As I alluded to in Protect Your Identity, online account servers are periodically breached by hackers; malware additionally steals users’ private information, including email addresses and passwords; and people put themselves at even more risk when they play into phishing scams.
Many of my clients feel they are not at risk, don’t have anything private, or aren’t a target of security attacks. However, attackers aren’t targeting individuals so much as breaching servers that store thousands or millions of account records. It’s no longer individuals but computers invading your privacy, supported by powerful processors. Have you heard about Google’s new quantum chip, Willow? (Though it’s not yet ready to invade your privacy.)
The easiest way to mitigate this risk is to allow your trusted Apple devices or third-party password manager to generate secure passwords for your online accounts. Your Mac, iPhone, or iPad already has this ability, and it’s not worth your time and energy to design and remember your own passwords.
However, many people still opt out of this opportunity and make up simple passwords that are really easy to crack. In fact, the top 10 most common passwords include password and secret, and the most common password by a wide margin is 123456. Plus, among the top 200, 80% take less than one second to crack, and only two take more than a day.
Client Notes
This past week, I helped Leslie negotiate a challenging predicament with her Apple Account password that prevented her from signing in on her Mac — which had suddenly stopped accepting her computer password. With Apple engineering support and 6 days, all is well.
Along the way, though, we determined her password storage system to be faulty and I recommended letting her devices generate and store most of her logins. Then, she won’t have to rely on her brain to come up with them or remember and type them in most of the time.
I also completed David’s Mac migration; resolved a weird glitch Roberta had with sharing Word documents by email; coached Beth to move email messages on iPhone to mailboxes in a different account; and eliminated an email connection issue shared by both Alan and Deborah.
Generate with Keychain Access
Since Mac OS X 10.0 was released in 2001, Apple has offered a utility called Keychain Access. You probably recognize a keychain in the real world as a holder of keys, each of which you can use to open one or more locks. In the Apple ecosystem, a keychain is a place to store passwords and other credentials that open digital locks, like online accounts.
One of the core features of Keychain Access is to generate secure passwords. Even two decades later, it still carries this functionality. Use Spotlight to open Keychain Access or find it in /Applications/Utilities or, in macOS 15 and later, /System/Library/CoreServices/Applications.
Create a New Password Item (look for the top New command in the File menu or press Command+N) and click to the right of the password field. A utility window appears with a choice of various password types and lengths.
I recommend Letters & Numbers or Random. You can generate a password that is 8–31 characters long and get a list of choices in the Suggestion popup menu.
Use Safari and its Settings
In 2013, Apple introduced iCloud Keychain starting with Mac OS X 10.9. This feature works in tandem with Keychain Access and enables passwords to stay in sync among Apple devices over encrypted channels.
At the same time, Safari began offering password management, too. Through macOS 14, you can view saved logins and create new ones in the Passwords section of Safari’s preferences or settings window.
On all devices, when on an account creation page, Safari offers to generate a strong password that can be stored locally on the device. Or, in settings, click + to make a new entry and generate a password. With iCloud Keychain enabled, logins sync seamlessly to other devices. Then, you can use Safari and other apps on any device to access and use the saved login.
System Settings Generates Confusion
Starting in macOS 12, Apple added a Passwords section to System Preferences (later called System Settings). This mirrors the display and functionality in Safari settings, so you can similarly create new entries and generate passwords as in Safari. Why in two places? Maybe because some folks don’t use Safari.
On the mobile side, iOS 17 and earlier provided an equivalent Settings screen called Accounts & Passwords, Passwords & Accounts, or simply Passwords, where one can generate and manage logins.
Notably, the Passwords pane in these settings areas on all devices consistently lacks Wi-Fi passwords. Up until macOS 14, these are only accessible via Keychain Access.
However, on mobile devices running at least iOS 16, if a Wi-Fi password was entered manually upon connecting to the network (as opposed to shared automatically by another device), one can view the information about the network and reveal its password.
Native Passwords App
Finally, in macOS 15, iOS 18, and iPadOS 18, Apple launched a standalone Passwords app. This consolidates the functionality of password storage previously shown in Keychain, Settings, and/or Safari. Safari can still offer strong passwords and Keychain Access can still generate them, but all management is in Passwords.
Plus, in addition to website logins, Passwords supports passkeys, Wi-Fi network passwords, and verification codes, as well as a separate list of Security Recommendations. And, a boon for users who prefer other browsers besides Safari, Apple offers iCloud Passwords extensions for Chrome and Firefox. For Windows users, you’re covered, too.
Generate Fantastic Passwords with 1Password
In my opinion, using Apple’s first-party password solution is not sufficient. For me, it fails in three ways, covering generation, storage, and security:
- Passwords cannot automatically generate passwords that satisfy some websites’ requirements, such as including special characters. This forces the user to discover the requirement and modify the generated password. Apple follows a standard rubric for generating strong passwords on devices that use iCloud Keychain.
- Passwords doesn’t support various other private information types, like bank account numbers, email server settings, and application licensing details. A third-party app called Access can fill this gap. As of this publication, it costs $10 per year or $25 forever.
- Passwords, which primarily uses biometrics to unlock, falls back only to the user’s computer password or device passcode and lacks a secondary private key to encrypt its data. The app, which provides easy sharing with others, therefore relies on the weakest password in the chain to keep information secure.
This isn’t good enough for me and so I continue to recommend 1Password, which costs $36 per year for an individual or $60 for a family. This app satisfies more websites’ unique password requirements, supports many types of records with pre-built templates, and offers a Secret Key as a secondary private key for encryption.
The combination of information you know (your account password) and information you have (your secret key) makes 1Password nearly impossible to crack. Add multiple users to a family plan and someone else can reset your password if you forget it, so you don’t lose your data.
The 1Password browser extension generates a password automatically when you create an account. You just need to select the suggested password and it will offer to save it in your vault.
If the website fails to honor this selection, you can click the browser extension and copy a generated password. And if all else fails, open the app, create a new login item, and the password field will offer one.
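The first limitation listed above, a generated password that still has to meet a site's character requirements, can be handled at generation time instead of by hand-editing. The sketch below is an added example, not Apple's or 1Password's algorithm; the character classes, the symbol set, and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character classes; real sites differ in which symbols they accept.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_=+?",
}
ALL = ("lower", "upper", "digit", "symbol")


def generate_password(length=20, required=ALL, allowed=None):
    """Return a random password that contains every class in `required`.

    `allowed` lists the classes the site accepts (defaults to `required`).
    """
    allowed = tuple(allowed or required)
    if set(required) - set(allowed):
        raise ValueError("a required class is not in the allowed set")
    if length < len(required):
        raise ValueError("length too short to hold every required class")
    alphabet = "".join(CLASSES[name] for name in allowed)
    # Rejection sampling: draw whole candidates from the OS CSPRNG and keep
    # the first compliant one, so every compliant password is equally likely
    # (patching one character after the fact would skew the distribution).
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in required):
            return candidate


def entropy_bits(length, allowed=ALL):
    """Upper bound on entropy, in bits, of a uniformly random password."""
    alphabet_size = sum(len(CLASSES[name]) for name in allowed)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())                       # site requiring symbols
    no_symbols = ("lower", "upper", "digit")
    print(generate_password(16, required=no_symbols))  # site rejecting symbols
    print(round(entropy_bits(20)), "bits vs", round(entropy_bits(6, ("digit",))))
```

The entropy figure is an upper bound because the compliance check discards a small share of candidates; for a 20-character password the difference is negligible.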
Are you ready to let go of your paper password list that doesn’t go everywhere with you? Are you tired of having to generate new passwords when the ones you’ve used before stop working? Would you like to leave your intellect accessible for more meaningful activities than online security?
If you need help getting started with a password manager, importing entries from a prior document, or just getting savvy with a new system, book a coaching session with me.