Non-expert Online Practices 1. Use Antivirus Software 2. Use Strong Passwords 3. Change Passwords Frequently 4. Only Visit Websites They Know 5. Don't Share Personal Info
Expert Online Practices 1. Install Software Updates 2. Use Unique Passwords 3. Use Multi-Factor Authentication 4. Use Strong Passwords 5. Use a Password Manager
Summary
- Passwords are now covered in a separate 3-session OLLI course: P@s$w0rdz
- Passwords:Intro (from earlier in this course) now summarizes highlights from P@s$w0rdz.
- This section originally provided more details about other password issues, e.g., secret answers, biometrics, 2FA, etc.
- This section now provides only Reference articles (below) [for P@s$w0rdz] -- it will continue to be updated.
References
- {TCYOP-4: 99-100; TCYOP-3: 81-83}
- e-Books: Take Control of...: Your Passwords, 1Password; Passwords cheat sheet
- haveibeenpwned.com check if you have an account that has been compromised in a data breach
- SYSTEM: Please enter your new password.
- USER: cabbage
- SYSTEM:...
- USER:...
- SYSTEM:...
- USER:...
- SYSTEM:...
- USER:...
- SYSTEM:...
- USER:...
- SYSTEM:...
- USER:...
- SYSTEM:...
- USER:...
- SYSTEM:...
- Wikipedia: Password; Authentication; Backdoor method of bypassing normal authentication
- HowStuffWorks: Authentication
- Wikipedia: Password manager; Password strength
- Wikipedia: Password entropy derived from # character choices (# of bits) * length of password
- Wikipedia: FIPS-181 Fed. Info Processing Std.: Automated Password Generator
- Wikipedia: Random password generator; Diceware
- Wikipedia: Password cracking depends on info entropy; number, speed of CPU/GPUs, # of permitted attempts;
e.g., 2008: A user-selected eight-character password with numbers, mixed case, and symbols,
reaches an estimated 30-bit strength, according to NIST. 30 is only one billion permutations
and would take an average of 16 minutes to crack
- Wikipedia: salt random data that is used as an additional input to a one-way function that hashes a password or passphrase
- zxcvbn (password strength tester): testing page; intro; source code
- New passkey specifications will let users import and export them 10/14/2024
- Not Great: Even Password Manager Subscribers Reuse Passwords PC; 10/2/2024
- NIST Recommends Some Common-Sense Password Rules 9/26/2024
- Life imitates XKCD comic as Florida gang beats crypto password from retiree Group staged home invasions to steal cryptocurrency; Ars; 9/19/2024
- Beware of Attacks Using Password Reset Request Notifications TB; 3/26/2024
- Back Up and Secure Your Digital Life
product reviews: ...
Password manager: free, paid;
Two-factor authentication; ...
NYT; 3/7/2024
- Suspects can refuse to provide phone passcodes to police, court rules
phone-unlocking case law is 'total mess,' may be ripe
for Supreme Court review; Ars; 12/14/2023
- Largest Study of its Kind Shows Outdated Password Practices are Widespread GAtech; 11/17/2023
- Cloaked manages your logins with proxy emails, phone numbers and a built-in password manager $10/mo.; TC;10/3/2023
- Top Ten Password Security Standards 6/21/2023
- Everything you've been told about passwords is a lie
Aim for longer password phrases; Use a password manager if you can;
Consider two-step authentication on your important accounts;
WaPo; 1/10/2023
- A Breach at LastPass Has Password Lessons for Us All
reassess whether to trust companies to store our sensitive data in the cloud; NYT; 1/5/2023
- How to Set Up Google Password Manager's On-Device Encryption for iOS, Chrome, and Android Giz; 6/22/2022
- Steps to Simple Online Security: 1: Always use strong passwords;
2: Set Up Two-Factor Authentication NYT; 4/1/2022
- Lapsus$ found a spreadsheet of passwords as they breached Okta, documents show TC; 3/28/2022
- Why You Should Sign Into All of Your Accounts Every Now and Then
inactive accounts -- inaccessible due to invalid email address;
account deletion -- policies vary: 6 mo. - 2 years;
LH; 11/30/2021
- Why the Password Isn't Dead Quite Yet
some drawbacks to new authentication methods;
often newer devices are required; Wired; 7/6/2021
- PSA for US Congresspeople: Please do not enter your phone’s passcode on TV Verge; 5/25/2021
- How to See Who's Using Your Streaming Passwords
Netflix; Hulu; Disney+; Amazon Prime Video; Spotify; Giz; 5/3/2021
- The 5 Best Ways to Store Passwords Safely
Use your browser; 1Password; LastPass; Dashlane; NordPass; Giz; 2/9/2021
- Microsoft takes on Keychain with Autofill features on iOS, macOS
via Microsoft Authenticator app and a Google Chrome extension; ApIn; 2/6/2021
- Lost Passwords Lock Millionaires Out of Their Bitcoin Fortunes
But what happens when you can’t access that wealth because you forgot the password to your digital wallet? NYT; 1/12/2021
- Here's how many Americans still secretly use their ex's passwords
password sharing even after breakup; ZD; 10/12/2020
- How Do I Get Into My Email If I've Lost My Recovery Codes? LH; 8/7/2020
- Why Am I Locked Out of My Netflix Account? (password oversharing?) LH; 7/31/2020
- How to Change Your Email Address LH; 6/17/2020
- Neo-Nazis Are Spreading a List of Emails and Passwords for Gates Foundation and WHO Employees MB; 4/21/2020
- Silicon Valley Legends Launch Beyond Identity in Quest to Eliminate Passwords Beyond Identity; 4/14/2020
- Three old password rules that are dumb today
Don't be afraid to write down your passwords; Do share your accounts;
Don't constantly change your passwords; CNet; 3/11/2020
- How to Share Your Online Accounts Without Sharing Your Password
via password manager; Amazon Prime 'Household Package'; Spotify, Apple Music, YouTube Music: family plan;
Netflix, Hulu, Disney Plus: share pw, but setup profiles; Wired; 2/23/2020
1Password
- wikipedia, 1password.com, Take Control Books
- 1Password 8.10.50 TB; 11/2/2024
- A critical security issue in 1Password for Mac left credentials vulnerable to attack ApIn; 8/8/2024
- 1Password's Account Recovery Is Now More Forgiving LH; 7/18/2024
- 1Password Now Generates QR Codes to Share Wifi Passwords LH; 7/11/2024
- 1Password review -- Keep your passwords safe and secure MW; 4/17/2024
- 1Password expands its endpoint security offerings with Kolide acquisition TC; 2/20/2024
- Our Favorite Password Manager Remembers All of Your Logins So You Don’t Have To NYT; 11/24/2023
