{
	"id": "a711114c-192a-412b-a946-a5d535f58ab1",
	"created_at": "2026-04-06T00:06:28.181512Z",
	"updated_at": "2026-04-10T13:11:33.550564Z",
	"deleted_at": null,
	"sha1_hash": "c04ce72f6a356b63dfe57d58bf3c3eab03db7e29",
	"title": "Six Ways to Decrypt iPhone Passwords from the Keychain",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937127,
	"plain_text": "Six Ways to Decrypt iPhone Passwords from the Keychain\r\nBy Vladimir Katalov\r\nPublished: 2018-12-18 · Archived: 2026-04-05 18:42:16 UTC\r\nIn Apple’s world, the keychain is one of the core and most secure components of macOS, iOS and its derivatives\r\nsuch as watchOS and tvOS. The keychain is intended to keep the user’s most valuable secrets securely protected.\r\nThis includes protection for authentication tokens, encryption keys, credit card data and a lot more. End users are\r\nmostly familiar with one particular feature of the keychain: the ability to store all kinds of passwords. This\r\nincludes passwords to Web sites (Safari and third-party Web browsers), mail accounts, social networks, instant\r\nmessengers, bank accounts and just about everything else. Some records (such as Wi-Fi passwords) are “system-wide”, while other records can be only accessed by their respective apps. iOS 12 further develops password auto-fill, allowing users to utilize passwords they stored in Safari in many third-party apps.\r\nIf one can access information saved in the keychain, one can then gain the keys to everything managed by the\r\ndevice owner from their online accounts to banking data, online shopping, social life and much more.\r\nApple offers comprehensive documentation for developers on keychain services, and provides additional\r\ninformation in iOS Security Guide.\r\nIn this article we assembled information about all existing methods for accessing and decrypting the keychain\r\nsecrets.\r\nMethod 1: Interactive (iOS Settings)\r\nHave you ever tried opening [Settings] | [Passwords \u0026 Accounts] | [Website \u0026 App Passwords]? In order to access\r\nthat screen, you will have to enter your screen lock passcode (or authenticate via the Touch ID or Face ID) even if\r\nthe device is unlocked. On this screen, you’ll be able to interactively browse through the list of your stored\r\npasswords. 
The “interactive” part stands for the lack of proper exporting. In order to export a particular password,\r\nyou’ll have to copy it to the clipboard or send it via AirDrop. There is no way to export more than one password at\r\nonce.\r\nWhen browsing the passwords in iOS settings, you will quickly realize something is missing. Do you have\r\nthe Facebook or Twitter app installed on your iPhone? If you do, can you see your Facebook or Twitter password in\r\nthe Settings? Unless you have used either password in Safari (e.g. for the purpose of single sign-on), you won’t\r\nsee those passwords in iOS settings. This is simply because those types of passwords are not saved by their\r\nrespective apps. The apps are using authentication tokens instead.\r\nhttps://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/\r\nPage 1 of 9\n\nCredit card data is saved at a different location:\r\n[Settings] | [Safari] | [AutoFill] | [Saved Credit Cards]\r\nFor some reason, iOS does not allow viewing or editing Wi-Fi passwords. You can do that in macOS, though.\r\nComplexity: easy\r\nPros: no need for additional software\r\nCons: need access to physical device (unlocked); one-by-one copy-paste (no export of all records at once); Web\r\nsite passwords and credit cards only\r\nMethod 2: macOS Keychain Tool\r\nIf you have a Mac in addition to an iPhone and your passwords are synced through iCloud (more on that later),\r\nyou can use the built-in Keychain Access tool on the Mac. This tool also displays one item at a time, and you will\r\nhave to enter the keychain password every time. 
Thankfully, on newer MacBooks you can use Touch ID instead of\r\nthe password.\r\nComplexity: easy\r\nPros: no need for additional software; all keychain data is available\r\nCons: need access to iCloud-synced Mac; one-by-one copy-paste (entering keychain password every time)\r\nNotes: keychain password is also needed\r\nMethod 3: Decrypting the Full macOS Keychain\r\nInstead of manually browsing through the records and exporting passwords one by one, you can use Elcomsoft\r\nPhone Digger to extract all of them. You will need to copy the user’s and system keychain files from the Mac\r\nbeing analyzed. In order to decrypt the user keychain, you will require the user’s password. The system keychain\r\nis decrypted with a key file accessible with admin privileges.\r\nComplexity: medium\r\nPros: all keychain data (both user and system keychain) is available\r\nCons: need access to iCloud-synced Mac\r\nNotes: user logon and keychain passwords are also needed\r\nMethod 4: Extract Keychain from Encrypted iTunes Backups\r\nIf you have access to the iPhone, you can create a password-protected iTunes backup. The “password-protected”\r\npart is absolutely mandatory. If you don’t set a password, or if you are analyzing an existing backup without a\r\npassword, the keychain will not be accessible. In order to view the keychain, load the backup into Elcomsoft\r\nPhone Breaker and use the [Explore keychain] feature. You will notice that many of the keychain items are not\r\ndecrypted. This is because those keychain records have a higher protection class, and can be accessed only by the\r\ndevice they were created on (a hardware-specific key is required to decrypt).\r\nThis is not the only problem. 
