Passwords versus Passkeys

Traditional multi-factor authentication involves three methods of authentication, at least two of which are required for protection. They include something you know (a password), something you have (usually a code from an authenticator app or text message), and something you are (biometric authentication). Most systems primarily use the first two, but that leaves room for attack because someone could acquire your password and an authentication code through nefarious means.

Passkeys change the model. Instead of how passwords and codes use words and numbers that can be copied and shared, passkeys are pairs of cryptographic keys: a public key and a private key. Websites keep the public key, and the private key is stored securely within a device or encrypted vault, such as in the Secure Enclave in Apple’s chips or a 1Password vault. Authenticating with a website requires providing the private key that matches the account’s public key, something that Apple users with modern devices can usually initiate with Touch ID or Face ID.

Instead of generating security with something you have and something you know, passkeys rely on possession (do you have the device?) and presence (are you physically in front of the device?). This approach is fundamentally more secure than passwords because the private key can’t be phished, copied, or used remotely, and you must be physically present to unlock your device. Nor can you be tricked into providing a passkey to a malicious website. (Neither approach protects against physical coercion.)

Where Can You Use Passkeys?

In practice, since you use passkeys primarily to sign into websites, passkeys are stored alongside account details in your password manager. For Apple users, Safari (in iOS 16 or macOS 13 Ventura and later) with Apple’s Passwords app provides the most integrated passkey experience. However, most independent password managers, such as 1Password, Bitwarden, and Dashlane, also enable you to store, share, and enter passkeys and can take over for or work alongside Apple’s Passwords. They provide consistent passkey functionality across all major Web browsers, although experiences may vary slightly due to differences in how they handle authentication prompts and platform integration.

You’ll also find robust support in the Password Manager built into Google Chrome and other Chromium-based browsers, including Arc, Brave, Edge, Opera, and Vivaldi. Firefox’s native passkey support is more limited, but third-party password managers work well with Firefox. 

Although website support for passkeys was initially slow, an increasing number of sites now support them. That includes the big three of Apple, Google, and Microsoft, of course, as well as Amazon, Best Buy, Discord, eBay, GitHub, Intuit, Netflix, Notion, PayPal, Robinhood, Stripe, Target, Walmart, and WhatsApp.

Setting Up Passkeys

The process of setting up passkeys varies a little by website, but is generally remarkably easy. You may be prompted to create a passkey while signing in, or you may need to navigate to the security options associated with your account.

Google offers both approaches. Setting up a passkey for a Google Account can be as simple as agreeing to do so while logging in. If you’re already logged in, Google’s Passkeys and security keys page lets you make one. Once you click Create a Passkey, you’ll be prompted to save it in either Apple’s Passwords or another password manager like 1Password. That’s it.

Note that if you use both Passwords and another password manager, you can save the passkey in only one, and only that one can use it to sign in later. However, most sites that support passkeys let you add multiple passkeys, so you could save separate passkeys in different password managers.

Signing in with Passkeys

Similarly, using a passkey to sign in is trivially simple. You navigate to the website’s login page, enter your username, choose the passkey sign-in option if necessary, and then authenticate.

Exactly how you authenticate depends on the device you’re using and your password manager. On the Mac, Passwords will ask you to use Touch ID if available (above) or a dialog otherwise (below, left). 1Password, once unlocked for the session, presents a dialog with a Sign In button (below right).

On the iPhone and iPad, an authentication dialog appears at the bottom of the screen asking if you want to sign in with your passkey. Tap Continue and authenticate with Face ID or Touch ID (with a fallback to your passcode if necessary).

Unsurprisingly, Apple makes it particularly easy to sign in to Apple websites like iCloud.com using a passkey. As soon as you navigate to such a site in Safari, the device prompts you to sign in using your current Apple Account username and an implicit passkey.

When using other browsers or another Mac that lacks access to your passkey, selecting the passkey sign-in option displays a QR code that you need to scan with an iPhone or iPad that has the passkey stored on it.

Managing and Sharing Passkeys

As noted, passkeys are stored in accounts managed by a password manager. In fact, passkeys are currently stored alongside passwords in each account. There’s nothing to see or edit, although you can delete passkeys like any other data. Although deleting the passkey on your device guarantees that it can’t be used to sign in again, it’s best to also delete the passkey at the website where you created it to avoid confusion.

Passkeys are automatically synced among all your devices by the password manager so you can take advantage of them everywhere, but note that syncing is specific to just one password manager—for instance, iCloud Keychain doesn’t sync with 1Password or other third-party managers. The authentication method varies by device, but the overall experience remains the same. 

You can also share passkeys with other people in your family or workgroup, just as you would with password-only accounts. They can log in to your passkey-protected accounts because they can prove possession (they have the passkey) and presence (they’re authenticating). In essence, you’re saying, “This person is authorized to act as the account holder.”