- Issues with Legacy 1Password 6 and 7 from Mac App Store
"1Password app is damaged"; TB; 11/21/2023
- 1Password detects 'suspicious activity' in its internal Okta account 1Password CTO says investigation found no compromise of user data or sensitive systems; Ars; 10/23/2023
- Two-Factor Authentication, Two-Step Verification, and 1Password not true 2FA, but 2SV; TB; 7/10/2023
- 1Password launches a passkey public beta for Chrome, Edge, Safari, Firefox, and Brave but not its mobile apps 1PW announced passkey support in Nov. 2022; Verge; 6/6/2023
- 1Password is finally rolling out passkey management
save passkeys and synchronize them across devices and platforms after 6/6; Verge; 5/16/2023
- How 1Password is designed to keep your data safe, even in the event of a breach 1PW; 1/10/2023
- Now 1Password remembers sites that use third-party accounts like Google or Facebook to log in Verge; 12/1/2022
- 1Password 8 arrives on Android and iOS with a big redesign and personalized home Verge; 8/9/2022
- 1Password now lets you securely share files and documents with just a link Verge; 6/29/2022
- Twitter pays $150M fine for using two-factor login details (phone #, email) to target ads Ars; 5/26/2022
- 1Password 8.0 TB; 5/9/2022
- 1Password 8 for Mac brings autofilling passwords to native apps Verge; 5/3/2022
- 1Password 7.9.4 TB; 4/8/2022
- Moving from 1Password to KeePass TB; 4/11/2022
- 1Password now lets you easily store crypto wallet details Verge; 2/23/2022
- 1Password 8 for Windows is here 1PW; 11/16/2021
- Psst! Now you can securely share 1Password items with anyone 1PW; 10/12/2021
- Protect your privacy with 1Password and Fastmail 1PW; 9/28/2021
- Sync options compared 9/28/2021; Is it safe to sync my data over the cloud? 11/3/2021
- [2] syncing: other folder, cloud e.g., Box, Dropbox, Google Drive, Microsoft OneDrive, SpiderOak, SugarSync; 11/12/2021
- [2] from local file e.g., USB drive; some browsers restrict access
- Guide: Setup Touch ID 9/22/2021
How safe is it to use Touch ID to secure my vault?
settings for how often to re-enter master password; 9/22/2021
- 1Password has plans to get companies to actually use one password
supplement rather than compete with SSOs like Okta; Verge; 1/21/2022
- 1Password 7.9.2 TB; 12/10/2021
- 1Password 7.9 Adds Secure Password Sharing
blog.1password.com;
one-use or expiring link, optional email verification; TB; 10/19/2021
- 1Password 7.8.8 TB; 10/11/2021
- 1Password gets its own 'hide my email' feature
Create Masked Email -- unique email aliases for logins, much like
Apple's iCloud Plus Hide My Email function but integrated and not only for Apple users;
video; Verge; 9/28/2021
- 1Password Releases Safari Extension for iOS 15 and iPadOS 15 MR; 9/20/2021
- Accel doubles down on 1Password, which just raised $100M more at a $2B valuation TC; 7/27/2021
- 1Password 7.8.5 TB; 6/3/2021
- 1Password acquires SecretHub and launches new enterprise secrets management tool TC; 4/13/2021
- How to Pay Using Virtual Credit Cards in 1Password each tied to a separate merchant
-- linked to debit card or checking account (not credit card); one-off & recurring payments;
can also use privacy.com directly w/o 1PW; LH; 9/24/2020
Multi / 2 Factor Authentication (2FA) / 2 Step Verification
- Wikipedia: Two factor authentication; multi-factor authentication
- Wikipedia: Two step verification; One-time Password (OTP); TOTP = Time-based OTP
- List of websites and whether or not they support 2FA
- Apple: Apple ID (iCloud, iTunes, App Store) Frequently asked questions about two-step verification
- Apple: Two-factor authentication for Apple ID upgrade from 2-step verification; 5/11/2017
- Google: 2-Step Verification Authenticator (app); App Passwords; Backup codes
- Hackers Claim to Have Stolen Phone Numbers of 33 Million Authy Users TB; 7/5/2024
- Reacting to Unsolicited Two-Factor Authentication Codes TB; 5/31/2024
- The Best Two-Factor Authentication App Authy; NYT; 4/12/2024
- Authy Desktop to Reach End-of-Life on 19 March 2024 TB; 2/14/2024
- The Best Security Key for Multi-Factor Authentication NYT; 1/5/2024
- How to Automatically Delete Passcode Texts on Android and iOS Wired; 8/6/2023
- Google Authenticator finally, mercifully adds account syncing for two-factor codes
but it's not E2EE (end-to-end encrypted) yet; Verge; 4/24/2023
- How to set up two-factor authentication on your online accounts Verge; 4/14/2023
- Still using authenticators for MFA? Software for sale can hack you anyway
AitM (adversary in the middle) works by placing a phishing site between the user and the desired site; Ars; 3/14/2023
- How to set up two-factor authentication for your Apple ID and iCloud account MW; 5/5/2022
- Getting started with 2FA: Add an extra layer of protection to your passwords MW; 5/5/2022
- How to add your verification codes to Apple Passwords
iOS/iPadOS 15, Safari 15 for macOS; MW; 4/5/2022
- Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA Ars; 3/28/2022
- More than 1,200 phishing toolkits capable of intercepting 2FA detected in the wild stealing authentication cookies; 12/27/2021
- How to Manually Get Apple 2FA Codes on Mac OSXD; 12/17/2021
- Google wants every account to use 2FA, starts auto-enrolling users Ars; 11/3/2021
- The Booming Underground Market for Bots That Steal Your 2FA Codes
user cooperation necessary; Vice; 11/2/2021
- The White House's Plan to Stop Government Employees From Getting Phished
focus on hardware security keys; Vice; 10/15/2021
- How Coinbase Phishers Steal One-Time Passwords 10/13/2021
- Google is about to turn on two-factor authentication by default for millions of users
set up the Inactive Account Manager while you still can; Verge; 10/5/2021
- How to move Google Authenticator to your new iPhone ApIn; 9/24/2021
- You Should Use Your iPhone's New Built-in Two-Factor Authentication
instead of 3rd-party app; LH; 9/23/2021
- Microsoft adds a passwordless option for Microsoft accounts
In place of a password, Microsoft will use its Microsoft Authenticator app for your phone,
Windows Hello, and codes sent to your email or phone; PC; 9/15/2021
- Wireless Carrier Injects Ads Into Two-Factor Authentication Texts TD; 7/1/2021
- This Agency's Computers Hold Secrets. Hackers Got In With One Password.
