Passwords versus Passkeys

Traditional multi-factor authentication involves three methods of authentication, at least two of which are required for protection. They include something you know (a password), something you have (usually a code from an authenticator app or text message), and something you are (biometric authentication). Most systems primarily use the first two, but that leaves room for attack because someone could acquire your password and an authentication code through nefarious means.

Passkeys change the model. Instead of how passwords and codes use words and numbers that can be copied and shared, passkeys are pairs of cryptographic keys: a public key and a private key. Websites keep the public key, and the private key is stored securely within a device or encrypted vault, such as in the Secure Enclave in Apple’s chips or a 1Password vault. Authenticating with a website requires providing the private key that matches the account’s public key, something that Apple users with modern devices can usually initiate with Touch ID or Face ID.

Instead of generating security with something you have and something you know, passkeys rely on possession (do you have the device?) and presence (are you physically in front of the device?). This approach is fundamentally more secure than passwords because the private key can’t be phished, copied, or used remotely, and you must be physically present to unlock your device. Nor can you be tricked into providing a passkey to a malicious website. (Neither approach protects against physical coercion.)

Where Can You Use Passkeys?

In practice, since you use passkeys primarily to sign into websites, passkeys are stored alongside account details in your password manager. For Apple users, Safari (in iOS 16 or macOS 13 Ventura and later) with Apple’s Passwords app provides the most integrated passkey experience. However, most independent password managers, such as 1Password, Bitwarden, and Dashlane, also enable you to store, share, and enter passkeys and can take over for or work alongside Apple’s Passwords. They provide consistent passkey functionality across all major Web browsers, although experiences may vary slightly due to differences in how they handle authentication prompts and platform integration.

You’ll also find robust support in the Password Manager built into Google Chrome and other Chromium-based browsers, including Arc, Brave, Edge, Opera, and Vivaldi. Firefox’s native passkey support is more limited, but third-party password managers work well with Firefox. 

Although website support for passkeys was initially slow, an increasing number of sites now support them. That includes the big three of Apple, Google, and Microsoft, of course, as well as Amazon, Best Buy, Discord, eBay, GitHub, Intuit, Netflix, Notion, PayPal, Robinhood, Stripe, Target, Walmart, and WhatsApp.

Setting Up Passkeys

The process of setting up passkeys varies a little by website, but is generally remarkably easy. You may be prompted to create a passkey while signing in, or you may need to navigate to the security options associated with your account.

Google offers both approaches. Setting up a passkey for a Google Account can be as simple as agreeing to do so while logging in. If you’re already logged in, Google’s Passkeys and security keys page lets you make one. Once you click Create a Passkey, you’ll be prompted to save it in either Apple’s Passwords or another password manager like 1Password. That’s it.

Note that if you use both Passwords and another password manager, you can save the passkey in only one, and only that one can use it to sign in later. However, most sites that support passkeys let you add multiple passkeys, so you could save separate passkeys in different password managers.

Signing in with Passkeys

Similarly, using a passkey to sign in is trivially simple. You navigate to the website’s login page, enter your username, choose the passkey sign-in option if necessary, and then authenticate.

Exactly how you authenticate depends on the device you’re using and your password manager. On the Mac, Passwords will ask you to use Touch ID if available (above) or a dialog otherwise (below, left). 1Password, once unlocked for the session, presents a dialog with a Sign In button (below right).

On the iPhone and iPad, an authentication dialog appears at the bottom of the screen asking if you want to sign in with your passkey. Tap Continue and authenticate with Face ID or Touch ID (with a fallback to your passcode if necessary).

Unsurprisingly, Apple makes it particularly easy to sign in to Apple websites like iCloud.com using a passkey. As soon as you navigate to such a site in Safari, the device prompts you to sign in using your current Apple Account username and an implicit passkey.

When using other browsers or another Mac that lacks access to your passkey, selecting the passkey sign-in option displays a QR code that you need to scan with an iPhone or iPad that has the passkey stored on it.

Managing and Sharing Passkeys

As noted, passkeys are stored in accounts managed by a password manager. In fact, passkeys are currently stored alongside passwords in each account. There’s nothing to see or edit, although you can delete passkeys like any other data. Although deleting the passkey on your device guarantees that it can’t be used to sign in again, it’s best to also delete the passkey at the website where you created it to avoid confusion.

Passkeys are automatically synced among all your devices by the password manager so you can take advantage of them everywhere, but note that syncing is specific to just one password manager—for instance, iCloud Keychain doesn’t sync with 1Password or other third-party managers. The authentication method varies by device, but the overall experience remains the same. 

You can also share passkeys with other people in your family or workgroup, just as you would with password-only accounts. They can log in to your passkey-protected accounts because they can prove possession (they have the passkey) and presence (they’re authenticating). In essence, you’re saying, “This person is authorized to act as the account holder.”

