Password Managers for Mac Users in 2024

We all have so many passwords to keep track of! If you’re still not using a password manager, make it your New Year’s resolution to start.

I last wrote about this two years ago in Notes on Password Managers. In this note, I’ll talk about the password manager I was using, what I switched to, and why I made the change.

The Landscape

First, I’ll mention the password managers that everyone recommends:

  • For most people1Password is the standard recommendation. It’s high-quality, proven secure, and easy to use.
  • For techies the standard is Bitwarden. It’s highly functional but has a more barebones interface compared to 1Password. Unlike 1Password, it has a free basic version.

What I Was Using

For years my family and I used 1Password. All password managers have the same core features, but 1Password was the most polished and the easiest to use, especially compared to competitors like Bitwarden or Lastpass. It is trustworthy, and has a well-documented security design.

So why did I switch?

Starting in 2019, 1Password began to focus on the enterprise market. They developed great features for big-company customers, like automatic AWS sign-in, SSO, and fingerprint auth for SSH.

Unfortunately, development stalled on consumer-facing features and fixes, which has become frustrating for technical users like me and consumers like my family.

Requests by technical users are met with friendly but vague corporate responses. For example, there’s a long thread asking for the techie-favorite Orion browser to be supported, which took months, with the Orion developers reporting that they had been ignored. Meanwhile, the enterprise Arc browser was instantly supported. Posts questioning this were removed from the support forum.

More recently they added telemetry, which has not been well-received.

Development of the browser plugin, arguably the most important part for consumers, has also stalled. In May 2022, 1Password released a major update changing how passwords are organized, with a new concept called Collections. As of January 2024, the browser extension still doesn’t support these changes, creating a confusing situation.

In short, development stalled on features users care about.

What I Am Using Now

I’ve switched to Apple’s built-in password manager, which I am calling iCloud Passwords. Unfortunately, it doesn’t have an official name. You can find documentation here for Mac, here for iPhone, and here for Windows (!!). Over the last two years, the Authentication Experience team at Apple has thoroughly improved this feature.

_Apple-provided screenshot. Not my accounts._

This is a password manager, not for other data like 1Password. For items like software licenses and health insurance cards, I am considering Apple Secure Notes or encrypted disk images.

iCloud Passwords does passwords very well:

  • Reliable autofill that doesn’t block fields I am trying to fill in
    • It has the best autofill implementation that I’ve seen
  • Excellent passkey support that could eliminate passwords
    • 1Password can do this, but I never got it to work
  • Free, built-in sync across Apple devices
  • Selective password sharing

However, there’s no dedicated app! It’s only a settings panel. You should install this unofficial Shortcut for easy access on your iPhone and Mac.

Apple needs to make this an official named product with its own app. If they do, it will likely become the go-to password manager for Apple users. For now, it remains hidden in Settings.

And it has become a favorite among Apple tech nerds. It helps that the lead developer engages on Mastodon, building goodwill.

You can import from 1Password, but I’m manually moving over passwords as needed. There are too many old, dead passwords in my 1Password vault.

So far, I’m very happy with the switch.

The Very Short Intro to Mastodon

This is a very short primer for people who want to move from Twitter to Mastodon.

For most users Mastodon works a lot like Twitter. You sign up, and start using it. You can follow people and be followed. You can post (tweet), you can “boost” (re-tweet), and you have a timeline of posts from the people you follow.

Screenshot of a Mastodon home page

The main obstacle that people have when signing up for Mastodon is that the first step is “choosing a server”. That sounds complicated. What does it mean?

Unlike Twitter, Mastodon is not one company or service. There are many Mastodon services. But it doesn’t matter which service you sign up for. Services can communicate with each other. Think about email: you may have Gmail and your friend uses Hotmail, but you can still send email back and forth. It doesn’t matter that you are on two different services. The same is true of Mastodon.