New York City's Law Department had old unpatched software, did not implement 2FA; NYT; 6/18/2021
- Google will make two-factor authentication mandatory soon PC; 5/6/2021
- How to set up two-factor authentication for your Apple ID and iCloud account MW; 5/4/2021
- Why You Should Use a Physical Key to Sign Into Your Accounts Giz; 4/30/2021
- Two-Factor Authentication: Who Has It and How to Set It Up PCMag; 4/27/2021
- How to Move Google Authenticator Account to a New iPhone OSXD; 1/27/2021
- No emails have leaked from the 2020 election campaigns yet
-- tiny USB sticks may be one reason why CNBC; 12/23/2020
- Trump Twitter 'hack': Police accept attacker's claim BBC; 12/16/2020
- SolarWinds hackers have a clever way to bypass multi-factor authentication Ars; 12/14/2020
- With Google Authenticator's Latest iOS Update, You Really Have No Excuse Now
like Android version, supports account transfer to a different device; Giz; 12/3/2020
- Use 2FA to Stop This New WhatsApp Account Attack LH; 11/28/2020
- Microsoft urges users to stop using phone-based multi-factor authentication
use app-based authenticators and security keys instead; ZD; 11/12/2020
- A Dutch security researcher says he logged into Trump's Twitter account,
which didn't have 2FA, using the password 'maga2020!'
the account has now been secured w/ 2FA; 10/22/2020
- Gatekeeper Two-Factor Authentication review: Needs a consumer-grade overhaul
GateKeeper Wireless Security Key; PC; 10/15/2020
- Zoom’s mobile and desktop apps now support two-factor authentication previously only available via the web; Verge; 9/11/2020
- How to transfer your Google Authenticator 2FA to a new phone Verge; 9/2/2020
- Musk says Tesla two-factor authentication 'embarrassingly late' but coming soon Verge; 8/15/2020
- Apple has finally embraced key-based 2FA. So should you Advanced Protection Program (APP); Ars; 7/17/2020
- How Two-Factor Authentication Keeps Your Accounts Safe Wired; 7/12/2020
- [2] Choosing 2FA authenticator apps can be hard. Ars did it so you don’t have to
technical; doesn't discuss 1Password at all (except in reader comments); Ars; 5/27/2020
- No-password logon surges for Microsoft services to 150 million people
three no-password logon options for its online services on Windows machines:
a hardware security key combined with Windows Hello face recognition technology or fingerprint ID;
a hardware key combined with a PIN code;
or a phone running the Microsoft Authenticator app; CNet; 5/7/2020
- Google will switch on mandatory two-factor authentication for Nest accounts this month TH; 5/5/2020
- You Should Set Up Two-Step Verification on Your Nintendo Account Right Now LH; 4/20/2020
- How to bypass Apple’s multi-device two-factor system with Messages auto-fill except uses SMS; MW; 3/24/2020
- How Do I Switch From One 2FA Authentication App to Another? LH; 3/13/2020
- Microsoft: 99.9% of compromised accounts did not use multi-factor authentication
Only 11% of all enterprise accounts use a MFA solution overall; ZD; 3/6/2020
- What you need to know about security keys on iOS and macOS e.g., YubiKey; ApIn; 3/2/2020
- Researchers find an Android malware strain Cerberus that can extract and steal
one-time passwords generated by Google's Authenticator mobile app ZD; 2/27/2020
- Google now treats iPhones as physical security keys Verge; 1/15/2020
- Alternative Ways to Protect Yourself from Being Spearfished
Prioritize Your Accounts;
Use Strong, Unique Passwords & 2FA;
Provide Fake Answers to Security Questions;
Think You're Important;
Your Cell Phone Number Is the Weak Link;
The Problem With Authenticator Apps (most poorly designed);
Google Voice as an Alternative to Authenticator Apps and Cell Phone Numbers; TB; 1/31/2020
- The Best Authenticator Apps for Protecting Your Accounts
Google Authenticator; Microsoft Authenticator; Authy; LastPass; Duo Mobile;
(it didn't mention 1Password); Giz; 1/1/2020
Android
- Your mobile password manager might be exposing your credentials "AutoSpill": Android autofill; TC; 12/6/2023
- How to Use Your Android Phone's Built-In Password Manager LH; 5/12/2022
- Google Authenticator’s first Android update in years lets you move your account between devices Verge; 5/6/2020
Apps
- Use an application to encrypt a file (.txt, .doc, spreadsheet, .pdf)
-- assuming AES-128 or AES-256 (better) level encryption, with latest version of software.
