The New Apple Passwords App

from space video distribution to Mac computers

Apple has been steadily improving their built-in support for managing user passwords and other authentication info so that it’s now in the same ballpark as commercial apps like 1Password and LastPass. Since the release of iOS and iPad 18, and macOS 15, the Passwords app is included as a free system app.

Passwords provides a user interface for capabilities previously spread about in the Apple operating systems. You can find and manage all the passwords you saved in Safari or various apps, your WiFi connection passwords, and any Passkeys. Some new capabilities can improve your security and make life easier.

Window from the Apple Passwords app on a Mac, showing a password

Figure 1 – Passwords app on Mac or iPad

If you use Safari as your browser, there’s a good chance you already have a bunch of passwords collected from various sites.

If you use a different browser, there are extensions for Chrome/Edge or Firefox. The Chrome and Edge browser extension will even work on a Windows computer through iCloud for Windows.

Entry screen to the Passwords app on iPhone

Figure 2 – Passwords app on iPhone in Dark mode

Here’s what you’ll find in the areas listed in the left column of the Passwords app:

  • All includes a searchable list of passwords sorted by the website name, App, or label
  • Passkeys are an alternative to password that are tied to your Apple ID account
  • Codes is an alternative way to do 2-factor authentication without getting a code by email or text
  • Wi-Fi is a collection of all the credentials you’ve collected from the Wi-Fi networks you’ve joined
  • Security will warn of passwords that have been in a data leak, have been reused, are too short, are commonly used, or violate other no-no’s – worth an occasional check and update
  • Deleted contains any credentials you’ve thrown away in the last 30 days
  • Shared Groups allows you to have common passwords inside a group, primarily for sharing in a family or with a spouse

More on these later!

Should You Use the Passwords App?

If you are currently writing your passwords down on paper, or just reusing a few simple ones over and over, absolutely. I’d recommend it for anyone who is a mostly-Apple user who doesn’t already have a password app that they love.

As mentioned, if you’ve been saving passwords in Safari (including using the browser on your iPhone), you’ve already sort of been using the app, and you’ll find your passwords stored in there. It’s worthwhile to occasionally open the Passwords app to see if you have any security warnings. It’s useful for a few other things, as well.

I recommend also making sure Passwords is turned on in your iCloud settings (Settings > <Your Name> > iCloud > Passwords should be On) so your credentials will be synced across all your devices.

How Do I Launch the Passwords App?

Icon for Apple's Passwords appThe easiest way is to use Spotlight. On the Mac, you get to the search window by pressing <Command + Space> on the keyboard, or by clicking the spyglass icon in the menu bar. On the iPhone or iPad, pull down (drag your finger from near the top downward) on the home screen and type next to the spyglass. Start typing “Passwords” and you should see the app icon (yellow, green, and blue keys) with the name Passwords. That’s an easy way to launch any app you have installed, without having to go searching through icons!

You can also launch it by finding the App icon and tapping (on iPhone or iPad) or double-clicking (on Mac) to launch it. 

Walking Through the App

Passwords "All" listing on iPhone app

FIgure 3 – All Passwords on iPhone

The App is called Passwords, but there is more to than that. Wi-Fi Passwords are normally just that, one password for each Wi-Fi network. A more “normal” password is associated with a particular computer or website, and has a username paired with it (the app calls these User Name and Password). 

Using just a User Name and Password for security isn’t very safe, even with the help of a complex password. Most sites require some sort of two-factor authentication (or 2FA in IT jargon). Common methods are to send an email with a code, or to text you a code, after you attempt to log in.

These are more secure, but it’s probably not all that hard for a committed creep to get access to your email or your texts. Also, you have to wait for the email or text to arrive each time you log in. Apple usually makes it easy to paste in the access code once it arrives, if the website on the other end cooperates, and will even dispose of the message once used, if you allow it. But all those waits add up.

