Where exactly is Apple ID password stored?

Excluding in a password manager such as Keychain, technically, the Apple Account password isn’t stored anywhere. A password hash or a passkey is stored.

On macOS, the password hash is stored in what amounts to a local LDAP database, the same sort of authentication database used for network authentication with a directory server.

Apple typically uses a password or passcode as a path to the data decryption key. No password or passcode provided means no decryption means no data access.

Why “technically” not stored? The provided password is hashed using a cryptographic algorithm, and the hash is then compared against the previously-saved password hash. The password hash algorithm used is intentionally designed to be exceedingly difficult to derive the clear-text password from a hash. And a password manager can have cleartext passwords, though using passkeys is preferred there.

Oh, and that massive password leak wasn’t news. It was a collection of data from old leaks that leaked again. Complete nothing. The hype around the inclusion of Apple accounts (and the associated passwords to other sites) was clickbait too, as that inclusion is normal in most any dump, as lots of people use their Apple accounts.

Yes, the previous password dumps can be problematic. Re-using passwords is, however, a precarious strategy at best and best avoided, just as soon as one site leaks they all leak. This is why password managers with generated passwords or passkeys are useful, and why enabling two-factor authentication is important.

If you want to know some of where your credentials have previously leaked, use the Apple Security Recommendations feature that is available on all recent versions, and also review what is available in haveibeenpwned.com website.

More reading: Apple Platform Security - Apple Support

gomobel wrote:

Thanks Mr Hoffman, that's really useful.

I do have 2FA activated, it's just that I found the whole process of password protection a bit frustrating in cases such as forgetting. I would have expected the Passwords or Keychain apps to store the information, like they do for other logins such as webpages and WiFi networks. These easily unlock with administrator privileges, however the iCloud password is never revealed for some reason.

There is an Apple Account t password, and most Apple Accounts can be used with iCloud. There isn’t a separate iCloud password, it’s all tied to an Apple Account. Some of us might be using two separate Apple Accounts for our stuff and our iCloud data, if our Apple Accounts are of a certain vintage. Others and particularly newer accounts will usually have everything tied to one Apple Account.

But as for your question: Apple does not save the Apple Account password, as they don’t need to save it.

The cleartext password is not saved.

Your expectation that cleartext passwords are saved is an older security scheme, weaker, and is vulnerable to people rummaging the password storage to enlarge an existing security breach.

There are services that do this and do store cleartext passwords, unfortunately. And password managers fundamentally do have to store cleartext passwords, or preferably passkeys, or digital certificates.

Apple typically uses the password or passcode as a decryption key for the data, and may store the password hash for some operations, but does not store the password anywhere. By using the password as the data decryption key, the password does not need to be stored, nor does the password hash. Either the decryption works and the password is good, or the decryption fails and the password is bad.

Outside of a password manager usage, looking up a cleartext password in a file usually means the implementor messed up. Bad.

MrHoffman wrote:

Excluding in a password manager such as Keychain, technically, the Apple Account password isn’t stored anywhere. A password hash or a passkey is stored.

About this – where exactly is this stored? I have tried locating the different mentions to Apple Account / iCloud in my keychain but still unsuccessful.

In modern security, a cleartext password is not stored. Not outside of a password manager where that is needed, or in somebody’s notebook of passwords or yellow-sticky notes, or in somebody’s own memory.

Apple uses password hashes where they need that, and does not store the passwords where they can avoid it. Apple security is usually robust against the security attack you’re attempting here, too; looking for cleartext passwords.

As for your security profile more generally, here is how to adjust it: Better Securing Your Data, and Apple Acco… - Apple Community

gomobel wrote:

MrHoffman wrote:

Excluding in a password manager such as Keychain, technically, the Apple Account password isn’t stored anywhere. A password hash or a passkey is stored.

About this – where exactly is this stored? I have tried locating the different mentions to Apple Account / iCloud in my keychain but still unsuccessful.

Unless you at some point stored it manually, or accepted to it being stored after logging in to an Apple website such as iCloud.com or even music.apple.com or tv.apple.com when asked it won't be there.

It is not stored there by default.

If it were stored, you can see the plain password in the passwords App by tapping on the ******.

Phil0124 wrote:

…

Unless you at some point stored it manually, or accepted to it being stored after logging in to an Apple website such as iCloud.com or even music.apple.com or tv.apple.com when asked it won't be there.

It is not stored there by default.

If it were stored, you can see the plain password in the passwords App by tapping on the ******.

And Apple has been storing passkeys for some accesses too, which avoids the whole cleartext password.

gomobel wrote:

A few weeks ago, after reading about a massive password leak that affected Google, Apple, and other big tech giants, I panicked and changed my Apple ID password – and decided to keep all my devices connected to avoid the hassle of having to log-in, again, in iPhone, iPad, Mac, etc.

Forbes is well known for click-bait headlines....

Once you've forgotten it, is it just impossible to reveal?

Yes.

If you want to protect your account, make sure you have Two-Factor Authentication enabled. Also, consider using passkeys where they are available.

About the security of passkeys - Apple Support

gomobel wrote:

Hiya!

I've just had a bit of an odd problem and after searching the web for a while I really haven't figured out an answer, and I thought that maybe posting it here would help, at least to get some pointers in the right direction.

A few weeks ago, after reading about a massive password leak that affected Google, Apple, and other big tech giants, I panicked and changed my Apple ID password – and decided to keep all my devices connected to avoid the hassle of having to log-in, again, in iPhone, iPad, Mac, etc.

Apple has NEVER had a massive password leak. Neither has Google. Neither has Microsoft. I don’t know what your source is, but it is BS. There have been massive password leaks, like the US Government’s Human Resources department that leaked personal information about ALL government employees, including the CIA; Equifax, that leaked account and credit information of 140 million users; several large healthcare providers that actually prevented them from treating patients.

Lawrence Finch wrote:

Apple has NEVER had a massive password leak. Neither has Google. Neither has Microsoft. I don’t know what your source is, but it is BS.

Forbes, based on the link. And we know how they feel about Apple.

IdrisSeabright wrote:

Lawrence Finch wrote:

Apple has NEVER had a massive password leak. Neither has Google. Neither has Microsoft. I don’t know what your source is, but it is BS.

Forbes, based on the link. And we know how they feel about Apple.

The original source of that reporting was apparently another entity, Cybernews. Not Forbes.

Forbes and Cybernews are among the information sources that I’d prefer to verify their reporting first, before acting.

Follow-up from the time:

• https://www.bleepingcomputer.com/news/security/no-the-16-billion-credentials-leak-is-not-a-new-data-breach/

With the increasing AI slop, and longstanding efforts towed market manipulation and hype, with short deadlines, and the need for clickbait, there can be a lot of rubbish and clangers in the Apple echo chambers and the security echo chambers, unfortunately.

Thanks for the clarification. I've stopped reading Forbes. I am familiar with Cybernews but I will keep in mind what you've said.