Safer Internet: Browsing: Protect Passwords

Non-expert Online Practices
1. Use Antivirus Software
2. Use Strong Passwords
3. Change Passwords Frequently
4. Only Visit Websites They Know
5. Don't Share Personal Info

Expert Online Practices
1. Install Software Updates
2. Use Unique Passwords
3. Use Multifactor-Factor Authentication
4. Use Strong Passwords
5. Use a Password Manager

Summary

Passwords are now covered in a separate 3-session OLLI course: P@s$w0rdz
Passwords:Intro (from earlier in this course) now summarizes highlights from P@s$w0rdz.
This section originally provided more details about other password issues, e.g., secret answers, biometrics, 2FA, etc.
This section now provides only Reference articles (below) [for P@s$w0rdz] -- it will continue to be updated.

References

{TCYOP-4: 99-100; TCYOP-3: 81-83}
e-Books: Take Control of...: Your Passwords, 1Password; Passwords cheat sheet
haveibeenpwned.com check if you have an account that has been compromised in a data breach
SYSTEM: Please enter your new password.
USER: cabbage
SYSTEM:...
USER:... boiled cabbage
SYSTEM:...
USER:... 1 boiled cabbage
SYSTEM:...
USER:... 50bloodyboiledcabbages
SYSTEM:...
USER:... 50BLOODYboiledcabbages
SYSTEM:...
USER:...
SYSTEM:...
USER:...
SYSTEM:... Sorry, that password is already in use.
Wikipedia: Password; Authentication; Backdoor method of bypassing normal authentication
HowStuffWorks: Authentication
Wikipedia: Password manager; Password strength
Wikipedia: Password entropy derived from # character choices (# of bits) * length of password
Wikipedia: FIPS-181 Fed. Info Processing Std.: Automated Password Generator
Wikipedia: Random password generator; Diceware
Wikipedia: Password cracking depends on info entropy; number, speed of CPU/GPUs, # of permitted attempts;
e.g., 2008: A user-selected eight-character password with numbers, mixed case, and symbols,
reaches an estimated 30-bit strength, according to NIST. 30 is only one billion permutations
and would take an average of 16 minutes to crack
Wikipedia: salt random data that is used as an additional input to a one-way function that hashes a password or passphrase
zxcvbn (password strength tester): testing page; intro; source code
Beware of Attacks Using Password Reset Request Notifications TB; 3/26/2024
Back Up and Secure Your Digital Life
product reviews: ...
Password manager: free, paid;
Two-factor authentication; ...
NYT; 3/7/2024
Suspects can refuse to provide phone passcodes to police, court rules
phone-unlocking case law is 'total mess,' may be ripe
for Supreme Court review; Ars; 12/14/2023
Largest Study of its Kind Shows Outdated Password Practices are Widespread GAtech; 11/17/2023
Cloaked manages your logins with proxy emails, phone numbers and a built-in password manager $10/mo.; TC;10/3/2023
Top Ten Password Security Standards 6/21/2023
Everything you've been told about passwords is a lie
Aim for longer password phrases; Use a password manager if you can;
Consider two-step authentication on your important accounts;
WaPo; 1/10/2023
A Breach at LastPass Has Password Lessons for Us All
reassess whether to trust companies to store our sensitive data in the cloud; NYT; 1/5/2023
How to Set Up Google Password Manager's On-Device Encryption for iOS, Chrome, and Android Giz; 6/22/2022
Steps to Simple Online Security: 1: Always use strong passwords;
2: Set Up Two-Factor Authentication NYT; 4/1/2022
Lapsus$ found a spreadsheet of passwords as they breached Okta, documents show TC; 3/28/2022
Why You Should Sign Into All of Your Accounts Every Now and Then
inactive accounts -- inaccessible due to invalid email address;
account deletion -- policies vary: 6 mo. - 2 years;
LH; 11/30/2021
Why the Password Isn't Dead Quite Yet
some drawbacks to new authentication methods;
often newer devices are required; Wired; 7/6/2021
PSA for US Congresspeople: Please do not enter your phone’s passcode on TV Verge; 5/25/2021
How to See Who's Using Your Streaming Passwords
Netflix; Hulu; Disney+; Amazon Prime Video; Spotify; Giz; 5/3/2021
The 5 Best Ways to Store Passwords Safely
Use your browser; 1Password; LastPass; Dashlane; NordPass; Giz; 2/9/2021
Microsoft takes on Keychain with Autofill features on iOS, macOS
via Microsoft Authenticator app and a Google Chrome extension; ApIn; 2/6/2021
Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes
But what happens when you can’t access that wealth because you forgot the password to your digital wallet? NYT; 1/12/2021
Here's how many Americans still secretly use their ex's passwords
password sharing even after breakup; ZD; 10/12/2020
How Do I Get Into My Email If I've Lost My Recovery Codes? LH; 8/7/2020
Why Am I Locked Out of My Netflix Account? (password oversharing?) LH; 7/31/2020
How to Change Your Email Address LH; 6/17/2020
Neo-Nazis Are Spreading a List of Emails and Passwords for Gates Foundation and WHO Employees MB; 4/21/2020
Silicon Valley Legends Launch Beyond Identity in Quest to Eliminate Passwords Beyond Identify; 4/14/2020
Three old password rules that are dumb today
Don't be afraid to write down your passwords; Do share your accounts;
Don't constantly change your passwords; CNet; 3/11/2020
How to Share Your Online Accounts Without Sharing Your Password
via password manager; Amazon Prime 'Household Package'; Spotify, Apple Music, YouTube Music: family plan;
Netflix, Hulu, Disney Plus: share pw, but setup profiles; Wired; 2/23/2020
More than 38,000 people will stand in line this week to get a new password
on paper, at German university; ZD; 12/18/2019
How Can I Close Accounts for Old Services I Don't Use Anymore?
Check through your email for notices, confirmations, etc.; Search for old passwords in your browser
and password managers; Google your username; Clear out permissions for other apps; LH; 12/5/2019
Who’s Hacking Your Spotify? NYT; 12/5/2019
Why Sharing Your Disney+ or Netflix Password Is a Bad Idea
use unique password,2FA; Giz; 11/29/2019
Suspect can’t be compelled to reveal “64-character” password, court rules Ars; 11/23/2019
Nikki Haley lost her password, so she sent sensitive info over unclassified system
OpenNet; Ars; 11/20/2019
How to use Sign In With Apple and manage your log in information ApIn; 11/7/2019
Please get your digital affairs in order password manager, backup codes; TC; 9/15/2019
How to create a backup plan to restore passwords if your system fails
iCloud, password manager; MW; 9/3/2019
Fernando Corbató, a Father of Your Computer (and Your Password), Dies at 93 timesharing; NYT; 7/12/2019
Hacker Lexicon: What Is Credential Dumping? extracting usernames and passwords from a victim computer,
so that they can be used to reenter that computer at will and reach other computers on the network; Wired; 7/7/2019
[2] A quarter of major CMSs use outdated MD5 as the default password hashing scheme
Offenders include WordPress, osCommerce, SuiteCRM, Simple Machines Forum, miniBB, MyBB,
SugarCRM, and others; ZD; 6/17/2019
5 alarming facts in honor of World Password Day
1. Data breaches are happening more often;
2. Data breaches are getting worse;
3. Data breaches may not be detected and reported promptly;
4. The more online accounts you have, the more vulnerable you are;
5. We can't seem to shake our bad password habits; PC; 5/2/2019
Introducing the 1Password Internet Password Book
;-) bad handwriting is the best form of encryption; 4/1/2019
WebAuthn: What you need to know about the future of the passwordless Web
while OS and browser makers now support the WebAuthn API,
it's unclear when and how Web sites will begin implementing it; PC; 3/7/2019
The web just took a big step toward a password-free future
WebAuthn is here to kill the password; uses USB key or other biometrics;
already supported by most browsers (Chrome, Firefox, Edge, and Safari); Verge; 3/4/2019
Once Again, Sharing Streaming Passwords Is Not 'Piracy' Or 'Freeloading'
most actual streaming companies view as marketing and source of new accounts; TD; 3/1/2019
[2] Cryptocurrency wallet caught sending user passwords to Google's spellchecker
Coinomi wallet bug sends users' secret passphrases to Google's Spellcheck API via HTTP, in plaintext; ZD; 2/27/2019
Millions of utility customers’ passwords stored in plain text and sent in plain text via email; Ars; 2/25/2019
When Your Shared Netflix Account Outlasts The Relationship NPR; 2/14/2019
You happily share passwords for Netflix, HBO and more, despite risks CNet; 2/12/2019
Digital exchange loses $137 million as founder takes passwords to the grave cryptocurrency; Ars; 2/2/2019
How to Stop Worrying About Every 'Mega' Password Breach That Comes Along
1. Enable 2FA;
2. Get a password manager;
3. Buy a physical security token, e.g., Yubikey, Google Titan;
4. Enjoy; Giz; 1/17/2019