Passkey Concerns

Although passkeys are a big step forward in usability and security compared to passwords, they’re not without limitations or concerns, which have slowed adoption:

• Account recoverability: Because passkeys are tied to devices, if a user loses all their devices and doesn’t have a cloud backup option (such as registering a new iPhone to an existing Apple Account or adding a new device to a 1Password account), it’s impossible to recover an account. This is primarily a concern for those who have only a single device and no one with whom to share.
• Sharing hurdles: If you want to give someone else passkey access to an account—perhaps a shared bank account—you must log in on their device and then create an additional passkey that is stored on their device. 
• Lack of portability: Although passkeys can be synced between devices using the same platform (iCloud Keychain, 1Password account, etc.), there’s no way to export a passkey from one platform and import it into another. You have to recreate passkeys from scratch for each platform. Vendors are working on the problem, but as you can imagine, enabling export/import opens up security concerns. 
• User confusion: People are, understandably, still unfamiliar with passkeys, leading many to avoid them on principle. It hasn’t helped that using passkeys is slightly different on every website. The industry is working to standardize the user experience, but we’re not there yet.
• Passwords still exist: No major websites allow passkey-only accounts. Since all accounts still have passwords that can be stolen, passkeys aren’t increasing security nearly as much as they could.
• Enterprise support: Large organizations want to know if a passkey was generated on a secure device, if it can be revoked or rotated, and if the user employing the passkey has truly been verified. Support for these requirements is still evolving.
• Digital inheritance: When passkey-only accounts become commonplace in the future, passkeys may be more challenging to manage in situations involving the user’s death. For now, the solution is to share passkey-protected accounts with family members in advance using a password manager. The industry would do well to establish standards around this inevitability.

Nonetheless, the perfect shouldn’t be the enemy of the good. Passkeys improve on passwords in both usability and security, and the best way to get to an easier, more secure future is to start using passkeys wherever possible today.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/tanit boonruen)

The post Why Passkeys Are Better than Passwords (And How to Use Them) first appeared on MacTech Solutions.

The effort and inconvenience that different people are willing to endure also vary. Higher levels of security often necessitate significant effort and inconvenience. We have divided our list of suggestions—roughly organized from easiest to hardest—into two sections: actions we believe everyone should take and security measures mainly for those most concerned and willing to tolerate some fuss.

Before we delve into the details, it is important to remember that privacy and security are not the same thing. Privacy refers to the proper collection, use, and governance of personal data. Security, conversely, is concerned with protecting data from unauthorized access and malicious threats. It entails defending data against external dangers, while privacy ensures that the management and use of that data adhere to agreed-upon standards.

Security Improvements for Everyone

These actions are generally beneficial for most users. They don’t require much technical knowledge and can often be accomplished with easily accessible tools and settings:

• Keep apps and operating systems up to date: Nearly every operating system update from Apple addresses numerous security vulnerabilities, and the same is often true for major apps. Always ensure you’re running current versions to take advantage of all those security improvements.
• Enable FileVault: While all data on the internal SSDs of Macs with Apple silicon and Intel-based Macs with the T2 chip is automatically encrypted to prevent unauthorized access if the SSD is removed, it is automatically decrypted whenever the Mac boots, even before you log in. To link decryption to your user account, which makes your login password necessary to decrypt all data, enable FileVault in System Settings > Privacy & Security > FileVault. There are essentially no drawbacks.
• Improve your passcode: For nearly a decade, it has been easy to set a six-digit passcode on the iPhone and iPad, greatly enhancing security compared to the previous standard four-digit passcode (1 million possible combinations versus only 10,000). If you still use four digits, consider switching to six digits, a custom number of digits, or a custom alphanumeric passcode in Settings > Face ID/Touch ID & Passcode > Change Passcode > Passcode Options. Alphanumeric passcodes offer the highest level of security but are more challenging to type.
• Turn on biometric authentication and Stolen Device Protection: If you aren’t already using Face ID or Touch ID on your iPhone or iPad, that’s a mistake. Both provide significantly stronger security than repeatedly entering your passcode, which could be observed. Turn on biometric authentication and Apple’s Stolen Device Protection in Settings > Face/Touch ID & Passcode.
• Adopt strong password habits: If security matters at all to you, you must use a strong, unique password for each online account and never reuse a password. It’s easy and secure as long as you create and store passwords with a password manager like Apple’s Passwords or 1Password.
• Enable MFA whenever it’s available: Multi-factor authentication greatly enhances security, safeguarding you even if your password is compromised in a breach. It typically requires entering a six-digit code that you retrieve from an app or receive via text message. Apple’s Passwords and 1Password can both automatically enter MFA codes for many websites.
• Use an ad blocker: Much of today’s surveillance society relies on ads to track you. Anything you can do to block ads will enhance your privacy, so use ad blockers whenever possible. Highly regarded options include 1Blocker, AdGuard, NextDNS, and uBlock Origin.
• Enable privacy and security features in Web browsers: Safari can prevent cross-site tracking and hide your IP address, along with other privacy and security features. In Safari > Settings, review all the options in the Privacy and Security screens and enable those that are appropriate. (Keep cookies and JavaScript enabled; many sites won’t function properly without them.) If you don’t use Safari, choose Brave or Firefox instead of Google Chrome.
• Utilize secure DNS services: To enhance browsing privacy and protect against DNS leaks, configure your devices to use a privacy-focused DNS service like Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9.
• Minimize app exposure: Be vigilant about iPhone or iPad apps that might be sharing information about you with data brokers without your knowledge. Specifically:
  • Turn off Settings > Privacy & Security > Tracking > Allow Apps to Request to Track.
  • Rescind location tracking permissions for all apps except those that require it, such as navigation or weather apps, in Settings > Privacy & Security > Location Services.
  • Delete apps you’re not using to prevent them from spying on you.

