your secrets.

    edited September 2018 SpamSandwich
  • Reply 14 of 30
    SoliSoli Posts: 8,548member
    urashid said:
    One more tip:  Never store actual passwords in password managers.  Only store clear hints that make sense to you but cannot be deciphered by others.  Its a dangerous world out there, take care of your secrets.
    How do you create hints for randomly generated 64-character passcodes?
    edited September 2018 StrangeDaysdouglas bailey
  • Reply 15 of 30
    Soli said:
    urashid said:
    One more tip:  Never store actual passwords in password managers.  Only store clear hints that make sense to you but cannot be deciphered by others.  Its a dangerous world out there, take care of your secrets.
    How do you create hints for randomly generated 64-character passcodes?
    This is another myth that randomly generated passcodes are somehow more secure.  As xkcd 936 explains, "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess"





    edited September 2018 StrangeDayswatto_cobra
  • Reply 16 of 30
    SoliSoli Posts: 8,548member
    urashid said:
    Soli said:
    urashid said:
    One more tip:  Never store actual passwords in password managers.  Only store clear hints that make sense to you but cannot be deciphered by others.  Its a dangerous world out there, take care of your secrets.
    How do you create hints for randomly generated 64-character passcodes?
    This is another myth that randomly generated passcodes are somehow more secure.  As xkcd 936 explains, "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess"
    [image]
    1) That's bullshit because you can't reasonably expect everyone to do that for 500 passcode, which means for every… single... login they have to go into their password manager to check out the clues and then type each passcode in manually. Random words are decent, but only for access to the few passcodes you have to remember. For everything else using a random set is better all around. If you think the algorithm for a 64-character random passcode is more guessable than using four, short, faux-random words using only lower-case characters that you pull out your head then there's probably no talking reason to you or showing you the math, but I'll give it a go anyway.

    2) Who refers to character length as bits? You do understand that characters aren't comprised of a single bit, right? ASCII is 7-bits per character (not referring to ASCII-compatible) and Unicode has varying bit length depending the version, which are conveniently named, like UTF-32 to refer to 32-bits, for example.

    3) If you cared about passcode complexity you'd refer to the number of character types available for a passcode. If you have upper and lower case letters, numbers, and 6 special characters it's 58 options per character, which you can refer to as BASE-58 which is represented mathematically as 68^n where n equals the number of character in your passcode. With iOS and macOS logins you have around 210 options per character, which is much more secure, even for a short passcode, than the 26^n system of your lower-case letters.
    edited September 2018
  • Reply 17 of 30
    @Soli, sorry for having triggered you but I would think that an ex-NASA engineer (I am referring to Randall Monroe, author of XKCD) probably knows a little bit (no pun intended) about computers and cryptography.  However, let me try to answer your concerns:

    1) I don't have 500 passcodes, you must use a lot more websites than I do. (A quick check of my password manager shows 126 logins. You win.)

    2) In cryptography, everybody uses bits, not characters.  If someone is trying guess your password, sure they think in terms of characters.  But if someone is trying to use computing power to break your password, they are only thinking in terms of bits.  And there are millions more of this kind.

    3) You said the magic phrase, "password complexity."
    I wish I could somehow convince you that just making passwords more complex does not make them more secure (in fact, they can work against security concerns because of how humans handle complexity).

    I know you won't take my word for it, but maybe you have more regard for NIST?


    (Oh look, they have the same graphic from xkcd.  Sorry, my bad :wink: ).

    edited September 2018 StrangeDays
  • Reply 18 of 30
    SoliSoli Posts: 8,548member
    urashid said:
    @Soli, sorry for having triggered you but I would think that an ex-NASA engineer (I am referring to Randall Monroe, author of XKCD) probably knows a little bit (no pun intended) about computers and cryptography.
    Again, he was clearly referring to passcodes you need to remember. You somehow contorted that into believing that it's harder to crack than a much longer and randomized passcode using a much richer character palette. All he's pointing out is that his passcode is harder to crack for a completely random system that goes character-by-character for every possible outcome.

    Gibson Research has noted this on their haystacks page much longer than XKCD posted their comment:

    You probably know this is a trick question, but the answer is: Despite the fact that the first password is HUGELY easier to use and more memorable, it is also the stronger of the two! In fact, since it is one character longer and contains uppercase, lowercase, a number and special characters, that first password would take an attacker approximately 95 times longer to find by searching than the second impossible-to-remember-or-type password!

            • https://www.grc.com/haystack.htm

    That's just an example of how more characters adds to the complexity of it being hacked so don't think they expect you to make all your passwords include 21 repeating characters at the end (which you can't even do in a lot of places).

    Here, I did the work for you and took screenshots…



    Note: Keep in mind that GRC's website is old still using the original data—"a few hundred guesses per second"—in regards to how long it takes a computer to check a passcode.

    edited September 2018
  • Reply 19 of 30
    "Password guru regrets past advice"

    https://www.bbc.com/news/technology-40875534

    In Verge's version of this story they said the xkcd's numbers have been confirmed:

    https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
    urashid
  • Reply 20 of 30
    SoliSoli Posts: 8,548member
    "Password guru regrets past advice"

    https://www.bbc.com/news/technology-40875534

    In Verge's version of this story they said the xkcd's numbers have been confirmed:

    https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
    1) xkcd's math is right, but the data is outdated with only 1,000 guesses per sec. I know it's easy to build a specialized cracker that can do billons per second, and I think I've read about them doing trillions of computations per second.

    2) That second article notes:
    Of course, for those who use password managers like LastPass, you can generate cryptographically secure passwords on the fly. But it’s still important to have a hard-to-crack master password.
Sign In or Register to comment.