Those Terrible Passwords Aren’t Getting Any Better

NordPass recently released its annual list of the most commonly used passwords, and (surprise, surprise!) not much has changed. What's truly baffling is how many folks still rely on the digital equivalent of leaving the front door wide open. The most common password is "123456" but fear not, "password" is still in there at number four. Anything on that list sits at the top of every attacker's wordlist, so an account protected by one falls to a credential-stuffing or brute-force attempt almost instantly.

If you’re reading MacSparky, you probably already use a password manager and strong, unique passwords. But if you know someone who doesn’t, please share this with them. Their accounts are far more vulnerable than they realize.

And there's no excuse anymore. Apple users don't even need a third-party solution: the built-in Passwords app (macOS 15 Sequoia, iOS 18 and later) generates, stores, and auto-fills strong, unique passwords for free. It's right there in your Applications folder (App Library on iOS), waiting to help.

Remember: If your password is easy for you to remember, it’s probably easy for others to guess.

Who’s Responsible For Age Verification?

There seems to be a lot of finger-pointing going on about age verification between software and hardware developers. Facebook (and now Tinder) argue that it's up to the hardware seller to verify a user's age. (Ben Lovejoy covers this over at 9to5Mac.) In a lot of ways, that makes sense. When you register your iPhone, it should know how old you are, at least as far as the birth date on the account is truthful. That could give Apple the ability to prevent underage children from downloading dangerous social media apps. Of course, in many jurisdictions it isn't illegal for underage children to have these apps at all.

Likewise, the seller of these dangerous apps that can harm children should take more responsibility than just finger-pointing at the device manufacturer. There are plenty of ways for Tinder and Facebook to know when they have an underage user. And they, too, should be taking steps to protect these children.

And of course, don’t forget the parents. Some parents will want to grant their children access, and others will want to lock the devices down. In my opinion, the only way we’re going to really solve this problem is if the parents, the hardware and the software people all get together on this. I absolutely would like to see Apple take a more active role in this, but I don’t think it’s solely responsible for the solution.

Stolen Device Protection

There's a new feature heading to iOS 17.3 after the New Year that will make it harder for someone to shoulder-surf your passcode and then take over your Apple ID. This is directly aimed at the attack Joanna Stern wrote about in the Wall Street Journal: a thief watches you type your passcode, steals the phone, and uses the passcode alone to reset the Apple ID password and lock you out. With Stolen Device Protection on, getting to saved passwords will require Face ID or Touch ID with no passcode fallback, and changing your Apple ID password will be subject to a one-hour security delay followed by a second biometric check, unless you do it from a familiar location, like home or work.

You’ll need to turn it on when it ships, but my initial take is that it seems like the right balance of security and convenience. I doubt we’ll see 17.3 before February.

Malicious Email is Getting Smarter

Malicious email is not comically dumb any more. One malicious strain, called Emotet, hijacks existing conversations: the message carries a known contact's name, quotes a real thread, and arrives as a reply to it, so the usual "do I know this person?" check passes. If you click on the links or open the attachments, you are done for. Dan Goodin at Ars Technica breaks it down.
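To make the reply-chain hijack concrete, here is an added example (not from the original post or from the Ars article) of the checks a mail filter can run on a message that claims to continue a thread. It assumes a hypothetical address book and a set of Message-IDs you actually sent; the two raw messages are constructed for the demo. The idea is that a hijacked reply gets the display name and the quoted text right but tends to get the sender address, the reply path or the threading headers wrong, and Emotet's payloads ride in macro-capable attachments.

```python
"""Heuristics for reply-chain hijacking of the kind Emotet uses.

A hijacked reply looks like a known contact continuing a real thread, but
the sender address, Reply-To, In-Reply-To or attachment usually betrays it.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: display name -> address we know for that person.
KNOWN_CONTACTS = {"Jane Doe": "jane@example.com"}
# Constructed: Message-IDs of mail we really sent (a real filter would query the mail store).
SENT_MESSAGE_IDS = {"<20240102.1@example.com>"}
# Attachment types that can carry macros or scripts.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".zip", ".js", ".lnk")


def triage(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message.

    An empty list means none of the hijack heuristics fired.
    """
    msg = message_from_string(raw)
    findings = []

    # 1. Display name belongs to a known contact but the address does not match.
    name, addr = parseaddr(msg.get("From", ""))
    known = KNOWN_CONTACTS.get(name)
    if known and known.lower() != addr.lower():
        findings.append(f"display name {name!r} belongs to {known}, but mail came from {addr}")

    # 2. Replies are steered to a different address than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")

    # 3. Claims to answer a message of ours that we never sent.
    in_reply_to = msg.get("In-Reply-To")
    if in_reply_to and in_reply_to not in SENT_MESSAGE_IDS:
        findings.append(f"claims to reply to {in_reply_to}, which we never sent")

    # 4. Macro- or script-capable attachment.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"attachment {filename!r} is a macro/script-capable type")

    return findings


# Constructed sample: a hijacked reply with Jane's name, a quoted thread, and a .doc.
HIJACK = """\
From: Jane Doe <jane.doe@mail-relay.example>
To: david@example.com
Subject: RE: Invoice for December
In-Reply-To: <20231230.77@somewhere.example>
Message-ID: <abc@mail-relay.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see attached, as discussed.

> On Dec 30, David wrote:
> Can you send the invoice?
--b1
Content-Type: application/msword; name="Invoice.doc"
Content-Disposition: attachment; filename="Invoice.doc"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a genuine reply from Jane to a message we did send.
LEGIT = """\
From: Jane Doe <jane@example.com>
To: david@example.com
Subject: RE: Invoice for December
In-Reply-To: <20240102.1@example.com>
Message-ID: <def@example.com>
Content-Type: text/plain

Sure, I'll send it tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("hijack", HIJACK)):
        print(label, triage(raw) or ["no findings"])
```

None of these checks is conclusive on its own (people do reply from a second address), but a message that trips two or more is exactly the shape of the Emotet thread hijack, and the attachment check alone is worth a quarantine.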

For me, if it has an embedded link or an attachment, I assume it is malicious until proven otherwise. This is particularly true from financial institution-related or account-related email. I’ve managed to avoid trouble because of constant vigilance. I wonder how many people out there have been compromised and don’t even realize it.

iCloud Gets a Security Upgrade

Today Apple announced some nice updates to the iCloud security features. With the new Advanced Data Protection option turned on, the following categories are end-to-end encrypted in iCloud:

  • Device Backups
  • Messages Backups
  • iCloud Drive
  • Notes
  • Photos
  • Reminders
  • Safari Bookmarks
  • Siri Shortcuts
  • Voice Memos
  • Wallet Passes

End-to-end encryption means the keys for these categories live only on your trusted devices; Apple's servers hold ciphertext they cannot decrypt (if you opt in). Put simply, Apple will no longer be able to see the above categories of data, and cannot hand them over in readable form either. If Apple gets hacked in the future, the bad guys get the same ciphertext. Two caveats worth knowing: iCloud Mail, Contacts and Calendar stay outside this scheme because they have to interoperate with other providers, and some metadata, such as creation and modification dates and file sizes, remains under Apple's standard (server-key) protection.

Apple has very publicly stated an interest in protecting user privacy. I believe them. What is impressive about this is how they’ve added the encryption at Apple’s user-base scale. That can’t be easy.

At this point, it's opt-in. You must go into the iCloud settings and turn on Advanced Data Protection, which requires every device signed in to your Apple ID to be on the new releases and a recovery contact or recovery key to be set up first. I will be opting in. Advanced Data Protection is in the latest iOS 16.2 beta. It will be available to all U.S. customers by the end of the year and rolling out to the world in early 2023.

One note of caution, however: because Apple no longer holds the keys, if you lose access to all of your devices and your recovery key or recovery contact, the data is gone. Apple can't help you. So get your password and recovery situation sorted out before you push the button.

Craig Federighi did an interview with Joanna Stern on these updates. She did a great job explaining end-to-end encryption in the process.

Where are the Passkeys?

With Apple's latest round of updates, we've got a new kind of login credential, the passkey, that your devices manage for you in the background. (Here's Apple's explainer.) A passkey is not a password at all: for each site your device generates a public/private key pair, the site stores the public key, and your device keeps the private key (synced through iCloud Keychain) and uses it to sign a challenge at login. There are a lot of advantages to this. It isn't dependent on user-generated passwords, so there is nothing to reuse, and a breach of the site leaks only public keys. It guarantees a separate credential for every site. It will also help you avoid phishing attacks because each passkey is bound to the site's domain, so a look-alike site can't obtain a signature the real site would accept. This comes at the cost of some loss of control, but third parties are already working on that (like 1Password in this video).
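The anti-phishing property described above is something the site itself has to check, not magic in the device. Here is an added example (not Apple's code or anything from the original post) of the relying-party side of a passkey login: it verifies the WebAuthn client data and authenticator data that the browser sends back against the origin, RP ID and challenge the server expected. The origins macsparky.com and macsparky-login.example, the fixed challenge and the helper that builds the two payloads are all constructed for the demo. The final ECDSA signature check over the returned signed bytes, using the public key stored at registration, is the one remaining step and is not performed here.

```python
"""Relying-party checks on a WebAuthn/passkey assertion.

Implements the origin, RP ID, challenge and user-presence checks from the
WebAuthn assertion verification procedure and returns the bytes that the
authenticator's signature must cover.  Signature verification itself, which
needs the public key stored at registration, is left to the caller.
"""
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_origin: str, rp_id: str, expected_challenge: bytes):
    """Return (ok, reason, signed_bytes) for one assertion response."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", b""
    if client_data.get("type") != "webauthn.get":
        return False, f"unexpected type {client_data.get('type')!r}", b""
    # The challenge ties this response to one login ceremony; a replayed or
    # relayed assertion carries someone else's challenge.
    if client_data.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (replay or stale ceremony)", b""
    # The browser fills in the origin the page was actually served from, and
    # the authenticator signs a hash of this JSON.  A look-alike site cannot
    # produce the real origin here, which is the phishing resistance.
    if client_data.get("origin") != expected_origin:
        return False, f"origin {client_data.get('origin')!r} != {expected_origin!r}", b""
    # authenticatorData: rpIdHash (32) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short", b""
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match RP ID", b""
    flags = authenticator_data[32]
    if not flags & 0x01:                      # UP: user presence
        return False, "user presence flag not set", b""
    # The authenticator signed authData || SHA-256(clientDataJSON).
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok", signed


# Constructed fixtures standing in for what a browser and authenticator return.
CHALLENGE = bytes(range(32))
ORIGIN, RP_ID = "https://macsparky.com", "macsparky.com"


def make_client_data(origin: str, challenge: bytes = CHALLENGE) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def demo():
    """Genuine login, a phishing site's attempt, and a replayed assertion."""
    return {
        "genuine": check_assertion(make_client_data(ORIGIN), make_auth_data(RP_ID),
                                   ORIGIN, RP_ID, CHALLENGE)[:2],
        "phish": check_assertion(make_client_data("https://macsparky-login.example"),
                                 make_auth_data("macsparky-login.example"),
                                 ORIGIN, RP_ID, CHALLENGE)[:2],
        "replay": check_assertion(make_client_data(ORIGIN, bytes(32)), make_auth_data(RP_ID),
                                  ORIGIN, RP_ID, CHALLENGE)[:2],
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:8} ok={ok} {reason}")
```

The phishing case fails on the origin check before any cryptography happens, which is the whole point: a proxy site relaying the real challenge still gets a response whose origin names the proxy, and the real site rejects it. Sites that skip these checks and verify only the signature throw that protection away.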

I'm curious, however, as to when Passkey websites will start showing up. So far, I've seen none. For this to work, websites must add WebAuthn support on the backend (the standard passkeys are built on), and everyone is now waiting for that to happen. Are website developers untrusting of the new technology? Do they want to see others figure it out first? Do they need the budget for these changes? I expect it is all of the above. I've been asking about it for MacSparky.com with some of my platform providers, and I'm told to cool my jets. I sure hope this all gets sorted out. It will help web security for a lot of people once it gets rolling.

533 Million Facebook Users Compromised

Hackers managed to grab names, account details, and telephone numbers from 533 million Facebook users, and now they've published all that data on the web. The data was reportedly scraped through a contact-import flaw that Facebook says it fixed in 2019, which is cold comfort now that the records are freely circulating. Yikes. I'm shocked at the scope but not the source.

If you have a Facebook account, now is the time to be on alert for scammy phone calls and texts from people who know your real name and number and will try to social engineer their way into your credit card numbers and bank accounts. There is already a scam where they call and claim to be the IRS and need "immediate payment to avoid criminal prosecution". Phone numbers are also the key ingredient for SIM-swap attempts against accounts that use SMS codes as a second factor. I'm sure they'll come up with even more dreadful ways to abuse this treasure trove of data.