Use Apple “Keychain” for your passwords? Yea or Nay?

edited June 15 in Other Investing
I haven’t used it before (at least knowingly). But today one of my seldom used iOS devices displayed a warning that a password I use for a news site (a very weak one by choice) had appeared on a national database of stolen passwords. The message even identified the news site where I use it. Apparently I’d left keychain switched on on that device and Apple had been monitoring that password.

Well, I changed the PW and a few others that were intentionally simple and easy to remember. Then I researched Apple’s keychain function to see what it’s all about.

Article

Here’s a snippet: “If you have iCloud Keychain set up as an option to auto-fill passwords into mobile and web apps, Safari will help out in the auditing so that it can warn you of compromised passwords whenever you log in to a website. So if you use iCloud Keychain to auto-fill your credentials into a website in Safari, after you sign in, Safari will give you a prompt to "Change Password on Website," like so: This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately.”

One problem with the above: I don’t use Safari for sensitive sites. I use DuckDuckGo instead.

Like most of you, I’m sure, I use some pretty tough passwords for financial sites, some extending to 15 characters. (And, most often 2-factor authentication is also used.) Each password is unique. So, I’m not particularly concerned. The one that may have been heisted is a simple one I’ve used for over 20 years where security isn’t much of a concern. On the other hand - If Russian hackers can shut down a major U.S. pipeline, how do you keep them from accessing your personal financial data - or worse?

So … Do you think trusting Apple to remember your passwords is a good idea? Or a bad idea?

Please forgive listing this as “Other Investing.” But ISTM security of financial records is pretty important.
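The "this password has appeared in a data leak" warning described above is an instance of a compromised-credential check. The snippet below is an added example, not code from this thread or from Apple; it shows the k-anonymity range-query scheme that public breach-check services (such as Have I Been Pwned) use, where the device sends only the first five hex characters of the password's SHA-1 and does the final comparison locally, so the full password never leaves the device. Whether Apple's Keychain uses exactly this scheme is not stated on the page; the breach corpus, hit counts and vault contents are constructed for the demo.

```python
import hashlib

# Constructed sample "breach corpus" for this demo: a few deliberately weak,
# made-up passwords with fake hit counts, NOT real leak data. A real service
# holds hundreds of millions of SHA-1 hashes indexed the same way.
LEAKED_PASSWORDS = {"denniso": 412, "password": 99999, "letmein": 5000, "qwerty123": 8000}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash form the range-query scheme uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Server-side index: 5-hex-char prefix -> {35-hex-char suffix: leak count}
BREACH_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in LEAKED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count

def hash_prefix(password: str) -> str:
    """Client side: the only value that leaves the device is this 5-char prefix."""
    return sha1_hex(password)[:5]

def range_query(prefix: str) -> dict[str, int]:
    """Server side: return every suffix in the prefix's bucket. Seeing only a
    5-char prefix, the server cannot tell which suffix (if any) the client holds."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix.upper()):
        raise ValueError("prefix must be 5 hex characters")
    return dict(BREACH_INDEX.get(prefix.upper(), {}))

def check_password(password: str) -> int:
    """Client side: hash locally, send the prefix, compare suffixes locally.
    Returns the leak count (0 = not found in the corpus)."""
    digest = sha1_hex(password)
    return range_query(digest[:5]).get(digest[5:], 0)

def audit_accounts(accounts: dict[str, str]) -> list[tuple[str, int]]:
    """Vault audit: (site, leak_count) for every stored password found in the
    corpus, most-leaked first. An empty list means nothing needs changing."""
    hits = [(site, n) for site, pw in accounts.items() if (n := check_password(pw))]
    return sorted(hits, key=lambda t: -t[1])

if __name__ == "__main__":
    # Constructed vault resembling the thread: one weak news-site login, the rest strong.
    vault = {"news-site": "denniso", "bank": "v9!Lm2#qRt8^zWp0", "broker": "Hn4$ke8Qw!2zTb7L"}
    for site, n in audit_accounts(vault):
        print(f"{site}: password appeared in a data leak {n} times; change it")
```

The same flow works against a vault of any size; a manager that does this audit server-side could only do so by holding your passwords in recoverable form, which is the trust question the thread is asking.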

Comments

  • I'm an Apple user, but I subscribe to Dashlane, an excellent password manager. As we have several devices, it's worth the $60 annually. I have not explored the iCloud Keychain. Firefox has a great bookmarks manager.
  • I'm a lifelong Apple user but use 1Password for the moment and have my vault in a zero-trust cloud storage environment that even the provider can't get into. Plus in the interest of resiliency, I didn't like having all my passwords in Apple's ecosystem .... last time I looked, they didn't make it easy to export all your accounts/pws if you wanted to leave Keychain for something else.

    That said, for most general users Keychain/iCloud is more than enough to keep them secure in a relatively simple, lowest-common-denominator sort of way.
  • I agree that a third party PW manager is probably safer than Apple, Firefox or Google. Both LastPass and 1Password were given good reviews in WSJ recently.

    However, I do not use any of the above to store my financial passwords. I have them in an encrypted Word document that is only on my computer ( hard copy in safe deposit) and I enter them by hand or copy and paste

    One of the downsides to these notifications is that many of them refer to a web service I have not used in years and there is no easy "delete account" button.
  • edited June 16
    A stand-alone password manager will usually be more secure than saving passwords via a web browser.
    I use the free, open source KeePass program as my password manager*.
    KeePass is very capable from a security perspective but it may not be the most intuitive password manager to configure and the user interface looks dated (if that matters to you).

    *I don't use password managers on mobile devices since sites requiring passwords are not accessed on these devices (except web mail).
  • edited June 16
    Thanks all. Very informative.

    FWIW - the password (to a news site) that was “flagged” by Apple consisted of 8 lower case letters which comprised a first name and an initial. Think “denniso”. I’d imagine there’s hundreds of people using that one.:)

    However, this has spurred me to rethink and beef-up password security across the wide spectrum of applications.
  • hank said:

    Thanks all. Very informative.

    FWIW - the password (to a news site) that was “flagged” by Apple consisted of 8 lower case letters which comprised a first name and an initial. Think “denniso”. I’d imagine there’s hundreds of people using that one.:)

    However, this has spurred me to rethink and beef-up password security across the wide spectrum of applications.


    I've been caught up in so many breaches -- especially OPM and Equifax -- that a few years ago I took a weeklong stand-down and went through all my accounts to change emails and add updated/randomized passwords on EVERYTHING as I put them into a password manager and/or enabled 2FA on selected sites. In many cases on my more critical accounts I redid the 'security question' answers so that they make no sense -- e.g., "what's your favorite color" might be "MFO" or something utterly random. After all, computers and customer service reps don't care if the answer makes sense, all they care about is if it's the correct response.

    The career security geek in me didn't want to use a manager, but I figure a) I'm getting older and simplicity is fun, and b) the capabilities of AI/ML/BigData make it even easier to guess/brute-force passwords and more so the 'security questions' that 'protect' accounts. So I bit the bullet and so far so good.



  • +1 especially the tip of providing random answers to security questions !
  • carew388 said:

    +1 especially the tip of providing random answers to security questions !

    +2
    I do the same!

  • edited June 16
    I've been using different brands of scotch whisky. My school? Cutty Sark University / Favorite Teacher? Johnnie Walker Black …. etc.