If you don’t know the backup password for an existing backup, breaking it will not\r\nbe easy. While we used to see recovery speeds of tens of thousands of passwords per second for iOS 4-10.1, recent\r\nversions of iOS such as iOS 11 and 12 brought that number down to just about a hundred passwords per second\r\nwith a powerful GPU. However, if you have the device itself and it is running iOS 11 or iOS 12, you can simply\r\nreset the backup password by using the “Reset All Settings” command. Note that this wipes Wi-Fi passwords but\r\nnot the user’s passwords stored in the keychain.\r\nComplexity: medium\r\nPros: just iTunes backup (with known password) is needed, or device itself\r\nCons: breaking iOS 10.2+ password (if set) is virtually impossible; not all the records can be decrypted\r\nNotes: for iOS 11+, backup password can be reset (but Wi-Fi passwords are lost then)\r\nMethod 5: Jailbreaking and Physical Acquisition\r\nThis is the dirtiest but the most powerful of all methods. If you have a device that can be jailbroken (at the time of\r\nthis writing, jailbreaks exist for iOS versions up to and including iOS 11.3.1), you would be able to decrypt all\r\nkeychain records including those with the highest protection class. Just use Elcomsoft iOS Forensic Toolkit. If you\r\nmanaged to install a jailbreak (this is not easy on some versions of iOS), the rest will be a matter of a few clicks.\r\nThe GrayKey device by GrayShift allows extracting the keychain (as well as the copy of the file system) from\r\nnon-jailbroken iPhones, but it costs $15K and is available only to select agencies in select countries (US, Canada,\r\nUK, Australia and New Zealand for now). 
It also works for a limited number of iOS versions (the compatibility\r\nlist is kept secret for some reason).\r\nComplexity: hard\r\nPros: gives access to 100% of keychain records\r\nCons: need access to the (unlocked) device; jailbreaking is required\r\nNotes: GrayKey allows keychain extraction for iOS 11.4 as well and probably even some iOS 12 versions –\r\nwithout jailbreak, but available to Law Enforcement only (in a limited number of countries); also, it is pricy\r\nMethod 6: iCloud Keychain\r\nSince iOS 7, the keychain can be synced with other devices through iCloud. This is good news since iCloud\r\nextraction does not require access to the device itself. However, you will need the user’s Apple ID and password,\r\nas well as the one-time code from the second authentication factor (unless you are performing the extraction on an\r\nalready trusted device). In addition, you will need the screen lock passcode or system password to one of the iOS\r\nor macOS devices enrolled into the “trusted circle”.\r\nMany keychain items are not synced to iCloud. Apple’s Set up iCloud Keychain article reads: “iCloud Keychain\r\nremembers things, so that you don’t have to. It auto-fills your information—like your Safari usernames and\r\npasswords, credit cards, Wi-Fi networks, and social log-ins—on any device that you approve”. A previous version of\r\nthat article said that only the passwords are synced, which is not true; some applications (such as Facebook and\r\nLinkedIn at least) sync authentication tokens as well. The tokens are more difficult to use than passwords; you\r\ncannot use them manually to access the desired web site or application. 
However, they are somewhat superior to\r\npasswords as their use will allow you to bypass the second authentication factor (if 2FA is used).\r\niCloud Keychain can be obtained with Elcomsoft Phone Breaker that you used to explore the local (iTunes)\r\nkeychain. The downloaded keychain looks just like the keychain from the iTunes backup. The number of records\r\nwill be different as some records will be missing. In return, you may see a few extra records you did not see in the\r\nlocal backup.\r\nComplexity: medium\r\nPros: does not require access to device; access keychain data from all synced devices\r\nCons: iCloud credentials (including second factor) and device passcode are needed, as well as iCloud Security\r\nCode for accounts without 2FA; many records are not available\r\nNotes: if all requirements are met, you can also get access to iMessage in iCloud and iCloud-synced Health data\r\nConclusion: the Benefits of Keychain Decryption\r\nThere can be many situations when you may need access to keychain data even if you are not working for law\r\nenforcement. If you do, you know better how important this data can be.\r\nIf you ever reset your device, this operation completely wipes the keychain without the chance of recovery. If you\r\nhappened to have a single iTunes backup and forgot to set a password on it, you are out of luck. In this case,\r\niCloud keychain may be your only hope if you had it enabled.\r\nIf you reset network settings on your device, this deletes the Wi-Fi passwords. If you have a lot of saved networks,\r\njust make sure to save them in advance.\r\nIt is worth adding a short note for our readers in law enforcement. If you manage to extract the keychain,\r\nthe next thing you may want to do is to generate a wordlist/dictionary from the passwords discovered in the\r\nkeychain. 
This wordlist will be extremely effective when attacking passwords to other data (documents, databases,\r\nor systems) of the device/account owner, especially if you use Distributed Password Recovery.\r\nSource: https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/"
	],
	"report_names": [
		"six-ways-to-decrypt-iphone-passwords-from-the-keychain"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775826693,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c04ce72f6a356b63dfe57d58bf3c3eab03db7e29.pdf",
		"text": "https://archive.orkl.eu/c04ce72f6a356b63dfe57d58bf3c3eab03db7e29.txt",
		"img": "https://archive.orkl.eu/c04ce72f6a356b63dfe57d58bf3c3eab03db7e29.jpg"
	}
}