With iOS 12, iCloud Keychain has become a more useful password manager for your iPhone with strong password suggestions, password reuse auditing, and Siri support. However, before you jump ship from your current password manager, you should consider all the reasons why iCloud Keychain doesn't make sense as your primary password manager.
While iCloud Keychain did get more useful features in iOS 12, it's still fairly limited when compared to third-party options. It did have a huge advantage with its ability to auto-fill passwords, but with iOS 12, third-party password managers can now take advantage of the AutoFill feature. Also, the ability to generate strong passwords and identify weak ones are welcome additions to iCloud Keychain, but they are either already possible on third-party managers or implemented better by them.
Overall, iCloud Keychain is a good password manager — but not the best. With the ability to auto-fill along with a host of other features, third-party password managers simply crush iCloud Keychain. While choosing Apple's built-in iCloud Keychain won't hurt you or compromise your security, you would be missing out.
Apple allows third-party password managers access to the AuthenticationServices framework, which lets them integrate their apps with Password AutoFill in iOS 12. With it, apps like 1Password can show you your login credentials for an app or website via the password QuickType bar — a service that was previously limited to iCloud Keychain only — so that you can login quickly without visiting your password manager or using the share sheet option (if even there).
You could easily decide to use iCloud Keychain as your password manager in iOS 11 because of the convenience of AutoFill, but it's much harder to justify now that all third-party managers can do the same thing.
In iOS 12, iCloud Keychain gains the ability to detect weak passwords stored in its database. The feature notifies you of the weak password and offers the options to change it. The problem lies with its weak password detection, specifically, how limited it actually is.
A password is labeled weak in iCloud Keychain only if it's reused by another account in the same database. However, other forms of weak passwords exist that Apple should not ignore. Accounts may use simple passwords from leaked website databases, contain less than eight characters, or use no uppercase letters, numbers, or special characters. All of these types of passwords are easily hacked.
Compare this to third-party password manager such as LastPass which can audit your entire database to determine weak passwords, not just reused ones, and it's obvious iCloud Keychain isn't your best option.
Changing a weak password in iCloud Keychain is also not as fleshed out as in other password managers. When you select the "Change Password on Website" button for the weak password, it opens a Safari WebView window within Settings. The problem is the many websites don't let mobile sites access the change password feature. While you can combat this by requesting the desktop version, not all sites allow an iPhone to access the desktop version either. Therefore, you would need to go on your computer to change the password.
This is not the case with all third-party password managers. Dashlane has a feature known as "Password Changer" which let you change multiple passwords without ever leaving the app. If the site supports the feature, with one button you can change the password, desktop version not required. And, like LastPass, it can audit the password as well, making it easy to see which password need to be changed.
The biggest gripe with iCloud Keychain is that when you compare feature lists, it doesn't compete against other third-party password managers. Managers such as LastPass, 1Password, and Dashlane alert you of security breaches to your accounts. Several apps support the ability to share a select number of passwords with others and set up emergency access in case something happens to you.
There are apps which let you stored other files such as images and pictures for quick access to private items such as your driver license and passport. And they all allow you save far more types of information and specific information for each entry.
Keychain lacks these features and limits you to only storing your username and password for a specific account. Its only advantages are its convenience of already being installed and being able to suggest strong passwords when first signing up for an account. But with third-party support for AutoFill, downloading an app isn't such a big deal. As for strong passwords, you could even use Apple's suggestion if you want by copying it to your third-party manager instead.
Overall, if iCloud Keychain really wishes to compete against big-name password managers, it needs to further bridge the gap between itself and its competition. While I don't believe Apple is trying to make the best password manager in the world, for many iOS users, this will be the only manager they know. We hope that by understanding the limitation, they will make a better choice.