Security Improvements for the Particularly Concerned

Implementing these actions may require extra steps, specialized knowledge, or significant changes in habits. They’re primarily for those with heightened concerns or those at greater risk, such as journalists, activists, and individuals handling sensitive data:

• Use independent search engines: Google and Microsoft are known for collecting information about their users. To keep your searches private, use a search engine that prioritizes privacy, such as DuckDuckGo, Brave Search, Kagi, or Startpage.
• Protect network traffic: While we used to recommend ensuring you were using secure HTTP (HTTPS) connections, that’s now the bare minimum. For greater privacy while browsing the Web with Safari, turn on iCloud Private Relay in Settings/System Settings > Your Name > iCloud > Private Relay. (This requires an iCloud+ subscription and won’t encrypt traffic from most non-Apple apps.) More broadly, you can safeguard all your traffic by using a trusted VPN service like Mullvad VPN, NordVPN, or ProtonVPN.
• Activate Advanced Data Protection: End-to-end encryption (E2EE) keeps your online data private from everyone, including cloud providers. However, it requires you to manage your encryption keys, which means no one can help recover your data if you lose those keys. You can enable E2EE with Apple services using Advanced Data Protection; turn it on in Settings/System Settings > Your Name > iCloud > Advanced Data Protection.
• Use encrypted messaging: The iMessage system used by Apple’s Messages app for blue bubble conversations is highly secure, particularly with Advanced Data Protection enabled. However, for the most secure messaging with E2EE, look to Signal. While WhatsApp also offers E2EE, its backups might not be encrypted, and its parent company, Meta, is one of the most egregious privacy abusers on the planet.
• Regularly review and revoke permissions: Periodically check and manage app permissions on your device to ensure that no apps have unnecessary access to sensitive information, such as your contacts or location. Work through the options in Settings/System Settings > Privacy & Security and revoke permissions for anything that seems inappropriate. Apps that require additional permissions will always prompt you again.
• Encrypt cloud-stored data: To ensure that cloud storage services like Box, Dropbox, Google Drive, and OneDrive cannot read your data, use the free and open source Cryptomator to encrypt it first.
• Use encrypted email: While it’s impossible to ensure that email will remain private because you can’t control your recipients’ actions, the most privacy-focused email services are ProtonMail and Tuta Mail. They employ E2EE for emails sent to other users of the same service and allow the encryption of email messages sent to any external recipient.
• Reduce reliance on cloud services: If you have general concerns about cloud services, consider exploring peer-to-peer alternatives that remove the need for a central provider. You can find peer-to-peer solutions for file storage, file sharing, chat and messaging, videoconferencing, collaborative documents, cloud-based notes, and more.
• Avoid social media: Posting on social media, especially on platforms owned by large corporations, allows those companies to create a comprehensive profile of you that is shared with advertisers and is vulnerable to data breaches. Further, any information you disclose about yourself could be exploited by hackers in social engineering attacks targeting your accounts. Consider replacing social media with independent forums devoted to your interests and private messaging spaces for friends and family.

Ultimately, enhancing privacy and security is your responsibility. Apple and other companies may offer tools to assist, but it’s up to you to implement them and stay vigilant against new threats. We’re also happy to provide advice and assistance.

Protect Your Digital Life with Confidence

Staying safe online doesn’t have to be complicated — and you don’t have to figure it out alone.

At MacTech Solutions, we’re passionate about helping you protect your digital life.

Whether you need help securing your Mac, your iPhone, or your online accounts, we’re here for you.

Stop by MacTech Solutions in Finishing Touch Plaza in Wichita Falls — and let’s make sure your digital world stays safe, private, and protected.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/andreusK)

The post Protect Your Digital Life: Quick Privacy and Security Tips You Can Use Now first appeared on MacTech Solutions.

Starting in macOS 15 Sequoia, iOS 18, iPadOS 18, and visionOS 2, Passwords is now a real app rather than being trapped inside Safari, System Settings, and Settings. If you have resisted using a password manager or don’t wish to continue subscribing to an alternative, give Apple’s Passwords a try. It makes creating, maintaining, and entering passwords faster, easier, and more secure than doing it by hand. Those already using a password manager can export their accounts and import into Passwords.

What You’ll Find in Passwords

We’ll focus on the Mac version here, but the other versions are nearly identical apart from their screen sizes.