Passkey Concerns

Although passkeys are a big step forward in usability and security compared to passwords, they’re not without limitations or concerns, which have slowed adoption:

• Account recoverability: Because passkeys are tied to devices, if a user loses all their devices and doesn’t have a cloud backup option (such as registering a new iPhone to an existing Apple Account or adding a new device to a 1Password account), it’s impossible to recover an account. This is primarily a concern for those who have only a single device and no one with whom to share.
• Sharing hurdles: If you want to give someone else passkey access to an account—perhaps a shared bank account—you must log in on their device and then create an additional passkey that is stored on their device. 
• Lack of portability: Although passkeys can be synced between devices using the same platform (iCloud Keychain, 1Password account, etc.), there’s no way to export a passkey from one platform and import it into another. You have to recreate passkeys from scratch for each platform. Vendors are working on the problem, but as you can imagine, enabling export/import opens up security concerns. 
• User confusion: People are, understandably, still unfamiliar with passkeys, leading many to avoid them on principle. It hasn’t helped that using passkeys is slightly different on every website. The industry is working to standardize the user experience, but we’re not there yet.
• Passwords still exist: No major websites allow passkey-only accounts. Since all accounts still have passwords that can be stolen, passkeys aren’t increasing security nearly as much as they could.
• Enterprise support: Large organizations want to know if a passkey was generated on a secure device, if it can be revoked or rotated, and if the user employing the passkey has truly been verified. Support for these requirements is still evolving.
• Digital inheritance: When passkey-only accounts become commonplace in the future, passkeys may be more challenging to manage in situations involving the user’s death. For now, the solution is to share passkey-protected accounts with family members in advance using a password manager. The industry would do well to establish standards around this inevitability.

Nonetheless, the perfect shouldn’t be the enemy of the good. Passkeys improve on passwords in both usability and security, and the best way to get to an easier, more secure future is to start using passkeys wherever possible today.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/tanit boonruen)

The post Why Passkeys Are Better than Passwords (And How to Use Them) first appeared on MacTech Solutions.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/PrathanChorruangsak)

The post Share Wi-Fi Network Passwords Using QR Codes first appeared on MacTech Solutions.

The effort and inconvenience that different people are willing to endure also vary. Higher levels of security often necessitate significant effort and inconvenience. We have divided our list of suggestions—roughly organized from easiest to hardest—into two sections: actions we believe everyone should take and security measures mainly for those most concerned and willing to tolerate some fuss.

Before we delve into the details, it is important to remember that privacy and security are not the same thing. Privacy refers to the proper collection, use, and governance of personal data. Security, conversely, is concerned with protecting data from unauthorized access and malicious threats. It entails defending data against external dangers, while privacy ensures that the management and use of that data adhere to agreed-upon standards.

Security Improvements for Everyone

These actions are generally beneficial for most users. They don’t require much technical knowledge and can often be accomplished with easily accessible tools and settings:

• Keep apps and operating systems up to date: Nearly every operating system update from Apple addresses numerous security vulnerabilities, and the same is often true for major apps. Always ensure you’re running current versions to take advantage of all those security improvements.
• Enable FileVault: While all data on the internal SSDs of Macs with Apple silicon and Intel-based Macs with the T2 chip is automatically encrypted to prevent unauthorized access if the SSD is removed, it is automatically decrypted whenever the Mac boots, even before you log in. To link decryption to your user account, which makes your login password necessary to decrypt all data, enable FileVault in System Settings > Privacy & Security > FileVault. There are essentially no drawbacks.
• Improve your passcode: For nearly a decade, it has been easy to set a six-digit passcode on the iPhone and iPad, greatly enhancing security compared to the previous standard four-digit passcode (1 million possible combinations versus only 10,000). If you still use four digits, consider switching to six digits, a custom number of digits, or a custom alphanumeric passcode in Settings > Face ID/Touch ID & Passcode > Change Passcode > Passcode Options. Alphanumeric passcodes offer the highest level of security but are more challenging to type.
• Turn on biometric authentication and Stolen Device Protection: If you aren’t already using Face ID or Touch ID on your iPhone or iPad, that’s a mistake. Both provide significantly stronger security than repeatedly entering your passcode, which could be observed. Turn on biometric authentication and Apple’s Stolen Device Protection in Settings > Face/Touch ID & Passcode.
• Adopt strong password habits: If security matters at all to you, you must use a strong, unique password for each online account and never reuse a password. It’s easy and secure as long as you create and store passwords with a password manager like Apple’s Passwords or 1Password.
• Enable MFA whenever it’s available: Multi-factor authentication greatly enhances security, safeguarding you even if your password is compromised in a breach. It typically requires entering a six-digit code that you retrieve from an app or receive via text message. Apple’s Passwords and 1Password can both automatically enter MFA codes for many websites.
• Use an ad blocker: Much of today’s surveillance society relies on ads to track you. Anything you can do to block ads will enhance your privacy, so use ad blockers whenever possible. Highly regarded options include 1Blocker, AdGuard, NextDNS, and uBlock Origin.
• Enable privacy and security features in Web browsers: Safari can prevent cross-site tracking and hide your IP address, along with other privacy and security features. In Safari > Settings, review all the options in the Privacy and Security screens and enable those that are appropriate. (Keep cookies and JavaScript enabled; many sites won’t function properly without them.) If you don’t use Safari, choose Brave or Firefox instead of Google Chrome.
• Utilize secure DNS services: To enhance browsing privacy and protect against DNS leaks, configure your devices to use a privacy-focused DNS service like Cloudflare’s 1.1.1.1 or Quad9’s 9.9.9.9.
• Minimize app exposure: Be vigilant about iPhone or iPad apps that might be sharing information about you with data brokers without your knowledge. Specifically:
  • Turn off Settings > Privacy & Security > Tracking > Allow Apps to Request to Track.
  • Rescind location tracking permissions for all apps except those that require it, such as navigation or weather apps, in Settings > Privacy & Security > Location Services.
  • Delete apps you’re not using to prevent them from spying on you.