Apps

Use an application to encrypt a file (.txt, .doc, spreadsheet, .pdf)
-- assuming AES-128 or AES-256 (better) level encryption, with latest version of software.
Microsoft Office (2016-; 365-); Acrobat (X -)
compression utils.: WinZip (9.0-); 7-Zip; Keka
discussion: P@s$w0rdz: Storing: Secure (Encrypt) Your Passwords

Biometrics, Fingerprints, Facial Recognition; Passkeys

Biometrics; Fast IDentity Online (FIDO)
HowStuffWorks: How will biometrics affect our privacy?
Google and Apple use passkeys to capture users by locking credentials into their platforms
and have made the UX of passkeys worse than that of password managers 4/26/2024
Cops can force suspect to unlock phone with thumbprint, US court rules Ars; 4/18/2024
I Stopped Using Passwords. It's Great -- and a Total Mess
Passkeys are here to replace passwords. When they work, it's a seamless vision of the future.
But don't ditch your old logins just yet; Wired; 2/8/2024
Google begins prompting users to create passwordless passkeys by default Verge; 10/10/2023
Passkeys: all the news and updates around passwordless sign-on Verge; 9/29/2023
Windows 11 gains support for managing passkeys TC; 9/21/2023
1Password rolls out public passkey support to its mobile apps and web extensions Verge; 9/20/2023
Passkey: Which popular apps and services offer the new feature? ApIn; 9/6/2023
How to use Passkeys on your iPhone, iPad, and Mac MW; 6/22/2023
1Password is finally rolling out passkey management
save passkeys and synchronize them across devices and platforms after 6/6; Verge; 5/16/2023
Passkeys may not be for you, but they are safe and easy -- here's why
answering common questions about how passkeys work; Ars; 5/12/2023
How to Use Passkeys on Your iPhone or Mac LH; 5/11/2023
Embrace the Passwordless Future of Passkeys LH; 5/9/2023
Google's passkey offering is refined and comprehensive enough to recommend but the ecosystem is incomplete, despite PayPal, Kayak, and others using passkeys; Ars; 5/8/2023
Google now lets you access your account with passkeys rather than passwords TC; 5/3/2023
1Password is trying for zero passwords
create and unlock 1Password accounts using biometric-based passkey tech; Verge; 2/9/2023
Everything to Know About Passkeys for a Password-Free Future passkeys; NYT; 1/11/2023
The Password Isn't Dead Yet. You Need a Hardware Key Wired; 12/30/2022
The passwordless experience you deserve passkeys; 1PW; 11/17/2022
Dashlane is ready to replace all your passwords with passkeys Verge; 8/31/2022
Why Passkeys Will Be Simpler and More Secure Than Passwords TB; 6/27/2022
Apple ‘passkeys’ could finally kill off the password for good TC; 6/6/2022
Another Step Toward a Password-Free Future TB; 5/5/2022
Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms
unlocking phone to enable access; Verge; 5/5/2022
Some of tech's biggest names want a future without passwords -- here's what that would look like CNBC; 4/24/2022
A Big Bet to Kill the Password for Good
after a decade of work, the FIDO Alliance says it's found the missing piece in the bridge to a password-free future; Wired; 3/17/2022
What You Need to Know About Facial Recognition at Airports NYT; 2/26/2022
IRS will end use of facial recognition after widespread privacy concerns
ID.me facial recognition/sign-in issues; Verge; 2/7/2022
The smart toilet era is here! Are you ready to share your analprint with big tech? Guard; 9/23/2021
Researchers Create 'Master Faces' to Bypass Facial Recognition MB; 8/10/2021
Apple demos passkeys, to let users set up accounts with just Face ID or Touch ID,
joining Microsoft and Google in advocating for passwordless authentication CNet; 6/10/2021
John Gruber Analyzes Apple's Secure Intent TB; 6/4/2021
How to Log In to Your Devices Without Passwords Wired; 4/11/2021
Inside FIDO Alliance's vision of a future free of passwords
FIDO2 combines W3C's Web Authentication (WebAuthn) specification and FIDO Alliance’s
corresponding Client-to-Authenticator Protocol (CTAP). This allows you to use your phone
or laptop to identify yourself safely to a web service. To reduce the risk of phishing or
any other attacks, the FIDO2 method doesn't involve storing your credentials on a server.
Instead, it uses features such as biometric authentication to validate your identity so the
password never leaves your device; TNW; 10/9/2020
Face ID and Touch ID Logins Coming to Websites With Safari Web Authentication API 6/24/2020
The case for biometric authentication -- and why we should ditch passwords TNW; 6/6/2020
Apple is making iPhones easier to unlock without Face ID while many wear masks CNet; 4/29/2020
How to turn off Face ID and use a PIN to unlock your iPhone instead e.g., if wearing mask; TNW; 4/17/2020
Attackers can bypass fingerprint authentication with an ~80% success rate:
using fake fingerprints for ~20 attempts fine for most people, but it's hardly foolproof; Ars; 4/8/2020
This Smart Toilet Will Know You by the Shape of Your A*****e MB; 4/7/2020
How YubiKey Bio could make remote security concerns a thing of the past PC; 3/31/2020
Google Pixel 4 face unlock works even when you're unconscious
Your eyes don't need to be open to access the phone; CNet; 10/18/2019
Samsung says it will issue a patch for a fingerprint recognition bug on its
Galaxy S10 phone that allowed any fingerprint to unlock the phone Reut; 10/17/2019
[2] Biometrics using ear canals Giz; 9/19/2019
How to Thwart Facial Recognition
1) disappear: go offline and off the grid; 2) flood the system with weird, incongruous data.
Wear someone else's likeness or lend out your own; NYT; 7/30/2019
The Pentagon has a laser that can identify people from a distance—by their heartbeat
unique cardiac signature from 200 meters away, even through clothes; MIT; 6/27/2019

Bitwarden

wikipedia, bitwarden.com
Bitwarden begins adding passkey support to its password manager Verge; 11/2/2023
Bitwarden review: This free password manager has few restrictions, and little polish PC; 8/25/2022

Breaches / HaveIBeenPwned

How to verify a data breach TC; 3/15/2024
Have I Been Pwned adds almost 71M email addresses tied to stolen accounts from the Naz.API dataset
it allegedly contains 1B+ lines of stolen credentials; BC; 1/18/2024
Troy Hunt (pwned) scours the dark web for your stolen data 9/22/2023
What to Do if Your Password Is Exposed in a Data Breach Giz; 7/27/2022
The NCA shares 585 million passwords with Have I Been Pwned
UK National Crime Agency; US FBI had shared earlier; 12/20/2021
Have I been Pwned (HIBP) goes open source
HIBP will now also receive compromised passwords discovered in the course of FBI investigations; ZD; 5/27/2021
How to tell if your password has been stolen
HaveIBeenPwned; Hass-Platner-Institut;
Google Password Checkup; Firefox Lockwise; Microsoft Edge Password Monitor;
password managers: LastPass, Dashlane, 1Password; PC; 2/10/2021
Have I Been Pwned is going open source tells you if passwords were breached; Verge; 8/7/2020
How Have I Been Pwned became the keeper of the internet’s biggest data breaches
10 billion+ breached accounts; TC; 7/3/2020
After a breach, users rarely change their passwords, and when they do, they're often weaker
to make things worse, users' new passwords were overall more similar to passwords they use on other accounts; 5/27/2020
10 Billion Wrecked Accounts Show Why You Need 'Have I Been Pwned' LH; 4/9/2020

Browser (as PM)