The left-hand sidebar, reminiscent of Reminders, provides categories of accounts:

• All: Select All to see all your accounts, regardless of what shared group they may be in.
• Passkeys: If you have any passkeys for large websites like Apple, Google, and others, they’ll appear here.
• Codes: Passwords can create, store, and enter two-factor authentication codes for sites that support them. If you need to look one up manually because Passwords couldn’t autofill it, you’ll find the associated account here.
• Wi-Fi: This category contains stored passwords for all the known Wi-Fi networks on your device. Because known Wi-Fi networks aren’t synced between devices, the number of these will vary between your devices.
• Security: If you have any accounts with weak passwords, accounts you previously shared and stopped sharing, or accounts whose passwords were leaked in a security breach, they’ll appear here. Edit these accounts and click the Change Password button to start the process; when the password changes, they’ll disappear from this category.
• Deleted: Any accounts you delete stay here for 30 days before being deleted for good. You can delete any of these accounts immediately or restore them to their previous group.
• Shared Groups: If you use Family Sharing, you automatically get a Family Passwords group to simplify sharing important accounts with your family members. But you can also share accounts with other groups of Apple device owners. To move an account to a group, choose it from the Group pop-up menu.

The middle pane lists the accounts in the selected category. You can sort the list using the menu with vertical arrows, search for a specific account, and manually add a new one with the + button. Otherwise, scroll through the list and click an account to view it in the right-hand pane.

At the top of the right-hand pane is an AirDrop button and an Edit button. Click AirDrop to share an account with someone nearby or Edit to make changes or set up a two-factor verification code. If you want to copy information, click the User Name, Password, Verification Code, or Website item to get a Copy menu. The password becomes visible when you mouse over it. Clicking Website also offers an Open Website option and lets you add more sites where the password should autofill.

Setup Requirements

Most people shouldn’t need to do anything to start using Passwords. However, if you have trouble, check the following items:

• Turn on Password AutoFill: If your device isn’t entering passwords for you, turn on AutoFill Passwords and Passkeys in Settings/System Settings > General > AutoFill & Passwords. Also, ensure that Passwords is enabled in the AutoFill From section if multiple password managers are installed.
• Turn on iCloud Keychain: If you want your passwords to sync securely among your devices, which makes life a lot easier, go to Settings/System Settings > Your Name > iCloud > Passwords and turn on Sync This Device.
• Set up iCloud Passwords for other browsers: Apart from Safari, Chromium-based Web browsers (Arc, Brave, Google Chrome, Microsoft Edge, etc.) can access and autofill your saved passwords if you install Apple’s iCloud Passwords Chrome extension. (There’s also now an iCloud Passwords add-on for Firefox.) The overall experience is not as seamless as in Safari, requiring a once-per-launch code, and you have to create new accounts in Safari or manually in Passwords, but it works.
  
• Configure settings: Choose Passwords > Settings (or look in Settings > Apps > Passwords for iOS 18 and iPadOS 18) to access options. Generally speaking, it’s fine to keep them all turned on.
  

If you have additional questions, check Apple’s documentation for detailed instructions for all the platforms on which Passwords runs. But realistically, Passwords is easy to use, and although the app itself is new, the underlying password management features and syncing have been in place for years, so they’re stable and reliable  

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/designer491)

The post Passwords Becomes a Real App in macOS 15 Sequoia, iOS 18, and iPadOS 18 first appeared on MacTech Solutions.

MacTech Solutions is just a phone call away!  940-767-MACS (6227).  MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/May_Chanikran)

The post Share 2FA Setup for Team Access to a Single Account first appeared on MacTech Solutions.

We constantly recommend using a password manager like 1Password, BitWarden, or Dashlane. But many people resist committing to yet another app or paying for yet another service. Isn’t Apple’s built-in iCloud Keychain password management good enough?

The answer now is yes, thanks to two recent changes:

• In iOS 17.3, Apple added Stolen Device Protection, which leverages biometric authentication—Face ID or Touch ID—to protect users against thieves who would surreptitiously learn someone’s passcode, steal their iPhone, and then take over their digital lives. One of the worst aspects of that attack was that the iPhone passcode was sufficient to access the user’s stored passwords, so the thief could get into everything.
• Until mid-2023, Apple’s built-in password management worked only in Safari, which was problematic for users who rely on other browsers. Then Apple updated its iCloud Passwords extension for Google Chrome to work not just in Windows, but also in Mac browsers based on Google Chrome running in macOS 14 Sonoma. There’s also now an iCloud Passwords add-on for Firefox.

If you aren’t yet using a password manager, try iCloud Keychain.

Passwords Basics

Apple integrated iCloud Keychain into macOS, iOS, and iPadOS at a low level, so you mostly interact with your passwords in Safari. But first, make sure to enable iCloud Keychain so your passwords sync between your devices. On the Mac, you do that in System Settings > Your Name > iCloud > Passwords & Keychain. On an iPhone or iPad, it’s in Settings > Your Name > iCloud > Passwords and Keychain.

If you’re using a browser other than Safari, install the iCloud Passwords extension or add-on and activate it by clicking it in the toolbar and entering the verification code when prompted.

When it comes to website accounts, there are two main actions: creating a login and logging in to a site:

• Create a new login: When you need to create an account on a new website, after you enter whatever it wants for email or username, Safari creates a strong password for you. Unfortunately, the iCloud Passwords extension or add-on on the Mac can’t generate passwords—you can either create a strong password manually or switch to Safari temporarily to let it create one. When you submit your credentials, you’ll be prompted to save them.
  

• Autofill an existing login: The next time you want to log in to a site for which you’ve saved credentials, Safari or your other browser on the Mac displays a pop-up with logins matching the domain of the site you’re on. On the iPhone or iPad, you might get an alert at the bottom of the screen or have to pick a choice in the QuickType bar above the keyboard.
  