- Microsoft Office (2016-; 365-); Acrobat (X -)
- compression utils.: WinZip (9.0-); 7-Zip; Keka
- discussion: P@s$w0rdz: Storing: Secure (Encrypt) Your Passwords
Biometrics, Fingerprints, Facial Recognition; Passkeys
- Biometrics; Fast IDentity Online (FIDO)
- HowStuffWorks: How will biometrics affect our privacy?
- Google and Apple use passkeys to capture users by locking credentials into their platforms
and have made the UX of passkeys worse than that of password managers 4/26/2024
- Cops can force suspect to unlock phone with thumbprint, US court rules Ars; 4/18/2024
- I Stopped Using Passwords. It's Great -- and a Total Mess
Passkeys are here to replace passwords. When they work, it's a seamless vision of the future.
But don't ditch your old logins just yet; Wired; 2/8/2024
- Google begins prompting users to create passwordless passkeys by default Verge; 10/10/2023
- Passkeys: all the news and updates around passwordless sign-on Verge; 9/29/2023
- Windows 11 gains support for managing passkeys TC; 9/21/2023
- 1Password rolls out public passkey support to its mobile apps and web extensions Verge; 9/20/2023
- Passkey: Which popular apps and services offer the new feature? ApIn; 9/6/2023
- How to use Passkeys on your iPhone, iPad, and Mac MW; 6/22/2023
- 1Password is finally rolling out passkey management
save passkeys and synchronize them across devices and platforms after 6/6; Verge; 5/16/2023
- Passkeys may not be for you, but they are safe and easy -- here's why
answering common questions about how passkeys work; Ars; 5/12/2023
- How to Use Passkeys on Your iPhone or Mac LH; 5/11/2023
- Embrace the Passwordless Future of Passkeys LH; 5/9/2023
- Google's passkey offering is refined and comprehensive enough to recommend but the ecosystem is incomplete, despite PayPal, Kayak, and others using passkeys; Ars; 5/8/2023
- Google now lets you access your account with passkeys rather than passwords TC; 5/3/2023
- 1Password is trying for zero passwords
create and unlock 1Password accounts using biometric-based passkey tech; Verge; 2/9/2023
- Everything to Know About Passkeys for a Password-Free Future passkeys; NYT; 1/11/2023
- The Password Isn't Dead Yet. You Need a Hardware Key Wired; 12/30/2022
- The passwordless experience you deserve passkeys; 1PW; 11/17/2022
- Dashlane is ready to replace all your passwords with passkeys Verge; 8/31/2022
- Why Passkeys Will Be Simpler and More Secure Than Passwords TB; 6/27/2022
- Apple ‘passkeys’ could finally kill off the password for good TC; 6/6/2022
- Another Step Toward a Password-Free Future TB; 5/5/2022
- Apple, Google, and Microsoft will soon implement passwordless sign-in on all major platforms
unlocking phone to enable access; Verge; 5/5/2022
- Some of tech's biggest names want a future without passwords -- here's what that would look like CNBC; 4/24/2022
- A Big Bet to Kill the Password for Good
after a decade of work, the FIDO Alliance says it's found the missing piece in the bridge to a password-free future; Wired; 3/17/2022
- What You Need to Know About Facial Recognition at Airports NYT; 2/26/2022
- IRS will end use of facial recognition after widespread privacy concerns
ID.me facial recognition/sign-in issues; Verge; 2/7/2022
- The smart toilet era is here! Are you ready to share your analprint with big tech? Guard; 9/23/2021
- Researchers Create 'Master Faces' to Bypass Facial Recognition MB; 8/10/2021
- Apple demos passkeys, to let users set up accounts with just Face ID or Touch ID,
joining Microsoft and Google in advocating for passwordless authentication CNet; 6/10/2021
- John Gruber Analyzes Apple's Secure Intent TB; 6/4/2021
- How to Log In to Your Devices Without Passwords Wired; 4/11/2021
- Inside FIDO Alliance's vision of a future free of passwords
FIDO2 combines W3C's Web Authentication (WebAuthn) specification and FIDO Alliance’s
corresponding Client-to-Authenticator Protocol (CTAP). This allows you to use your phone
or laptop to identify yourself safely to a web service. To reduce the risk of phishing or
any other attacks, the FIDO2 method doesn't involve storing your credentials on a server.
Instead, it uses features such as biometric authentication to validate your identity so the
password never leaves your device; TNW; 10/9/2020
- Face ID and Touch ID Logins Coming to Websites With Safari Web Authentication API 6/24/2020
- The case for biometric authentication -- and why we should ditch passwords TNW; 6/6/2020
- Apple is making iPhones easier to unlock without Face ID while many wear masks CNet; 4/29/2020
- How to turn off Face ID and use a PIN to unlock your iPhone instead e.g., if wearing mask; TNW; 4/17/2020
- Attackers can bypass fingerprint authentication with an ~80% success rate:
using fake fingerprints for ~20 attempts fine for most people, but it's hardly foolproof; Ars; 4/8/2020
- This Smart Toilet Will Know You by the Shape of Your A*****e MB; 4/7/2020
- How YubiKey Bio could make remote security concerns a thing of the past PC; 3/31/2020
Bitwarden
- wikipedia, bitwarden.com
- Bitwarden begins adding passkey support to its password manager Verge; 11/2/2023
- Bitwarden review: This free password manager has few restrictions, and little polish PC; 8/25/2022
Breaches / HaveIBeenPwned
- How to verify a data breach TC; 3/15/2024
- Have I Been Pwned adds almost 71M email addresses tied to stolen accounts from the Naz.API dataset
it allegedly contains 1B+ lines of stolen credentials; BC; 1/18/2024
- Troy Hunt (pwned) scours the dark web for your stolen data 9/22/2023
- What to Do if Your Password Is Exposed in a Data Breach Giz; 7/27/2022
- The NCA shares 585 million passwords with Have I Been Pwned
UK National Crime Agency; US FBI had shared earlier; 12/20/2021
- Have I been Pwned (HIBP) goes open source
HIBP will now also receive compromised passwords discovered in the course of FBI investigations; ZD; 5/27/2021
- How to tell if your password has been stolen
HaveIBeenPwned; Hasso-Plattner-Institut;
Google Password Checkup; Firefox Lockwise; Microsoft Edge Password Monitor;
password managers: LastPass, Dashlane, 1Password; PC; 2/10/2021
- Have I Been Pwned is going open source tells you if passwords were breached; Verge; 8/7/2020
- How Have I Been Pwned became the keeper of the internet’s biggest data breaches
10 billion+ breached accounts; TC; 7/3/2020
- After a breach, users rarely change their passwords, and when they do, they're often weaker
to make things worse, users' new passwords were overall more similar to passwords they use on other accounts; 5/27/2020
- 10 Billion Wrecked Accounts Show Why You Need 'Have I Been Pwned' LH; 4/9/2020
Browser (as PM)
- Hackers can force iOS and macOS browsers to divulge passwords and much more speculative execution, WebKit; Ars; 10/25/2023
- How to Access Saved Passwords in Chrome OSXD; 5/8/2023
- How to Check for Reused & Compromised Passwords in Safari for Mac OSXD; 7/22/2021
- Why your browser's password manager isn't good enough
browser-specific; mobile support? less robust than standalone PM; PC; 1/25/2021
- Chrome and Edge want to help with that password problem of yours Ars; 1/22/2021
- Safari Autofill on Mac: How to Add Logins & Passwords, How to Update & Edit Saved Passwords OSXD; 9/8/2020
- How to Use Chrome, Firefox, or Safari to Change All of Your Bad Passwords
check for bad, vulnerable pw; a PM still preferable; LH; 7/14/2020
Chrome
- Chrome's password safety tool will now automatically run in the background Verge; 12/21/2023
- How to Delete Your Autofill Passwords in Chrome (and Move to Something More Secure) LH; 5/9/2022
- How to Manage Your Passwords in Google Chrome LH; 5/28/2021
- Chrome now uses Duplex to fix your stolen passwords TC; 5/18/2021
- How to View Saved Passwords in Chrome on Mac OSXD; 6/18/2020
Credential Stuffing
- FBI says credential stuffing attacks are behind some recent bank hacks ZD; 9/14/2020
- One out of every 142 passwords is '123456'
'123456' was spotted 7 million times across a data trove of one billion leaked credentials,
in one of the biggest password re-use studies of its kind; average password length is
usually of 9.48 characters; most security experts recommend using passwords as long
as possible, and usually in the realm of 16 to 24 characters, or more; only letters (29%);
only numbers (13%); include special character (12%); ZD; 7/2/2020
DashLane
- wikipedia, dashlane.com
- Dashlane review: Passwords and plenty more MW; 4/17/2024
- Dashlane Authenticator app discontinued 5/13/2024 3/28/2024
- Dashlane is getting rid of its insecure master password Verge; 5/3/2023
- Dashlane publishes its source code to GitHub in transparency push TC; 2/2/2023
- Dashlane's new $3.99 password manager plan is cheaper but might not beat free
unlimited passwords but only on 2 devices; Verge; 4/29/2021
- Profile of the popular password management app Dashlane, which has raised $110M last spring
and is airing its first ever Super Bowl ad Superbowl ad: Password Paradise; Wired; 2/2/2020
Edge
- Microsoft Edge can finally generate new passwords for you PC; 1/21/2021
- Microsoft Edge can now auto-generate passwords, but only via your phone PC; 12/16/2020
- One million Facebook users had passwords stolen by fake apps ApIn; 10/7/2022
Firefox
- Mozilla will end support for Firefox Lockwise app
still available via Firefox's desktop and mobile browsers;
CNet; 11/23/2021
- The Firefox password manager now tells you when you use leaked passwords
Firefox Lockwise; Firefox Monitor: checks whether a website has suffered a security breach; ZD; 5/5/2020
Frequency of Changing
iCloud
- The Essential Guide to Using Apple's New Passwords App: Passkeys, 2FA, Sharing and More CNet; 10/25/2024
- How Apple creates your passwords
not totally random pattern: twenty characters, mostly letters, and the hyphens divide these sequences into three equal parts; 1 capital letter; position of digit; randomly generated syllables
- Everything You Can Do With Apple's New Passwords App LH; 10/3/2024
- Apple's free Passwords app can replace your paid password manager (kinda) MW; 8/23/2024
- A New Passwords App Is Coming to iOS 18, iPadOS 18, and macOS 15 LH; 6/10/2024
- Using Apple's iCloud Passwords Outside Safari TB; 4/1/2024
- Why iCloud Keychain asks for an old device's password -- and why you don't need to worry MW; 7/4/2023
