Inside iOS 12: AutoFill gives password manager apps on your iPhone a big boost
After years of steadily absorbing features like suggesting strong passwords and remembering the ones you've got, iOS 12 now gives back to password manager developers. The new AutoFill lets your third-party password manager be on tap in more places and much more easily. AppleInsider unlocks what you do -- and where the unexpected limitations are.

It used to be that you couldn't convince people they needed a password manager because until you've seen one in action, you don't get it. More recently, though, all iOS users have indeed seen this feature in action -- built right into Safari. Now the issue is showing people that full password manager apps are better and iOS 12 has just removed one barrier to that.
Apple's latest iPhone and iPad operating system includes an AutoFill setting that, if you choose to accept it, will let your password manager of choice be on tap everywhere.
That's the theory and again if you haven't seen these in action, you're wondering what the significance is. As long as you have all of your passwords securely in a manager, then you can always refer to it. You can always go first to a website or click on a shopping basket icon and then switch over to your password manager to copy out the username, password, security codes or anything else.
Maybe you'd actually app-switch to go to it: leave one app completely and go into your password manager instead. Or, somewhat better, you could stay in the first app and call up the Share button. Password manager apps have lived here since Share Extensions first existed and now with a tap you can be retrieving the relevant information from there.

Share is a poor title when what you're doing is getting information from another app instead of sending information to it. We can't think of a better title but it's still a barrier: unless you know, unless you've seen it, there's no way you'd think to click Share when what you want is to get information in.
Still, that or even app switching, as tedious as it sounds, are still far faster than manually typing in your password or your credit card number.
Also, the three main password manager apps -- 1Password, LastPass and Dashlane -- have all worked to cut down the steps you need to take. Arguably the most successful in this line has been 1Password whose developers have worked with the makers of many other apps. It's reasonably common now to be going through an app's login process and be offered a 1Password button.
Now iOS 12 has effectively given that feature to all password managers -- and it's made the process much clearer.
How it works
It doesn't work. Not with every website. It's going to take time for sites and developers to work in AutoFill but already it's on major sites.

Try it with one of yours. Go to a website that you need to log into. Tap into the username field and as soon as you do that, if it can be AutoFilled then Safari will offer to fill in the password. Once you've set this up, though, that offer is not from Apple's own iCloud Keychain system, it's from your choice of LastPass, 1Password or Dashlane.

You're asked if you want to log in to the site using the details from the password manager. Specifically -- and nicely -- the most prominent detail is the username of the site which your manager has details for. Then beyond that there's a note saying this comes from, say, Dashlane. When you tap on the website's username, then your password manager takes over.
While you stay within Safari and on the website you're logging into, you get the password manager request for a security passcode, TouchID or FaceID. Enter that and the password details you want are retrieved from the app and popped into the right places in the site.
You won't want to go back
It's a feature you'll be telling people about when they ask what's so great about iOS 12.
This AutoFill does need setting up, however.
On your iOS device, go to Settings and scroll down to Passwords & Accounts.
Now tap on AutoFill Passwords and turn on the AutoFill toggle.
You may have a little choice here. One of the options in the list of apps that you are saying is allowed to use AutoFill for you is iCloud Keychain. It's selected by default and you should leave it on. What else is on the list depends on whether you have a password manager installed.
If you don't yet, go get one. Whichever you pick -- 1Password, LastPass or Dashlane -- is far better than remembering passwords or scribbling them down in a book.
You might find that you don't like one and you decide to move to another. That's more than fine but if you ever have two password managers on your iOS device at the same time, this is where you need to think about it.
Password managers are just secure databases, buttoned-down lists of information; they're not executing code that can interfere with each other. Yet Apple has set a limitation: only one password manager at a time can be trusted with AutoFill.
You can always come back later and switch to the other one but it would've been handy to see how each handles AutoFill side by side.
Not practical
If you could do that, though, you probably couldn't also have AutoFill's simple one-button choice when you're prompted for a password.

That one button does make it very clear that, should you tap it, you'll be logging into this account with this username. Apple doesn't really hide any other information but in making that username so prominent, it does feel like LastPass and the rest are given a back seat.
So perhaps this isn't Apple being generous, giving this AutoFill feature to password manager app developers. Perhaps it's just Apple keeping us in Safari. After all, if you ignore the button and go away from the login site, when you come back you aren't offered the option again until you close the site and return.
Whatever Apple's motivation, though, AutoFill is a real boon. It's also a delight: the first time you see it, you think yes, that's exactly how this should work.
LastPass is free to download. It has a limited free version and otherwise costs $2 per month.
1Password has a 30-day free trial and thereafter is a subscription service costing from $2.99 per month.
Dashlane is also free to try. Until, or unless, you upgrade to the Premium version, you're limited to using it on a single device and for up to 50 usernames/passwords. Premium costs $60 per year.

Comments
In turn, this caused me to sign up for their online* family account which means 1P is making more money from more customers, while I'm spending less per year since I no longer will need to pay $50+ for their Mac app every few years.
So if Apple's motivation is to get people to stay with Safari (and make iOS a more friendly environment to help retention and get switchers), along with making it safer for family and friends new to a password manager then that's a whole lot of winning with no downside for anyone… except maybe for Android and Android-based vendors.
* For those still not aware and are taken aback by having your vault saved to 1password.com, you don't have to use it. I still sync my vault the same way I was before version 7 and have set up every family and friend connected to my family account the same way so that their private vault is never stored on their website while still being able to easily manage all the accounts securely.
They use a secret key (which is just like a Windows product key), along with your username and password so it's secure from individual hacking since you'll need access to the 1P app's vault to see those details, but I still won't trust it because I always assume that server-based security has flaws.
That said, I do use their online vaults for a few items in their Shared vault option where I share my Hulu, Netflix, et al. logins with family members. This makes it easy for them to keep these logins in their local 1P vault and will allow the owner to change their password with ease which will propagate to their vaults immediately. Since these are randomly generated passwords and are for some streaming media—as opposed to email, Dropbox, iCloud, etc.—I'm not worried about them being compromised. One could argue that if someone hacks into 1password.com and steals my shared account data they could see info about my IP address, viewing history, and potentially my CC on file, but I'm more concerned with those services being hacked before I am 1Password and then my encrypted vault being compromised.
OT: I'd really love to stop using my physical CC cards (and checking account) online, especially when they're stored. I wish more would support Apple Pay.
I use LastPass and have been using it for years. It's also quite SAFE. https://lastpass.com/safety.php
Now that it works even better on my iOS devices, it's a huge plus. You already have Keychain built into Safari. But it's really a part of Safari, and the data is on your iCloud. It works pretty well. BUT there are problems using it. If you're fully in the Mac world, great, maybe that's all you need. BUT if you're on a number of devices, from iPads to Windows, and using different browsers. You're now out of luck. If you use Chrome on iOS and Chrome on Windows I assume the built-in Password thing works between them. But I generally use Safari on my iOS devices. Sometimes Chrome or Edge.
Password Managers allow you to randomly create new Passwords. My Passwords these days are at least 20 digits and they're different everywhere. There is no way most people could remember any of them, let alone all of them. They need to be long and different. Most sites don't have 2 factor. So Lastpass has a password generator. Lastpass can store your Credit Card info so you don't have to keep inputting that Data. I have Autofill in Data for Personal and Work. So when I sign up to a new site at work on my Windows Computer, I click on the Work Box in Lastpass and it fills out my name and work email and work address, etc. Non-work, I use my personal settings.
There's another capability. You can give access to your Lastpass account to others for when you DIE. So you give a number of passwords to 2,3 or more people, to use to gain access to your account, Last Pass will send you an email telling you they're trying to get into your account, and you can set the number of days to wait for you to NOT respond so they can gain access to your password. Which would likely allow your Wife to get into your banking account and all the other accounts much easier. These days it's all on the Internet and all password protected. Just another feature and something that will happen to all of us at some point.
So Apple's works, but it's limited and not full featured like a Full Password Manager. LastPass, you do have to pay for to work on mobile devices. 1Password is also good, but it costs more per year. It all depends on your own needs. Check out the features on all of them. I'm glad Apple added better support for them as they are needed, especially these days.
Stop using the same password(s) everywhere!!!
For someone to access my passwords (I use 1Password), they would have to know my computer password (or iPhone PIN) PLUS my 1Password master password. Good luck with that. Even Keychain is not as secure. While it does prompt for a password (or FaceID/TouchID authentication), it is using the same authentication as my computer/phone. 1Password is a separate authentication process.
Then there's storing my medical history, a list of websites where I use my CC or bank accounts online, which includes the card/account that they have, their frequency of use, and if they actively save the data in my account profile. Then there's membership data, wireless routers and server data, identities, as well as the thorough security audit options.
When creating new, complex passwords with the maximum security allowed it can be confusing for those that aren't technically savvy. I know people that I got to use 1Password that still don't understand the difference between a password manager and a password generator. I can get them to do Stage One, which is just adding one new login per day into a robust password manager, but once that is complete moving onto Stage Two, which is changing their weak and/or repeated passwords that appear in the security audit to something complex becomes more of a hassle.
For me, I want to maximize the security, but when I move 1P's slider to generate a 64-character passcode using alphanumerics and special characters it won't always take because websites tend to be very bad about letting you know the full parameters for creating a password. Typically they only state the minimum requirements. 1Password (and I assume all the others) have an issue with knowing which special characters are allowed, so even if they can take my password length I'm often having to scan the password manually to find and replace odd characters that aren't supported.
Even worse, is when a website seemingly takes a new password but they truncated it in the background so when you go to test it (which is something I always do while the average user probably just assumed it all went as planned) the password doesn't work so you have to keep removing a character off the end until it goes through and you hope that your account isn't locked out before you find that magic length.
I propose a standard, not unlike robots.txt, where every website has a simple text file that can be read by any password generator that lists basic data about password parameters (MIN TOTAL, MAX TOTAL, MIN LC [lower case], MAX LC, MIN UC [upper case], MAX UC, MIN NUM, MAX NUM, MIN SC [special characters] MAX SC), as well as any specifically included and excluded characters (eg: INCL !#%& -or- EXCL %@<>/ ).
PS: One day I hope that emoji can be used. There's an inherent benefit by making passwords more complex as well as making the few passwords you have to remember easier for many since pictograms are retained differently. You can easily make a complex story that is easy to remember and not something that would be easy to crack.
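The policy file proposed in the comment above, sketched as an added example; it is not part of the original comment and no such standard or password-manager feature is implied. The key names come from the comment, while the `KEY value` line syntax, the defaults, and the reading of INCL as the allowed special characters and EXCL as characters banned everywhere are assumptions.

```python
import secrets
import string

# Constructed sample file. Key names come from the comment above; the
# "KEY value" line syntax and the defaults below are assumptions.
SAMPLE_POLICY = """\
MIN TOTAL 12
MAX TOTAL 20
MIN LC 2
MIN UC 2
MIN NUM 2
MIN SC 1
MAX SC 3
EXCL %@<>/
"""
CLASSES = {"LC": string.ascii_lowercase, "UC": string.ascii_uppercase,
           "NUM": string.digits, "SC": string.punctuation}
_rng = secrets.SystemRandom()  # CSPRNG-backed, unlike the random module

def parse_policy(text):
    """Parse the policy text into a dict; unknown keys are rejected."""
    policy = {"MIN TOTAL": 8, "MAX TOTAL": 64, "INCL": None, "EXCL": ""}
    for name in CLASSES:
        policy[f"MIN {name}"], policy[f"MAX {name}"] = 0, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith(("INCL ", "EXCL ")):
            policy[line[:4]] = line[5:]
            continue
        key, _, value = line.rpartition(" ")
        if key not in policy or not value.isdigit():
            raise ValueError(f"unrecognised policy line: {line!r}")
        policy[key] = int(value)
    return policy

def alphabets(policy):
    """Per-class alphabets: INCL replaces the specials, EXCL removes chars."""
    sets = dict(CLASSES)
    if policy["INCL"] is not None:
        sets["SC"] = policy["INCL"]
    return {n: "".join(c for c in s if c not in policy["EXCL"])
            for n, s in sets.items()}

def generate(policy, length=None):
    """Return a random password of `length` (default MAX TOTAL) that complies."""
    sets = alphabets(policy)
    length = policy["MAX TOTAL"] if length is None else length
    counts = {n: policy[f"MIN {n}"] for n in sets}  # start from the minima
    if (not policy["MIN TOTAL"] <= length <= policy["MAX TOTAL"]
            or sum(counts.values()) > length
            or any(counts[n] and not sets[n] for n in sets)):
        raise ValueError("policy cannot be satisfied at this length")
    while sum(counts.values()) < length:  # hand out the remaining positions
        room = [n for n in sets if sets[n] and
                (policy[f"MAX {n}"] is None or counts[n] < policy[f"MAX {n}"])]
        if not room:
            raise ValueError("class maxima are below the requested length")
        # Weight by alphabet size so extra characters spread over all of them.
        counts[_rng.choices(room, weights=[len(sets[n]) for n in room])[0]] += 1
    chars = [_rng.choice(sets[n]) for n, k in counts.items() for _ in range(k)]
    _rng.shuffle(chars)  # so required classes do not sit at fixed positions
    return "".join(chars)
```

A generator that reads the site's limits up front avoids the silent-truncation and rejected-character guessing described earlier in the same comment.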
2) Who refers to character length as bits? You do understand that characters aren't comprised of a single bit, right? ASCII is 7-bits per character (not referring to ASCII-compatible) and Unicode has varying bit length depending on the version, which are conveniently named, like UTF-32 to refer to 32-bits, for example.
3) If you cared about passcode complexity you'd refer to the number of character types available for a passcode. If you have upper and lower case letters, numbers, and 6 special characters it's 58 options per character, which you can refer to as BASE-58 which is represented mathematically as 68^n where n equals the number of characters in your passcode. With iOS and macOS logins you have around 210 options per character, which is much more secure, even for a short passcode, than the 26^n system of your lower-case letters.
Gibson Research has noted this on their haystacks page much longer than XKCD posted their comment:
That's just an example of how more characters adds to the complexity of it being hacked so don't think they expect you to make all your passwords include 21 repeating characters at the end (which you can't even do in a lot of places).
Here, I did the work for you and took screenshots…
Note: Keep in mind that GRC's website is old and still using the original data—"a few hundred guesses per second"—in regards to how long it takes a computer to check a passcode.
https://www.bbc.com/news/technology-40875534
In Verge's version of this story they said the xkcd's numbers have been confirmed:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
2) That second article notes: