Stop Using iCloud Keychain! Read This

Why would you want to keep your passwords away from iCloud Keychain?

  1. You become married to the Apple ecosystem. If you use multiple platforms (such as macOS, Windows, Linux, iOS and Android, like I do) or want to stay flexible, you need to migrate away from iCloud Keychain because your passwords cannot be transferred to non-Apple devices.
  2. All your iCloud Keychain passwords can easily be seen by anyone who happens to have the password for your macOS system or your iPhone. Never give out your password to anyone! (Today my spouse was bringing her iPhone to a repair place, so we backed up and erased the system completely because they need to access the phone from inside, but that's another story.) Password managers have a separate master password and 2FA enabled in case of logging in from a different device.
  3. Apple is playing along with the governments around the world. Even though they pretend to be "pro-privacy", that's just PR marketing bullshit. But that's also another story. Keeping your passwords encrypted outside that ecosystem adds an additional layer of privacy/protection for personal sovereignty. Of course, for super sensitive secrets like the seed phrases to your hardware wallets, you would never want them stored anywhere close to the computer, and that is also another story.
  4. Having passwords in a dedicated password manager is just as easy as in the iCloud keychain. It is an important step towards your independence.

I believe Bitwarden is the best free, open-source password manager available on the market. Migrating to a password manager (such as Bitwarden or 1Password) may be challenging for many people, especially for macOS users, because exporting existing passwords from iCloud is blocked. But is it? I did this operation myself some time ago and helped my relative recently, so I want to share the knowledge with the community.

Below I list the procedures that will help you migrate from Chrome and Safari.

Before you do any migration, make sure you are connected to a secure Wi-Fi network at home, because you will be uploading the password file in raw format. There is a layer of encryption from HTTPS, but that may not be secure enough if you are on a public hotspot.

image

(Image by vicky gharat from Pixabay)

1. Migrating from Chrome

Migrating passwords from Chrome is pretty easy. If you didn't use Chrome on your Mac, you can skip this, and go to section 2.

1.1. Export Passwords from Chrome

  1. Open Chrome. Click on the 3-dot icon in the toolbar and select 'Settings'.
  2. Click on 'Passwords'.
  3. Look for the section called 'Saved Passwords'. Click on the 3-dot icon next to it. A drop-down menu will appear. Click 'Export Passwords'.
  4. Before you can export your passwords, you need to type in your computer password. Press 'OK' once you've typed it in.
  5. Chrome will now ask you where you want to save the file containing all of your passwords. Choose a location and click 'Save'.

Ref: https://nordpass.com/blog/how-to-export-chrome-passwords/

1.2. Importing the Chrome Password File into Bitwarden

  1. In the Web Vault, select Tools from the top navigation bar.
  2. Select Import Data from the left-hand Tools menu.
  3. From the Format dropdown, choose Chrome (csv) (see What file formats does Bitwarden support for import?).
  4. Select the Choose File button and add the file to import or copy/paste the contents of your file into the input box.

Warning: Import to Bitwarden can't check whether items in the file to import are duplicative of items in your Vault. This means that importing multiple files will create duplicative Vault items if an item is already in the Vault and in the file to import.

  5. Select the Import Data button to complete your import.
  6. Verify that the import operation was successful. It is a good idea to put the newly imported passwords into a folder in Bitwarden, such as "Imported from Chrome".
  7. After a successful import, delete the import source file from your computer. This will protect you in the event your computer is compromised.

Ref: https://bitwarden.com/help/article/import-from-chrome/

1.3. Delete all Passwords on Chrome after import

  1. Open a Chrome Window.
  2. Click on the three dots on the top right corner. Select Settings.
  3. Select Passwords. Here you'll see a number of saved passwords for various websites.
  4. To delete an individual password, click on the three dots next to it and select Remove.
  5. To delete all passwords, go to Clear Browsing Data from Settings -> Advanced and select Passwords.

Ref: https://www.privateinternetaccess.com/blog/how-to-delete-your-saved-passwords-on-every-browser/

2. Migrating from Safari and iCloud Keychain

If you have been using iCloud Keychain, there is no simple solution here, unfortunately. However, there is still a hacky way.
Apple, for security reasons, doesn't allow exporting their keychain passwords through a dedicated feature, suggesting that a person would have to manually do it themselves, going through every password one by one.

There is an open-source script that automates this operation.
I have checked the script code in detail myself for integrity and tried all segments of the code to verify the performance before executing it. Before running the script I made sure the internet was disabled. I do advise you to read the script yourself and make sure that it makes sense to you before blindly running something that will run operations on your passwords. (Disclaimer: run at your own discretion).

Resource: https://1password.community/discussion/30286/mrcs-convert-to-1password-utility/p1
Tools: https://www.dropbox.com/sh/a3skeey2zqimdlv/AAD87q6N_EJZ1YoPe5SA35a1a?dl=0

2.1. Export passwords from Safari

Step 1: Download the mrc-converter-suite from the link above. (Credit to Mike Cappella)

Step 2: Copy-paste the file Get_Safari_Passwords.applescript onto your Desktop

Step 3: In System Preferences, enable accessibility access for Script Editor. Make sure you turn this off after you complete this operation.

Step 4: Turn off Wi-Fi.

Step 5: Run the script. Make sure your Safari window is always on top. Do not touch the mouse while the script is running. This will open each stored password and copy the field one by one into the file. All your output will be stored on the Desktop as a pm_export.csv file.

Step 6: Reformat the file. Open pm_export.csv in Excel and change it to match the Google Chrome passwords format.
The image shows what the original file looks like:

image

Rename the headers of the columns in the following way: "name", "url", "username", "password".
Delete the "Additional URLs" columns.
This will make the file format identical to Google Chrome's format.
The image shows what the reformatted file looks like:

image

Save the file. Make sure the file format is still in CSV.

Step 7: Disable the permissions for Script Editor that were enabled in Step 3.

Step 8: Enable the internet.

Step 9: Import the file into Bitwarden through the web interface as if it were a Google Chrome passwords file. Verify that the import operation was successful. It is a good idea to put the newly imported passwords into a folder in Bitwarden, such as "Imported from iCloud".

Step 10: Delete the password file from your computer. Empty the trash.
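
Because the Bitwarden importer cannot detect duplicates (see the warning in section 1.2), the Chrome export and the reformatted Safari export can be merged and de-duplicated locally before the import. The script below is an added example, not part of the original post or of Bitwarden; it assumes both files already use the four-column header "name", "url", "username", "password", and its function names and sample rows are made up for illustration.

```python
import csv
import io
import os

FIELDS = ["name", "url", "username", "password"]  # Chrome header from the reformatting step

def read_chrome_csv(text):
    """Parse one Chrome-format export; reject a file that lacks a required column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [f for f in FIELDS if f not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"not Chrome format, missing columns: {missing}")
    return [{f: row[f] or "" for f in FIELDS} for row in reader]

def merge_exports(texts):
    """Return (rows, conflicts) for several exports.

    Exact duplicates (same url, username and password) are dropped. Logins that
    appear with different passwords are all kept and listed in conflicts,
    because only the owner knows which password is current.
    """
    seen, by_login, rows, conflicts = set(), {}, [], []
    for text in texts:
        for row in read_chrome_csv(text):
            login = (row["url"].lower().rstrip("/"), row["username"])
            key = login + (row["password"],)
            if key in seen:
                continue
            seen.add(key)
            first_pw = by_login.setdefault(login, row["password"])
            if first_pw != row["password"] and login not in conflicts:
                conflicts.append(login)
            rows.append(row)
    return rows, conflicts

def write_private(path, rows):
    """Create the merged CSV readable by the current user only (mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)

# Constructed sample data, not real credentials.
CHROME = "name,url,username,password\nexample,https://example.com/,alice,pw1\n"
SAFARI = ("name,url,username,password\n"
          "example,https://example.com,alice,pw1\n"
          "example,https://example.com,alice,pw2\n"
          "shop,https://shop.example,bob,pw3\n")

if __name__ == "__main__":
    rows, conflicts = merge_exports([CHROME, SAFARI])
    print(len(rows), "rows to import;", len(conflicts), "logins need review")
```

The merged file is still plaintext, so it needs the same deletion after import as the source files.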

2.2. Delete all passwords on Safari after import

  1. Open a Safari window.
  2. Click on Safari in the menu bar and select Preferences.
  3. Go to the Passwords tab.
  4. You'll see a number of saved passwords. Select the password you want to remove and click on Remove.
  5. If you want to delete all passwords, you can click on Remove All.

Ref: https://www.privateinternetaccess.com/blog/how-to-delete-your-saved-passwords-on-every-browser/

Finishing Up

Now that you have imported the passwords from iCloud,

  • On the computer, enable the Bitwarden extension in your browser, and stop the browser from asking you to save passwords into its Keychain. Bitwarden will ask instead.
  • On your iPhone, set Bitwarden as your password manager in the settings and disable it.

It still makes sense to have iCloud Keychain sync enabled to sync your Wi-Fi passwords, but don't use it for anything else because you have a dedicated password manager now.


This is a serious issue in the Apple ecosystem, and since I use a MacBook I need to be careful. Although I only use it, more safety is still always a good idea. Thanks for the post.

A number of my friends were very surprised when I showed them that all of their passwords saved in browsers can be easily accessed in browser settings.

Thank you for documenting the process of moving these to a dedicated password manager. This is a much better practice.

Also, if your phone data plan is generous enough, it makes sense to use a tethering service to connect to the Internet on the go. Public WiFi routers are often compromised and can be used to install key logging software on your computer.
