I have been telling non-technical people about how to handle passwords.
I emphasize the importance of long and unique passwords. Here’s my advice:
Go to any book or magazine and pick out three or four random words. For example, looking at a letter I got, I chose workplace, community, and providing.
Capitalize the first letter (since many sites insist you need one at least one capital letter) and append !1 on the end (since many sites insist you need at least one number and a one non-alphanumeric character). Might as well get those out of the way.
In this example, the newly generated password is Workplacecommunityproviding!1. Now write it down. Yes, it’s better to write it down than use the same password over and over.
Before, I told people to store their passwords in a locked Note. You can’t see the note unless you can get their iPhone or Mac and unlock the note. However, I’ve recently found a better place.
Make the following new Shortcut: Open URL pref:root=PASSWORDS
Go to Accessibility→Touch→Backtap.
Set one of the back taps to run your new shortcut.
Now, when they create a new password, they can tap the back of their phones two/three times, and enter a password directly into Apple’s password database.
Your method is better for passwords you want to remember, though. I have a lot of passwords in 1password and they are mostly random and as long as possible. But for a little number of important sites that also have some kind of two factor authentication, I prefer to remember the password. In that case, I use a dictionary and pick random words from random pages.
Just a quick note that iOS 16 now supports unlocking encrypted notes with the device passcode and Face ID/Touch ID rather than a discrete passphrase if you wish. It won’t change the passphrase for existing locked notes, but it does make unlocking notes a little easier now if you make that change (under Settings / Notes).
I’d wait until MacOS (and iPadOS if you have an iPad) are updated before making the change. Doing it now may inhibit reading locked notes anywhere but the iPhone.
Yep…as a long time computer security and sysadmin type…once you get past about 17 characters or so then the only viable cracking technique is the brute force try every possible password technique…and for that the only thing that matters is length.
In addition…although a different password for every site is optimum…there’s something to be said for passwords of the “I don’t really care” variety…say you need to have an account at www.whateverwebsite.com but there isn’t any financial or personal data there…in that case I can see that using a standard "I don’t care about it” for those sites doesn’t really compromise security. In the days of password managers that have auto fill capabilities it’s not really necessary and having the long random word passwords isn’t any harder than a re-used one…but in the absence of actually reducing a user’s security it’s essentially harmless…although one needs to (of course) only use the “I don’t care about it” password on sites without any financial or personal information involved…and it’s just easier to generate a new password for every one.
My only additional suggestion is to use a password manager…so one only needs to remember a single password (well, you need the computer and/or phone/tablet one as well I guess). I like 1PW version 7, don’t like the new version 8 at all due to lost functionality, but Enpass is an excellent equivalent to version 7 if it ever quits working.
No real need to use a book either…I look around the room and pick out 3 objects and use those…or pick 3 random animals or birds or fruit or whatever…although none of these are absolute…because if you tell people you always pick 3 fruits then that narrows down the universe of words to pick quite a lot…picking 3 unrelated words is best…and when describing the technique never tell people your actual ’number and symbol’ combination…it’s plenty fine to use the same secret combo of those in all your passwords although using a different combo does provide *slightly• more entropy in the password but not nearly as much increase in entropy as longer does. I also upper case more than one letter…and used to do the substitution of @ for a and 3 for e and similar…but once you push the bad guy into using brute force the old common letter substitution trick doesn’t actually add any complexity.
And of course…one could do the same by picking out phrases from a book…but don’t use something commonly known like Four score and seven years ago…because that one will almost certainly be in the dictionary table they try first. And I also point out the page over at Steve Gibson’s of Security Now fame http://grc.com/haystack.htm that explains all of this much better than I do.
I had that opinion for a while, and used a standard username/password for all the sites where I don’t care. Until one of those accounts showed up on haveibeenpwned.com. Even though there was no chance of financial loss or identity theft, a lot of those sites were discussion forums and I now had to deal with the possibility that someone might use those credentials to impersonate/embarrass me. So I then had to go and change my password on dozens of sites (and think up a different PW for each). Ugh.
I generated the password for my password manager (1Password 7) this way** – as you say, it’s much easier to remember. I then have the password manager generate distinct passwords for all the sites I use, and store them. (I never remember those passwords; I just pull them out of the password manager when needed.)