Hackers can force iOS and macOS browsers to divulge passwords and much more speculative execution, WebKit; Ars; 10/25/2023
How to Access Saved Passwords in Chrome OSXD; 5/8/2023
How to Check for Reused & Compromised Passwords in Safari for Mac OSXD; 7/22/2021
Why your browser's password manager isn't good enough
browser-specific; mobile support? less robust than standalone PM; PC; 1/25/2021
Chrome and Edge want to help with that password problem of yours Ars; 1/22/2021
Safari Autofill on Mac: How to Add Logins & Passwords, How to Update & Edit Saved Passwords OSXD; 9/8/2020
How to Use Chrome, Firefox, or Safari to Change All of Your Bad Passwords
check for bad, vulnerable pw; a PM still preferable; LH; 7/14/2020
[2] Easily Reveal Hidden Passwords In Any Browser LH; 12/5/19

Chrome

Chrome's password safety tool will now automatically run in the background Verge; 12/21/2023
How to Delete Your Autofill Passwords in Chrome (and Move to Something More Secure) LH; 5/9/2022
How to Manage Your Passwords in Google Chrome LH; 5/28/2021
Chrome now uses Duplex to fix your stolen passwords TC; 5/18/2021
How to View Saved Passwords in Chrome on Mac OSXD; 6/18/2020
Chrome Will Automatically Scan Your Passwords Against Data Breaches Wired; 12/15/2019
Google's Chrome 79 will warn you if your password has been stolen—or will be PC; 12/10/2019
Google's new Password Checkup tells you if your accounts can be compromised
Chrome; reused, compromised and weak passwords; PC; 10/2/2019
Google's Password Checkup plugin for Chrome can warn you if your password was stolen PC; 2/5/2019

Credential Stuffing

FBI says credential stuffing attacks are behind some recent bank hacks ZD; 9/14/2020
One out of every 142 passwords is '123456'
'123456' was spotted 7 million times across a data trove of one billion leaked credentials,
in one of the biggest password re-use studies of its kind; average password length is
usually of 9.48 characters; most security experts recommend using passwords as long
as possible, and usually in the realm of 16 to 24 characters, or more; only letters (29%);
only numbers (13%); include special character (12%); ZD; 7/2/2020
Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says
New ‘Password Checkup' Chrome extension found 1.5 percent of all website logins use
compromised credentials, a figure that's higher for porn websites; MB; 8/15/2019
Hacker Lexicon: What Is Credential Stuffing?
attackers take a massive trove of usernames and passwords (often from a corporate megabreach)
and try to "stuff" those credentials into the login page of other digital services. Because people
often reuse the same username and password across multiple sites, attackers can often use
one piece of credential info to unlock multiple accounts; Wired; 2/17/2019

DashLane

wikipedia, dashlane.com
Dashlane review: Passwords and plenty more MW; 4/17/2024
Dashlane Authenticator app discontinued 5/13/2024 3/28/2024
Dashlane is getting rid of its insecure master password Verge; 5/3/2023
Dashlane publishes its source code to GitHub in transparency push TC; 2/2/2023
Dashlane's new $3.99 password manager plan is cheaper but might not beat free
unlimited passwords but only on 2 devices; Verge; 4/29/2021
Profile of the popular password management app Dashlane, which has raised $110M last spring
and is airing its first ever Super Bowl ad Superbowl ad: Password Paradise; Wired; 2/2/2020

Edge

Microsoft Edge can finally generate new passwords for you PC; 1/21/2021
Microsoft Edge can now auto-generate passwords, but only via your phone PC; 12/16/2020

Facebook

One million Facebook users had passwords stolen by fake apps ApIn; 10/7/2022
Facebook Did Not Securely Store Passwords. Here's What You Need to Know. NYT; 3/21/2019
Facebook has urged users to enable phone number-based 2FA,
but the numbers are used in a user lookup feature with no opt out and to target ads
Settings > Mobile: remove all numbers; setup 2FA with an authenticator app/PM; TC; 3/3/2019

Firefox

Mozilla will end support for Firefox Lockwise app
still available via Firefox's desktop and mobile browsers;
CNet; 11/23/2021
The Firefox password manager now tells you when you use leaked passwords
Firefox Lockwise; Firefox Monitor: checks whether a website has suffered a security breach; ZD; 5/5/2020
How to Recover Your Missing Firefox Passwords LH; 6/18/2019
Firefox to Warn When Saved Logins are Found in Data Breaches via partner haveibeenpwned.com; BC; 7/17/2019
Firefox to get a random password generator, like Chrome ZD; 6/27/2019

Frequency of Changing

Microsoft says mandatory password changing is "ancient and obsolete" Ars; 6/3/2019
Microsoft drops password expiration requirement
with the Windows 10 May 2019 Update, suggests organizations implement other
password security practices; Ars; 4/25/2019