A password with a Verification Code is the next step up in convenience since it eliminates the wait and the danger of interception. There’s more about that in the Codes section below.

Continuing the climb upward is sophistication and security is Sign in with Apple. Sign in with Apple is an option for some websites and applications when you first set up an account. When you connect, it will either use the email associated with your Apple ID, or you can use Hide My Email to send a unique one, and Apple will manage the password part. The primary negative for me is remembering that I used Sign in with Apple rather than User Name and Password. I can now check in the Passwords app to be sure. 

Passkeys are the newest form of authentication supported in the app. Passkeys are similar to  in security and simplicity to use, but don’t require the website or application developer to have anything specific to Apple. Passkeys already have two factors baked in, as access with a passkey requires you to use an Apple device you own and your ability to log into that device.

The Passwords app supports all these authentication methods in one place. You can also use it to store random other bits of information like lock combinations or security system PINs.

Here’s a bit more detail on the innards of the app in the order of the buttons on the interface.

All

The first tab in the app is somewhat unintuitively labeled All. This is intended to be the collection of all your passwords, except for WiFi passwords. When you click on/touch the All button, you’ll see a list of Titles and User Names (the User Name is often an email address these days) for each password. By default, the list is alphabetical by Title. A click (I’m going to say click, though for iPhone or iPad it’s touch) on the up/down arrow symbol lets you reverse the order or sort by the date the password was created, the date the password was last modified, or to by the associated website.

Below are the fields you’ll see on a typical Password card in All. If you used Sign in with Apple on a site you’ll see Apple Account and Email on the card instead of User Name and Password . Sign in with Apple will show up in the security area, as well. 

Title

Each password has a card, like an address card in Contacts. At the top is the Title. The app will pull an icon from the website, if it finds one, and perhaps a more readable name (e.g., Facebook) than the full web address. You can replace or modify the Title if you click the Edit button.

User Name

You may well have several different User Names for a given website, but each will have its own card and Password. There can only be one User Name on a card.

Password

The Password is normally presented as a series of dots, but if you mouse over or touch it, the Password will appear. A touch (on “Copy Password”) or click will copy it. In Edit mode, the password will be visible.

Edit mode also gives you a Change Password… button that will take you to the associated website, and even try to take you to the appropriate page. 

Interestingly, if you screenshot your iPhone with a password showing, the resulting image won’t have the password. Apple is watching out for you.

Website

Password Card in edit mode

Figure 4 – Password Card in edit mode

The website field is pretty obvious for passwords in your browser, but it also often applies for Applications. Lots of Apps have web versions now, of course. The Passwords app may or may not be able to automatically fill credentials in an app, but you can easily copy the saved credentials from Passwords.

Unlike User Name, you can have multiple websites for a given password. This can be really handy to eliminate having multiple copies of a given password, along with the hassle of changing the saved versions multiple times if the password changes.

For instance, Redstone Federal Credit Union uses both https://redfcu.org and https://redfcuonline.org on their website, and a customer may end up needing to log in on both pages. This will save two separate password entries with the same User Name and Password. The Passwords app will warn you you’ve reused a password. When you change your password on one page, autofill in Safari will still attempt to use your old password when you go to the page with the other URL. If you instead go to the Passwords app and add the different URLs in the Websites field, you can delete the other versions, and future updates will work as you’d hope. Click next to Website (where it says login.comcast.net in Figure 4) and you’ll see how to add more website names.

In addition to allowing multiple websites, you can have a password with no websites. That means you can use the Passwords app to save, say, a lock combination, or the PIN for a security system.

Group

The Group capability is especially useful. You can share a password with a set of people as long as they have Apple IDs. So you could have a group for the whole family (e.g., the Netflix login), another for you and your spouse, and perhaps create one to share the AirBNB passcode with another couple you’re traveling with.

A password can only be in one Group, and you can’t currently nest Groups. But the capability is a big step forward.

