Skip to content

Apple Announces Decision to Ditch Passwords

Chitchat
  • @phenomlab I guess this should be another thread, but after you post this meme, I wonder about your opinion on the new techniques to omit passwords…

    https://tech.co/news/apple-ditches-passwords

    Apple, Google, and Microsoft are going in this direction I guess.

  • @crazycells interesting topic, and one that’s been banded around the security community for years. Whilst it’s a good concept, even biometric security and passkeys have one major flaw - the end user responsible for the security itself.

    Ever heard of users being the weakest link ? In most cases, this is absolutely true. For example, you could have the highest grade security on offer, but once you put that electronic fortress into inexperienced hands, it may as well not be there at all. It’s long been considered that the “human firewall” is relatively simple to bypass, and it’s sadly a fact. Humans are susceptible to coercion - easily convinced that even something that looks too good to be true (and often is) is genuine - a “one time” opportunity too good to miss.

    Then there’s the social engineering side of things. It really doesn’t matter how strong your security is, the user in control of it can easily open the door to all sorts of unwanted activity, and allow sensitive information to simply walk out of the door at the same time.

    Will biometric security replacing passwords resolve this issue ? No - it’ll be exactly the same, just with a modern approach. What’s needed here is awareness - a constant reminder of what can easily happen if you lower your guard. We make the same mistake constantly by requiring users to change their passwords every x days - all that has achieved is to lower entropy and in fact weaken security in the process. This is something I’ve written about before

    https://sudonix.com/topic/135/changing-passwords-regularly-actually-weakens-security

    Users have a nasty habit of choosing weak passwords that they as humans can remember, and by definition, make that same password vulnerable to a dictionary attack or other simple mechanism - even brute force or sieve attacks - by adding a sequential number to satisfy the change, but to keep the password memorable.

    Admittedly, biometric security can stop that in it’s tracks and increasingly enhance the user experience, but it’s not a silver bullet - and should never be regarded as one.

    For all the time users remain unaware of the risk (or are ignorant to it), then no amount of security enhancements - even biometric - are not enough to increase security.

  • @phenomlab Thanks for the comment.

    I agree with you on users being the weakest link in the system… Let’s see how well or how fast this system will be adapted… I hope they can come up with a secure way that is not annoying…

    I actually started using the “1password” password manager quite some time ago for this purpose, and I have to tell you that my life got so much easier. I also turn on 2FA if the website offers one in the app, and I do not remember or know any of the passwords I have 😄 I only know 1 password that will unlock the 1password app 😄 and that is enough to fill the login page details… I usually pick a long alphanumeric password with some special characters in it, so it is hard to guess.

    Additionally, after my critical email addresses got exposed in several website hackings last year, I also started using “simplelogin.io” with a custom domain so that I could create unique email addresses for each website. I have been using this for the last 8 months or so, and happy so far…

    With this method, each website has a unique email address and also unique password. At least if I am hacked on website X, my info on website Y is still safe…

  • @crazycells good call with the password manager. I use Bitwarden myself for personal and family usage, and Dashlane for work. I’ve been experimenting with Bitwarden and it’s 2fa capabilities and I have to admit it’s impressive - so much so that I’m considering using this as a drop in replacement for Authy which I’ve been using for years.

  • @phenomlab said in Apple Announces Decision to Ditch Passwords:

    @crazycells good call with the password manager. I use Bitwarden myself for personal and family usage, and Dashlane for work. I’ve been experimenting with Bitwarden and it’s 2fa capabilities and I have to admit it’s impressive - so much so that I’m considering using this as a drop in replacement for Authy which I’ve been using for years.

    Yeah, I, too, prefer password managers filling 2FAs rather than me checking from an app on the phone. That is why I ditched Authy for this very reason 😄

  • @crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.

    This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.

    Food for thought.

  • @phenomlab said in Apple Announces Decision to Ditch Passwords:

    @crazycells I suppose the only issue which immediately springs to mind here is that if the password manager becomes compromised - for example, if your master password is inadvertently leaked, then an attacker has both the password, and the TOTP code.

    This might not sit well with the more paranoid users, but be perfectly acceptable and convenient for the less discerning ones.

    Food for thought.

    yeah, but thanks to 1password, I am ok with this.
    they have a secondary level of encryption. so even if you got my master password, it is useless without a device that I have registered. It is not enough to decrypt my account, even online. You have to enter a “secret code” to add your device to the account so that you can decrypt your passwords on that device, and this secret code is given during registration only.