iCloud

Apple's free Passwords app can replace your paid password manager (kinda) MW; 8/23/2024
A New Passwords App Is Coming to iOS 18, iPadOS 18, and macOS 15 LH; 6/10/2024
Using Apple's iCloud Passwords Outside Safari TB; 4/1/2024
Why iCloud Keychain asks for an old device's password -- and why you don't need to worry MW; 7/4/2023
How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently TB; 4/20/2023
How to Use Apple's New All-In-One Password Manager Wired; 4/11/2023
What kinds of passwords, tokens, and keys can Apple manage for you? MW; 3/24/2023
How to update your passwords with Apple's Security Recommendations MW; 3/16/2023
If both your iPhone and passcode get stolen, you're in deep trouble ApIn; 2/24/2023
How to use iCloud Keychain on Windows and how it differs from macOS and iOS ApIn; 8/1/2022
The macOS Monterey user's guide to Keychain Access password management ApIn; 7/29/2022
How to use Apple's Keychain password manager in Google Chrome TNW; 2/1/2021
How to use iCloud Keychain, Apple's built-in and free password manager ApIn; 2/14/2022
How to use iCloud Keychain, Apple's built-in and free password manager ApIn; 12/29/2021
If you lock a file in Apple's Notes, don't lose your password MW; 12/27/2021
How to Install iCloud Passwords Extension on Microsoft Edge OSXD; 12/4/2021
[2] How to use Keychain Access to view and manage passwords on your Mac MW; 11/18/2021
How to Import and Export Passwords From iCloud Keychain to Other Password Managers
requires macOS Monterey; LH; 10/29/2021
Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15 TB; 10/7/2021
You Should Use Your iPhone's New Built-in Two-Factor Authentication
instead of 3rd-party app; LH; 9/23/2021
Designate Account Recovery and Legacy Contacts
only iCloud+ ($); MW; 6/8/2021
iCloud 12.5 for Windows finally lets you manage passwords in Keychain MW; 8/16/2021
How to master your passwords using iCloud Keychain MW; 5/6/2021
How to set up two-factor authentication for your Apple ID and iCloud account MW; 5/4/2021
How to take control of your passwords using iCloud Keychain on your iPhone, iPad, and Mac MW; 2/15/2021
Apple releases Chrome extension for iCloud passwords Verge; 1/31/2021
Why iCloud Keychain may prompt you for a device password used with other Apple hardware you own
Apple doesn't store your password; MW; 1/25/2021
How to share a password via AirDrop from iOS 14, iPadOS 14, or macOS
from KeyChain, even if iCloud syncing off; MW; 10/23/2020
How to Reset Keychain on Mac OSXD; 7/29/2020
How to Create a New Keychain on Mac OSXD; 7/25/2020
iPhone & iPad (KeyChain): How to Manually Add Passwords; How to Edit Saved Passwords,
How to Find Duplicate Passwords OSXD; 6/21/2020
Apple's iOS 14 may turn iCloud Keychain into a true 1Password and LastPass competitor 2FA support; Verge; 4/1/2020
How to Use iCloud Keychain on iPhone & iPad OSXD; 3/30/2020
macOS Keychain Security Flaw Discovered by Researcher
but Details Not Shared With Apple Over Bug Bounty Protest; MR; 2/6/2019

iOS

Wikipedia: Touch ID 4-digit PIN: 10,000 possibilities; fingerprint 50,000 but only 5 tries; stored locally not in cloud
Apple: If you forgot the passcode for your Apple Watch 11/3/2022
Apple: Use Touch ID instead of your passcode 3/17/2022
Apple: About Touch ID security on iPhone and iPad 9/11/2017
1Password & Touch ID
Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3 TB; 12/14/2023
How iOS 15.4 could finally eliminate password hell MW; 2/7/2022
How to Get Verification Codes For Apple ID on iPhone & iPad OSXD; 9/8/2021
How to Check for Compromised or Leaked Passwords on iPhone & iPad with Security Recommendations OSXD; 2/5/2021
How to check if your passwords saved in Keychain were compromised on iOS 14 TNW; 10/16/2020
How to Generate Strong Passwords on iPhone and iPad using iCloud KeyChain; how strong? editable? 9/24/2020
How to Use Third Party Password Managers on iPhone & iPad Instead of Keychain OSXD; 6/10/2020
How to Turn Off Screen Time Password on iPhone or iPad OSXD; 3/15/2019

LastPass

wikipedia, lastpass.com
Multifactor Authentication
LastPass goes independent over a year after serious breaches
spunoff from GoTo; Verge; 5/1/2024
LastPass review -- Does the original password manager still have what it takes? MW; 4/17/2024
LastPass now requires 12-character master passwords for better security BC; 1/3/2024
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach Krebs; 9/5/2023
Lastpass Publishes More Details about Its Data Breaches TB; 3/3/2023
LastPass says employee's home computer was hacked and corporate vault taken Ars; 2/27/2023
Additional GoTo Data Stolen in the LastPass Breach TB; 1/26/2022
LastPass Data Breach: It's Time to Ditch This Password Manager Wired; 12/28/2022
LastPass users: Your info and password vault data are now in hackers' hands
“Encrypted fields [username, passwords, notes] remain secured with 256-bit AES encryption
and can only be decrypted with a unique encryption key derived from each user's master password"; Ars; 12/22/2022
LastPass warns users of 'security incident' that may have exposed personal data MW; 12/1/2022
LastPass developer systems hacked to steal source code
user passwords/vaults should be safe; BC; 8/25/2022
LastPass no longer requires a password to access your vault Eng; 6/6/2022
Some LastPass users say their master passwords were compromised and used in blocked login attempts from unknown IPs; LastPass blames “credential stuffing” BC; 12/28/2021
Big Changes Are Coming to LastPass, but Unfortunately Not Its Prices Giz; 12/14/2021
LastPass is going to become an independent company Verge; 12/14/2021
How to Export LastPass Passwords OSXD; 6/20/2021
Security researcher finds seven embedded trackers in the Android app for LastPass password manager
LastPass says users can opt out if they want; Reg; 2/25/2021
How to leave LastPass and move to another password manager Verge; 2/24/2021
LastPass's free password manager is about to become a lot less useful
free tier will limit you to one type of device starting 3/16; PC; 2/16/2021
LastPass will warn you if your passwords show up on the dark web paid subscription only; En; 8/5/2020
LogMeIn lays off more than 300 workers Boston Biz Journal; 2/21/2020
Watch Out for Lastpass' New Log-off Bug LH; 2/7/2020
LastPass to Drop Support for Native Mac App and Replace it With Universal Web App MR; 1/30/2020
LastPass is in the midst of a major outage
issue appears to impact users with accounts dating back to 2014 and earlier; ZD; 1/20/2020
LogMeIn sells to private equity firms for $4.3 billion
parent of LastPass supposedly "becoming a private company will help fuel its next phase of growth and product investment"
(S: often private equity acquisitions don't have such rosy outcomes); ZD; 12/17/2019
LastPass Parent Company (LogMeIn) Sold to Private Equity Firms PC; 12/18/2019
Password-exposing bug purged from LastPass extensions
bug could let malicious websites extract your last used password; Ars; 9/16/2019
What Happened When the DEA Demanded Passwords from LastPass Forb; 4/10/2019

