Passwords versus Passkeys

Traditional multi-factor authentication involves three methods of authentication, at least two of which are required for protection. They include something you know (a password), something you have (usually a code from an authenticator app or text message), and something you are (biometric authentication). Most systems primarily use the first two, but that leaves room for attack because someone could acquire your password and an authentication code through nefarious means.

Passkeys change the model. Instead of how passwords and codes use words and numbers that can be copied and shared, passkeys are pairs of cryptographic keys: a public key and a private key. Websites keep the public key, and the private key is stored securely within a device or encrypted vault, such as in the Secure Enclave in Apple’s chips or a 1Password vault. Authenticating with a website requires providing the private key that matches the account’s public key, something that Apple users with modern devices can usually initiate with Touch ID or Face ID.

Instead of generating security with something you have and something you know, passkeys rely on possession (do you have the device?) and presence (are you physically in front of the device?). This approach is fundamentally more secure than passwords because the private key can’t be phished, copied, or used remotely, and you must be physically present to unlock your device. Nor can you be tricked into providing a passkey to a malicious website. (Neither approach protects against physical coercion.)

Where Can You Use Passkeys?

In practice, since you use passkeys primarily to sign into websites, passkeys are stored alongside account details in your password manager. For Apple users, Safari (in iOS 16 or macOS 13 Ventura and later) with Apple’s Passwords app provides the most integrated passkey experience. However, most independent password managers, such as 1Password, Bitwarden, and Dashlane, also enable you to store, share, and enter passkeys and can take over for or work alongside Apple’s Passwords. They provide consistent passkey functionality across all major Web browsers, although experiences may vary slightly due to differences in how they handle authentication prompts and platform integration.

You’ll also find robust support in the Password Manager built into Google Chrome and other Chromium-based browsers, including Arc, Brave, Edge, Opera, and Vivaldi. Firefox’s native passkey support is more limited, but third-party password managers work well with Firefox. 

Although website support for passkeys was initially slow, an increasing number of sites now support them. That includes the big three of Apple, Google, and Microsoft, of course, as well as Amazon, Best Buy, Discord, eBay, GitHub, Intuit, Netflix, Notion, PayPal, Robinhood, Stripe, Target, Walmart, and WhatsApp.

Setting Up Passkeys

The process of setting up passkeys varies a little by website, but is generally remarkably easy. You may be prompted to create a passkey while signing in, or you may need to navigate to the security options associated with your account.

Google offers both approaches. Setting up a passkey for a Google Account can be as simple as agreeing to do so while logging in. If you’re already logged in, Google’s Passkeys and security keys page lets you make one. Once you click Create a Passkey, you’ll be prompted to save it in either Apple’s Passwords or another password manager like 1Password. That’s it.

Note that if you use both Passwords and another password manager, you can save the passkey in only one, and only that one can use it to sign in later. However, most sites that support passkeys let you add multiple passkeys, so you could save separate passkeys in different password managers.

Signing in with Passkeys

Similarly, using a passkey to sign in is trivially simple. You navigate to the website’s login page, enter your username, choose the passkey sign-in option if necessary, and then authenticate.

Exactly how you authenticate depends on the device you’re using and your password manager. On the Mac, Passwords will ask you to use Touch ID if available (above) or a dialog otherwise (below, left). 1Password, once unlocked for the session, presents a dialog with a Sign In button (below right).

On the iPhone and iPad, an authentication dialog appears at the bottom of the screen asking if you want to sign in with your passkey. Tap Continue and authenticate with Face ID or Touch ID (with a fallback to your passcode if necessary).

Unsurprisingly, Apple makes it particularly easy to sign in to Apple websites like iCloud.com using a passkey. As soon as you navigate to such a site in Safari, the device prompts you to sign in using your current Apple Account username and an implicit passkey.

When using other browsers or another Mac that lacks access to your passkey, selecting the passkey sign-in option displays a QR code that you need to scan with an iPhone or iPad that has the passkey stored on it.

Managing and Sharing Passkeys

As noted, passkeys are stored in accounts managed by a password manager. In fact, passkeys are currently stored alongside passwords in each account. There’s nothing to see or edit, although you can delete passkeys like any other data. Although deleting the passkey on your device guarantees that it can’t be used to sign in again, it’s best to also delete the passkey at the website where you created it to avoid confusion.

Passkeys are automatically synced among all your devices by the password manager so you can take advantage of them everywhere, but note that syncing is specific to just one password manager—for instance, iCloud Keychain doesn’t sync with 1Password or other third-party managers. The authentication method varies by device, but the overall experience remains the same. 

You can also share passkeys with other people in your family or workgroup, just as you would with password-only accounts. They can log in to your passkey-protected accounts because they can prove possession (they have the passkey) and presence (they’re authenticating). In essence, you’re saying, “This person is authorized to act as the account holder.”

Passkey Concerns

Although passkeys are a big step forward in usability and security compared to passwords, they’re not without limitations or concerns, which have slowed adoption:

• Account recoverability: Because passkeys are tied to devices, if a user loses all their devices and doesn’t have a cloud backup option (such as registering a new iPhone to an existing Apple Account or adding a new device to a 1Password account), it’s impossible to recover an account. This is primarily a concern for those who have only a single device and no one with whom to share.
• Sharing hurdles: If you want to give someone else passkey access to an account—perhaps a shared bank account—you must log in on their device and then create an additional passkey that is stored on their device. 
• Lack of portability: Although passkeys can be synced between devices using the same platform (iCloud Keychain, 1Password account, etc.), there’s no way to export a passkey from one platform and import it into another. You have to recreate passkeys from scratch for each platform. Vendors are working on the problem, but as you can imagine, enabling export/import opens up security concerns. 
• User confusion: People are, understandably, still unfamiliar with passkeys, leading many to avoid them on principle. It hasn’t helped that using passkeys is slightly different on every website. The industry is working to standardize the user experience, but we’re not there yet.
• Passwords still exist: No major websites allow passkey-only accounts. Since all accounts still have passwords that can be stolen, passkeys aren’t increasing security nearly as much as they could.
• Enterprise support: Large organizations want to know if a passkey was generated on a secure device, if it can be revoked or rotated, and if the user employing the passkey has truly been verified. Support for these requirements is still evolving.
• Digital inheritance: When passkey-only accounts become commonplace in the future, passkeys may be more challenging to manage in situations involving the user’s death. For now, the solution is to share passkey-protected accounts with family members in advance using a password manager. The industry would do well to establish standards around this inevitability.