Security Improvements for the Particularly Concerned

Implementing these actions may require extra steps, specialized knowledge, or significant changes in habits. They’re primarily for those with heightened concerns or those at greater risk, such as journalists, activists, and individuals handling sensitive data:

• Use independent search engines: Google and Microsoft are known for collecting information about their users. To keep your searches private, use a search engine that prioritizes privacy, such as DuckDuckGo, Brave Search, Kagi, or Startpage.
• Protect network traffic: While we used to recommend ensuring you were using secure HTTP (HTTPS) connections, that’s now the bare minimum. For greater privacy while browsing the Web with Safari, turn on iCloud Private Relay in Settings/System Settings > Your Name > iCloud > Private Relay. (This requires an iCloud+ subscription and won’t encrypt traffic from most non-Apple apps.) More broadly, you can safeguard all your traffic by using a trusted VPN service like Mullvad VPN, NordVPN, or ProtonVPN.
• Activate Advanced Data Protection: End-to-end encryption (E2EE) keeps your online data private from everyone, including cloud providers. However, it requires you to manage your encryption keys, which means no one can help recover your data if you lose those keys. You can enable E2EE with Apple services using Advanced Data Protection; turn it on in Settings/System Settings > Your Name > iCloud > Advanced Data Protection.
• Use encrypted messaging: The iMessage system used by Apple’s Messages app for blue bubble conversations is highly secure, particularly with Advanced Data Protection enabled. However, for the most secure messaging with E2EE, look to Signal. While WhatsApp also offers E2EE, its backups might not be encrypted, and its parent company, Meta, is one of the most egregious privacy abusers on the planet.
• Regularly review and revoke permissions: Periodically check and manage app permissions on your device to ensure that no apps have unnecessary access to sensitive information, such as your contacts or location. Work through the options in Settings/System Settings > Privacy & Security and revoke permissions for anything that seems inappropriate. Apps that require additional permissions will always prompt you again.
• Encrypt cloud-stored data: To ensure that cloud storage services like Box, Dropbox, Google Drive, and OneDrive cannot read your data, use the free and open source Cryptomator to encrypt it first.
• Use encrypted email: While it’s impossible to ensure that email will remain private because you can’t control your recipients’ actions, the most privacy-focused email services are ProtonMail and Tuta Mail. They employ E2EE for emails sent to other users of the same service and allow the encryption of email messages sent to any external recipient.
• Reduce reliance on cloud services: If you have general concerns about cloud services, consider exploring peer-to-peer alternatives that remove the need for a central provider. You can find peer-to-peer solutions for file storage, file sharing, chat and messaging, videoconferencing, collaborative documents, cloud-based notes, and more.
• Avoid social media: Posting on social media, especially on platforms owned by large corporations, allows those companies to create a comprehensive profile of you that is shared with advertisers and is vulnerable to data breaches. Further, any information you disclose about yourself could be exploited by hackers in social engineering attacks targeting your accounts. Consider replacing social media with independent forums devoted to your interests and private messaging spaces for friends and family.

Ultimately, enhancing privacy and security is your responsibility. Apple and other companies may offer tools to assist, but it’s up to you to implement them and stay vigilant against new threats. We’re also happy to provide advice and assistance.

Protect Your Digital Life with Confidence

Staying safe online doesn’t have to be complicated — and you don’t have to figure it out alone.

At MacTech Solutions, we’re passionate about helping you protect your digital life.

Whether you need help securing your Mac, your iPhone, or your online accounts, we’re here for you.

Stop by MacTech Solutions in Finishing Touch Plaza in Wichita Falls — and let’s make sure your digital world stays safe, private, and protected.

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/andreusK)

The post Protect Your Digital Life: Quick Privacy and Security Tips You Can Use Now first appeared on MacTech Solutions.

Starting in macOS 15 Sequoia, iOS 18, iPadOS 18, and visionOS 2, Passwords is now a real app rather than being trapped inside Safari, System Settings, and Settings. If you have resisted using a password manager or don’t wish to continue subscribing to an alternative, give Apple’s Passwords a try. It makes creating, maintaining, and entering passwords faster, easier, and more secure than doing it by hand. Those already using a password manager can export their accounts and import into Passwords.

What You’ll Find in Passwords

We’ll focus on the Mac version here, but the other versions are nearly identical apart from their screen sizes.