  1. Pick a service. I’d recommend one of the bigger ones. The bigger services are more likely to be around for a long time and your posts will have more visibility. Some that are accepting sign-ups are: masto.ai, mas.to, mastodon.world, and universeodon.com.

  2. You can use the web site of your chosen service, but you can also use an app. Popular ones are the official Mastodon app, whimsical and reliable Toot! for iPhones, and Tusky for Android.

  3. Follow people! Use the search feature to find people by name, or, if you know their Mastodon handle (which looks like this: @ns@hachyderm.io), enter that in the search box. You can also find the people that you were following on Twitter, on Mastodon. See the section below, Following People from Twitter.

So the short version is: Go to one of the following and sign up:

Then enjoy Mastodon! 🎉 🐘


Technical Notes

Following People from Twitter

You’re not the only one. A lot of people moved from Twitter to Mastodon (hashtag #TwitterMigration). If you were following a bunch of people on Twitter and would like to find them on Mastodon, use Movetodon. This is becoming less effective as Twitter tries to stop people from moving to Mastodon, but for now it still works.

Moving Servers

If you don’t like the server you picked, you can move servers. This capability is built-in to Mastodon, under Preferences → Account.

When you move servers, all of your followers move with you automatically. You can move your followed list too; there’s a nice import/export function for that.

However, your previous posts don’t move.

Picking a Server

Here’s why I said that you should sign up for one of the bigger services.

Besides those services being likely to be around for a long time, another reason is visibility. If you are on a tiny server, no one will see your posts unless they are following you, or someone who follows you “boosts” (re-tweets) your post, or your post is a message to them or a reply to a message in their feed.

Every Mastodon server has a Local Feed that you can view. The Local Feed is everything being posted by the people on that server. By signing up on a popular server, when you post, it will be available on that server’s Local Feed. It’s also a good place to find other users you might want to follow. On a less-popular server, it may be harder for your posts to be noticed and gain traction, if that matters to you.

The other reason is that some servers are known for hosting violent or objectionable content. Many of the mainstream servers block these servers (technical term: they “defederate” from these servers). The mainstream servers are not going to be blocked by other mainstream servers.

With that said, there can be good reasons to pick a specialized server. There are themed servers dedicated to specific communities. For example, if you are an astronomer, you may want to be on astrodon.social. Many of the members are professional or amateur astronomers, and the Local Feed on that server is mostly astronomy-related posts. Of course, you can post about anything, and posts can be viewed by anyone anywhere, but a server built around a specific topic can be a good way to find your community.

There are themed servers for science and technology topics, as well as regional (city/state/country) themed servers, and servers for all kinds of specific communities, such as LGBTQ+, musicians, Etsy sellers, Christians, people with specific health conditions, and so on.

A list of themed servers is at: fediverse.party/en/portal…

Most Mastodon servers list the number of users right on their home page. Beware if the server is very small. It may be run as someone’s hobby and there’s no guarantee it will be around for a long time.

Finally, you may care about how well-run the server is. You don’t want a slow server, or one that is always having technical problems. The Fediverse Observer can reveal whether the server you’re interested in is a dud. For example, this popular server has only a 65% uptime.

Wow, I’m super impressed with The Archive, a note capturing app using the Zettelkasten method. It’s so minimal that some reviewers thought it wasn’t a serious app, but it’s carefully and thoughtfully designed, fast and reliable.

zettelkasten.de/the-archi…

Notes on password managers

I recently tried the Orion web browser. What makes this browser unique is that it isn’t a reskinned version of Chrome/Chromium. Instead it uses WebKit, the same browser engine as Safari, with many of the same privacy protections. And, the killer feature: it runs extensions built for Chrome or Firefox.

One extension that I use is 1Password. Unfortunately, while the Chrome and Firefox versions of the 1Password extension do load in Orion, they don’t really work. There are lots of people asking for this on the community forum, but given 1Password’s recent focus on enterprise customers, and the likelihood that an executive at a Fortune 1000 company has ever heard of Orion, don’t expect it to be supported any time soon.