Nonetheless, the perfect shouldn’t be the enemy of the good. Passkeys improve on passwords in both usability and security, and the best way to get to an easier, more secure future is to start using passkeys wherever possible today.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/tanit boonruen)

The post Why Passkeys Are Better than Passwords (And How to Use Them) first appeared on MacTech Solutions.

The effort and inconvenience that different people are willing to endure also vary. Higher levels of security often necessitate significant effort and inconvenience. We have divided our list of suggestions—roughly organized from easiest to hardest—into two sections: actions we believe everyone should take and security measures mainly for those most concerned and willing to tolerate some fuss.

Before we delve into the details, it is important to remember that privacy and security are not the same thing. Privacy refers to the proper collection, use, and governance of personal data. Security, conversely, is concerned with protecting data from unauthorized access and malicious threats. It entails defending data against external dangers, while privacy ensures that the management and use of that data adhere to agreed-upon standards.

Security Improvements for Everyone

These actions are generally beneficial for most users. They don’t require much technical knowledge and can often be accomplished with easily accessible tools and settings:

• Keep apps and operating systems up to date: Nearly every operating system update from Apple addresses numerous security vulnerabilities, and the same is often true for major apps. Always ensure you’re running current versions to take advantage of all those security improvements.
• Enable FileVault: While all data on the internal SSDs of Macs with Apple silicon and Intel-based Macs with the T2 chip is automatically encrypted to prevent unauthorized access if the SSD is removed, it is automatically decrypted whenever the Mac boots, even before you log in. To link decryption to your user account, which makes your login password necessary to decrypt all data, enable FileVault in System Settings > Privacy & Security > FileVault. There are essentially no drawbacks.
• Improve your passcode: For nearly a decade, it has been easy to set a six-digit passcode on the iPhone and iPad, greatly enhancing security compared to the previous standard four-digit passcode (1 million possible combinations versus only 10,000). If you still use four digits, consider switching to six digits, a custom number of digits, or a custom alphanumeric passcode in Settings > Face ID/Touch ID & Passcode > Change Passcode > Passcode Options. Alphanumeric passcodes offer the highest level of security but are more challenging to type.
• Turn on biometric authentication and Stolen Device Protection: If you aren’t already using Face ID or Touch ID on your iPhone or iPad, that’s a mistake. Both provide significantly stronger security than repeatedly entering your passcode, which could be observed. Turn on biometric authentication and Apple’s Stolen Device Protection in Settings > Face/Touch ID & Passcode.
• Adopt strong password habits: If security matters at all to you, you must use a strong, unique password for each online account and never reuse a password. It’s easy and secure as long as you create and store passwords with a password manager like Apple’s Passwords or 1Password.
• Enable MFA whenever it’s available: Multi-factor authentication greatly enhances security, safeguarding you even if your password is compromised in a breach. It typically requires entering a six-digit code that you retrieve from an app or receive via text message. Apple’s Passwords and 1Password can both automatically enter MFA codes for many websites.
• Use an ad blocker: Much of today’s surveillance society relies on ads to track you. Anything you can do to block ads will enhance your privacy, so use ad blockers whenever possible. Highly regarded options include 1Blocker, AdGuard, NextDNS, and uBlock Origin.
• Enable privacy and security features in Web browsers: Safari can prevent cross-site tracking and hide your IP address, along with other privacy and security features. In Safari > Settings, review all the options in the Privacy and Security screens and enable those that are appropriate. (Keep cookies and JavaScript enabled; many sites won’t function properly without them.) If you don’t use Safari, choose Brave or Firefox instead of Google Chrome.
• Utilize secure DNS services: To enhance browsing privacy and protect against DNS leaks, configure your devices to use a privacy-focused DNS service like Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9.
• Minimize app exposure: Be vigilant about iPhone or iPad apps that might be sharing information about you with data brokers without your knowledge. Specifically:
  • Turn off Settings > Privacy & Security > Tracking > Allow Apps to Request to Track.
  • Rescind location tracking permissions for all apps except those that require it, such as navigation or weather apps, in Settings > Privacy & Security > Location Services.
  • Delete apps you’re not using to prevent them from spying on you.