The left-hand sidebar, reminiscent of Reminders, provides categories of accounts:

• All: Select All to see all your accounts, regardless of what shared group they may be in.
• Passkeys: If you have any passkeys for large websites like Apple, Google, and others, they’ll appear here.
• Codes: Passwords can create, store, and enter two-factor authentication codes for sites that support them. If you need to look one up manually because Passwords couldn’t autofill it, you’ll find the associated account here.
• Wi-Fi: This category contains stored passwords for all the known Wi-Fi networks on your device. Because known Wi-Fi networks aren’t synced between devices, the number of these will vary between your devices.
• Security: If you have any accounts with weak passwords, accounts you previously shared and stopped sharing, or accounts whose passwords were leaked in a security breach, they’ll appear here. Edit these accounts and click the Change Password button to start the process; when the password changes, they’ll disappear from this category.
• Deleted: Any accounts you delete stay here for 30 days before being deleted for good. You can delete any of these accounts immediately or restore them to their previous group.
• Shared Groups: If you use Family Sharing, you automatically get a Family Passwords group to simplify sharing important accounts with your family members. But you can also share accounts with other groups of Apple device owners. To move an account to a group, choose it from the Group pop-up menu.

The middle pane lists the accounts in the selected category. You can sort the list using the menu with vertical arrows, search for a specific account, and manually add a new one with the + button. Otherwise, scroll through the list and click an account to view it in the right-hand pane.

At the top of the right-hand pane is an AirDrop button and an Edit button. Click AirDrop to share an account with someone nearby or Edit to make changes or set up a two-factor verification code. If you want to copy information, click the User Name, Password, Verification Code, or Website item to get a Copy menu. The password becomes visible when you mouse over it. Clicking Website also offers an Open Website option and lets you add more sites where the password should autofill.

Setup Requirements

Most people shouldn’t need to do anything to start using Passwords. However, if you have trouble, check the following items:

• Turn on Password AutoFill: If your device isn’t entering passwords for you, turn on AutoFill Passwords and Passkeys in Settings/System Settings > General > AutoFill & Passwords. Also, ensure that Passwords is enabled in the AutoFill From section if multiple password managers are installed.
• Turn on iCloud Keychain: If you want your passwords to sync securely among your devices, which makes life a lot easier, go to Settings/System Settings > Your Name > iCloud > Passwords and turn on Sync This Device.
• Set up iCloud Passwords for other browsers: Apart from Safari, Chromium-based Web browsers (Arc, Brave, Google Chrome, Microsoft Edge, etc.) can access and autofill your saved passwords if you install Apple’s iCloud Passwords Chrome extension. (There’s also now an iCloud Passwords add-on for Firefox.) The overall experience is not as seamless as in Safari, requiring a once-per-launch code, and you have to create new accounts in Safari or manually in Passwords, but it works.
  
• Configure settings: Choose Passwords > Settings (or look in Settings > Apps > Passwords for iOS 18 and iPadOS 18) to access options. Generally speaking, it’s fine to keep them all turned on.
  

If you have additional questions, check Apple’s documentation for detailed instructions for all the platforms on which Passwords runs. But realistically, Passwords is easy to use, and although the app itself is new, the underlying password management features and syncing have been in place for years, so they’re stable and reliable  

For more information on all the great Apple products, features, and services, give us a call!  940-767-MACS (6227).  Or stop by MacTech Solutions, 4020 Rhea Rd, Suite 3B, Wichita Falls.  We’re open Monday thru Friday, 10am to 6pm

(Featured image by iStock.com/designer491)

The post Passwords Becomes a Real App in macOS 15 Sequoia, iOS 18, and iPadOS 18 first appeared on MacTech Solutions.

(Featured image based on an original by iStock.com/Armastas)

Social Media: Don’t forget about local security on your Mac. Make sure to require a password shortly after the screen saver starts or the display sleeps to prevent people from riffling 

The post Set macOS to Require a Password after Screen Saver Start or Display Sleep first appeared on MacTech Solutions.

The rationale behind password expiration policies was that if an attacker were to steal a password database and decrypt some passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute for Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

Of course for more information, you can always reach out to us directly at Mac Tech Solutions, 4020 Rhea Rd, Suite 3B in Wichita Falls, 10am to 6pm, Mon-Fri.  And we’re always available 24/7 at MacTech-Solutions.com

(Featured image based on an original by iStock.com/designer491)

Social Media: Security experts no longer recommend password expiration policies that require users to change their passwords periodically. Here’s why.

The post Changing Passwords Periodically Doesn’t Increase Security first appeared on MacTech Solutions.

Be sure to visit us online at MacTech-Solutions.com, or stop by 4020 Rhea Rd, Suite 3B, Monday-Friday, 10am to 6pm

(Featured image based on an original by iStock.com/ipuwadol)

Social Media: 1Password is tremendously helpful for entering website passwords, but a little-known feature also enables it to enter your Mac login password for changing system settings, installing apps, and more.

The post Use 1Password to Enter Your Mac Login Password first appeared on MacTech Solutions.

• People you trust report receiving email that you didn’t send.
• Social media friend requests are made to people you don’t know, or messages you don’t recognize are sent from your account.
• Although you’re certain you have the correct password, you can’t log in to an account.
• You become aware of your personal data appearing in places it shouldn’t.
• Unknown charges or transfers appear in a bank or credit card account.

However, attackers will also try to fool you into thinking an account has been compromised to get you to enter passwords or financial information on a website designed to steal data. Don’t assume you’ve been hacked just because you received a phishing email saying so or because you see unexpected notifications claiming your computer is infected. No legitimate entity will ever send such email, and the only notification about malware you should ever see would come from anti-malware software you installed.

(Speaking of malware, dealing with that is a topic for another day—we’re focusing on online accounts in this article. Nonetheless, if one of your accounts has been compromised, it’s also worth scanning your Mac with the free version of Malwarebytes or VirusBarrier Scanner, just in case.)

