How do I persuade friends that saving passwords on Apple devices need not be risky?

[Alwyn]

The sort of attitude I encounter is this:

'I only have 2 passwords. I daren't save passwords. They disappear into the cloud and I don't trust that.'

I have pointed out that, provided you have a secure Apple ID password and you don't give it to anyone else, especially not in response to an e-mail telling you that your Apple Account is about to expire etc, then you can safely save your passwords provided of course that the device requires a password to be opened. I even tell them where to find them if they forget them. Doesn't seem to cut much ice.

 

[bobtomay]

If they only have 2 passwords, you're wasting your breath and your time.

 

[harryb2448]

Don't worry about it. Let them do what they want to do, you do what you want to do.

You will never convince them Alwyn, and if you keep at them risk losing friendships. Folk do not want to be told how little they know.

 

[vansmith]

To their credit, if they are using a cloud based password management system, their concerns aren't entirely unfounded. As with anything online, it can be retrieved if someone really wanted it and Apple is no more or less secure than any other company that puts in a lot of work to protect user data.

 

[pm-r]

To their credit, if they are using a cloud based password management system, their concerns aren't entirely unfounded. As with anything online, it can be retrieved if someone really wanted it and Apple is no more or less secure than any other company that puts in a lot of work to protect user data.

Must say I certainly tend to agree with van.

 

[chas_m]

The post above makes it sound like passwords can be retrieved from Apple by, say, hackers.

They cannot. Like other companies, everything sent to iCloud is encrypted, and Apple does not have the encryption keys.

UNlike other companies, Apple does not transmit any passwords when it is not necessary to do so. For example the passcode on the iPhone, or anything using Touch ID, such as Apple Pay.

To Alwyn: I concur with the other posters that you are wasting your breath. Just make them promise that when the inevitable day comes, they will remember that they ignored your advice and that you're not going to help them now.

 

[pm-r]

WOW chas, I find it pretty hard to believe from what you say when I read of hackers breaking into various companies and accounts that none of them used any encryption and the hackers only went after various accounts that didn't even use any encryption.

It seems these days that the use of encryption for anything out or even exposed on the web just slows down the access when access is wanted by hackers or those really wanting access.

 

[chscag]

Anything or anyone nowadays can be hacked, encryption or no encryption. Just ask the US Government Office of Personnel Management who had their US government workers security clearance information and fingerprints stolen by hackers.

 

[lclev]

if they "only have two passwords" hopefully they are random mix of caps, numbers, characters, etc. - because regardless if they store them on their device or not, they can be compromised. Been there, done that, and have the t-shirt.

Any password once it leaves their computer can be compromised. But as harry said - save your breath.

Lisa

 

[vansmith]

The post above makes it sound like passwords can be retrieved from Apple by, say, hackers.

Because they can. Apple isn't special.

They cannot. Like other companies, everything sent to iCloud is encrypted, and Apple does not have the encryption keys.

As The Intercept notes, "While Apple does not have the crypto keys that can unlock the data on iOS 8 devices, they do have access to your iCloud backup data. Apple encrypts your iCloud data in storage, but they encrypt it with their own key, not with your passcode key, which means that they are able to decrypt it to comply with government requests." Os, as part of an investigation done by Ars Technica: "In other words, to provide the variety of services Apple offers, Apple must hold the encryption key to your encrypted data," a suggestion which points to the possibility of someone decrypting your content on iCloud. That makes sense though given that section V.E. of the iCloud TOS: "You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party..." To do that, it has to be able to decrypt it. Apple's Privacy page even makes this explicit: "Apple retains the encryption keys in our own data centres, so you can back up, sync and share your iCloud data." Apple holds the encryption keys which means that, if hackers wanted to, they could get access to them (given that basically anyone can be hacked, I'm sticking with the "they could get hacked" language).

Suffice it to say, Apple has to retain the power to decrypt content which, given that it exists somewhere, means that it can be taken or found. I think that believing that all iCloud content and password protections are safe is myopic at best, dangerous at most. Caution when storing things elsewhere is always the right choice.

UNlike other companies, Apple does not transmit any passwords when it is not necessary to do so. For example the passcode on the iPhone, or anything using Touch ID, such as Apple Pay.

That's not iCloud.

 

[pm-r]

if they "only have two passwords" hopefully they are random mix of caps, numbers, characters, etc. - because regardless if they store them on their device or not, they can be compromised. Been there, done that, and have the t-shirt.

Any password once it leaves their computer can be compromised. But as harry said - save your breath.

Lisa

Hmmm…??? Just curious but what's the difference between having "only have two passwords" or hundreds or thousands?? Other than it being much harder to remember more than just a couple without using some password software.

 

[vansmith]

If you only use two, odds are that you use those two for everything which means, if they get them, they get access to everything. If you have multiple, getting your password limits the "damage" to a small set of things that you use that password for.

 

[lclev]

pm-r: What vansmith said ^^^. Example: My once favorite password was compromised when Adobe got hit. I was going on the assumption no one would ever guess it because it was a composite of things no one knew about me. Right .... I had to change everything from my online banking to every site I paid bills online at to all my favorite shopping sites. I had used basically one password with a slight variation to it to give me two to remember. So when I logged into a site I knew it was one or the other. To add to it, I used the same user names - I have two favorites and if either are available, I use them. So I was very vulnerable.

At work I took security seriously and create long pass phrases but for my personal use it took a wake up call. Now, I have a many and all very different passwords - all saved in 1Password.
I was lucky I did not get compromised - just sayin'

Lisa

 

[vansmith]

Iclev is right - strong obscure passwords are the best (they're hard to remember but a good password manager helps here).

For those who might want a way of doing this using built in tools, Keychain Access is your friend. Use that and go to File > New Password Item... > click the key icon and up opens the Password Assistant.

 

[Alwyn]

Having not had time since starting this thread until now to access the Forum I am amazed at the response. Thanks for all the tips. I'm particularly interested in the comments about cloud security. Although I keep things like Calendar in iCloud I prefer to back up using 2 external drives with Time Machine and to store all my files on my iMac.

Am I right in thinking that saved passwords could be accessible to a third party if my Apple ID were to be compromised. Do you guys ever change your Apple ID password? The new authentication process for accessing iCloud from a different device seems like a useful additional protection.

 

[vansmith]

The new authentication process for accessing iCloud from a different device seems like a useful additional protection.

Two factor authentication should be an absolutely central part of any account management if it's an option. At least with that enabled, if your password is discovered, no one can access your account (the same thing applies to iCloud).

 

[mattymac]

My passwords are randomly-generated, at least 60 characters long (some are longer), and consist of upper and lowercase letters, numbers, and symbols.

 

[pm-r]

My passwords are randomly-generated, at least 60 characters long (some are longer), and consist of upper and lowercase letters, numbers, and symbols.

As a password developer expert has stated:
"The time it takes to crack a password is the only true measure of its worth."

https://nakedsecurity.sophos.com/2012/05/25/how-long-would-it-take-to-crack-your-password/
http://www.zdnet.com/article/your-passwords-dont-suck-its-your-policies/

Or try:
Think you have a strong password? Hackers crack 16-character passwords in less than an HOUR
http://www.dailymail.co.uk/sciencet...ackers-crack-16-character-passwords-hour.html