Security Improvements for the Particularly Concerned

Implementing these actions may require extra steps, specialized knowledge, or significant changes in habits. They’re primarily for those with heightened concerns or those at greater risk, such as journalists, activists, and individuals handling sensitive data:

• Use independent search engines: Google and Microsoft are known for collecting information about their users. To keep your searches private, use a search engine that prioritizes privacy, such as DuckDuckGo, Brave Search, Kagi, or Startpage.
• Protect network traffic: While we used to recommend ensuring you were using secure HTTP (HTTPS) connections, that’s now the bare minimum. For greater privacy while browsing the Web with Safari, turn on iCloud Private Relay in Settings/System Settings > Your Name > iCloud > Private Relay. (This requires an iCloud+ subscription and won’t encrypt traffic from most non-Apple apps.) More broadly, you can safeguard all your traffic by using a trusted VPN service like Mullvad VPN, NordVPN, or ProtonVPN.
• Activate Advanced Data Protection: End-to-end encryption (E2EE) keeps your online data private from everyone, including cloud providers. However, it requires you to manage your encryption keys, which means no one can help recover your data if you lose those keys. You can enable E2EE with Apple services using Advanced Data Protection; turn it on in Settings/System Settings > Your Name > iCloud > Advanced Data Protection.
• Use encrypted messaging: The iMessage system used by Apple’s Messages app for blue bubble conversations is highly secure, particularly with Advanced Data Protection enabled. However, for the most secure messaging with E2EE, look to Signal. While WhatsApp also offers E2EE, its backups might not be encrypted, and its parent company, Meta, is one of the most egregious privacy abusers on the planet.
• Regularly review and revoke permissions: Periodically check and manage app permissions on your device to ensure that no apps have unnecessary access to sensitive information, such as your contacts or location. Work through the options in Settings/System Settings > Privacy & Security and revoke permissions for anything that seems inappropriate. Apps that require additional permissions will always prompt you again.
• Encrypt cloud-stored data: To ensure that cloud storage services like Box, Dropbox, Google Drive, and OneDrive cannot read your data, use the free and open source Cryptomator to encrypt it first.
• Use encrypted email: While it’s impossible to ensure that email will remain private because you can’t control your recipients’ actions, the most privacy-focused email services are ProtonMail and Tuta Mail. They employ E2EE for emails sent to other users of the same service and allow the encryption of email messages sent to any external recipient.
• Reduce reliance on cloud services: If you have general concerns about cloud services, consider exploring peer-to-peer alternatives that remove the need for a central provider. You can find peer-to-peer solutions for file storage, file sharing, chat and messaging, videoconferencing, collaborative documents, cloud-based notes, and more.
• Avoid social media: Posting on social media, especially on platforms owned by large corporations, allows those companies to create a comprehensive profile of you that is shared with advertisers and is vulnerable to data breaches. Further, any information you disclose about yourself could be exploited by hackers in social engineering attacks targeting your accounts. Consider replacing social media with independent forums devoted to your interests and private messaging spaces for friends and family.

Ultimately, enhancing privacy and security is your responsibility. Apple and other companies may offer tools to assist, but it’s up to you to implement them and stay vigilant against new threats. We’re also happy to provide advice and assistance.

Protect Your Digital Life with Confidence

Staying safe online doesn’t have to be complicated — and you don’t have to figure it out alone.

At MacTech Solutions, we’re passionate about helping you protect your digital life.

Whether you need help securing your Mac, your iPhone, or your online accounts, we’re here for you.

Stop by MacTech Solutions in Finishing Touch Plaza in Wichita Falls — and let’s make sure your digital world stays safe, private, and protected.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/andreusK)

The post Protect Your Digital Life: Quick Privacy and Security Tips You Can Use Now first appeared on MacTech Solutions.

1. Update your old iPhone to the latest version of iOS. If you have an Apple Watch, update it to the latest version of watchOS. This process can take some time, so it may be best done overnight before you move data to your new iPhone.
2. Make sure you know your Apple ID and password, and if you have an Apple Watch, its passcode. You will likely have to enter them at least once during this process.
3. Back up your old iPhone to iCloud or your Mac. (If you back up to a Mac, be sure to encrypt the backup, or else it won’t include saved passwords, Wi-Fi settings, browsing history, Health data, and call history.) Or back up to both, for safety’s sake. We prefer iCloud backups because they’re easier and don’t introduce additional variables, like flaky USB cables. If you don’t usually back up to iCloud, Apple will give you temporary iCloud storage to make a backup when moving to a new iPhone. To initiate an iCloud backup, go to Settings > Your Name > iCloud > iCloud Backup and tap Back Up Now.
   
4. If you have an Apple Watch, you don’t need to unpair it from your old iPhone at this point in the process. (Later, if the automatic transfer has not worked, you can unpair it manually and pair it again later. If you end up taking the manual route and have a cellular Apple Watch, you’ll be asked if you want to keep or remove your plan. If you’re keeping your Apple Watch to re-pair with your new iPhone, keep the plan.)
5. You shouldn’t need to worry about transferring a SIM card. If you ordered your new iPhone through Apple and connected to your cellular carrier account during purchase, activating the new iPhone should cause it to take over your phone number. The same should be true if you’ve purchased directly through your carrier. Besides, it’s likely that iPhone 16 models sold in the US will rely on eSIM and lack SIM trays like the iPhone 15, so only non-US users might need to transfer the SIM card from the old iPhone to the new one. Even then, it’s better to contact your carrier and get them to activate the new SIM in the new iPhone because old SIMs don’t always support all current cellular features, such as full 5G support.
6. Transfer your data, settings, apps, and purchased content in one of these three ways. None of them will be quick, despite the first one’s name, so initiate the transfer only when you have plenty of time:
   • Quick Start: With the Quick Start feature, content from your old iPhone copies directly from your old iPhone to your new one. We recommend this technique because it’s more likely to preserve app logins, something that’s less true when restoring from an iCloud backup. Put your iPhones next to each other (plugged into power), use the old iPhone to scan the animation on the new one, and then follow the rest of the steps.
     