First off, don’t panic. It’s important to take a deep breath, document everything you see with screenshots (press Command-Shift-5), and move quickly to regain control over whatever accounts were hacked and prevent others from falling prey to the attacker.

When you suspect an account has been compromised, try to verify the problem. Do the following:

• Alert techs: If the account in question is for work, immediately alert your IT department and follow their instructions. If it’s a personal account, contact us. Tell whoever is helping you that you have screenshots you can send and be ready to forward any suspicious messages you have as well.
• Gather evidence: Ask the person who told you about the problem to forward the message they received to another of your email addresses, or to a close friend or family member so you can see what’s being said in your name. Scrutiny of the fake message may reveal information about what has happened, though you may need help from someone with more technical experience.
• Examine email: Since email account breaches are the most concerning (because they can be used to reset passwords elsewhere), scan your email for messages you didn’t send or replies to such messages. Along with the Inbox, look in the Sent mailbox and the Trash. Also, check your settings and filters to ensure incoming messages aren’t being forwarded elsewhere and then deleted.
• Check social media: Connect to all your social media accounts—even those you don’t use regularly—and look for posts, friend requests, messages, or anything else that suggests an attacker has been impersonating you.
• Audit accounts: Log in to important accounts and look for suspicious activity, such as login attempts from unfamiliar locations or IP addresses or changes to account settings.

If you find evidence to suggest that one or more of your accounts have been compromised, follow these steps:

• Immediately change the passwords for any affected accounts. We always recommend using a password manager like 1Password to generate strong, random passwords.
• Whenever possible, turn on two-factor authentication.
• If available for the account in question, follow advice from the service. Apple, Facebook, Google, Instagram, Microsoft, and Twitter all have advice on how to respond, as will many other companies.
• Review account settings for unauthorized changes, especially recovery options like backup phone numbers and email addresses.
• Look through your accounts in your password manager and change the passwords for the most important ones and any that might be related.
• If you can’t get into an account because the password has been changed, make sure you have sole control of your email account and then trigger a password reset.
• For affected financial accounts, along with changing the password, immediately call the institution and ask for their help locking the account to prevent any transfers.
• If your email account was used to send phishing messages to contacts, you should alert any friends, family, and colleagues who might have received the messages that your account was hacked and that the previous message wasn’t from you.

Security breaches are stressful, we know, but it’s imperative that you deal with them right away. The longer you wait, the more damage the attacker can cause, including stealing your money, impersonating you, scamming your friends and family, and compromising your employer’s systems. We’re here to help.

(Featured image by iStock.com/PUGUN SJ)

The post Help! My Account Has Been Hacked—What Should I Do? first appeared on MacTech Solutions.

(Featured image by iStock.com/Prae_Studio)

The post After “Mother of All Breaches,” Update Passwords on Compromised Sites first appeared on MacTech Solutions.

PDF provides options for password-protecting documents for just these reasons, and you can add such protection to your PDFs in both Apple’s Preview and Adobe Acrobat. We’ll explain how to do that, but before we do, we want to share some best practices to increase the likelihood that your PDFs will remain protected as you wish.

Also, if you’re looking for a comprehensive solution to protecting lots of documents for a wide variety of situations, you’d be better off investigating document digital rights management systems along the lines of LockLizard and Vitrium.

Best Practices for Password-Protecting PDFs

There’s no such thing as perfect security, especially when you want to share information with others rather than just keeping it as your own secret. But you can increase the security of shared documents with these best practices.

• Use strong passwords: All PDF passwords should be longer than 12 characters and include uppercase and lowercase letters, numbers, and punctuation, without using dictionary words or well-known number/letter substitutions. A plethora of online PDF unlocking tools can remove weak passwords, and passwords should be strong enough to withstand brute force and dictionary attacks from a determined attacker who could bring significant computing resources to bear.
• Focus on Document Open passwords: PDFs can have two passwords: the Document Open password that users must enter to open the document and a Permissions password that restricts actions like editing, printing, and copying. Even if you mainly want to restrict actions, it’s worth setting a Document Open password because the Permissions password’s restrictions can be bypassed by third-party utilities or by screenshots and Live Text.
• Share passwords out of band: When sharing a protected PDF with someone, send them the password via a different communications channel. So, if you email the PDF, give them the password via Messages or a voice call. That way, if an attacker gains access to the PDF, they won’t also have the password sitting next to it.
• Educate recipients: When you share a user password with someone else, they can give it to anyone they want and, depending on how you set things up, remove the protection from the document. In short, your document security is only as strong as your recipients want it to be, so make sure to communicate your wishes to them.
• Watermark documents: Along those lines, it may be worth adding a header/footer or watermark that identifies the document as Confidential or Draft to clarify why it shouldn’t be shared.
• Avoid online tools: Numerous websites offer PDF utility functions, such as adding passwords, watermarking, merging and splitting, conversion, and more. There’s no harm in using them with documents you don’t care about, but if you’re concerned enough to password-protect a PDF, don’t upload it to a website with unknown security and document retention policies.
• Clear metadata: Passwords protect PDF content, but not necessarily metadata that might include the author’s name, employer, and keywords.
• Use Adobe Acrobat: Apple’s Preview is a decent PDF app and offers basic password-protection capabilities, but for more protection capabilities and options, use the full-featured Adobe Acrobat. Preview is OK for those who need to protect an occasional PDF, but Acrobat is a better choice if protecting PDFs is essential for your situation.