macOS

Apple: Frequently asked questions about two-step verification for Apple ID
How to Recover Recently Deleted Passwords on Mac OSXD; 10/18/2023
macOS Monterey Features Dedicated Password Section in System Preferences,
Built-In Authenticator and More MR; 6/11/2021
How to Find Forgotten / Lost Web Site Passwords on Mac OSXD; 7/27/2020
[2] How to find and insert special characters in macOS MW; 2/11/2019

SSO (Single Sign-On); OAuth

Wikipedia: Single Sign On (SSO); OpenID users authenticated by certain co-operating sites
(known as Relying Parties or RP) using a third party service; security issues
Wikipedia: OAuth open standard for authorization; security issues
OpenID / OAuth allow you to use your Google, Twitter, Facebook credentials to log into other sites
You Can Disable Google Sign-in Pop-ups on All Websites LH; 12/20/2022
She clicked sign-in with Google. Strangers got access to all her files. WaPo; 10/24/2022
Behold, a password phishing site that can trick even savvy users Ars; 3/21/2022
How to Use 'Sign In With Apple' on iPhone & iPad to Hide Email from Apps & Signups OSXD; 8/5/2020
Remove Apps Linked to Your Facebook Account That You're Not Using LH; 7/3/2020
How Google's New 'One Tap' Android Sign-Ins Work
how secure if someone can access your device or Google account? LH; 6/16/2020
Sign in with Apple FAQ: What you need to know about Apple's single sign-on feature
compared with Facebook, Google, or Twitter sign-in options:no tracking;
fake email with free anonymous email forwarding; requires 2FA;
(also usable on non-Apple devices; still avail on fewer SSO sites?); MW; 4/7/2020
Your smart watch will soon log you into your accounts without a password TNW; 10/23/2019
‘Sign In With Apple' Is Way Better Than Passwords -- If You Can Find It
anonymized email address; no personal info sharing (like Google, Facebook); WSJ; 9/18/2019
Google bans logins from embedded browser frameworks to prevent MitM phishing
Google previously banned logins initiated from browsers where JavaScript had been disabled; 4/18/2019
Behold, the Facebook phishing scam that could dupe even vigilant users
HTML block almost perfectly reproduces Facebook single sign-on Window; single sign-on, or SSO,
is a feature that allows people to use their accounts on other sites -- typically Facebook, Google,
LinkedIn, or Twitter—to log in to third-party websites; security and cryptographic mechanisms
under the hood usually allow the the login to happen without the third party site ever seeing
the username password; Ars; 2/16/2019

Password Managers

Wikipedia: password manager; 1Password; Bitwarden; Dashlane; KeePass
HowStuffWorks: How Password Management Software Works
Roboform review: Quiet and efficient password manager that gets the job done MW; 6/25/2024
Breaking a Password Manager pseudo-random number generator in old RoboForm; 6/4/2024
Best Free Password Manager Bitwarden; CNet; 5/14/2024
Our Favorite Password Manager Remembers All of Your Logins So You Don’t Have To NYT; 11/24/2023
Best Password managers to protect your data on iOS and macOS
Keychain, 1Password, Bitwarden, Dashlane, Keeper, NordPass; ApIn; 11/4/2023
Are password managers safe? 1PW
Best password manager to use CNet; 7/30/2024
The Best Password Managers NYT; 7/11/2024
MW; 7/5/2024