   • iCloud: With this technique, the new iPhone will download your content from your old iPhone’s iCloud backup. Once you’ve joined a Wi-Fi network on the new iPhone and tapped the Restore from iCloud Backup button, you’ll have to select the correct backup—likely the most recent one you just made. Keep your new iPhone plugged into power the entire time to ensure that all your content syncs during this step.
   • Finder or iTunes: With this approach, you’ll restore your old iPhone’s content from a backup made to your Mac. Connect your new iPhone to your Mac using an appropriate cable, open a Finder window (or iTunes on an old Mac), select your device in the left-hand sidebar, click Restore Backup, and choose the appropriate backup—likely the most recent one.
7. Perform post-transfer tasks. Ensure that you can make and receive a phone call. If necessary, pair your Apple Watch with the new iPhone. You’ll also need to pair your Bluetooth accessories—including AirPods—with your new iPhone. Plus, some app data needs to sync to your new iPhone, so open the Mail, Contacts, and Calendar apps and check if they have your data. It could take a few minutes for them to fill up. Apps may request notification permissions again, and you may need to download content and in-app purchases.
8. If you use two-factor authentication with an app like 1Password, Authy, or Google Authenticator, ensure you can get your 2FA codes using your new iPhone. 1Password and Authy are good about providing access to 2FA codes from multiple devices—just log in to your account from each device—but Google Authenticator may require some additional setup since it didn’t initially offer any way to transfer codes to a new phone.
9. Finally, if necessary, set up single sign-on for work or school. If your workplace or school uses a security system like Duo, you’ll likely want to activate your new iPhone and deactivate the old one. Using any device, navigate to a standard single sign-in login screen from your organization, look for a link for managing your logins, click that link, and follow the prompts.

Although Apple works hard to make the process of transferring from an old iPhone to a new one as painless as possible, some things may fail to transfer seamlessly. For that reason, we strongly recommend holding onto your old iPhone for a week or so to ensure the new one can do everything the old one could. During that time, put the new iPhone through its paces with an eye toward checking every app you need.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/valiantsin suprunovich)

The post What You Need to Know Before Switching to a New iPhone first appeared on MacTech Solutions.

MacTech Solutions is just a phone call away!  940-767-MACS (6227).  MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/May_Chanikran)

The post Share 2FA Setup for Team Access to a Single Account first appeared on MacTech Solutions.

Be sure to visit us online at MacTech-Solutions.com, or stop by 4020 Rhea Rd, Suite 3B, Monday-Friday, 10am to 6pm

(Featured image based on an original by iStock.com/ipuwadol)

Social Media: 1Password is tremendously helpful for entering website passwords, but a little-known feature also enables it to enter your Mac login password for changing system settings, installing apps, and more.

The post Use 1Password to Enter Your Mac Login Password first appeared on MacTech Solutions.

• People you trust report receiving email that you didn’t send.
• Social media friend requests are made to people you don’t know, or messages you don’t recognize are sent from your account.
• Although you’re certain you have the correct password, you can’t log in to an account.
• You become aware of your personal data appearing in places it shouldn’t.
• Unknown charges or transfers appear in a bank or credit card account.

However, attackers will also try to fool you into thinking an account has been compromised to get you to enter passwords or financial information on a website designed to steal data. Don’t assume you’ve been hacked just because you received a phishing email saying so or because you see unexpected notifications claiming your computer is infected. No legitimate entity will ever send such email, and the only notification about malware you should ever see would come from anti-malware software you installed.

(Speaking of malware, dealing with that is a topic for another day—we’re focusing on online accounts in this article. Nonetheless, if one of your accounts has been compromised, it’s also worth scanning your Mac with the free version of Malwarebytes or VirusBarrier Scanner, just in case.)

First off, don’t panic. It’s important to take a deep breath, document everything you see with screenshots (press Command-Shift-5), and move quickly to regain control over whatever accounts were hacked and prevent others from falling prey to the attacker.

When you suspect an account has been compromised, try to verify the problem. Do the following:

• Alert techs: If the account in question is for work, immediately alert your IT department and follow their instructions. If it’s a personal account, contact us. Tell whoever is helping you that you have screenshots you can send and be ready to forward any suspicious messages you have as well.
• Gather evidence: Ask the person who told you about the problem to forward the message they received to another of your email addresses, or to a close friend or family member so you can see what’s being said in your name. Scrutiny of the fake message may reveal information about what has happened, though you may need help from someone with more technical experience.
• Examine email: Since email account breaches are the most concerning (because they can be used to reset passwords elsewhere), scan your email for messages you didn’t send or replies to such messages. Along with the Inbox, look in the Sent mailbox and the Trash. Also, check your settings and filters to ensure incoming messages aren’t being forwarded elsewhere and then deleted.
• Check social media: Connect to all your social media accounts—even those you don’t use regularly—and look for posts, friend requests, messages, or anything else that suggests an attacker has been impersonating you.
• Audit accounts: Log in to important accounts and look for suspicious activity, such as login attempts from unfamiliar locations or IP addresses or changes to account settings.

If you find evidence to suggest that one or more of your accounts have been compromised, follow these steps:

• Immediately change the passwords for any affected accounts. We always recommend using a password manager like 1Password to generate strong, random passwords.
• Whenever possible, turn on two-factor authentication.
• If available for the account in question, follow advice from the service. Apple, Facebook, Google, Instagram, Microsoft, and Twitter all have advice on how to respond, as will many other companies.
• Review account settings for unauthorized changes, especially recovery options like backup phone numbers and email addresses.
• Look through your accounts in your password manager and change the passwords for the most important ones and any that might be related.
• If you can’t get into an account because the password has been changed, make sure you have sole control of your email account and then trigger a password reset.
• For affected financial accounts, along with changing the password, immediately call the institution and ask for their help locking the account to prevent any transfers.
• If your email account was used to send phishing messages to contacts, you should alert any friends, family, and colleagues who might have received the messages that your account was hacked and that the previous message wasn’t from you.

Security breaches are stressful, we know, but it’s imperative that you deal with them right away. The longer you wait, the more damage the attacker can cause, including stealing your money, impersonating you, scamming your friends and family, and compromising your employer’s systems. We’re here to help.