Password Card in edit mode

Figure 5 – Password Card in edit mode

Contributed By

This field will only show up for passwords that have been added to a Group. It shows who shared them with the Group and is the “owner” of the credentials.

Notes

Notes only appear in Edit mode, or if a Note has been added. It’s a place to add any info connected to the credentials, such as a phone number, when you first paid for a subscription, a hint to yourself on any security question answers, or really anything you want to type.

Security

The Security area of a password card varies depending on the kind of credential. It may include security warnings, possibly with a link to fix a weakness. It may tell you your password is a Strong Password that is long and difficult to guess. There’s more about Security below in the main Security section.

Passkeys

A Passkey is a more-secure alternative to a password. Though it can be somewhat confusing to initially set up (mostly hard to find where it’s available in settings on a given website), future logins to the site will work with FaceID or TouchID on your Apple devices, with fallback to the system password or Passcode. The Passkeys.Directory site lists known websites that support Passkeys, and will tell you how to add one for a site. Generally, the trick is to log in normally, and then go into login settings to see if you can create a passkey.

You can think of a passcode as a really super long password written in computer language that your Apple devices use to talk with computers on the other end on your behalf.

Passkey credentials show up in the All listing, with Passkey listed in the Security section, as well as in their own Passkeys area.

Some common sites that support passkeys are: Amazon, Apple, CVS, Discord, Lowes, Home Depot, Target, Walmart, Uber, ID.me, and Login.gov.

Login.gov is the US Government site used to authenticate to several government sites including Social Security, USA Jobs, and the Veterans Administration (but not the IRS, who use ID.me). Their description of creating a Passkey is “Add face or touch unlock.” Amazon calls it a Passkey, but sometimes will still send a One-Time Password (OTP) by text. Your mileage may vary.

To set up a Passkey, find the setting for it on the target website (use Safari to most reliably work with the Password App), most likely in Account security settings under two-factor authentication. When you click to enable it, you’ll be asked to authenticate to your device with FaceID, TouchID, or a Password/Passcode. You may be asked to assign a label (e.g., Apple Passkey).

Once complete, when you go back to that site you’ll be asked to authenticate like you were going to an Apple site, with no need for a site-specific password, a text, or an email. Details will vary a bit from site to site.

Codes

Passkeys already have two factors baked in, as access with a passkey requires you to use an Apple device you own and your ability to log into that device.

Another option, though,  is to generate your own codes. This used to require a separate authentication app to run on your phone or computer. Now it’s available through the Codes section of Passwords.

The Codes section of the Mac Passwords app, with  an Authentication code for X

Figure 6 – The Codes section of the Mac Passwords app; I’ve quit using my X/Twitter account but it did support a Verification Code

Once you set up a Verification Code for a site, the Passwords app will create a new 6-digit code for that site each minute. When you are logging in, you’ll typically be asked for your User Name, Password, and Verification Code. Safari (or other browsers with a plugin) can normally autofill all three, requiring TouchID, FaceID, or your device password/PIN. The code of the minute will be added to the Password call listed in All, as well as in Codes.

Codes are similar in security to Passkeys, are slightly more difficult to set up, and a bit more of a hassle to use. If you have the choice of using one or the other, I’d recommend creating a Passkey. The only benefit I see of having both is that you can use a Code from your phone to securely log into a site on a computer you don’t own. Passkeys are newer, but it seems like most sites with Codes provide both.

Code setup from ID.me

Figure 7 – Code setup from ID.me

To set up a Verification Code, find the setting for it on the website, most likely in Account security settings. It may label setup “Use Code Generator” or “Set up Authentication App.” It will then offer to let you scan a QR code or enter a Secret Key or Setup Key. Choose the Secret Key. This will give you a list of letters and numbers. Copy the Secret Key. In the Passwords App, click on the Codes tab and then the “+” sign. Paste in the Setup Key, and select the website password card from the resulting list. Copy the current code.

