The Complete Guide to Apple's New Passwords App: Passkeys, Verification Codes and More

Are your passwords scattered among multiple web browsers, dedicated utilities, the Notes app and a plethora of paper stickies hanging from the edges of your computer screen? Believe me, better ways exist to store -- and easily recall -- all of that sensitive information.

Apple's new Passwords app brings all your passwords and passkeys under one secure umbrella and is available now in iOS 18, iPadOS 18 and MacOS Sequoia. If you're ready to tame your tangle of passwords, this guide covers the main features of the Passwords app and how to easily access your critical information when you need it. It primarily covers Passwords from the point of view of the MacOS app, but the basics apply to the iPhone and iPad apps, too.

For more of what you can find in iOS 18 and MacOS Sequoia, read how to get more from your iPhone with nine unique iOS 18 features and eight real-world uses for iPhone mirroring in iOS 18 and MacOS Sequoia.

The Passwords app is the best kind of feature facelift

If the Passwords app sounds familiar, that's because storing passwords isn't new to Apple's operating systems. The app accesses a set of low-level Keychains that the operating systems use to store sensitive information such as credentials for websites and apps and security certificates.

Until now, this was difficult to access -- you had to open the more technical Keychain Access app (which is still available) or dig into system settings or Safari's preferences to find them.

The Passwords app on MacOS Sequoia has the same look and approach as the Reminders app.

Screenshot by Jeff Carlson/CNET

The new Passwords app pulls all that data together into a simple interface that lets you add and edit passwords, generate automatic verification codes, create passkeys and share selected entries with other people. If you've used Apple's Reminders app, the look and approach will be familiar. If you enable iCloud Keychain (in Settings > [Your Name] > iCloud > Saved to iCloud > Passwords and Keychain), the encrypted data securely syncs to the Passwords app on each of your devices.

It runs as a standalone app and ties into Safari to autofill site passwords. You can also access your passwords from a menu bar item. If your preferred browser on the Mac is Chrome or a Chromium-based browser such as Opera, you can install the iCloud Passwords extension for Chrome; Apple doesn't offer an official add-on for Firefox or DuckDuckGo, so be mindful of extensions that claim to work with iCloud Passwords.

How to save a new website password in Safari

Most of your passwords are likely for signing into websites such as your bank, online stores and other outlets. When you sign up for an account at a new site using Safari, Passwords prompts you to create a randomly generated secure password. Choose Use Strong Password, which creates a new entry in the app.

The Passwords app can suggest a strong password when you sign up for a new site.

Screenshot by Jeff Carlson/CNET

The Passwords app doesn't need to be open for this to work, since it's integrated at the system level.

How to create a new password in the Passwords app

The advantage of having a standalone Passwords app is to give you a better way to create and manage these passwords. Most of the time you'll be prompted to create a new password, there will be times when you'll need to manually do it.

1. Open the Passwords app and authenticate with your system password, Touch ID, Face ID or device passcode.
2. Click the + button or choose File > New Password.
3. Enter a title for the entry.
4. Type your user name in the User Name field (which could be an email address, depending on what the app or service requires).
5. Click the Password field and choose a secure password option that appears. You can also type directly into the field, but too often people use easily guessed or repeated passwords -- stick with the randomized ones the Passwords app is suggesting.
6. If you have any other information, such as recovery codes or details about an app purchase, enter those in the Notes field.
7. Click Save.

Create a new entry with a secure password in the Passwords app.

Screenshot by Jeff Carlson/CNET

When you create a password using this method, there's no Website field -- Passwords lean heavily on the process of capturing login information when you're using the site's fields to sign up or log in. You can add a link separately by clicking the Edit button in the entry you created and then typing or pasting the address in the Website field.

How to autofill your information using Passwords

The next time you return to a site and need to sign in, you'll be prompted to use Passwords to autofill your stored information. Select the account that appears in the pop-up and then authenticate using Touch ID or Face ID, depending on your device.

With a password saved in the Passwords app, you can use Touch ID (or Face ID, depending on the device) to fill in the login information.

Screenshot by Jeff Carlson/CNET

If the autofill prompt doesn't appear, go to the Passwords Menu Bar item and search for the site there. Select it and then click the User Name or Password fields (or one and then the other) to copy the content and paste it into your browser.

How to set up automatic verification codes

Having a secure password is just the first security step in this day and age. Many sites now recommend (or outright require) a two-factor authentication option as well. Sometimes this is the mobile number you use for texting to receive a one-time code that expires after a set amount of time. Or it could be an automatic verification code that randomizes every 30 seconds.

To set up 2FA on a site, sign in to it and access your account settings. Look for an option such as "Sign up for two-factor authentication" or similar. Enter your phone number or email address -- the type depends on what the site is using -- and send it. The site then sends a verification code in the method you supplied.

Set up a verification code that gets saved into the Passwords app.

Screenshot by Jeff Carlson/CNET

That might be all the site requires. The next time you sign in, you'll be prompted to authenticate using that method, in which case you'll get a new code.

The system can automatically delete a text message or email containing the code when you're done with it -- after all, that number combination will never work again. Go to System Settings > General > AutoFill & Passwords and turn on Verification Codes: Delete After Use.

There may also be another level of authentication that doesn't rely on sometimes spotty SMS networks and email servers. The site may accept a continuously changing code that is tied to your account, which can be generated at filled in using the Passwords app. Here's how to set that up:

1. In the two-factor authentication process, you'll likely be given a QR code to set up a verification code. Control-click the code and choose Set Up Verification Code from the contextual menu.
2. In the Passwords app, which automatically opens, select the entry for that site.
3. Click Add Verification Code.