- How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently TB; 4/20/2023
- How to Use Apple's New All-In-One Password Manager Wired; 4/11/2023
- What kinds of passwords, tokens, and keys can Apple manage for you? MW; 3/24/2023
- How to update your passwords with Apple's Security Recommendations MW; 3/16/2023
- If both your iPhone and passcode get stolen, you're in deep trouble ApIn; 2/24/2023
- How to use iCloud Keychain on Windows and how it differs from macOS and iOS ApIn; 8/1/2022
- The macOS Monterey user's guide to Keychain Access password management ApIn; 7/29/2022
- How to use Apple's Keychain password manager in Google Chrome TNW; 2/1/2021
- How to use iCloud Keychain, Apple's built-in and free password manager ApIn; 2/14/2022
- How to use iCloud Keychain, Apple's built-in and free password manager ApIn; 12/29/2021
- If you lock a file in Apple's Notes, don't lose your password MW; 12/27/2021
- How to Install iCloud Passwords Extension on Microsoft Edge OSXD; 12/4/2021
- [2] How to use Keychain Access to view and manage passwords on your Mac MW; 11/18/2021
- How to Import and Export Passwords From iCloud Keychain to Other Password Managers
requires macOS Monterey; LH; 10/29/2021
- Add Two-Factor Codes to Password Entries in iOS 15, iPadOS 15, and Safari 15 TB; 10/7/2021
- You Should Use Your iPhone's New Built-in Two-Factor Authentication
instead of 3rd-party app; LH; 9/23/2021
- Designate Account Recovery and Legacy Contacts
only iCloud+ ($); MW; 6/8/2021
- iCloud 12.5 for Windows finally lets you manage passwords in Keychain MW; 8/16/2021
- How to master your passwords using iCloud Keychain MW; 5/6/2021
- How to set up two-factor authentication for your Apple ID and iCloud account MW; 5/4/2021
- How to take control of your passwords using iCloud Keychain on your iPhone, iPad, and Mac MW; 2/15/2021
- Apple releases Chrome extension for iCloud passwords Verge; 1/31/2021
- Why iCloud Keychain may prompt you for a device password used with other Apple hardware you own
Apple doesn't store your password; MW; 1/25/2021
- How to share a password via AirDrop from iOS 14, iPadOS 14, or macOS
from KeyChain, even if iCloud syncing off; MW; 10/23/2020
- How to Reset Keychain on Mac OSXD; 7/29/2020
- How to Create a New Keychain on Mac OSXD; 7/25/2020
- iPhone & iPad (KeyChain): How to Manually Add Passwords; How to Edit Saved Passwords,
How to Find Duplicate Passwords OSXD; 6/21/2020
- Apple's iOS 14 may turn iCloud Keychain into a true 1Password and LastPass competitor 2FA support; Verge; 4/1/2020
- How to Use iCloud Keychain on iPhone & iPad OSXD; 3/30/2020
iOS
- Wikipedia: Touch ID 4-digit PIN: 10,000 possibilities; fingerprint 50,000 but only 5 tries; stored locally not in cloud
- Apple: If you forgot the passcode for your Apple Watch 11/3/2022
- Apple: Use Touch ID instead of your passcode 3/17/2022
- Apple: About Touch ID security on iPhone and iPad 9/11/2017
- 1Password & Touch ID
- Apple to Introduce Stolen Device Protection in the Upcoming iOS 17.3 TB; 12/14/2023
- How iOS 15.4 could finally eliminate password hell MW; 2/7/2022
- How to Get Verification Codes For Apple ID on iPhone & iPad OSXD; 9/8/2021
- How to Check for Compromised or Leaked Passwords on iPhone & iPad with Security Recommendations OSXD; 2/5/2021
- How to check if your passwords saved in Keychain were compromised on iOS 14 TNW; 10/16/2020
- How to Generate Strong Passwords on iPhone and iPad using iCloud KeyChain; how strong? editable? 9/24/2020
- How to Use Third Party Password Managers on iPhone & iPad Instead of Keychain OSXD; 6/10/2020
LastPass
- wikipedia, lastpass.com
- Multifactor Authentication
- LastPass goes independent over a year after serious breaches
spun off from GoTo; Verge; 5/1/2024
- LastPass review -- Does the original password manager still have what it takes? MW; 4/17/2024
- LastPass now requires 12-character master passwords for better security BC; 1/3/2024
- Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach Krebs; 9/5/2023
- Lastpass Publishes More Details about Its Data Breaches TB; 3/3/2023
- LastPass says employee's home computer was hacked and corporate vault taken Ars; 2/27/2023
- Additional GoTo Data Stolen in the LastPass Breach TB; 1/26/2022
- LastPass Data Breach: It's Time to Ditch This Password Manager Wired; 12/28/2022
- LastPass users: Your info and password vault data are now in hackers' hands
“Encrypted fields [username, passwords, notes] remain secured with 256-bit AES encryption
and can only be decrypted with a unique encryption key derived from each user's master password”; Ars; 12/22/2022
- LastPass warns users of 'security incident' that may have exposed personal data MW; 12/1/2022
- LastPass developer systems hacked to steal source code
user passwords/vaults should be safe; BC; 8/25/2022
- LastPass no longer requires a password to access your vault Eng; 6/6/2022
- Some LastPass users say their master passwords were compromised and used in blocked login attempts from unknown IPs; LastPass blames “credential stuffing” BC; 12/28/2021
- Big Changes Are Coming to LastPass, but Unfortunately Not Its Prices Giz; 12/14/2021
- LastPass is going to become an independent company Verge; 12/14/2021
- How to Export LastPass Passwords OSXD; 6/20/2021
- Security researcher finds seven embedded trackers in the Android app for LastPass password manager
LastPass says users can opt out if they want; Reg; 2/25/2021
- How to leave LastPass and move to another password manager Verge; 2/24/2021
- LastPass's free password manager is about to become a lot less useful
free tier will limit you to one type of device starting 3/16; PC; 2/16/2021
- LastPass will warn you if your passwords show up on the dark web paid subscription only; En; 8/5/2020
- LogMeIn lays off more than 300 workers Boston Biz Journal; 2/21/2020
- Watch Out for Lastpass' New Log-off Bug LH; 2/7/2020
- LastPass to Drop Support for Native Mac App and Replace it With Universal Web App MR; 1/30/2020
- LastPass is in the midst of a major outage
issue appears to impact users with accounts dating back to 2014 and earlier; ZD; 1/20/2020