For basic usage, that’s it! However, iCloud Keychain can make mistakes. The site shown above asks for both an email address and a username and wants the email address for logging in, but iCloud Keychain remembered the username instead. Happily, Apple makes it easy to fix such unusual missteps. On the Mac, open System Settings > Passwords, or on the iPhone or iPad, open Settings > Passwords. Here’s where you find and edit your saved logins.

Open the desired login by double-clicking it on the Mac or tapping it on the iPhone or iPad, then click or tap Edit and make any desired changes.

iCloud Keychain provides additional features and options:

• A search field at the top of the Passwords window or screen helps you find logins if scanning the full list is frustrating.
• You can use commands in the + menu to create new passwords and shared groups. On the Mac, commands in the ••• menu let you import and export passwords; the iPhone and iPad use that menu to bulk-select passwords for deletion and show generated passwords.
• Shared groups let you share a subset of passwords with family or colleagues. Choosing New Shared Group triggers an assistant that walks you through naming the group, adding people from Contacts, and choosing which passwords to share. You can move passwords between groups at any time.
• The Security Recommendations screen displays logins exposed in known breaches and points out logins with weak passwords. Check those and update them as necessary.
• In Password Options, you can turn off autofill, but why would you? Another option automatically deletes verification codes you receive in Messages after it inserts them with autofill.
• On websites that support two-factor authentication, you can set up a login to autofill the verification code. During setup on the site, you’ll get a QR code you can scan with an iPhone or iPad if you’re using a Mac; if you’re using an iPhone or iPad, touch and hold the QR code and choose Add Verification Code in Passwords. Once you finish configuring the login, you’ll have to enter the six-digit verification code on the site to link it with the login.
  

Overall, iCloud Keychain provides the password management features that most people need, and it’s a massive security improvement over keeping a document of your passwords on your desktop.

Give us a call today!  940-767-MACS (6227)  

MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls. Open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/loooby)

Social Media: Apple’s iCloud Keychain password manager keeps improving, and we now recommend it, especially for those not already using a third-party password manager. Here’s how to use iCloud Keychain to store and enter secure passwords.

The post Apple’s iCloud Keychain Password Management Is All Many People Need first appeared on MacTech Solutions.

The rationale behind password expiration policies was that if an attacker were to steal a password database and decrypt some passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute for Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

Of course for more information, you can always reach out to us directly at Mac Tech Solutions, 4020 Rhea Rd, Suite 3B in Wichita Falls, 10am to 6pm, Mon-Fri.  And we’re always available 24/7 at MacTech-Solutions.com

(Featured image based on an original by iStock.com/designer491)

Social Media: Security experts no longer recommend password expiration policies that require users to change their passwords periodically. Here’s why.

The post Changing Passwords Periodically Doesn’t Increase Security first appeared on MacTech Solutions.

• People you trust report receiving email that you didn’t send.
• Social media friend requests are made to people you don’t know, or messages you don’t recognize are sent from your account.
• Although you’re certain you have the correct password, you can’t log in to an account.
• You become aware of your personal data appearing in places it shouldn’t.
• Unknown charges or transfers appear in a bank or credit card account.

However, attackers will also try to fool you into thinking an account has been compromised to get you to enter passwords or financial information on a website designed to steal data. Don’t assume you’ve been hacked just because you received a phishing email saying so or because you see unexpected notifications claiming your computer is infected. No legitimate entity will ever send such email, and the only notification about malware you should ever see would come from anti-malware software you installed.

(Speaking of malware, dealing with that is a topic for another day—we’re focusing on online accounts in this article. Nonetheless, if one of your accounts has been compromised, it’s also worth scanning your Mac with the free version of Malwarebytes or VirusBarrier Scanner, just in case.)

First off, don’t panic. It’s important to take a deep breath, document everything you see with screenshots (press Command-Shift-5), and move quickly to regain control over whatever accounts were hacked and prevent others from falling prey to the attacker.

When you suspect an account has been compromised, try to verify the problem. Do the following:

• Alert techs: If the account in question is for work, immediately alert your IT department and follow their instructions. If it’s a personal account, contact us. Tell whoever is helping you that you have screenshots you can send and be ready to forward any suspicious messages you have as well.
• Gather evidence: Ask the person who told you about the problem to forward the message they received to another of your email addresses, or to a close friend or family member so you can see what’s being said in your name. Scrutiny of the fake message may reveal information about what has happened, though you may need help from someone with more technical experience.
• Examine email: Since email account breaches are the most concerning (because they can be used to reset passwords elsewhere), scan your email for messages you didn’t send or replies to such messages. Along with the Inbox, look in the Sent mailbox and the Trash. Also, check your settings and filters to ensure incoming messages aren’t being forwarded elsewhere and then deleted.
• Check social media: Connect to all your social media accounts—even those you don’t use regularly—and look for posts, friend requests, messages, or anything else that suggests an attacker has been impersonating you.
• Audit accounts: Log in to important accounts and look for suspicious activity, such as login attempts from unfamiliar locations or IP addresses or changes to account settings.

