by _1tem 532 days ago
Important to note that not all password managers are equal. Using Apple’s built-in password manager is more secure because it is inherently tied to your biometrics and authentication is hardware-based, i.e. Secure Enclave. This is categorically different from web services like Bitwarden or 1Password authenticated by login email and 2FA codes. Even if someone got into your Apple ID they still would be unable to view or sync your passwords without biometrics.
3 comments

Absolutely the opposite. Using Apple's built-in one is less secure because it is within the ecosystem that you are subject to; if you are locked out of said ecosystem, you are locked out of everything. Password managers should never ever be inside your ecosystem. That is why people often manage the database syncing themselves and rely on the database's own strength, e.g. kdbx.
To insure against being locked out of my Apple ID I simply export and store my own backups periodically. Good idea regardless of which provider you use.
It's not a good thing at all that what manages the secrets of my digital life is hardware-based... on the hardware of one single vendor.
You have to trust your device manufacturer anyway.
iCloud syncs passwords between your devices.

If someone can log in via your Apple ID, which means that the person knows username/password, and can also convince you to provide them with the 2FA code that gets shown on your existing device, they can just add a new device to your account, and get passwords to sync to it.

If someone knows your username and password and can convince you to give them a TOTP code, then yeah they can log in to your account. That’s hardly iCloud-specific.
iCloud Passwords is more secure than that. Even a TOTP code and password is not enough to initiate a password sync. You also need to biometrically authenticate a previously synced device.
Thinking about it, what happens if you lose your eyes or your fingertips (say, for example, from frostbite)? Are you just screwed or is there a recovery method?
I make my own encrypted backups from CSV exports.
Nope. Check the Apple documentation, that’s not how it works. Even if Mallory gets your Apple ID and 2FA code you still need biometrics from a nearby device to initiate password sync.

This is a special requirement for Passwords that does not apply to other encrypted data in your Apple account.