In my view, a useful backup system must be (1) chronological, (2) granular, and (3) redundant. A chronological backup system includes multiple historical snapshots of your data, allowing you to recover not only the latest version of your data but also past data that has been deleted or edited. A granular backup system allows you to selectively recover specific fragments of data from your backup without disturbing, deleting, or corrupting the rest of your current data. A redundant backup system includes multiple backups of the same data, stored in geographically distinct locations, to guard against disastrous data loss in one location.
According to these three essential criteria, iCloud Keychain is not a proper backup system. In fact, it fails to satisfy any of the criteria. iCloud Keychain stores only one version of your passwords, the latest version, so it's not chronological. You can't extract a single password from iCloud Keychain without restoring—that is, overwriting—every password, so it's not granular. And the only way you can restore your iCloud Keychain passwords is via Apple's online iCloud service, so it's not redundant. If you lose access to iCloud for some reason, such as an internet outage or an account lockout, or if your iCloud Keychain data becomes corrupted in some way—which happens!—then you're left with no alternative backup.
I think the fairest way to characterize iCloud Keychain is not as a backup system but rather as a sync system. And there's nothing inherently wrong with a system that's dedicated exclusively to syncing data between your devices. The problem is not simply that iCloud Keychain provides no backup system but also that iCloud Keychain is hostile to backup systems.
Contrast iCloud Keychain to the login keychain on your Mac. The login keychain is relatively friendly to backup systems. It consists of a single file on disk that can be copied to other disks and read by the Keychain Access app on any Mac, as long as you know the login password. And you can copy individual keychain entries—a password, secure note, key, or certificate—from one keychain to another keychain, using standard copy and paste. If you have a backup system for the Data volume on your Mac, or for your home folder on your Mac, you thereby have a backup system for the login keychain, because the login keychain is basically just an app-specific document file.
As far as I'm aware, the only way to get passwords in or out of Apple Passwords, aside from using Safari AutoFill, is to import from or export to an unencrypted comma-separated values (CSV) file. This is far from ideal, for at least two reasons. First, the lack of encryption, storing your passwords in plaintext, is of course a potential vulnerability. Second, generating CSV files from Apple Passwords is an entirely manual process. It doesn't fit well with a regular backup system for your Mac. Indeed it's totally incompatible with an automated backup system.
I use Safari password AutoFill, because it's extremely convenient, but I don't rely on Apple Passwords to store the sole copy of my passwords. When I create a new online account, I generate the (long, random) password separately, save it in my login keychain, and then enter the password in the web form for Safari to save too. This is the only way to ensure my passwords get proper backups.
Below are some quotes from the Apple developer documentation on Mac keychain APIs and implementations.
macOS has two keychain implementations:
File-based keychain
Data protection keychain
The file-based keychain has its origins on traditional Mac OS. The data protection keychain originated on iOS and came to macOS with the advent of iCloud Keychain on macOS 10.9.
The file-based keychain is on the road to deprecation. It’s not officially deprecated, but some of the APIs surrounding it are. For example,
SecKeychainCreatewas deprecated in the macOS 12 SDK. Moreover, new features, like iCloud Keychain, require the data protection keychain.
On the "road" to deprecation, Apple has made a number of significant changes to the Keychain Access app on macOS 15 Sequoia. First, they moved the app from /Applications/Utilities/ to /System/Library/CoreServices/Applications/ and automatically removed the app from your Dock if it was already there. During the WWDC beta period, every new beta version continued to remove the app from your Dock, but eventually they allowed you to keep it there. Second, even if you manage to find Keychain Access app on disk, Apple aggressively pushes you toward Passwords app instead.
Third, you can't even open Keychain app and view the list of keychain items without entering your keychain password first. But you still have to enter your password again when you select the "Show password" checkbox for a particular item (unless you add Keychain Access app under "Access Control").
Fourth, and worst, the New Secure Note item has been removed from the File menu! You can still view your old secure notes in your keychain, but you can't create new secure notes. Apple wants you to use the Notes app instead. This is extremely inconvenient, for several reasons. I want to manage all of my passwords and secure notes in one place. I need proper backups, but Notes app appears to suffer from the same hostility to backups as Passwords app. And for some reason, unlike the login keychain, locked Notes can't be locked with your login password unless you enable iCloud Keychain.
Fortunately, I have a workaround for this problem, which is to create a new password item rather than a new secure note, putting the secure note in the Password field and a dummy value in the Account Name field. Nonetheless, this is such a stupid, passive-aggressive restriction on Sequoia.
If Apple continues with the deprecation of file-based keychains, I don't know what I'll do. I suspect at that point, I'll be forced to abandon Apple software entirely for password management and move to a third-party solution. (I am fully aware of the alternatives, so please do not contact me with alternative suggestions! If I had to switch today, I'd probably choose Strongbox, which is based on the open source KeePass.)
At WWDC 2018, Craig Federighi offered an emphatic denial to the rhetorical question, "Are you merging iOS and macOS?"
In retrospect, six years later, that was clearly a lie. The merger has continued unabated. Apple's developer documentation quoted above openly admits that file-based keychains were designed for the Mac, while opaque data protection keychains were designed for iOS. Of course, iOS doesn't give users direct access to the file system, unlike macOS, so in my view the deprecation of file-based keychains is a sign that Apple is making macOS more like iOS, to the detriment of Mac users. In general, iOS itself is hostile to backup systems. Although it is possible to back up your iOS device to your Mac via USB, the backups lack granularity, one of the essential criteria that I listed at the beginning of the blog post.