If you find evidence to suggest that one or more of your accounts have been compromised, follow these steps:

• Immediately change the passwords for any affected accounts. We always recommend using a password manager like 1Password to generate strong, random passwords.
• Whenever possible, turn on two-factor authentication.
• If available for the account in question, follow advice from the service. Apple, Facebook, Google, Instagram, Microsoft, and Twitter all have advice on how to respond, as will many other companies.
• Review account settings for unauthorized changes, especially recovery options like backup phone numbers and email addresses.
• Look through your accounts in your password manager and change the passwords for the most important ones and any that might be related.
• If you can’t get into an account because the password has been changed, make sure you have sole control of your email account and then trigger a password reset.
• For affected financial accounts, along with changing the password, immediately call the institution and ask for their help locking the account to prevent any transfers.
• If your email account was used to send phishing messages to contacts, you should alert any friends, family, and colleagues who might have received the messages that your account was hacked and that the previous message wasn’t from you.

Security breaches are stressful, we know, but it’s imperative that you deal with them right away. The longer you wait, the more damage the attacker can cause, including stealing your money, impersonating you, scamming your friends and family, and compromising your employer’s systems. We’re here to help.

(Featured image by iStock.com/PUGUN SJ)

The post Help! My Account Has Been Hacked—What Should I Do? first appeared on MacTech Solutions.

(Featured image by iStock.com/Prae_Studio)

The post After “Mother of All Breaches,” Update Passwords on Compromised Sites first appeared on MacTech Solutions.

Back Up All Your Devices

The most important thing you can do to stave off the slings and arrows of digital doom is to make regular backups. Bad things happen to good people, such as a Mac’s SSD failing, an iPhone accidentally falling off a boat, an Apple Watch breaking in a fall, or loss due to theft, fire, or flood. With a good backup strategy, you can recover from nearly any problem.

For the Mac, it’s easiest to back up with Time Machine to an external drive, but remember that an offsite or Internet backup is also essential. With iPhones and iPads, it’s easiest to back up to iCloud, which happens every night automatically if you turn it on in Settings > Your Name > iCloud > iCloud Backup, but you can also back up to your Mac if you don’t have sufficient iCloud storage space. Apple Watches automatically back up to their paired iPhones, so if you protect your iPhone, you can always restore your Apple Watch.

Keep Your Devices Updated

Another key thing you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 10–30 vulnerabilities that Apple or outside researchers have identified. Some are even zero-day vulnerabilities that are already being exploited in the wild.

It’s usually a good idea to wait a week or so after an update appears before installing, on the off-chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ll keep banging the password manager drum until passkeys, the replacement for passwords, have become ubiquitous, which will take years. Until then, if you’re still typing passwords in by hand or copying and pasting from a list you keep in a file, please start using a password manager like 1Password or BitWarden. Even Apple’s built-in password manager and iCloud Keychain are fine, if not as fully featured as the others. A password manager offers five huge benefits:

• It generates strong passwords for you. Mypassword1 can be hacked in seconds.
• It stores your passwords securely. An Excel file on your desktop is a recipe for disaster.
• It enters passwords for you. Wouldn’t that be easier than typing them in manually?
• It audits existing accounts. How many of your accounts use the same weak password?
• It lets you access passwords on all your devices. Finally, easy logins on your iPhone!

A bonus benefit for families is password sharing. It allows couples to share essential passwords or parents and teens to share specific passwords.

Using a password manager is faster, easier, more secure, and better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses frequently suffer from security lapses caused by phishing, forged emails that fool someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters catch many phishing attempts, you must always be on guard. Here’s what to watch for:

• Any email that tries to get you to reveal information, follow a link, or sign a document
• Messages from people you don’t know, asking you to take an unusual action
• Direct email from a large company for whom you’re an anonymous customer
• Forged email from a trusted source asking for sensitive information
• All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender another way to see if the message is legit.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers also use texts and phone calls. Thanks to weaknesses in the telephone system, such texts and calls can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering, fake text messages pretending to help you track packages are becoming more common.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, manually navigate to the company’s site by entering its URL, then log in.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere and talk with someone at that number rather than the one provided by the voicemail.

Avoid Sketchy Websites

We won’t belabor this last one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. The more you can avoid sites that revolve around pirated software, cryptocurrency, “adult” content, gambling, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or VirusBarrier Scanner and scan for malware manually.

Let’s raise a glass to staying safe online in 2024!

(Featured image by iStock.com/Bet_Noire)

The post Improve Your Digital Security in 2024 with These New Year’s Resolutions first appeared on MacTech Solutions.

(Featured image based on an original by iStock.com/Kostiantyn Filichkin)

The post Avoid Confusion by Setting iPhone Password Autofill to Only One App first appeared on MacTech Solutions.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup.

The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure—everyone must be mindful of security at all times. It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error—if backups contain sensitive data, they should be equally protected.

What Was Stolen

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.

Because LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach.

The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue.

Potential Problems

By default, LastPass requires master passwords to be at least 12 characters in length. Plus, LastPass applies 100,100 iterations of the PBKDF2 password-strengthening algorithm to make it harder for brute-force attacks to crack passwords. The company says:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500.

LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.