Password-Protect a PDF Using Preview

It’s easy to add password protection to a PDF with Preview. Apple recommends a slightly fussier approach that involves setting the permissions during an export, although we didn’t find that it made any difference. Apple is likely trying to get you to make a copy so you don’t password-protect your original, but it’s easier to duplicate the file in the Finder first with File > Duplicate. Here’s the simple method:

1. With a copy of a PDF open in Preview, choose File > Edit Permissions to display the permissions dialog.
   
2. Select Require Password To Open Document, and enter the desired Document Open password twice.
3. Deselect desired checkboxes in the Permissions section to restrict those activities.
4. Enter the Owner (Permissions) password twice at the bottom of the dialog. It should be different from the Document Open password. Either will open the document, but only the Owner (Permissions) password will allow the document to be printed, copied, or edited as per those checkboxes.
5. Click Apply and save the document.

Password-Protect a PDF Using Adobe Acrobat

Adobe has extensive instructions on password-protecting PDFs using Acrobat in different scenarios, but the basics are still simple.

1. With a copy of a PDF open in Acrobat, choose File > Protect Using Password to open the password dialog.
   
2. Select Viewing to add a Document Open password or Editing to add a Permissions password.
3. Enter the password, and retype it to confirm it.
4. Click Apply and save the document.

For a simple Document Open password, you’re all done, but if you want to set specific printing, editing, and copying restrictions, follow these steps:

1. Choose Edit > Protection > Security Properties to open the Document Properties dialog with the Security tab selected.
   
2. Next to Security Method (which should be set to Password Security), click Change Settings to open the Password Security – Settings dialog.
   
3. In the Permissions section, select the desired options to restrict printing, editing, and copying text in various ways.
4. Click OK and, when prompted, confirm the passwords you’ve entered.
5. Dismiss the Document Properties dialog and save the document.

Password-protecting a PDF can be helpful when you want to ensure a PDF containing sensitive information can’t be viewed or edited by the wrong people. Make sure to use strong passwords since weak passwords are so easily removed!

(Featured image based on an original by iStock.com/Thitichaya Yajampa)

The post Want to Password-Protect a PDF? Follow These Best Practices first appeared on MacTech Solutions.

(Images by iStock.com/1550539 and HT Ganzo)

The post Stay Alert! Voice Phishing Used in Recent Ransomware Attacks first appeared on MacTech Solutions.

But what if you receive a 2FA code that you didn’t request?

1. Don’t panic. Although receiving the code means that someone is trying to log in to your account and has your password, the extra authentication step has done its job and protected your account from being compromised.
2. Never share an authentication code with anyone! A hacker could attempt to break into your account, be foiled by two-factor authentication, and then email or text you with a trumped-up story about why you should send them the code. Authentication codes are short-lived, so if this is going to happen, it will happen right away.
3. Independently from the message with the code, go to the account website, log in, and change the password. As always, make sure the password is strong, unique, and stored in your password manager. If the account used an old password that was shared with other accounts, change passwords on those accounts as well.

There are a handful of scenarios that could generate such an authentication code:

• Stolen credentials: The most likely scenario, which the advice above addresses, is when your email address and password have been stolen, probably in a significant site breach. You can check the Have I Been Pwned site to see if your account is floating around on the “dark Web.” Password managers often perform similar checks. Changing the password on any breached sites is essential.
  
• Identity theft: You started receiving authentication codes from TikTok, but you don’t remember creating a TikTok account. Someone might be trying to create an account to impersonate you but cannot complete the account creation without the authentication code. There isn’t much you can do to stop such attempts, although if an account has been created, you should be able to change the password (since it’s using your email address or phone number), log in, and either just let the account sit in your password manager or try to delete it.
• Accidental or random triggering: If you have a common email address or phone number, someone could have accidentally entered your address or number instead of theirs while trying to create an account. It’s easy to type marsha32@example.com instead of marsha23@example.com or mistake the Boston 617 area code for the upstate New York 607 area code. If you’re sure you don’t have an account at the site in question and you only get one authentication code, you can probably ignore it.

Regardless of the cause, don’t ignore 2FA codes you didn’t request for sites where you have an account. It’s not hard to change a password, particularly if you use a password manager, and the extra piece of mind is worth the few minutes of work.

(Featured image based on an original by iStock.com/Kateryna Onyshchuk)

The post What Should You Do about an Authentication Code You DIDN’T Request? first appeared on MacTech Solutions.

Before looking at those options, let’s discuss the importance of securing your wireless network. The fact is, we all send sensitive data over Wi-Fi and onto the Internet. That data includes passwords, financial information, and personal details, all of which could be used for identity or outright theft. For those who work at home, it may also include important corporate credentials and information. In addition, if your Wi-Fi network is open for everyone and has a bandwidth cap, you could be throttled or incur additional charges due to extra usage from someone using your network without your knowledge. Worse, someone could engage in illegal activity from your network, potentially putting you at legal risk.