So I decided to try some other password managers. To be clear: I don’t really want to switch from 1Password, and I wouldn’t do it just for Orion support. But it’s good to stay informed.

The features that are important to me are:

  • Good Mac and iOS support
  • Ability to share a subset of passwords among family members
  • A subscription is okay, if reasonably priced

Simple, right? These are my notes as I’ve tried various competitors.

Bitwarden

bitwarden.com

Bitwarden is one of those open source projects that turned into a company. Unfortunately it shows. The app is very functional, but the UI/UX is janky. We’re talking CAPTCHAs to login to the desktop app; modal dialog boxes that have to be scrolled to get to the buttons at the bottom; low-effort implementation, like an import feature that doesn’t detect duplicates; and so on. You know the deal: a programmer-designed web site bundled as an Electron app.

Feature-wise, it’s got it all. They have a family sharing plan and good pricing. It can store multiple entry types including logins, credit cards, and secure notes.

The browser extension mostly works, including in Orion. I like that it doesn’t try to autosubmit forms, but I couldn’t get it to copy one-time codes to the clipboard.

A major drawback is that you can’t set up one-time passwords from the desktop app, only from the mobile app.

Bitwarden is acceptable, but I would be annoyed by the bad UI/UX and have a nagging worry about how safe it is. You can’t judge a book by its cover, but with so little attention paid to UI/UX details, it makes me wonder how much attention they paid to details like encryption and security.

Remembear

remembear.com

This is the polar 🐻‍❄️ opposite of Bitwarden in terms of UI/UX. The grizzly bear graphics and puns are cute and polished. The UI is native, thoughtful, and friendly. It supports multiple entry types too.

It doesn’t offer a family plan, so it isn’t a true option for me. But it looked like so much fun that I had to try it.

I couldn’t get the browser extension to work in Orion. It’s also expensive (but the pricing would be fine if it was for a family plan).

NordPass

nordpass.com

Like Remembear, this is a password manager from a VPN company. Although it’s an Electron app, it’s very well designed and feels mostly native. I had a hard time getting its browser plugin to work in Safari (eventually I got it to work), and I could not get it working in Orion.

Sorry if I’m not going into much detail here, but at this point a basic UI for storing multiple item types is table stakes. NordPass passes this test, but switching from 1Password feels like a lateral move, and 1Password is more widely used, supported, and likely to continue to be supported going forward.

Dashlane

dashlane.com

Dashlane is another well-known password manager. I get the feeling it’s the second-biggest player in the Mac market, after 1Password.

It was okay as a 1Password replacement but they seem to be in some kind of transition between feature sets and user interfaces, as some of the documentation I found mentioned features that changed names or were not available in the desktop app. I was able to install the desktop app, but it is deprecated, which puts Dashlane out of contention for me and my family.

LastPass

lastpass.com

I used LastPass a few years ago. It felt similar to Bitwarden. Remember when I said that a bad UI/UX makes me wonder if they paid attention to details like encryption and security? Well, LastPass doesn’t give me confidence.

Are some of those old? Yes. Are some of them possibly not security breaches depending on your PR department’s definition of a breach? Perhaps. Am I going to try LastPass again? Nah.

The end?

I’m growing tired of installing and testing password managers. Maybe later I’ll try one of the true open source options like KeepAssXXX (I may have spelled that wrong). If so, I’ll post about it.

For now I’m a moderately unhappy long-time 1Password user. Unhappy that they are focusing on enterprise users over consumers; unhappy that they’re abandoning their native app; and wishing they had a less corporate/enterprisey response to questions on their community forum. On the other hand, it’s a proven system. I’ve already invested time and money in it, and it would take effort to move my whole family.

Hello, world!

With The End Of Twitter As We Know It® coming later this week, it’s time to check out micro.blog.