(Featured image by iStock.com/PUGUN SJ)

The post Help! My Account Has Been Hacked—What Should I Do? first appeared on MacTech Solutions.

(Featured image by iStock.com/Prae_Studio)

The post After “Mother of All Breaches,” Update Passwords on Compromised Sites first appeared on MacTech Solutions.

(Featured image based on an original by iStock.com/Kostiantyn Filichkin)

The post Avoid Confusion by Setting iPhone Password Autofill to Only One App first appeared on MacTech Solutions.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup.

The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure—everyone must be mindful of security at all times. It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error—if backups contain sensitive data, they should be equally protected.

What Was Stolen

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.

Because LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach.

The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue.

Potential Problems

By default, LastPass requires master passwords to be at least 12 characters in length. Plus, LastPass applies 100,100 iterations of the PBKDF2 password-strengthening algorithm to make it harder for brute-force attacks to crack passwords. The company says:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500.

LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.

By not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. LastPass also downplayed the concern over phishing attacks. That was likely a decision made by PR (and possibly Legal), but the company could have served users better. Should your organization ever be involved in a breach, make sure that someone involved in the transparency discussions represents the users’ best interests alongside those of the organization. And consider requiring multifactor authentication!

Finally, it’s worth noting that other companies significantly increase the security of their systems by mixing passwords with additional device-based keys. Apple does this by entangling device passcodes and passwords with the device’s unique ID, and 1Password strengthens your passwords with a secret key. LastPass has no such additional protection.

What LastPass Users Should Do

There are two types of LastPass users in this situation: those who had long, secure master passwords and 100,1000 iterations of PBKDF2 and those who didn’t:

• Strong master password users: Despite LastPass’s claim that you don’t need to do anything, we recommend enabling multifactor authentication. (For instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.) You could change your master password too, but that won’t affect the data that was already stolen. That horse has already left the barn, whereas enabling multifactor authentication would prevent even a cracked master password from being used in the future.
• Weak master password users: Sorry, but you have work to do. Immediately change your master password and increase your PBKDF2 iterations to at least 100,100. We also recommend enabling multifactor authentication because LastPass is such an important account. Next, go through all your passwords and change at least those for important websites. Start with the critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data.
  

Regardless of the strength of your master password, be on high alert for phishing attacks conducted through email and text messages. Because the stolen data included both personal information and URLs to websites where you have accounts, phishing attacks may be personalized to you, making them harder to detect. In short, don’t follow links in email or texts to any website where you have to log in. Instead, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify.

Should you switch from LastPass to another service, like 1Password? It comes down to whether you believe LastPass has both a sufficiently secure architecture despite not entangling the master password with some device-based key and sufficiently robust security practices despite having been breached. It would not be irrational to switch, and we would recommend switching to 1Password. Other password managers like Bitwarden and Dashlane may be fine too. If you have to change numerous passwords and choose to switch, it may be easier to change the passwords after switching—see how the process of updating a password compares between LastPass and 1Password or whatever tool you end up using.

We realize this is an extremely worrying situation for LastPass users, particularly those with weak master passwords or too-few PBKDF2 iterations set. Only you can reset your passwords, but if you need assistance switching to another password manager, don’t hesitate to contact us.

(Featured image by LastPass)

The post LastPass Security Breach: Here’s What to Do first appeared on MacTech Solutions.

Keep Your Devices Updated

One important thing you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 20–40 vulnerabilities that Apple or outside researchers have identified. Some are even zero-day vulnerabilities that are already being exploited in the wild.

It’s usually a good idea to wait a week or so after an update appears before installing it, on the off chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ll keep banging the password manager drum until the replacement for passwords, passkeys, have become ubiquitous, and that will take years. Until then, if you’re still typing passwords in by hand or copying and pasting from a list you keep in a file, please switch to a password manager like 1Password or LastPass. Even Apple’s built-in password manager and iCloud Keychain are fine, if not as fully featured as the others. A password manager offers five huge benefits:

• It generates strong passwords for you. Mypassword1 can be hacked in seconds.
• It stores your passwords securely. An Excel file on your Desktop is a recipe for disaster.
• It enters passwords for you. Wouldn’t that be easier than typing them in manually?
• It audits existing accounts. How many of your accounts use the same password?
• It lets you access passwords on all your devices. Finally, easy logins on your iPhone!

A bonus benefit for families is password sharing. It allows, for example, a married couple to share essential passwords or parents and teens to share specific passwords.

In short, using a password manager is faster, easier, more secure, and just all-around better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses alike frequently suffer from security lapses caused by phishing, forged email that fools someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters catch many phishing attempts, you must always be on your guard. Here’s what to watch for:

• Any email that tries to get you to reveal information, follow a link, or sign a document
• Messages from people you don’t know, asking you to take an unusual action
• Direct email from a large company for whom you’re an anonymous customer
• Forged email from a trusted source asking for sensitive information
• All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender another way to see if the message is legit.

Avoid Sketchy Websites

We won’t belabor this one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. The more you can avoid sites that provide pirated software, “adult” content, gambling opportunities, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or VirusBarrier Scanner and scan for malware manually.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers have also taken to using texts and phone calls. Thanks to weaknesses in the telephone system, such texts and calls can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering, fake text messages pretending to help you track packages are becoming more common.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, navigate the company’s site manually by entering its URL, then log in.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere and talk with someone at that number rather than the one provided by the voicemail.

Let’s raise a glass to staying safe online in 2023!

(Featured image by iStock.com/Bet_Noire)

The post These New Year’s Resolutions Will Improve Your Digital Security in 2023 first appeared on MacTech Solutions.