Return to the setup web page and click continue. The site will ask for the current code, and perhaps a name for this authentication method (maybe call it Apple Passwords). You should now be set up for future logins!

 

Set Up Verification Code popup in Passwords app

Figure 8 – Set Up Verification Code popup in Passwords app

Complete Code Registration on the site

Figure 9 – Complete Code Registration on the site

Wi-Fi

The Wi-Fi section gives you access to all the Wi-Fi passwords you’ve collected as you’ve moved around the world. It’s an alphabetical list by Network name (or SSID). If you are connected to Wi-Fi, that network will be at the very top. Under the network name is the security protocol the network uses. The associated card has three items: Name, Password, and QR Code. You can view or copy the password by touching or mousing the ……… If you click the Show button next to QR code, the app will generate a QR Code another user can scan with their device (iPhone, iPad, or Android phone, typically, though it will work from a computer with a camera). Or you can click the Share button in the top right corner to AirDrop or text the login info.

Wifi Tab of Passwords app

Figure 10 – Wifi Tab of Passwords app

Wi-Fi credentials were already pretty easy to find and share. If a person is in your Contacts and tries to join the Wi-Fi you are on, you’ll get a popup window asking if you want to share the password. Or you can find the password; on an iPhone go to Settings > Wi-Fi and click the Info circle next to the network. Passwords for other networks are tucked away under the Advanced or Edit button on that page. Having them a part of the Passwords app makes them much easier to find and manage.

Security

The Security tab collects all the warnings Passwords has for any of your stored credentials. I have around 200, which is embarrassing. My wife and I actually use the 1Password App to manage our passwords because it allowed password sharing before Apple Passwords was a thing, and our number of warnings is lower there. But don’t be like me. Your number of security warnings should be zero.

Security includes warnings about:

    • Compromised Passwords – These are passwords in password databases that have leaked onto the internet
    • Reused password – Reusing passwords on different sites is a bad idea, because sites have leaks sometimes. It can be okay if it’s just two versions of the same site (like google.com and gmail.com, say), but in that case you can consolidate the cards with all the sites on one card and delete the others.
    • Easily guessed password – The password is so short or simple it would be easy for a computer to quickly guess.

If you have any warning flags, I recommend cleaning them up!

Shared Groups

I already bragged about Groups in the All section. It is super useful to be able to share Passwords securely and keep them automatically synced when the passwords change. My wife and I share most of our passwords with 1Password, but leave out all the sites only one of us cares about. I think we’ll eventually move over to Apple Passwords now that most of the features compare and Apple Passwords integrates so well. The default Family Passwords group is enough for us, though I can see occasional uses for a new group for a shared trip, if everyone is on Apple devices. If you have kids, separate groups for Spouse and Family would make sense.

Summary

Security is a major Apple selling point. Making good security usable by normal humans is hard. The Passwords app is a big step forward. It combines tools that already existed and adds some new tools so a non-techie user can keep track of unique, complex passwords for each site and application they use – or, even better, start moving to Passkey so logging in just takes a thumbprint or glance at a camera.

The ability to securely share passwords through Shared Groups is a game changer for reducing spousal annoyance with passwords. Having one place to share passwords one-on-one with the Share button is also handy, though a bit riskier because it’s harder to keep track of.

The main interface for passwords is still going to be your web browser, as you log into various sites. I do recommend an occasional launch of the Passwords app to check on any security flags. 

Knowing the Passwords app exists means you seldom need to remember any password beyond your Apple ID password and device passwords or PINs. For those times when autofill doesn’t work, the app will be there for copy and paste, or at worst, read and remember a password long enough to retype. 

There’s room for growth in the app. It would be nice to have a Credit Card link to access cards and their PINs. But as a new release, Apple has done a really good job. I recommend becoming familiar with the app.

Tags: , , , ,

One Response

Leave a Reply

Your email address will not be published. Required fields are marked *