  • @crazycells That sounds like a solid solution.

  • Google has started to implement this several days ago , and I asked about this to @julian on NodeBB… I guess this passwordless access will be the new norm for many websites/apps…

    https://www.theverge.com/2023/5/3/23709318/google-accounts-passkey-support-password-2fa-fido-security-phishing

    https://community.nodebb.org/post/92962

  • @crazycells this is an interesting concept, and I’ve been looking at this same technology for a while now. However, I do think it has flaws in the sense that you can use multiple devices, and if one of those were stolen, that could then easily act as a gateway to gain access to your accounts via an unauthorized source.

    Admittedly, you could easily prevent access by disabling that specific device, but the window of opportunity would still exist for a short period of time, and that may be long enough for any nefarious actor to compromise your accounts.

    No technology is going to be absolutely perfect, and we have to accept that. However, I do think it’s going to be a while before this new method of authentication becomes mainstream.

  • @phenomlab yes, let’s see how it will be implemented. I am curious about it.

    For most people, I believe this device will be their phone. And I believe phones are quite secure since they will need a passcode to be opened anyway. And you cannot try indefinitely to find out the passcode.

  • @crazycells said in Apple Announces Decision to Ditch Passwords:

    And you cannot try indefinitely to find out the passcode.

    That’s very true. However, as we saw with the San Bernadino shooting, the FBI did in fact manage to hack that device
    https://www.theverge.com/2021/4/14/22383957/fbi-san-bernadino-iphone-hack-shooting-investigation

    However, I think your average criminal may not have the array of resources that the FBI has… 🙂

  • @phenomlab said in Apple Announces Decision to Ditch Passwords:

    However, I think your average criminal may not have the array of resources that the FBI has… 🙂

    lol I hope they do not 😄

  • @crazycells Who knows given today’s modern technology.


Related Topics
  • Who uses Flarum?

    Chitchat
    22
    7 Votes
    22 Posts
    296 Views

    @Madchatthew I use it here. It is faster, but not sure if that extends to build times.

  • Nord VPN renewal

    Chitchat
    18
    14 Votes
    18 Posts
    515 Views

    💥🔥 that’s not bad at all!

    TopCashBack still doing 97% cashback on that too, win win!

  • Arch Server Progress

    Chitchat
    12
    8 Votes
    12 Posts
    138 Views

    I also wanted to post this. Here are the latest stats for the server so far. This is with all of the software setup and running along with doing updates once a week after testing them on my dev test server and making sure websites function properly.

    image.png

  • Podcasts, freemium, and premium services

    Chitchat
    28
    15 Votes
    28 Posts
    380 Views

    @JAC the guy had already mentioned the app previously during the video and said how to download it and how much he loves it etc, and then went onto thank them for sponsoring the video 😂.

  • Apple, what were you thinking?

    Blog
    15
    14 Votes
    15 Posts
    701 Views

    My daughter needed a new tablet, which was an older Samsung. My wife wanted to get her an Ipad. Fortunately, I was able to talk her out of that and show her how much better an android tablet would be. Preferably the Samsung S9 Ultra tablet. By the way, that thing is outstanding! Great purchase!

  • Proton launch password manager

    Chitchat
    27
    18 Votes
    27 Posts
    566 Views

    @phenomlab said in Proton launch password manager:

    will charge for it no matter if you have the full-blown package like I have. If they offered a discount or another incentive, I may well have taken a different view, but to me, it just seems like easy revenue.

    Much like Surfshark do, they are owned by the same company now and you can tell, there’s always something extra cropping up like dedicated IPs, loads of discounts thrown your way which is fair enough but I don’t think you should have to them thrown at you constantly 😃.

    Fortunately Proton have kept things simple and have all products under one roof should you buy the right package.

  • Own an Apple device? Patch it now

    Security
    4
    6 Votes
    4 Posts
    484 Views

    @crazycells that makes sense. Microsoft tried something similar with Windows but called it “optional updates” 🤦

  • iPhone Data and privacy

    Privacy
    2
    4 Votes
    2 Posts
    478 Views

    Here’s a very useful video that will walk you through the privacy features of Android - mostly around the ones you should disable to get the most out of the experience