Best free password managers: Better online security doesn't have to cost a thing
Best free password manager for most people: Bitwarden
Best free password manager for DIYers: KeePass
Best free password manager for simplicity: Google, Apple, or Firefox
Free vs. paid password managers; PC; 6/19/2024
Best password managers: Reviews of the top products PC; 6/16/2024
The Best Password Managers to Secure Your Digital Life discussion of browsers and passkeys;
Bitwarden, 1Password, Dashlane, Nordpass, Enpass, KeePassXC; Wired; 4/28/2024
Proton launches its password manager Proton Pass TC; 6/28/2023
Proton releases end-to-end encrypted password manager for desktop and mobile TC; 4/20/2023
KeePass disputes vulnerability allowing stealthy password theft BC; 1/30/2023
NortonLifeLock warns that hackers breached Password Manager accounts BC; 1/13/2023
Seven free alternatives to the LastPass password manager
Bitwarden; Zoho Vault; Dashland; KeePass;
LogMeOnce; NordPass; RoboForm;
Verge; 1/6/2023
Bitwarden vs. LastPass CNet; 8/29/2022
Mindpass Password Manager makes 3D password control super simple
4 sequence of objects, similar to 4 word phrase; gimmick? MW; 6/5/2022
Why 1Password Is Now the Best Password Manager for Mac LH; 5/20/2022
McAfee Total Protection review: A new look, but more work is needed
to improve the experience with its password manager; PC; 3/1/2022
LastPass vs. 1Password: Which password manager should you use? CNet; 1/13/2022
7 of the Best Password Managers to Choose From Before (Firefox) Lockwise Shuts Down
Firefox Browser; Bitwarden; LastPass;
iCloud Keychain; 1Password; KeePass;
Dashlane; LH; 12/6/2021
Best Password Manager Tools for Linux
LastPass; Keeper; KeePass; SpiderOak Encryptr; EnPass; RoboForm; Buttercup; Bitwarden; Passmgr; 8/25/2021
LogMeOnce review: The passwordless password manager
master password still needed to create vault, but biometric, numeric PIN, and/or photo can access; PC; 8/17/2021
NordPass review: Streamlined password management PC; 7/29/2021
Vulnerability in the Kaspersky Password Manager
generated guessable "random" passwords; 7/6/2021
Backdoored password manager stole data from as many as 29K enterprises Passwordstate; Ars; 4/23/2021
Isn't local storage better for password database security?
in the end, the use of any well-regarded password manager is more secure than most people’s habits,
regardless of where the password data is stored; PC; 4/14/2021
Mastering your password manager: 5 must-know tips PC; 3/18/2021
Should I Keep Using My Password Manager? if it's not in Top 10? e.g., Roboform; LH; 11/27/2020
5 Password Manager Perks You Might Not Be Using
Check for Compromised Accounts;
Find Sites That Support Two-Factor Authentication;
Store IDs and Credit Cards;
Share Passwords With Other People;
Safely Store Your Important Documents; Wired; 8/21/2020
Password manager showdown: LastPass vs. 1Password 8/14/2020
Dropbox launches password manager, computer backup, and secure ‘vaults’ out of beta 8/12/2020
Apple announces open-source project for password manager developers ApIn; 6/5/2020
Trend Micro Password Manager review: Basic and a little buggy PC; 5/28/2020
Now's The Perfect Time to Start Using a Password Manager Wired; 5/24/2020
The best password managers in 2020 Dashlane, LastPass, Keeper, Enpass, 1Password, Zoho Vault, RoboForm; Toms; 5/8/2020
How Do I Access My Work Passwords From My Home Devices? Chrome sync; password managers; LH; 3/27/2020
Roboform Everywhere review: Solid password security PC; 11/20/2019
Password Boss review: Managing your passwords with authority PC; 11/7/2019
Keeper review: Security is the greatest strength of this password manager PC; 10/30/2019
It Is Time to Outsource Your Passwords to an App Your brain has better things to do than store secure passwords.
Get a dedicated password manager to keep your login data synced and secure across all devices;
The Best Password Managers to Secure Your Digital Life (abridged version); Wired; 10/22/2019
Why You Need a Password Manager. Yes, You.
aside from using two-factor authentication and keeping your operating system and Web browser
up-to-date, it’s the most important thing you can do to protect yourself online; NYT; 9/2/2019
Don't be an idiot -- here's how to store and remember all your passwords LastPass, 1Password; TNW; 8/25/2019
Best Password Managers 2019 Tom; 8/23/2019
The Best Password Managers BitWarden, KeePass, LastPass, 1Password; from readers; LH; 7/5/2019
[2] Before You Use a Password Manager excessive(?) critique; 6/5/2019
4 Best Password Managers of 2019 (Paid, Family, and Free)
1Password, Dashlane, LastPass, KeePassXC; Wired; 5/26/2019
[2] Severe vulnerabilities uncovered in popular password managers
passwords stored in RAM could lead to theft, only if attacker has already compromised
your Windows system; ZD; 2/20/2019
Forgot password? Five reasons why you need a password manager
Browser Integration; Password Generation; Phishing Protection; Cross Platform Access; Surveillance Safeguard
plus debunking these questions:
"I already have a perfectly good system for managing passwords."
"If someone steals my password file, they have all my passwords."
I don't trust someone else to store my passwords on their server."
"I'm not a target."; ZD; 2/7/2019
Data of 2.4 million Blur password manager users left exposed online
company says data breach didn't expose any actual passwords stored inside users' Blur accounts; ZD; 1/2/2019

Questions

These Phishing Tactics Disguised as 'Fun' on Social Media. Here's What to Look For CNet; 3/27/2022
Choosing and Using Security Questions Cheat Sheet 2021
Online Security Questions Are Not Very Effective. I Still Love Them. NYT; 7/15/2021
Why Social Media Name Games Are a Security Risk seemingly innocuous personal information
(your full name + the street your grew up on + your first car, etc.); LH; 12/15/2020
Why You Shouldn't Play That 'Fun Quarantine Game' on Facebook
the answers to all those fun games are also the same things you might enter when you’re trying
to verify your identity on a website in order to reset your password; LH; 4/16/2020
Why you should steer clear of "Florida Man Challenge"
some posts/sites ask for personal info: maiden name, pet, street, etc.; Ars; 3/24/2019

Safari

When Safari flashes a 'Compromised Password' warning, pay attention MW; 11/30/2021
How to Import Passwords & Logins from Chrome to Safari on Mac OSXD; 1/23/2021
How to get a Safari password to save it in a password manager iOS, macOS; MW; 8/16/2019
macOS browser now autosubmits logins. Here's how to disable it MW; 4/15/2019
How to use Safari's saved passwords in other Mac apps ApIn; 1/4/2019

SMS, SIM swapping/hijacking

Google backs Apple's SMS OTP standard proposal
for humans: 747723 is your WEBSITE authentication code.
for browser/apps: @website.com #747723
benefits? autofill, reduce phishing (but not SMS hijacking); ZD; 4/7/2020
How to Tell if You're the Victim of a SIM-Swapping Attack LH; 1/14/2020
Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers MB; 1/10/2020
'SIM-Swap' Scams Expose Risks Of Using Phones For Secondary I.D. NPT; 10/25/2019
T-Mobile Has a Secret Setting to Protect Your Account From Hackers That It Refuses to Talk About
NOPORT setting can protect your phone number from SIM swapping; MB; 9/13/2019