- LogMeIn sells to private equity firms for $4.3 billion
parent of LastPass supposedly "becoming a private company will help fuel its next phase of growth and product investment"
(S: often private equity acquisitions don't have such rosy outcomes); ZD; 12/17/2019
macOS
- Apple: Frequently asked questions about two-step verification for Apple ID
- How to Recover Recently Deleted Passwords on Mac OSXD; 10/18/2023
- macOS Monterey Features Dedicated Password Section in System Preferences,
Built-In Authenticator and More MR; 6/11/2021
- How to Find Forgotten / Lost Web Site Passwords on Mac OSXD; 7/27/2020
SSO (Single Sign-On); OAuth
- Wikipedia: Single Sign On (SSO); OpenID users authenticated by certain co-operating sites
(known as Relying Parties or RP) using a third party service; security issues
- Wikipedia: OAuth open standard for authorization; security issues
- OpenID / OAuth allow you to use your Google, Twitter, Facebook credentials to log into other sites
- You Can Disable Google Sign-in Pop-ups on All Websites LH; 12/20/2022
- She clicked sign-in with Google. Strangers got access to all her files. WaPo; 10/24/2022
- Behold, a password phishing site that can trick even savvy users Ars; 3/21/2022
- How to Use 'Sign In With Apple' on iPhone & iPad to Hide Email from Apps & Signups OSXD; 8/5/2020
- Remove Apps Linked to Your Facebook Account That You're Not Using LH; 7/3/2020
- How Google's New 'One Tap' Android Sign-Ins Work
how secure if someone can access your device or Google account? LH; 6/16/2020
- Sign in with Apple FAQ: What you need to know about Apple's single sign-on feature
compared with Facebook, Google, or Twitter sign-in options: no tracking;
fake email with free anonymous email forwarding; requires 2FA;
(also usable on non-Apple devices; still avail on fewer SSO sites?); MW; 4/7/2020
Password Managers
- Wikipedia: password manager; 1Password; Bitwarden; Dashlane; KeePass
- HowStuffWorks: How Password Management Software Works
- Best Free Password Manager Bitwarden; CNet; 9/21/2024
- Roboform review: Quiet and efficient password manager that gets the job done MW; 6/25/2024
- Breaking a Password Manager pseudo-random number generator in old RoboForm; 6/4/2024
- Our Favorite Password Manager Remembers All of Your Logins So You Don’t Have To NYT; 11/24/2023
- Best Password managers to protect your data on iOS and macOS
Keychain, 1Password, Bitwarden, Dashlane, Keeper, NordPass; ApIn; 11/4/2023
- Are password managers safe? 1PW
- Best password manager to use CNet; 7/30/2024
- The Best Password Managers NYT; 7/11/2024
- MW; 7/5/2024
- Best free password managers: Better online security doesn't have to cost a thing
Best free password manager for most people: Bitwarden
Best free password manager for DIYers: KeePass
Best free password manager for simplicity: Google, Apple, or Firefox
Free vs. paid password managers; PC; 6/19/2024
- Best password managers: Reviews of the top products PC; 6/16/2024
- The Best Password Managers to Secure Your Digital Life discussion of browsers and passkeys;
Bitwarden, 1Password, Dashlane, Nordpass, Enpass, KeePassXC; Wired; 4/28/2024
- Proton launches its password manager Proton Pass TC; 6/28/2023
- Proton releases end-to-end encrypted password manager for desktop and mobile TC; 4/20/2023
- KeePass disputes vulnerability allowing stealthy password theft BC; 1/30/2023
- NortonLifeLock warns that hackers breached Password Manager accounts BC; 1/13/2023
- Seven free alternatives to the LastPass password manager
Bitwarden; Zoho Vault; Dashlane; KeePass;
LogMeOnce; NordPass; RoboForm;
Verge; 1/6/2023
- Bitwarden vs. LastPass CNet; 8/29/2022
- Mindpass Password Manager makes 3D password control super simple
4 sequence of objects, similar to 4 word phrase; gimmick? MW; 6/5/2022
- Why 1Password Is Now the Best Password Manager for Mac LH; 5/20/2022
- McAfee Total Protection review: A new look, but more work is needed
to improve the experience with its password manager; PC; 3/1/2022
- LastPass vs. 1Password: Which password manager should you use? CNet; 1/13/2022
- 7 of the Best Password Managers to Choose From Before (Firefox) Lockwise Shuts Down
Firefox Browser; Bitwarden; LastPass;
iCloud Keychain; 1Password; KeePass;
Dashlane; LH; 12/6/2021
- Best Password Manager Tools for Linux
LastPass; Keeper; KeePass; SpiderOak Encryptr; EnPass; RoboForm; Buttercup; Bitwarden; Passmgr; 8/25/2021
- LogMeOnce review: The passwordless password manager
master password still needed to create vault, but biometric, numeric PIN, and/or photo can access; PC; 8/17/2021
- NordPass review: Streamlined password management PC; 7/29/2021
- Vulnerability in the Kaspersky Password Manager
generated guessable "random" passwords; 7/6/2021
- Backdoored password manager stole data from as many as 29K enterprises Passwordstate; Ars; 4/23/2021
- Isn't local storage better for password database security?
in the end, the use of any well-regarded password manager is more secure than most people’s habits,
regardless of where the password data is stored; PC; 4/14/2021
- Mastering your password manager: 5 must-know tips PC; 3/18/2021
- Should I Keep Using My Password Manager? if it's not in Top 10? e.g., Roboform; LH; 11/27/2020
- 5 Password Manager Perks You Might Not Be Using
Check for Compromised Accounts;
Find Sites That Support Two-Factor Authentication;
Store IDs and Credit Cards;
Share Passwords With Other People;
Safely Store Your Important Documents; Wired; 8/21/2020
- Password manager showdown: LastPass vs. 1Password 8/14/2020
- Dropbox launches password manager, computer backup, and secure ‘vaults’ out of beta 8/12/2020
- Apple announces open-source project for password manager developers ApIn; 6/5/2020
- Trend Micro Password Manager review: Basic and a little buggy PC; 5/28/2020
- Now's The Perfect Time to Start Using a Password Manager Wired; 5/24/2020
- The best password managers in 2020 Dashlane, LastPass, Keeper, Enpass, 1Password, Zoho Vault, RoboForm; Toms; 5/8/2020
- How Do I Access My Work Passwords From My Home Devices? Chrome sync; password managers; LH; 3/27/2020
- Why You Need a Password Manager. Yes, You.
