Keychain stores all website usernames and passwords, credit card numbers, and Wi-Fi network information

Security researchers have mixed opinions about the new password manager Apple has included with Mavericks, the latest version of the Mac OS X operating system.

The new iCloud Keychain stores all website usernames and passwords, credit card numbers and Wi-Fi network information and keeps the data up to date across all of a person’s Apple devices, including the iPhone and iPad. The data is protected through 256-bit AES encryption. The optional feature, which only works through Safari and with Apple products, makes it possible to log into websites without having to remember separate passwords.

Third-party password managers with similar and more advanced features include LastPass and 1Password. Apple’s manager could become popular among customers who use multiple devices from the vendor. Those who may have other products, such as an Android smartphone or tablet or a Windows PC, would have to use a password manager from another company.

“I don’t see why a pure Mac/iPhone user would select any other solution, except if he/she was worried about higher levels of security such as two-factor authentication,” Wolfgang Kandek, chief technology officer for Qualys, said Wednesday in an email. “Of course cross-platform users such as Mac/Android or iPhone/PC will still have to look for a third party solution, but for the pure Apple users, iCloud Keychain offers an attractive proposition.”

Nevertheless, there was some nitpicking among experts. What they didn’t like was Apple letting people choose to create only a four-digit security code for adding devices to the keychain. The password is also used to verify a person’s identity for other actions, such as recovering the keychain if a device is lost.

“A four-digit protection PIN is not really a protection PIN.
Any computer could break a four-digit encryption PIN in less than one hour,” Daniel Palacio, chief executive for Authy, which provides a two-factor authentication platform, said.

Apple does give customers the option of having a more complex code automatically generated for them. However, studies show that people tend to choose simple passwords when given the option.

A feature experts would have liked to see in Keychain was a password generator for websites. Products from vendors providing password vaults typically give customers the option of choosing a long string of characters that can include letters, numbers and symbols. Kandek said such a feature is important because “we tend to be very bad at selecting strong passwords.”

Tyler Reguly, manager for security research at vulnerability management vendor Tripwire, said password managers in general were “scary,” because a lot of high-value information is in one place. In addition, by placing the manager in the browser, vendors are putting it in software that is a primary target for hackers.

“If that product is compromised, all of your accounts are compromised. For that reason, I don’t use a password vault,” Reguly said.

Whether people use Keychain will depend on whether they trust Apple, Chester Wisniewski, senior security adviser for Sophos, said. “Your reputation is the most important thing when storing someone’s passwords,” he said. “It’ll be interesting to see if users that wouldn’t normally use a password vault, will use this simply because it’s in iCloud and ready to go.”

Like many vendors, Apple has had its share of criticism when it comes to security. Russian security researcher Vladimir Katalov recently found that a person with someone’s Apple ID and password could remotely download all the data from iCloud without the owner’s knowledge, ZDNet reported.
While stealing the Apple ID and password first is difficult, it’s possible through email phishing techniques.