Return to Safari and click the field asking for the verification code. A Passwords pop-up will appear for you to authenticate by entering the current code. If that doesn't appear, go to the Passwords app, click the Verification Code field and choose Copy Verification Code. Then paste it into the field in Safari.

The next time you log into that site, using Autofill will also apply the current verification code.

Set up a rotating random verification code that gets stored in Passwords and is available when signing in to a site.

Screenshot by Jeff Carlson/CNET

On the iPhone, the process is similar: When presented with a QR code, touch and hold it, then choose to Add Verification Code in "Passwords".

What are passkeys and how do I use them?

What if I told you we could just forget about passwords altogether? No more requirements that a password include at least 12 characters and numbers and special characters, not be a password you've used previously and also reference your favorite movie genre as expressed in prime numbers.

That's the promise of passkeys, a way of authenticating you using the secure hardware you're already using. With a passkey in place, you can sign into a site or app using Face ID or Touch ID on your iPhone, iPad, Mac or Vision Pro -- without typing a single character.

Setting up a passkey is similar to a 2FA method: Sign in to your account on a service that supports passkeys, view your account security settings and look for an option to create a passkey or security key. You'll get a prompt to store the passkey using Touch ID or Face ID (depending on the device you're using).

When you next sign in to that site, you won't see a password field at all: it prompts you to use the passkey instead.

With a passkey set up for a site and stored in the Passwords app, you don't have to deal with passwords at all.

Screenshot by Jeff Carlson/CNET

Not only are they more convenient, but passkeys are also more secure. One of the biggest problems with passwords today isn't the danger that someone will somehow break into your devices and steal yours -- it's the industrial-scale theft of thousands or millions of passwords from the companies you've created passwords for as a result of hackers breaking into those servers. That's useful for sites such as Amazon, Shopify and Uber, for example, which contain valuable sensitive information about their customers and are frequent targets for hackers.

Share selected passwords in groups

Your passwords are private, but sometimes you need to share them with someone. For example, let's say you and your spouse share a login to access a regular food delivery service. You can add the site's login information to a shared group in Passwords so you both have access to it. If you need to change that password, it's automatically updated in the Passwords app on their devices too. If you're using a passkey on your devices, they can also log in using a passkey that's created for their devices, securely tied to their Apple Account.

Sharing passwords involves creating a new shared group and then adding passwords to it:

1. In the Passwords app, click the + button that appears when you move the pointer over Shared Groups, or choose File > New Shared Group.
2. Type a Group Name.
3. Click the Add People button and choose the person from your contacts. Repeat if you're creating a group with several people.
4. Click Create.
5. In the next screen, search for (or scroll to locate) the password you want to share, and click the checkbox for it. Repeat for all of the passwords to share.
6. Click Move.
7. Optionally notify the other person by sending them a text message. Click Notify via Messages. Or click Not Now to not send a text -- they will still see the group invitation in their Passwords app.

Share selected passwords with someone else who is also using the Passwords app.

Screenshot by Jeff Carlson/CNET

Share a single password with someone

One great new feature in Passwords is a handy way to share a Wi-Fi password without divulging the password itself: You show someone a QR code that grants them access.

You can also share a password with someone near you over AirDrop:

1. In the Passwords app, go to the password you want to share.

2. Click the Share button and authenticate to grant permission.

3. In the AirDrop window that appears, click the icon of the person near you.

When the other person accepts, the password is added to their Passwords app.

To share a single password with someone nearby, the Passwords app uses AirDrop for the transfer.

Screenshot by Jeff Carlson/CNET

Import passwords from other services

What if you already use another password app, such as 1Password or Bitwarden? You can export your passwords into the Passwords app on the Mac. But there are a few caveats.

First, the Passwords app accepts only a CSV (comma-separated values) file, which is just a big unencrypted text file. Your current password tracker should be able to export the file, then go to File > Import Passwords in the Passwords app and select it.

Then, and this is crucial, remember to securely delete that CSV file so all your passwords aren't sitting around vulnerable. You can do that in the Finder by deleting the file, which puts it into the Trash. Next, open the Trash, right-click or Control-click the file and choose Delete Immediately.

The other thing to keep in mind about importing passwords is that not everything may come over. 1Password, for example, stores items such as secure notes and credit cards that are not imported into the Passwords app.

What the Passwords app doesn't offer

When Apple announced the Passwords app as part of iOS 18 and MacOS Sequoia, some people wondered if the company had just "Sherlocked" other password keepers. The term comes from an old MacOS feature called Sherlock, which lets you search your computer for more than just file names. Other search utilities did the same thing, but when Apple built the feature into the system, it killed the market for many of those third-party apps.

On the surface, it sure sounds like Apple Sherlocked utilities such as 1Password, Bitwarden and LastPass (although LastPass and its poor security have done more damage to itself). Although Passwords assumes the core functions of storing and applying passwords, other apps still have their own advantages:

Sharing between platforms: Other apps have iOS, MacOS, Windows and Android apps. Sharing between family members on different platforms: Similarly, if you want to share passwords with someone who isn't in the Apple ecosystem, a third-party app is the alternative. Other types of secure information: If you want to store sensitive data like notes, documents, credit cards and bank account numbers in one place, look to another app.