This way, I only have to remember one password – the one that unlocks my password manager.
With Passkeys, I hope this whole topic becomes obsolete.
However, using the built in iPhone password manager makes more sense. Once a password is there, it can automatically be used in webpages and apps. And, it is also in the Keychain on the iMac. The trick is getting quick access to it.
Saying Hey Siri, show me the passwords brings it up. However, creating a shortcut to do this is even more convenient. A one line shortcut does the trick:
Open URL root:pref=PASSWORDS
You can now put this on your Home Screen just like a password manager app like LastPass or 1Password. Or you can use Settings→Accessibility→Tapback.
The Password manager also creates passwords for you. And you can use it for 2FA via Auth app.
But Apple’s keychain/iCloud-based password management only works for Safari. If you choose to use another browser, or if you use several different browsers, you’ll need some other mechanism to get your passwords into those browsers.
That’s one of the key advantages to third-party password managers. They are designed to work on a variety of browsers on a variety of different operating systems, so you can access your passwords from whatever app you’re running.
RE passwords and security issues- I? note the following- Most users in our retirement community use their name for their computer. On the wi fi system and sometimes on the related ethernet system, these names are easily found. This makes them " soft " targets for way to many baddies who can simply sit nearby with simple software and find that data.
Lets digress- assume you want to target someone whose name can now easily be found. Would you look for ’ joe lunchpail ’ name or a network name like ‘beachtree’ .
Point being- use a non descriptive name on computer
second point using 8 to 11 letters and numbers is a bit easier if you use the first letter of a 8 to 11 word nonsense phrase An example " the cow ran into the moon rock and died 2 " would be Tcritmrad2$
IMHO its easier to remember two or three nonsense phrases than a random list of numbers and letters.
I have used this technique to create shortcuts for other purposes with the back tap and it works well. However, in the article where I read about this technique they said the “prefs“ could be changed by Apple at any time which might break this process. Just FYI.
Long passwords are fine, but I have discovered (a long time ago, when I bought my first iPhone (many moons) that the iPhone’s keyboard is very slow and clumsy and prone to typos, especially with long passwords involving capitalization, punctuation, and numbers. And, yes, even with an iPhone 13 Pro Max, the keyboard-typos continue. It’s too easy to hit the “n” instead of the “m,” or to hit the “Delete” key instead of the “m,” etc.
The dots that quickly hide what you just typed don’t help either. I wish someone would come up with a way to at least see 2 or 3 of the last alphanumerics entered, if not the entire password before you press “Enter” or “Done”.
I know there are keyboard alternatives to the iPhone, but, gosh, talk about OS Overkill in iOS 15 and 16 (and a iPhone to boot!)…
Passwords are definitely easier with a laptop – until you try to use that password on your iPhone and you find yourself switching between Caps, numbers, punctuation (why is the “?” question mark on the secondary punctuation set?!) , and back to lower-case letters. Plus you discover (quite quickly) that your fingertips just aren’t the same size as Jony Ivie’s!
It’s one of the reasons I capitalize only the first letter and add the !1 on the very end. It eliminates the constant shifting you need to do to type in capitals and other special symbols. Heck, you can type the !1 without reshifting the keyboard. They’re both available on the number shift.
Way easier to type in Specialboardkey!1 than the more typical pa55W0rd2018!.
I guess short and easy to type passwords can be used for things like the bread bakers web forum I’m on. If a hacker breaks into that forum, they can’t do too much damage besides adding too much salt to a recipe. Well, maybe I also reused that password on the Severance Fan Forum too. He could post something there that might make me look stupid.
It is one of the reasons to type your password in as it is used rather than the three words I recommended. You can then copy and paste the password in one go.
Or, you could use the built in password manager in iOS using the shortcut to quickly bring it up. In Safari and most apps, it’ll automatically fill in the password for you.
This security theater bugs me. If I’m holding the display in my hand, how often is someone looking over my shoulder to note the site I’m visiting, my username, and my password? I should have the option to tell the device not to mask the password and accept the risk.
Yeh…which is why I always test type any new master password or something I might need to type frequently for whatever reason on the laptop, iPhone, and iPad because the keyboard layouts are different on each one. Still need to switch to do special characters or some on the numeric layout but make sure the number of switches is minimized.