aside from using two-factor authentication and keeping your operating system and Web browser
up-to-date, it’s the most important thing you can do to protect yourself online; NYT; 9/2/2019
Questions
- These Phishing Tactics Disguised as 'Fun' on Social Media. Here's What to Look For CNet; 3/27/2022
- Choosing and Using Security Questions Cheat Sheet 2021
- Online Security Questions Are Not Very Effective. I Still Love Them. NYT; 7/15/2021
- Why Social Media Name Games Are a Security Risk seemingly innocuous personal information
(your full name + the street you grew up on + your first car, etc.); LH; 12/15/2020
- Why You Shouldn't Play That 'Fun Quarantine Game' on Facebook
the answers to all those fun games are also the same things you might enter when you’re trying
to verify your identity on a website in order to reset your password; LH; 4/16/2020
Safari
- When Safari flashes a 'Compromised Password' warning, pay attention MW; 11/30/2021
- How to Import Passwords & Logins from Chrome to Safari on Mac OSXD; 1/23/2021
SMS, SIM swapping/hijacking
- Google backs Apple's SMS OTP standard proposal
for humans: 747723 is your WEBSITE authentication code.
for browser/apps: @website.com #747723
benefits? autofill, reduce phishing (but not SMS hijacking); ZD; 4/7/2020
- How to Tell if You're the Victim of a SIM-Swapping Attack LH; 1/14/2020
- Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers MB; 1/10/2020
Password Strength; Diceware
- Wikipedia: List of the most common passwords
- SplashData: List of current 100 worst
- Articles about each year's 'worst 25' list: 2019; 2018; 2017; 2016; 2015; 2014; 2013; 2012; 2011 mostly Gizmodo
- password lists
- Wikipedia: Diceware
- XKCD cartoon: correct horse battery staple
- How to Calculate Password Entropy?
- EFF: How to Make Super-secure Passwords using Dice
- Passwordle guess a 12-char password
- TV Tropes: Embarrassing Password; The Password Is Always "Swordfish"
It seems that most characters in fiction missed the memo on making a good Secret Word or pass phrase.
They are almost invariably single words, names, or dates of significance to a character which can be
easily deduced using a little detective work: the clue is often right there on the desk, in the form of
a picture or memento. Or simply spelled out in bold lettering on your commemorative plaque or a wall poster.
- Dumb Password Rules list of sites
- A "ridiculously weak" password causes disaster for Spain's No. 2 mobile carrier Ars; 1/4/2023
- Iran-linked cyberattacks threaten equipment used in U.S. water systems and factories hackers used "1111" default password; NPR; 12/2/2023
- We cracked more than 18,000 passwords. Here are our tips. multifactor authentication; passphrases; WaPo; 8/2/2023
- The Password Game Is Fun, Frustrating, and Educational TB; 6/30/2023
- The Password Game will make you want to break your keyboard in the best way game; Ars; 6/28/2023
- People Sure Are Bad at Creating Passwords LH; 6/14/2023
- A fifth of passwords used by federal agency cracked in security audit
89% of the department's high-value assets didn't use multi-factor authentication; Ars; 12/10/2023
- Make Your Passwords Stronger With These 5 Tips CNet; 5/5/2022
- Never Change Your Password
1) If it's sufficiently strong;
2) If you created a unique one for each account
3) Unless there's a security breach where it's stored;
TB; 3/5/2022
- The 20 Most Commonly Leaked Passwords on the Dark Web MF; 3/3/2022
- Olympics Broadcaster Announces His Computer Password on Live TV
video; MB; 7/26/2021
- Russian Military Hackers Have Been On a Worldwide Password Guessing Spree
according to U.S. and U.K. government officials, the Russian cyber spies of Unit 26165
have been using brute force attacks to target hundreds of organizations; Giz; 7/1/2021
- Did weak wi-fi password lead the police to our door?
BBC; 5/23/2021
- How to create strong, secure passwords by learning how to crack them
it gets harder to crack a password if it's 10 characters or longer
-- but complexity matters too, of course. PC; 5/5/2021
- COMB: The Big Password Leak intl; pw reuse; 4/26/2021
- How to pick the perfect password PC; 4/6/2021
- Breached water plant employees used the same TeamViewer password and no firewall Ars; 2/10/2021
- Rules for strong passwords don't work, researchers find. Here's what does CNet; 11/12/2020
- The Police Can Probably Break Into Your Phone
phone-hacking tools typically exploit security flaws to remove a phone's limit on passcode attempts
and then enter passcodes until the phone unlocks. Because of all the possible combinations,
a six-digit iPhone passcode takes on average about 11 hours to guess, while a 10-digit code takes 12.5 years; NYT; 10/21/2020
- A computer can guess more than 100 billion passwords per second -- still think yours is secure? TNW; 9/22/2020
- 'DiceKeys' Creates a Master Password for Life With One Roll Wired; 8/21/2020
- 'Weird' Nintendo Switch Issue Makes it Easier to Guess Passwords
highlights ok when first 8 characters entered correctly; MB; 5/22/2020
- Suspected DNC & German Parliament Hacker Used His Name As His Email Password TD; 5/6/2020
- FBI recommends passphrases over password complexity
Longer passwords, even consisting of simpler words or constructs, are better than
short passwords with special characters; ZD; 2/21/2020
Windows
- Microsoft Has a New Trick for Keeping Your Password Safe
Warn me about password reuse; Warn me about unsafe password storage; LH; 9/26/2022
- How to type special characters on a Windows 11 PC Verge; 4/26/2022
- How to type special characters on a Windows PC Verge; 3/26/2021