However, with the release of iOS 15, iPadOS 15, and macOS 12 Monterey, Apple has at long last created a coherent platform-wide interface—the bluntly named Passwords—for viewing, editing, and deleting passwords on each of its platforms. You might wonder if you need a separate password manager anymore. First, let’s dispense with two common scenarios:

• Start if you’re new to password management: If you have so far resisted adopting a password manager, you should start using Passwords on your Apple devices immediately. In all likelihood, you already have some login credentials stored there.
• Don’t switch if you like your password manager: If you’re already using another password manager that you like, there’s no reason to switch to Apple’s password manager. It’s fine, but it doesn’t offer any capabilities beyond most independent password managers.

Those who are already using a password manager but aren’t entirely happy with it or would prefer not to pay for it face a tougher decision. How much your password manager is worth to you is a question only you can answer, but would Apple’s Passwords provide the features you need? Here’s what it can do:

• Create strong passwords: Safari suggests strong passwords when it detects that you’re creating a new login. In iOS and iPadOS, make sure Settings > Passwords > AutoFill Passwords > AutoFill Passwords is enabled. On the Mac, make sure Safari > Preferences > Autofill > User Names and Passwords is selected.
  
• Manage passwords: To see all your passwords, look in Settings > Passwords in iOS 15 and iPadOS 15, and in System Preferences > Passwords in Monterey. Tap or click one to view its details; once inside, use Edit to make changes. You can delete an unused login while editing or from the list. In iOS and iPadOS, swipe left on a login and tap Delete; on the Mac, Control-click the login and choose Delete.
  
• Sync passwords: Passwords are most useful when they’re accessible on all your devices. That will be true as long as Settings > Your Name > iCloud > Keychain > iCloud Keychain is enabled in iOS and iPadOS, and System Preferences > Apple ID > iCloud > Keychain is selected on the Mac. And, of course, all your devices must be signed in to the same iCloud account.
• Autofill passwords: As long as the autofill settings mentioned earlier are active, Safari will offer to autofill passwords when you log in to a site whose credentials you’ve stored. iOS and iPadOS apps also support autofill through the keyboard.
  
• Support two-factor authentication (2FA): This new feature allows you to add the setup secret (usually a scanned QR code or manually entered key) that enables the creation and automatic entry of 2FA codes.
  
• Import and export passwords: In the Passwords preference pane on the Mac, you can now import and export passwords, simplifying migration.
• Report questionable passwords: We all have passwords that are easily guessed or reused on multiple sites—the Passwords interface calls out such passwords so you can change them.
  
• Share passwords: If you need to share a password with a family member or colleague, the Share button lets you do that via AirDrop. Passwords are saved into the recipient’s keychain directly.
• Detect compromised passwords: Both Settings > Passwords > Security Recommendations and System Preferences > Passwords have a Detect Compromised Passwords option. Select it to be alerted if any of your login credentials are compromised in a site’s security breach.

That’s a solid set of features, and for many people, it will be sufficient. However, independent password managers like 1Password and LastPass have evolved over many years and boast very real advantages:

• Multiple platforms and Web browsers: Apple’s password management features focus on Apple operating systems and Safari. There is an iCloud Passwords Chrome extension for Windows, and Web browsers in iOS and iPadOS can tie into the system-wide password features. But for broad support across platforms and use within browsers other than Safari, stick with an independent password manager.
• Data beyond Web logins: Want to store your bank account numbers, driver’s license, credit cards, vaccination card, and the like in your password manager? Many independent password managers support secure storage of types of data beyond logins. They also often let you leave notes on items and include file attachments—a screenshot of a screen summarizing login requirements, for instance.
• Families and teams: Although Apple is inching in this direction with the forthcoming Digital Legacy program, in which you can specify someone as a Legacy Contact so they can access to your iCloud account in the event of your death, the group sharing features of independent password managers are much more useful here and now. Share key passwords with your spouse or your college-bound child to ensure that everyone will have the access they need to shared accounts.
• One-time password sharing: 1Password added this feature recently, and there are independent sites like 1ty.me and onetimesecret.com that provide it as well. In essence, it lets you securely share a single password with anyone else, embedding it in a link that can be viewed only once. That prevents passwords from being sent around in email or text messages where they could be stolen.

In the end, Apple’s new password management features are like so many other built-in features. They offer the basic capabilities that most users need while leaving plenty of room for enterprising developers to offer compelling additional features. Use Apple’s Passwords or another password manager, whichever you prefer. Just don’t rely on a simple text file or physical notebook to manage passwords. It’s more work, easily lost, and far less secure.

(Featured image by iStock.com/peshkov)

The post Should You Use Apple’s New Password Manager in iOS 15, iPadOS 15, and macOS 12 Monterey? first appeared on MacTech Solutions.

1Password offers numerous benefits, including:

• Automatic generation of strong passwords so you don’t have to invent them
• Secure storage of passwords, even if your Mac or iPhone were stolen
• Automatic entry of usernames and passwords that’s much easier than manual entry
• Auditing of existing accounts to see how many use the same password
• Easy access to all your passwords from all your devices (Mac, iOS, Windows, Android)
• Sharing of passwords among a family or a workgroup

The hardest part of getting started with 1Password, like any password manager, is overcoming the inertia of trying something new. Here’s what you’ll need to do.

1: Sign Up for a 1Password Account

In this step, you’ll decide which 1Password plan is most appropriate. For individuals, 1Password costs $2.99 per month, or 1Password Families is $4.99 per month for a family of five. For businesses, 1Password Teams adds features and admin controls for $3.99 per user per month, or 1Password Business provides significantly more admin controls for $7.99 per user per month. You can compare the individual and family accounts, along with the Teams and Business plans, but if you’re still unsure which to pick, ask us for help.

Once you’ve decided on a plan, click through to the associated page linked above and sign up. Of course, if your family or business already uses 1Password, the person who created the account should invite you first.

