I haven’t used it before (at least knowingly). But today one of my seldom used iOS devices displayed a warning that a password I use for a news site (a very weak one by choice) had appeared on a national database of stolen passwords. The message even identified the news site where I use it. Apparently I’d left keychain switched on on that device and Apple had been monitoring that password.
Well, I changed the PW and a few others that were intentionally simple and easy to remember. Then I researched Apple’s keychain function to see what it’s all about.
Article. Here’s a snippet:
“If you have iCloud Keychain set up as an option to auto-fill passwords into mobile and web apps, Safari will help out in the auditing so that it can warn you of compromised passwords whenever you log in to a website. So if you use iCloud Keychain to auto-fill your credentials into a website in Safari, after you sign in, Safari will give you a prompt to "Change Password on Website," like so: This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately.” One problem with the above: I don’t use Safari for sensitive sites. I use DuckDuckGo instead.
Like most of you, I’m sure, I use some pretty tough passwords for financial sites, some extending to 15 characters. (And, most often, 2-factor authentication is also used.) Each password is unique. So, I’m not particularly concerned. The one that may have been heisted is a simple one I’ve used for over 20 years where security isn’t much of a concern. On the other hand, if Russian hackers can shut down a major U.S. pipeline, how do you keep them from accessing your personal financial data, or worse?
So … Do you think trusting Apple to remember your passwords is a good idea? Or a bad idea?
Please forgive listing this as “Other Investing.” But ISTM security of financial records is pretty important.
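Editor’s note, added example (not part of the original post and not Apple’s code): the quoted article says the device warned that a password “appeared in a data leak.” One widely used way to run that kind of check without ever sending the password, or even its full hash, to a server is the hash-prefix range query popularised by Have I Been Pwned’s Pwned Passwords service: the client hashes the password with SHA-1, sends only the first 5 hex characters, gets back every leaked hash suffix sharing that prefix, and compares locally. The snippet below shows both sides of that exchange. The leak corpus (`CONSTRUCTED_LEAK`), the function names and the counts are all constructed here for illustration; the page does not describe how Apple’s own check works, so this is the general technique, not a description of Keychain internals.

```python
"""Added example: a k-anonymity style leaked-password check.

Illustrates the hash-prefix range query used by Have I Been Pwned's
Pwned Passwords API. Nothing here is fetched over the network; the
"leak database" is constructed inline for the demo.
"""
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed sample of a breach corpus: password -> times seen in leaks.
# Deliberately weak, made-up entries; the counts are invented for the demo.
CONSTRUCTED_LEAK = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "denniso": 42,        # the first-name-plus-initial style mentioned in the thread
    "qwerty": 3_946_737,
    "letmein": 236_000,
}

def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup key, never for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leak: dict) -> dict:
    """Server side: bucket leaked hashes by their 5-character prefix.

    Each bucket maps the 35-character hash suffix -> number of times seen.
    """
    index = defaultdict(dict)
    for pw, count in leak.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index

def range_query(index: dict, prefix: str) -> dict:
    """Server side: answer a range query. Only the 5-char prefix ever arrives."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return dict(index.get(prefix, {}))

def pwned_count(password: str, index: dict) -> int:
    """Client side: how often the password appears in the leak corpus.

    The server sees only `prefix`; the suffix comparison happens locally,
    so the password itself (and its full hash) never leave the client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    bucket = range_query(index, prefix)
    return bucket.get(suffix, 0)

def strong_password(length: int = 16) -> str:
    """Generate a random password of the kind a password manager would store."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAK)
    for candidate in ("denniso", "password", strong_password()):
        n = pwned_count(candidate, idx)
        verdict = f"seen {n} times in leaks" if n else "not in the sample leak set"
        print(f"{candidate!r}: {verdict}")
```

The point of the prefix split is privacy: with a 5-hex-character prefix the server learns at most which of 16^5 buckets your password falls in, and every response contains many unrelated suffixes, so a match is only ever detected on the client. A real deployment would also rate-limit the query endpoint and refuse to store or log the prefixes it receives.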
Comments
That said, for most general users Keychain/iCloud is more than enough to keep them secure in a relatively simple, lowest-common-denominator sort of way.
However, I do not use any of the above to store my financial passwords. I have them in an encrypted Word document that is only on my computer (hard copy in safe deposit) and I enter them by hand or copy and paste.
One of the downsides to these notifications is that many of them refer to a web service I have not used in years and there is no easy "delete account" button.
I use the free, open source KeePass program as my password manager*.
KeePass is very capable from a security perspective but it may not be the most intuitive password manager to configure and the user interface looks dated (if that matters to you).
*I don't use password managers on mobile devices since sites requiring passwords are not accessed on these devices (except web mail).
FWIW, the password (to a news site) that was “flagged” by Apple consisted of 8 lower case letters which comprised a first name and an initial. Think “denniso”. I’d imagine there are hundreds of people using that one.
However, this has spurred me to rethink and beef-up password security across the wide spectrum of applications.
I've been caught up in so many breaches -- especially OPM and Equifax -- that a few years ago I took a weeklong stand-down and went through all my accounts to change emails and add updated/randomized passwords on EVERYTHING as I put them into a password manager and/or enabled 2FA on selected sites. In many cases on my more critical accounts I redid the 'security question' answers so that they make no sense -- e.g., "what's your favorite color" might be "MFO" or something utterly random. After all, computers and customer service reps don't care if the answer makes sense, all they care about is if it's the correct response.
The career security geek in me didn't want to use a manager, but I figure a) I'm getting older and simplicity is fun, and b) the capabilities of AI/ML/BigData make it even easier to guess/brute-force passwords and more so the 'security questions' that 'protect' accounts. So I bit the bullet and so far so good.
I do the same!