By not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. LastPass also downplayed the concern over phishing attacks. That was likely a decision made by PR (and possibly Legal), but the company could have served users better. Should your organization ever be involved in a breach, make sure that someone involved in the transparency discussions represents the users’ best interests alongside those of the organization. And consider requiring multifactor authentication!

Finally, it’s worth noting that other companies significantly increase the security of their systems by mixing passwords with additional device-based keys. Apple does this by entangling device passcodes and passwords with the device’s unique ID, and 1Password strengthens your passwords with a secret key. LastPass has no such additional protection.

What LastPass Users Should Do

There are two types of LastPass users in this situation: those who had long, secure master passwords and 100,1000 iterations of PBKDF2 and those who didn’t:

• Strong master password users: Despite LastPass’s claim that you don’t need to do anything, we recommend enabling multifactor authentication. (For instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.) You could change your master password too, but that won’t affect the data that was already stolen. That horse has already left the barn, whereas enabling multifactor authentication would prevent even a cracked master password from being used in the future.
• Weak master password users: Sorry, but you have work to do. Immediately change your master password and increase your PBKDF2 iterations to at least 100,100. We also recommend enabling multifactor authentication because LastPass is such an important account. Next, go through all your passwords and change at least those for important websites. Start with the critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data.
  

Regardless of the strength of your master password, be on high alert for phishing attacks conducted through email and text messages. Because the stolen data included both personal information and URLs to websites where you have accounts, phishing attacks may be personalized to you, making them harder to detect. In short, don’t follow links in email or texts to any website where you have to log in. Instead, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify.

Should you switch from LastPass to another service, like 1Password? It comes down to whether you believe LastPass has both a sufficiently secure architecture despite not entangling the master password with some device-based key and sufficiently robust security practices despite having been breached. It would not be irrational to switch, and we would recommend switching to 1Password. Other password managers like Bitwarden and Dashlane may be fine too. If you have to change numerous passwords and choose to switch, it may be easier to change the passwords after switching—see how the process of updating a password compares between LastPass and 1Password or whatever tool you end up using.

We realize this is an extremely worrying situation for LastPass users, particularly those with weak master passwords or too-few PBKDF2 iterations set. Only you can reset your passwords, but if you need assistance switching to another password manager, don’t hesitate to contact us.

(Featured image by LastPass)

The post LastPass Security Breach: Here’s What to Do first appeared on MacTech Solutions.

(Featured image by iStock.com/EvgeniyShkolenko)

The post If Your Holiday Gift Was a Tech Device, It’s Time to Change the Password! first appeared on MacTech Solutions.

Keep Your Devices Updated

One important thing you can do to protect your security is to install new operating system updates and security updates soon after Apple releases them. Although the details seldom make the news because they’re both highly specific and highly technical, you can get a sense of how important security updates are by the fact that a typical update addresses 20–40 vulnerabilities that Apple or outside researchers have identified. Some are even zero-day vulnerabilities that are already being exploited in the wild.

It’s usually a good idea to wait a week or so after an update appears before installing it, on the off chance that it has undesirable side effects. Although such problems are uncommon, when they do happen, Apple pulls the update quickly, fixes it, and releases it again, usually within a few days.

Use a Password Manager

We’ll keep banging the password manager drum until the replacement for passwords, passkeys, have become ubiquitous, and that will take years. Until then, if you’re still typing passwords in by hand or copying and pasting from a list you keep in a file, please switch to a password manager like 1Password or LastPass. Even Apple’s built-in password manager and iCloud Keychain are fine, if not as fully featured as the others. A password manager offers five huge benefits:

• It generates strong passwords for you. Mypassword1 can be hacked in seconds.
• It stores your passwords securely. An Excel file on your Desktop is a recipe for disaster.
• It enters passwords for you. Wouldn’t that be easier than typing them in manually?
• It audits existing accounts. How many of your accounts use the same password?
• It lets you access passwords on all your devices. Finally, easy logins on your iPhone!

A bonus benefit for families is password sharing. It allows, for example, a married couple to share essential passwords or parents and teens to share specific passwords.

In short, using a password manager is faster, easier, more secure, and just all-around better. If you need help getting started, get in touch.

Beware of Phishing Email

Individuals and businesses alike frequently suffer from security lapses caused by phishing, forged email that fools someone into revealing login credentials, credit card numbers, or other sensitive information. Although spam filters catch many phishing attempts, you must always be on your guard. Here’s what to watch for:

• Any email that tries to get you to reveal information, follow a link, or sign a document
• Messages from people you don’t know, asking you to take an unusual action
• Direct email from a large company for whom you’re an anonymous customer
• Forged email from a trusted source asking for sensitive information
• All messages that contain numerous spelling and grammar mistakes

When in doubt, don’t follow the link or reply to the email. Instead, contact the sender another way to see if the message is legit.

Avoid Sketchy Websites

We won’t belabor this one, but suffice it to say that you’re much more likely to pick up malware from sites on the fringes of the Web or that cater to the vices of society. The more you can avoid sites that provide pirated software, “adult” content, gambling opportunities, or sales of illicit substances, the safer you’ll be. That’s not to say that reputable sites haven’t been hacked and used to distribute malware, but it’s far less common.