Make sure to create a master password that’s strong yet easily typed because you’ll need to enter it regularly (or use Touch ID, Face ID, or an Apple Watch) to unlock 1Password. Since you’re putting all sorts of valuable eggs in your 1Password basket, be sure to download and fill out your Emergency Kit in case something happens to you. It also contains the QR code that makes it easy to sign in on new devices.

2: Install the 1Password Apps and Extensions

Next, install the 1Password app on each of your devices and connect it to your 1Password account. 1Password provides instructions for each, but in short:

• Mac: Download and install the app, sign in to your 1Password account in your Web browser, click your name at the top right, and choose Get the Apps. Click “Add your account directly,” and let your browser open 1Password. Enter your master password and click Sign In.
• iPhone/iPad: Download and open the app, and tap 1Password.com > Scan Setup Code. Then find the Setup Code ➊ and scan it using the camera. Enter your master password and tap Done. Next, go to Settings > Passwords > AutoFill Passwords, enable AutoFill Passwords ➋, select 1Password ➌, and deselect Keychain.
  
• Web Browser: The 1Password X extension makes it easier to sign in to sites using Safari, Google Chrome, Firefox, Microsoft Edge, and Brave. The 1Password app installs the Safari extension for you; the rest you’ll need to get manually.

With any security solution, there’s a tradeoff between ease of use and security. 1Password provides options so you can adjust that tradeoff to your liking.

• Mac: In 1Password > Preferences > Security, you can enable unlock using an Apple Watch if you have both an Apple Watch and a Mac with a Secure Enclave. Also, set the various Auto-Lock checkboxes as you desire—if your Mac is in a shared space, err on the side of more security; if only you and trusted people can access it, you can be less strict.
  
• iPhone/iPad: Tap the Settings button, then Security, and enable Touch ID or Face ID. They let you avoid entering your master password to access 1Passsord while maintaining a high level of security.
  

3: Save and Fill Passwords

Now it’s time to start using 1Password. The first thing you’ll need to do is save your website logins as you go—you’ll need to do this only once per site. Again, 1Password provides instructions for both the Mac and the iPhone or iPad, but here’s a summary:

• Mac: Whenever you enter your username and password in a Web login form, 1Password will ask you to save your credentials. Click the Save In 1Password button and edit the title of the login button if desired. If you don’t yet have an account at the site, enter your username, click the 1Password icon in the password field, and choose Use Selected Password to accept the strong password 1Password has generated for you. Finally, click Save.
  
• iPhone/iPad: When you tap a username or password field, either in an app or in a website in Safari, the iOS keyboard will appear. Tap the key icon ➊, and then tap Create Login ➋. Enter your credentials. If you don’t yet have an account at the site, enter your desired username ➌ and tap the gear icon ➍ to generate a strong password. Finally, tap Save & Fill ➎.
  

With logins saved in 1Password, when you want to sign in to one of those sites in the future, it has just become extremely easy.

• Mac #1: If you’re already looking at a website’s login fields, click the 1Password button in a username or password field and then choose the login you want to fill.
  
• Mac #2: Alternatively, click the 1Password button in the browser’s toolbar. If 1Password’s suggestions aren’t right, type a few characters from the site name in the Search field. Click the AutoFill button for the desired result to load that site and auto-fill your credentials.
  
• iPhone/iPad: Tap a username ➊ or password field in an app or Web page. Your username appears above the keyboard; tap it to fill in the username and password and tap Go if necessary. If you have multiple logins at that site, tap the key icon ➋ to choose a different one ➌.
  

We’ve just scratched the surface of what 1Password can do. If you explore the 1Password support site, you can learn how to enter two-factor authentication codes (1Password calls them one-time passwords) automatically, create and share vaults with others, add and auto-fill credit card information, and use the Watchtower feature to see which of your logins use weak or duplicate passwords.

(Featured image assembled from originals by 1Password) 

The post Getting Started with 1Password first appeared on MacTech Solutions.

Keep Your Devices Updated

One of the most important things you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 20–40 vulnerabilities that Apple or outside researchers have identified.

It’s usually a good idea to wait a week or so after an update appears before installing it, on the off chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ve been banging this drum for years. If you’re still typing passwords in by hand, or copying and pasting from a list you keep in a file, please switch to a password manager like 1Password or LastPass. Even Apple’s built-in iCloud Keychain is better than nothing. A password manager has five huge benefits:

• It generates strong passwords for you. Password1234 can be hacked in seconds.
• It stores your passwords securely. An Excel file on your Desktop is a recipe for disaster.
• It enters passwords for you. Wouldn’t that be easier than typing them in manually?
• It audits existing accounts. How many of your accounts use the same password?
• It lets you access passwords on all your devices. Finally, easy login on your iPhone!

A bonus benefit for families is password sharing. It allows, for example, a married couple to share essential passwords or for parents and teens to share certain passwords.

In short, using a password manager is more secure, faster, easier, and just all-around better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses alike frequently suffer from security lapses caused by phishing, forged email that fools someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters can catch many phishing attempts, it’s up to you to be on your guard at all times. Here’s what to watch for:

• Any email that tries to get you to reveal information, follow a link, or sign a document
• Messages from people you don’t know, asking you to take an unusual action
• Direct email from a large company for whom you’re an anonymous customer
• Forged email from a trusted source asking for sensitive information
• All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender in some other way to see if the message is legit.

Avoid Sketchy Websites

We won’t belabor this one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. To the extent that you can avoid sites that provide pirated software, “adult” content, gambling opportunities, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware too, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or DetectX Swift and scan for malware manually.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers have also taken to using phone calls and texts. Thanks to weaknesses in the telephone system, such calls and texts can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering happening, fake text messages pretending to help you track packages are becoming more common.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere, and talk with someone at that number rather than one provided by the voicemail.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, navigate manually to the company’s site by entering its URL yourself, then log in.

