How to Find Duplicate Passwords in iCloud Keychain

Yesterday was World Password Day, and we reminded readers of The Rocket Yard of several important things to remember about creating and maintaining passwords. One of the key points of our post was to use multiple passwords: in other words, don’t use the same password for many online accounts. This is critical to remember. Many people use the same email account as the user ID for numerous accounts, and using the same password for those accounts is a security nightmare. If one account is compromised, hackers have your user ID and password for all of those accounts. It’s smart to use unique passwords for every account, so how can you determine which accounts are using a duplicated password?

The key is iCloud Keychain (pun intended). iCloud Keychain is available to all macOS and iOS devices, and is a cloud-based secure repository of user IDs and passwords for websites and apps.

To view iCloud Keychain on iOS, launch Settings, then scroll down to Passwords & Accounts. Tap that, tap Website & App Passwords, and then authenticate with Touch ID, Face ID or a passcode. Accounts that are using the same password as others are marked with a warning triangle icon (see image at right, above and image below).

In iCloud Keychain, accounts using the same password are highlighted with a warning triangle

Tapping on an individual account marked with the warning triangle displays the current user ID and password (blanked out in the image below), as well as some tips on where that same password is being used. There’s also a link to the website to make it simpler for you to change the password to something stronger.

Tap a single entry to see the existing user ID and password and a link for changing the password

In this case, a tap on the Change Password link informed me that the site was no longer running, so I deleted the user ID and password. Cleaning up the passwords in this way is a good idea. For websites or apps that still work properly, the link may take you to a password reset page, a home page, or even a “404” (address not found) page. Regardless of the destination, attempt to log in with your current user ID and password, then find the location to change your password.

How can you generate a new password that is both robust and unique? Safari and iCloud Keychain work hand in hand to generate passwords that are very difficult to guess, and the new passwords are stored in iCloud Keychain for autofill or future reference. Changing a password on one website produced the following dialog in Safari — clicking Use Strong Password filled the new password and confirmation fields with the generated password, then saved it to iCloud Keychain.

Safari creates a strong password that can be entered into the new password field and automatically saved in iCloud Keychain

For some reason, the macOS equivalent to the iOS Passwords & Accounts settings does not provide the same reused password warning as iOS. At this time, it’s still necessary to use an iPhone, iPad or iPod touch running iOS 12 to find duplicate passwords. Hopefully, this will be addressed in macOS 10.15, which we expect to hear about at WWDC 2019 in June.




  • Why should one use Keychain if they have a password manager? Keychain is selected in my macOS Mojave Prefs/iCloud setting but the above action returns No Saved Passwords. Mike