If you are concerned after spending time in the darker corners of the Web, download a free copy of Malwarebytes or VirusBarrier Scanner and scan for malware manually.

Never Respond to Unsolicited Calls or Texts

Although phishing happens mostly via email, scammers have also taken to using texts and phone calls. Thanks to weaknesses in the telephone system, such texts and calls can appear to come from well-known companies, including Apple and Amazon. Even worse, with so much online ordering, fake text messages pretending to help you track packages are becoming more common.

For texts, avoid following links unless you recognize the sender and it makes sense that you’d be receiving such a link. (For instance, Apple can text delivery details related to your orders.) Regardless, never enter login information at a site you’ve reached by following a link because there’s no way to know if it’s real. Instead, if you want to learn more, navigate the company’s site manually by entering its URL, then log in.

For phone calls from companies, unless you’re expecting a call back from a support ticket you opened, don’t answer. Let the call go to voicemail, and if you feel it’s important to respond, look up the company’s phone number elsewhere and talk with someone at that number rather than the one provided by the voicemail.

Let’s raise a glass to staying safe online in 2023!

(Featured image by iStock.com/Bet_Noire)

The post These New Year’s Resolutions Will Improve Your Digital Security in 2023 first appeared on MacTech Solutions.

Do you enroll all organizational devices in a device management solution?

With device management, an IT department or managed services provider (MSP) maintains oversight and control over all organizational devices. That’s helpful for automating configuration and deployment, providing secure access to organizational resources, ensuring consistent security policies, managing app and operating system updates, tracking device inventory and status, and much more.

Do you have an organization-wide backup strategy with offsite backups?

Regular backups—some stored offsite—are essential if you need to recover from lost or stolen hardware, a natural disaster, or a ransomware attack. Even though ransomware isn’t currently a major problem in the Mac world, it wouldn’t hurt to start creating immutable backups using “write once, read many” tape or something like Retrospect’s Cloud Object Lock, a technology that ensures that cloud-based backups can’t be corrupted. Finally, have you tested restoration and recovery of key systems from your backup data? Backup is important, but only if you can restore.

Do you have a policy for updates?

It’s essential to install security-related updates to operating systems and major apps, but how quickly that happens has to be weighed against problems that version changes can cause for important workflows. There’s no right answer here, but you want to make sure that you aren’t leaving your organization’s apps and devices vulnerable to known security exploits for longer than necessary.

Do you have a strong password management policy?

Short, easily guessed, or cracked passwords are one of the primary ways attackers breach corporate networks and systems. At minimum, your password management policy should require that all passwords be stored in a password manager, new passwords be generated by the password manager and meet minimum requirements for strength, and two-factor authentication be used when available.

Do you use an endpoint protection platform?

Endpoint protection is essentially software aimed at preventing and detecting malware on employee workstations, often with an organizational dashboard and management capabilities. Although the Mac doesn’t have nearly the exposure to malware that Windows does, it’s still important to keep computers free of malware that could hurt performance, exfiltrate data, or provide an entry point for future attacks. Endpoint protection is usually part of a larger managed systems approach that can also ensure that devices adhere to security policies like full disk encryption, run only approved software, stay up to date with security updates, and more.

Do you have a list of sensitive data on your network?

Exactly what counts as sensitive data will vary by organization, but anything related to network and corporate security qualifies, as does any personally identifiable information you may hold about or for clients. It’s not uncommon to store information about people that includes names, email addresses, phone numbers, and postal addresses, but you should be even more careful if you store Social Security numbers, credit card numbers, driver’s licenses, passports, financial records, or medical records. Knowing what you have is the first step; after that, consider what additional precautions you should take to protect such information.

Do you provide periodic anti-fraud and security training to employees?

Social engineering is another common way attackers gain access to corporate networks and systems. Does your organization require that all employees take regular training to learn how to identify phishing attacks, require appropriate approvals for unusual transactions or access requests, and report suspected incidents to the necessary people? If an administrative aide in the accounting department gets an email request from the CEO to pay an urgent invoice to a new vendor, will that person know how to respond?

Do you allow access to organizational email and systems from personal devices?

It’s tempting to allow users to access their email from personal devices or to have contractors use their personal email addresses for work communications. We recommend keeping as clear a line as possible between work and personal devices and accounts to reduce the security implications of such mixing. Particularly when there’s sensitive information in play, personal email addresses should never be used for work communications, and if personal devices are being used, they should be set up with two-factor authentication for organizational logins.

Do you have incident and disaster response plans?

Bad things happen, and it’s important to consider how you would respond to different types of security incidents and natural disasters. How will your organization maintain crucial business operations, communicate with employees, coordinate with partners (insurance, legal, PR, and clients), and more? Is your plan written down and updated regularly? Have you tested key aspects of your plan?

We know there’s a lot to think about regarding security in today’s world, and we’re always available to help if you’d like assistance answering any of the above questions.

(Featured image by iStock.com/Bulat Silvia)

The post Security Questions Your Organization Should Be Asking Itself first appeared on MacTech Solutions.

(Featured image by iStock.com/metamorworks)

The post Export Passwords from Safari to Ease the Move to a Password Manager first appeared on MacTech Solutions.