Let’s raise a glass to staying safe online in 2021!

(Featured image based on originals from Tim Mossholder and Jude Beck on Unsplash)

The post 5 New Year’s Resolutions That Will Improve Your Digital Security first appeared on MacTech Solutions.

Guess what? Such an approach is extremely dangerous on today’s Internet. First off, no one is explicitly targeted. The bad guys get passwords by stealing them by the millions from Web sites with lax security. Then they use sophisticated hardware that can try over 350 billion passwords per second to decrypt as many of the stolen passwords as possible. All passwords under 13 characters can be cracked easily by such hardware.

Next, imagine you have a password on a shopping site whose passwords are stolen. The attackers can log in to that site, change your shipping address, and order items with your stored credit card. But they won’t stop there. They’ll use automated software to try that username and password combination on lots of other high-profile sites: Google, Apple, Amazon, eBay, Facebook, many banks, and so on. If they can get in anywhere, they’ll take over the account and exploit it in any way they can, which could involve stealing money, ordering goods, or using it to reset passwords and lock you out of other accounts. It can get ugly fast.

Use a password manager to generate, store, and enter strong passwords, one for each site, and you’ll never have any of these problems. A sufficiently strong password (16 characters minimum, but we recommend 20 when possible) will withstand cracking efforts for centuries, and if you have a different password for every site, even one password being compromised won’t expose any of your other accounts to abuse.

Here then are five reasons for using a password manager:

1. Generate strong passwords: A password should be random, or it should be a long collection of words (think 30+ characters). Password managers can generate such passwords for you, so it’s easy to make a new one for each Web site.
2. Store passwords securely: If you’re going to put all your eggs in one basket, you want that basket to be well protected. Password managers employ their own strong encryption and various other techniques to ensure that your passwords are safe.
3. Enter passwords for you: No one can remember and type long, random passwords, but having a password manager enter the password for you is even easier than typing a weak password. Log in faster than ever before!
4. Audit existing accounts: Password managers learn the credentials you use for existing accounts, and they can tell you which passwords are weak and which have been reused.
5. Access passwords on all your devices: It’s even harder to type passwords on an iPhone or iPad, but good password managers have apps for mobile devices that sync with your password archive so all your passwords are available whenever you need them.

There are many different password managers, but for most people, there are three main choices. If you use only Safari on the Mac and in iOS, Apple’s built-in iCloud Keychain feature may be sufficient.

If you’re mostly an Apple user but also need support for Windows and Android, or if you want to share some passwords with family members or your workgroup, 1Password is the best choice. It costs $3 per month for an individual or $5 per month for a family, with team and business accounts as well. 1Password also offers add-ons for non-Apple browsers like Chrome and Firefox.

And if 1Password is too expensive, or if you’re platform agnostic, LastPass offers a solid set of features for free. Additional features and password sharing cost $3 per month for individuals and $4 per month for families, and again, team and enterprise accounts are available.

If you need help choosing among these three or setting them up, particularly in the context of a small business, get in touch with us. And if you’d like us to write more about each of these options, just drop us a note and we’ll see what we can do.

(Featured image by CMDR Shane on Unsplash)

The post 5 Reasons Why You Should Be Using a Password Manager first appeared on MacTech Solutions.

It would be nice to think that all companies properly encrypt their password databases, but the sad reality is that many have poor data security practices. As a result, passwords gathered in a breach are often easily cracked, enabling the bad guys to log in to your accounts. That may not seem like a big deal—who cares if someone reads the local newspaper under your name? But since many people reuse passwords across multiple sites, once one password associated with an email address is known, attackers use automated software to test that combination against many other sites.

This is why we keep beating the drum for password managers like 1Password and LastPass. They make it easy to create and enter a different random password for every Web site, which protects you in two ways.

• Because password managers can create passwords of any length, you don’t have to rely on short passwords that you can remember and type easily. The longer the password, the harder it is to crack. A password of 16–20 characters is generally considered safe; never use anything shorter than 13 characters.
• Even if one of your passwords was compromised, having a different password for every site ensures that the attackers can’t break into any of your other accounts.

But password security hasn’t always been a big deal on the Internet, and many people reused passwords regularly in the past. Wouldn’t it be nice to know if any of your information was included in a data breach, so you’d know which passwords to change?

A free service called Have I Been Pwned does just this (“pwned” is hacker-speak for “owned” or “dominated by”—it rhymes with “owned”). Run by Troy Hunt, Have I Been Pwned gathers the email addresses associated with data breaches and lets you search to see if your address was stolen in any of the archived data breaches. Even better, you can subscribe to have the service notify you if your address shows up in any future breaches.

Needless to say, you’ll want to change your password on any site that has suffered a data breach, and if you reused that password on any other sites, give them new, unique passwords as well. That may seem like a daunting task, and we won’t pretend that it isn’t a fair amount of work, but both 1Password and LastPass offer features to help.

In 1Password, look in the sidebar for Watchtower, which provides several lists, including accounts where the password may have been compromised in a known breach, passwords that are known to have been compromised, passwords that you reused across sites, and weak passwords.

LastPass provide essentially the same information through its Security Challenge and rates your overall security in comparison with other LastPass users. It suggests a series of steps for improving your passwords; the only problem is that you need to restart the Security Challenge if you don’t have time to fix all the passwords at once.

Regardless of which password manager you use, take some time to check for and update compromised, vulnerable, and weak passwords. Start with more important sites, and, as time permits, move on to accounts that don’t contain confidential information.

The post Have Your Online Passwords Been Stolen? Here’s How to Find Out. first appeared on MacTech Solutions.