Password Strength; Diceware

Wikipedia: List of the most common passwords
SplashData: List of current 100 worst
Articles about each year's 'worst 25' list: 2019; 2018; 2017; 2016; 2015; 2014; 2013; 2012; 2011 mostly Gizmodo
password lists
Wikipedia: Diceware
XKCD cartoon: correct horse battery staple
How to Calculate Password Entropy?
EFF: How to Make Super-secure Passwords using Dice
Passwordle guess a 12-char password
TV Tropes: Embarrassing Password; The Password Is Always "Swordfish"
It seems that most characters in fiction missed the memo on making a good Secret Word or pass phrase.
They are almost invariably single words, names, or dates of significance to a character which can be
easily deduced using a little detective work: the clue is often right there on the desk, in the form of
a picture or memento. Or simply spelled out in bold lettering on your commemorative plaque or a wall poster.
Dumb Password Rules list of sites
A "ridiculously weak" password causes disaster for Spain's No. 2 mobile carrier Ars; 1/4/2023
Iran-linked cyberattacks threaten equipment used in U.S. water systems and factories hackers used "1111" default password; NPR; 12/2/2023
We cracked more than 18,000 passwords. Here are our tips. multifactor authentication; passphrases; WaPo; 8/2/2023
The Password Game Is Fun, Frustrating, and Educational TB; 6/30/2023
The Password Game will make you want to break your keyboard in the best way game; Ars; 6/28/2023
People Sure Are Bad at Creating Passwords LH; 6/14/2023
A fifth of passwords used by federal agency cracked in security audit
89% of the department's high-value assets didn't use multi-factor authentication; Ars; 12/10/2023
Make Your Passwords Stronger With These 5 Tips CNet; 5/5/2022
Never Change Your Password
1) If it's sufficiently strong;
2) If you created a unique one for each account
3) Unless there's a security breach where it's stored;
TB; 3/5/2022
The 20 Most Commonly Leaked Passwords on the Dark Web MF; 3/3/2022
Olympics Broadcaster Announces His Computer Password on Live TV
video; MB; 7/26/2021
Russian Military Hackers Have Been On a Worldwide Password Guessing Spree
according to U.S. and U.K. government officials, the Russian cyber spies of Unit 26165
have been using brute force attacks to target hundreds of organizations; Giz; 7/1/2021
Did weak wi-fi password lead the police to our door?
BBC; 5/23/2021
How to create strong, secure passwords by learning how to crack them
it gets harder to crack a password if it's 10 characters or longer
-- but complexity matters too, of course. PC; 5/5/2021
COMB: The Big Password Leak intl; pw reuse; 4/26/2021
How to pick the perfect password PC; 4/6/2021
Breached water plant employees used the same TeamViewer password and no firewall Ars; 2/10/2021
Rules for strong passwords don't work, researchers find. Here's what does CNet; 11/12/2020
The Police Can Probably Break Into Your Phone
phone-hacking tools typically exploit security flaws to remove a phone's limit on passcode attempts
and then enter passcodes until the phone unlocks. Because of all the possible combinations,
a six-digit iPhone passcode takes on average about 11 hours to guess, while a 10-digit code takes 12.5 years; NYT; 10/21/2020
A computer can guess more than 100 billion passwords per second -- still think yours is secure? TNW; 9/22/2020
'DiceKeys' Creates a Master Password for Life With One Roll Wired; 8/21/2020
'Weird' Nintendo Switch Issue Makes it Easier to Guess Passwords
highlights ok when first 8 characters entered correctly; MB; 5/22/2020
Suspected DNC & German Parliament Hacker Used His Name As His Email Password TD; 5/6/2020
FBI recommends passphrases over password complexity
Longer passwords, even consisting of simpler words or constructs, are better than
short passwords with special characters; ZD; 2/21/2020
It's Time to Nervously Mock the 50 Worst Passwords of the Year Giz; 12/18/2019
'Iloveyou' and the 24 Other Worst Passwords of 2019 LH; 12/18/2019
Disney+ 'hack' panic stresses why you need to use unique passwords
bad password behavior is more to blame than a breach on Disney’s part; PC; 11/18/2019
This Bank Had the Worst Password Policy We've Ever Seen
A European bank (FinecoBank) makes customers pay to change their passwords,
and suggests they Google their password to check if it is secure; MB; 11/15/2019
Equifax used 'admin' as username and password for sensitive data 10/18/2019
[2] Forum cracks the vintage passwords of Ken Thompson and other Unix pioneers Ars; 10/10/2019
600,000 GPS trackers left exposed online with a default password of '123456' ZD; 9/5/2019
When a Company Asks You to Reset Your Password, Should You Be Worried?
may be proactive, not actual attack, but change anyway; LH; 8/23/2019
Instead of Changing Your Passwords, Upgrade Them LH; 7/8/2019
Most hacked passwords revealed as UK cyber survey exposes gaps in online security 4/21/2019
Why 'ji32k7au4a83' Is a Remarkably Common Password
'ji32k7au4a83' (Taiwanese keyboard transliteration) translates to English as 'my password'; Giz; 3/4/2019
Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs
NTLM is an old Microsoft authentication protocol that has since been replaced with Kerberos,
but it's still used for storing Windows passwords locally or in Active Directory; Reg; 2/14/2019

Windows

Microsoft Has a New Trick for Keeping Your Password Safe
Warn me about password reuse; Warn me about unsafe password storage; LH; 9/26/2022
How to type special characters on a Windows 11 PC Verge; 4/26/2022
How to type special characters on a Windows PC Verge; 3/26/2021

Printer-friendly version