[RGS1811]

The most disturbing thing about iCloud Keychain is that you can get access to all of your stored passwords just by unlocking a device linked to your Apple ID. Not just the ability to log in with them, the actual plaintext.

[falcolas]

Urm, if you have the ability to log in with a password to a website, you require the plain text password. Keychain also prompts for your user password before allowing plaintext access, not just the fact you're logged in.

Not sure what else is expected in this case, you'd get the same behavior from most other password managers.

[RGS1811]

Keychain doesn't prompt for your user password on iOS. Just your unlock code. That's what bothers me.

[nextstep]

But iOS won’t reveal the plaintext password from the keychain to the user (it will only autocomplete forms).

[lotsofpulp]

It will if you go to settings->accounts and passwords.

[hrktb]

you still get a password or touch if prompt before showing the passwords.

[lotsofpulp]

I assume RGS1811 was worried about someone using your finger for TouchID or face for FaceID, involuntarily. I also worry about that, especially if you get knocked out or black out or something, but I think the solution is to not have important login info in the keychain at all, such as access to money (bank apps), email, or other uses that can be used to verify your identity or steal from you.

[jsjohnst]

Don’t use a basic unlock code then. I use an XKCD style passcode to unlock mine.

[geocar]

This isn't unique to Apple: Google has adopted the same policy.

It's not clear what the best solution is here, or if the best way to have the conversation about it follows hyperbole like "the most disturbing thing".

I think password managers are on the whole a good thing because people are using more (stronger) passwords.

I also think the password manager could (at least on trusted hardware like an iPhone) provide some protection from the attacks you're alluding to, such as a tarpit that slows access to the password database, but they certainly won't offer any protection on a desktop machine without specialised hardware and it might be difficult to get right -- difficult enough that new security vulnerabilities are introduced instead.

What exactly do you propose?

[discreditable]

I think Firefox's solution is a little better. You can set a master password which is used to encrypt the password database. To unlock you have to enter the password. You can browse without unlocking.

[geocar]

Both the iPhone and Google Chrome ask for authentication before showing the passwords.

Firefox works similarly: Once you unlock it, you see all the passwords. On an iPhone or Google Chrome, you have to click each password you want to see.

[sowbug]

Fortunately, Chrome for Linux and Chrome OS don't ask. Both OSes trust users to control access at the session level.

[gok]

You need a second factor (physical access to a device already in the circle) to add a device to the iCloud Keychain.

Edit: I see you are worried about devices already linked

[matthewmacleod]

I don't believe this is entirely accurate – a further auth prompt is always required before revealing plain-text passwords.