In the latest versions of OS X and iOS, Apple's new iCloud Keychain provides one of the most important pieces of functionality for security-conscious users: a password manager.

Unfortunately, it's kind of a mess. iCloud Keychain does accomplish the most basic things you'd expect a password manager to do, but it often does so in an awkward manner. Important functionality is hard enough to find that it may be effectively hidden from the average user, particularly on iPhones and iPads.

Ultimately, iCloud Keychain can be put to good use if you've carefully examined what it does well and doesn't do well. It works best as a complement to a complete service like 1Password or LastPass, but it just isn't convenient and robust enough to act as a standalone password manager.

The short version is that iCloud Keychain does a good job of automatically entering passwords in websites on Apple's Safari browser, both with iOS devices and Macs. It does not work with any third-party browsers on OS X or iOS. It cannot fill in passwords on an iOS app unless the developer of that app has done some legwork to integrate with iCloud Keychain. Worse, it stores the passwords in an inconvenient location on iOS, making it hard to copy and paste passwords for those cases when iCloud Keychain can't automatically fill them in. Finally, it lacks some of the basic features that make standalone password managers more than just password managers, such as syncing of encrypted notes across both desktops and mobile devices.

Setting it up

iCloud Keychain is available in OS X Mavericks for Mac computers and iOS 7.0.3 for iPhones, iPads, and iPod Touches. When you set up any such device, you'll be asked if you want to use iCloud Keychain. With the first device, you'll choose either a four-digit numeric code or a complex password to secure the keychain. To add any subsequent device to iCloud Keychain, you can type in the passcode or approve the new device from a device that already runs the password manager.

You can also set up iCloud Keychain without any passcode or password. Apple states in a support document that this allows you to store passwords "only locally" on your devices, but it's clear from our tests that the system stores passwords in the cloud no matter what. The difference is that without a passcode there won't be a permanent backup of your keychain that you can restore if you happen to lose all of your Apple devices. You'll also have to approve any new device from an existing device, with no option to access the keychain with just the passcode. We covered this and other security aspects of iCloud Keychain in a previous article this week.

For myself, I don't mind storing some website passwords with iCloud, but I prefer to keep my most crucial credentials (banking, credit cards, etc.) in 1Password. But let's just say you want to trust all your passwords to Apple. How can you use iCloud Keychain effectively?

Work within Apple's limitations

First off, make sure you always use Safari. When you fill in passwords or create new Web accounts, iCloud Keychain will offer to save your passwords and create new, complex ones if you need them. While most password generators will let you change the default length and composition of the password, iCloud Keychain in Safari always makes passwords of 12 letters and numbers and three dashes:

If you want a longer password, you'll have to come up with it yourself, which sort of defeats the purpose of having an automatic generator. But since iCloud Keychain will sync your password across devices, that's perhaps not a huge deal. You can just bang a bunch of random characters into the keyboard without worrying about remembering them.

Still, I prefer the 1Password approach better:

If you want your passwords in iCloud Keychain to be automatically filled in on Safari on any Mac or iOS device you use, you'll have to click a couple of settings. In Safari on Mac, go to Preferences and then Passwords and click the box that says, "Autofill user names and passwords." If you want, also click the box next to, "Allow Autofill even for websites that request passwords not be saved."

As John Siracusa notes in the Mavericks review, "enabling this override requires that the Mac be configured to lock the screen when idle. Second, Safari still fails to auto-fill passwords on some websites, most notably Apple’s own icloud.com."

Once you get out of Safari, things become less convenient. On the Mac, 1Password has a standalone desktop application, a Menubar tool, and extensions for every major browser. That makes generating passwords and filling them in easy no matter what you're using.

iCloud Keychain's non-Safari functionality is found in the Mac's Keychain Access tool:

This is where you'd go if you need to copy a password to paste into a non-Safari browser or a desktop application. (You can also copy passwords into the Mac's clipboard from within Safari by going into Preferences and selecting the Passwords tab.) For example, let's open my Twitter password entry in Keychain Access:

If I click "Show password," I will be asked to enter my keychain password, which happens to be the same long passphrase I use to unlock my computer. If I enter that correctly, the Twitter password will become visible, and I can copy it. Somewhat frustratingly, clicking that lock on the bottom right opens up a password generator that lets you create passwords of arbitrary length and composition:

I say that it's frustrating because the same option doesn't appear in Safari, where it would be more useful.

iOS syncing limited to passwords, excludes secure notes

Let's switch gears and look at iOS. This is where iCloud Keychain starts to get simultaneously more useful and more frustrating.

Because of the restrictions Apple places on third-party applications for iOS, password managers can't automatically log you into websites on Safari. They can include a browser within their app, but not integrate with an iPhone's or iPad's default browser.

Apple is Apple, so it doesn't face those restrictions. iCloud Keychain is thus the only password manager to integrate with Safari on iOS (barring some jailbreak tweak I'm not aware of).

iCloud Keychain won't integrate with most third-party apps today, since developers have to add that integration themselves. "Developers can update their apps to work with iCloud Keychain," Apple says. "Passwords saved by those apps are then kept up to date on all devices that use the app and [are] running iOS 7.0.3 or later or OS X Mavericks v10.9 or later."

In Safari on iOS, iCloud Keychain works as well as it does on the Mac, filling in logins and helping you generate passwords for new ones. As on the Mac, you have to click some settings to make sure it works. Head into Settings/Safari/Passwords & Autofill and click "Names and Passwords" and "Always Allow."

The process of copying a password into the iOS clipboard so that it can be filled into an application other than Safari seems unnecessarily difficult to figure out. But if you go into Settings/Safari/Passwords & Autofill/Saved Passwords, click an entry, then type your phone's passcode, you'll see a list of logins in alphabetical order. There's no way to search the list, so just scroll until you find the entry you want, click it, and you'll see something like this:

There's no indication on the screen that the password can be copied, but if you hold your finger down on the user name or password, you'll receive that option. Unfortunately, you can't click on the website itself. After becoming accustomed to 1Password, I assumed clicking a website in a password manager's login list would automatically open the browser and fill in the login. With iCloud Keychain, that's not the case. You can't even copy the URL and paste it into Safari manually.

What's also frustrating is that the password entries don't contain any notes you might have made in your keychain entry on the Mac. In the screenshots earlier in this article, you can see iCloud Keychain on the Mac lets you add comments to individual logins or make standalone secure notes.

As we described in our article, "The secret to online safety: Lies, random characters, and a password manager," a strong personal security strategy may include making up nonsensical answers to security questions, which are too easy to break if you use standards like "Mother's maiden name." A good password manager will let you store any additional information you need for each login and sync it across both desktop and mobile. iCloud Keychain doesn't do that.

Useful, but not as useful as it should be

iCloud Keychain is indeed a useful addition to OS X and iOS, especially for people who use Safari across both operating systems. On iOS, iCloud Keychain fills the chief gap in third-party password managers—the lack of integration with Safari. For something that comes free with the operating system, that's a nice feature. Combined with the automatic password generator (despite its non-customizability), iCloud Keychain can help people who don't already use a password manager improve their defenses against hackers.

But in almost every other way, iCloud Keychain falls short of the functionality one expects from a paid password manager. The lack of cross-browser support, the password generator's limitations, the inconvenient locations of keychain information, and the failure to sync secure notes across desktop and mobile are all entries for the cons column. It's possible Apple will fill in all the gaps someday, but as of now, people who take security seriously aren't likely to find everything they want in iCloud Keychain.