Here are six ways you should secure your Wi-Fi network, plus another that’s usually not worth the effort. Exactly how you go about these tasks varies depending on your Wi-Fi router, but they should all be easy to accomplish.

1. Change Your Wi-Fi Router’s Default Password

Every Wi-Fi router has an app- or Web-based administrative interface where you can adjust settings, including security options. The first thing you should do when setting up a new Wi-Fi router is change the password for accessing that admin interface. (And if you didn’t do that when you set up your current Wi-Fi router, go do it now. Immediately. We’ll wait.) The default passwords are well known to hackers, who can use them to take over routers and turn off all the other security settings.

2. Change the Default Network Name (SSID)

Every Wi-Fi network has a name—technically an SSID, or Service Set Identifier. There’s no security benefit in changing it to anything in particular, but you should change it from the default name. That’s because default names often identify the router’s manufacturer, such as “Netgear” or “Linksys,” and some routers have known vulnerabilities or password styles that make it easier to break in. Of course, the main advantage of changing the network name is that it makes it easier to pick out from any other nearby networks.

3. Update Your Wi-Fi Router’s Firmware

Wi-Fi router manufacturers frequently fix security vulnerabilities and release new firmware versions. Check to make sure your Wi-Fi router has the latest firmware available, and if there’s an option for it to update its firmware automatically, turn that on.

4. Disable WPS (Wi-Fi Protected Setup) If Possible

When you connect a new device to your Wi-Fi network, you need to enter your Wi-Fi password. That’s entirely reasonable, and Apple devices automatically offer to share that password with your other Apple devices and other people in your Contacts. More generally, a technology called Wi-Fi Protected Setup (WPS) was designed to enable connecting without typing the Wi-Fi password, either by entering an 8-digit PIN or pressing a button on the router. The button is fine—no one can connect without physical access to the router. But the PIN is horribly insecure and can be brute forced with readily available cracking software. If your router supports WPS—not all do, happily—turn it off entirely.

5. Create a Guest Network

You’ll probably want to give visitors access to your Wi-Fi network so they can get to the Internet. The best way to do that is to create a guest network—a feature in nearly all Wi-Fi routers—separate from your main Wi-Fi network. It has a different name and password, and its traffic is isolated from yours, ensuring that even if a hacker were to access it, they wouldn’t be able to eavesdrop on your communications. It can have a simpler password since all it’s protecting is your bandwidth. One additional tip—put “Internet of Things” devices like smart appliances, video game consoles, and the like on your guest network to ensure they don’t provide access to your main network’s traffic if they’re hacked. You probably won’t want to do that with HomeKit devices, which will work better on the same network as your Apple devices.

6. Use Strong WPA2 or WPA3 Encryption

After changing the default admin password, this is the second-most important piece of Wi-Fi security advice. All traffic on a Wi-Fi network can (and should) be encrypted so hackers can’t eavesdrop with impunity. The first wireless security protocol was WEP (Wired Equivalent Privacy), which was commonly used from the late 1990s through 2004. Unfortunately, WEP is so easily broken today that it’s no longer considered secure. If you still use WEP, immediately switch to WPA2 (Wi-Fi Protected Access). There’s also WPA3, which is even more secure but is available only in hardware sold in the last few years.

Don’t Bother Hiding Your SSID

Finally, you may see suggestions that you should hide your Wi-Fi SSID, which prevents nearby devices from displaying it when they list available networks. That might seem like it would improve security, but all it does is prevent the sort of people who aren’t a threat anyway from seeing it. Anyone with the necessary software and skills to break into an unprotected or weakly protected Wi-Fi network can still detect and access a hidden network. They might even be more interested in what’s there, given that the network owner took the trouble to hide it. As long as you follow all the other advice in this article, there’s no benefit in hiding the SSID as well.

Bonus Advice: Use a VPN When on Public Wi-Fi Networks

Ensuring the security of your Wi-Fi network is essential, but what about public Wi-Fi networks in coffee shops, hotels, and airports? Because they’re open to anyone within range, they’re insecure by definition, and anyone on the network could theoretically see any other user’s traffic. Don’t panic. Most Web connections now use HTTPS, which encrypts traffic between you and the destination site (look for https at the start of URLs or a lock icon in the address bar of your Web browser). To ensure that all traffic is protected from prying eyes, use a VPN (Virtual Private Network), which creates an encrypted pipe from your computer to a VPN server elsewhere. Many organizations provide or even require VPN use so that traveling or remote employees can’t inadvertently use unencrypted connections. If your organization doesn’t have a VPN now but would like to set one up, contact us.

(Featured image by iStock.com/CASEZY)

The post Is Your Wi-Fi Network a Security Risk? first appeared on MacTech Solutions.

Although 1Password is the most popular password manager for Apple users, we’ve mentioned LastPass as an alternative in previous articles, so here’s what happened and how LastPass users should react. For those who don’t use LastPass, we also discuss ways your organization can improve its online security by learning from LastPass’s mistakes and misfortunes.

The Breach

According to LastPass, the breach started in August 2022 when an attacker compromised a developer’s account. The attacker then leveraged information and credentials from that initial breach to target another LastPass employee’s account, where they were able to steal data from cloud-based storage that LastPass used for backup.

The main lesson here is that a dedicated attacker will probe all points of access into a company’s digital infrastructure—everyone must be mindful of security at all times. It also seems that LastPass may have been paying more attention to its on-premises production systems than its cloud-based backup storage. Any organization can learn from that error—if backups contain sensitive data, they should be equally protected.

What Was Stolen

LastPass says that the stolen data included unencrypted customer account information such as names, addresses, and phone numbers, but not credit card details. In the customer vaults, LastPass did secure usernames, passwords, secure notes, and form-filled data using 256-bit AES encryption, so they can be decrypted only with a unique encryption key derived from each user’s master password. However, for inexplicable reasons, LastPass failed to encrypt website URLs associated with password entries.

Because LastPass left this information unencrypted, it’s now available for the attacker to use (or sell for others to use) in targeted phishing attacks. A forged password reset request from an unusual website you regularly use has a better chance of fooling you than a generic one for a big site that millions of people use. It’s even possible that the unencrypted website URLs could lead to extortion attempts, as in the infamous Ashley Madison data breach.

The larger lesson is that a high-value attack target like LastPass should never have stored customer data in unencrypted form. If your company handles customer data along these lines, ensure that it’s always stored in encrypted form. You may not be able to prevent attackers from accessing your network, but if all the data they can steal is encrypted, that limits the overall damage that can ensue.

Potential Problems

By default, LastPass requires master passwords to be at least 12 characters in length. Plus, LastPass applies 100,100 iterations of the PBKDF2 password-strengthening algorithm to make it harder for brute-force attacks to crack passwords. The company says:

If you use the default settings above, it would take millions of years to guess your master password using generally-available password-cracking technology. Your sensitive vault data, such as usernames and passwords, secure notes, attachments, and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture. There are no recommended actions that you need to take at this time.

Unfortunately, LastPass increased the master password minimum length only in 2018 and did not require users with shorter master passwords to reset them at that time. Similarly, the PBKDF2 setting now uses 100,100 iterations, but it previously used 5000, and some long-time users report it being set to 500.

LastPass was correct to increase the default level of security for new accounts as hardware cracking capabilities became faster. However, allowing users to continue using insecure master passwords that were too short and not forcing higher PBKDF2 iteration counts was a major mistake. If your organization steps up its security policies, bite the bullet and ensure that no accounts or users are grandfathered in with old, insecure options.

By not recommending any actions, LastPass missed an opportunity to encourage users to increase their security through multifactor authentication. LastPass also downplayed the concern over phishing attacks. That was likely a decision made by PR (and possibly Legal), but the company could have served users better. Should your organization ever be involved in a breach, make sure that someone involved in the transparency discussions represents the users’ best interests alongside those of the organization. And consider requiring multifactor authentication!

Finally, it’s worth noting that other companies significantly increase the security of their systems by mixing passwords with additional device-based keys. Apple does this by entangling device passcodes and passwords with the device’s unique ID, and 1Password strengthens your passwords with a secret key. LastPass has no such additional protection.

What LastPass Users Should Do

There are two types of LastPass users in this situation: those who had long, secure master passwords and 100,1000 iterations of PBKDF2 and those who didn’t:

• Strong master password users: Despite LastPass’s claim that you don’t need to do anything, we recommend enabling multifactor authentication. (For instructions, click Features & Tools and then Multifactor Authentication in the LastPass support portal.) You could change your master password too, but that won’t affect the data that was already stolen. That horse has already left the barn, whereas enabling multifactor authentication would prevent even a cracked master password from being used in the future.
• Weak master password users: Sorry, but you have work to do. Immediately change your master password and increase your PBKDF2 iterations to at least 100,100. We also recommend enabling multifactor authentication because LastPass is such an important account. Next, go through all your passwords and change at least those for important websites. Start with the critical accounts that could be used to impersonate you, like email, cell phone, and social media, plus those that contain financial data.
  

Regardless of the strength of your master password, be on high alert for phishing attacks conducted through email and text messages. Because the stolen data included both personal information and URLs to websites where you have accounts, phishing attacks may be personalized to you, making them harder to detect. In short, don’t follow links in email or texts to any website where you have to log in. Instead, navigate to the website directly in your browser and log in using links on the site. Don’t trust URL previews—it’s too easy to fake domain names in ways that are nearly impossible to identify.

Should you switch from LastPass to another service, like 1Password? It comes down to whether you believe LastPass has both a sufficiently secure architecture despite not entangling the master password with some device-based key and sufficiently robust security practices despite having been breached. It would not be irrational to switch, and we would recommend switching to 1Password. Other password managers like Bitwarden and Dashlane may be fine too. If you have to change numerous passwords and choose to switch, it may be easier to change the passwords after switching—see how the process of updating a password compares between LastPass and 1Password or whatever tool you end up using.

We realize this is an extremely worrying situation for LastPass users, particularly those with weak master passwords or too-few PBKDF2 iterations set. Only you can reset your passwords, but if you need assistance switching to another password manager, don’t hesitate to contact us.

(Featured image by LastPass)

The post LastPass Security Breach: Here’s What to Do first appeared on MacTech Solutions.

(Featured image by iStock.com/EvgeniyShkolenko)

The post If Your Holiday Gift Was a Tech Device, It’s Time to Change the Password! first appeared on MacTech Solutions.