Dealing with the new security règime

[sophiecentaur]

Recently, I've been finding the world of passwords suddenly got more confusing. Way back I (most of us, I suspect) used easy passwords and, for unimportant sites, the same old password.

That was sloppy and we were warned about 20 separate uses of the same password. Helped by the Apple Keychain facility or the equivalent Windows password help we all behaved ourselves properly. Registering at a brand new site, you suggested a user name and Macos presented you with / suggested a very secure password. You just said OK and you could rely on logging onto the new site with no bother for ever and remembering nothing.
I used Safari for years, but then switched to Chrome and some of the google Office apps which meant a group of us could develop club admin. I now find that there I have ended up with two password managing systems and I can't predict which one will do the business.

There are Apple PF members so what do you all do? My excuse is that I am a definite Old Dog and I have an excuse about New Tricks.
Once I get a good answer to this one, perhaps someone could help me with these new fangled Passkeys . . . .

 

[jedishrfu]

From Microsoft Security:

 

[sophiecentaur]

@jedishrfu yes I read about the details of these public key systems. I believe the DES (Data Encryption Standard) was developed to take a long time to crack; to beat the Russian spies at the grain prices game. It was in the 80's I believe. When processors were sluggish.

Actually my problem has been that users seem to be a bit of an exclusive club. It's rather assumed that we all know about how to join. I'd assume that, because it's such a great tool, every organisation would give noddy instructions about how tom talk safely with them.

But I appreciate that you have mildly shamed me into finding out more and joining the club.

 

[jedishrfu]

It's not that you should feel no shame. Passkeys just kind of popped up on the radar as sites have begun to support them. My understanding is that once you setup a passkey then you disable the password on the site I guess by changing it to an impossible to crack one.

There was a recent article in Ars Technica I think that talked about hackers developing a comprehensive password cracking tool that meant the demise of passwords as a viable protection scheme.

On Apple products, they rolled out a passwords manager that identifies duplicated and compromised passwords as well as passkey sites. I'm not sure for Windows and Android but it's likely they have similar tools.

At work we used Yubi key signon to our network because desktop machines were vulnerable.

 

[sophiecentaur]

Passkeys just kind of popped up on the radar

Exactly; they suddenly appeared. If they really are the answer to the maiden's prayer and could guarantee a safer digital life when why doesn't every digital organisation sell it very hard and help everyone to get on board? Instead, all you get is a terse 'invitation' to switch to the system. When you start dealings with an online company you want to just get on with it and you really don't want to be distracted at the time. Worse than, the straightforward option of Keychain / Passwords no longer seems to help you into an optimal password. You (in a desperate hurry of course) are reduced to thinking of an easy password to remember ("George99" etc.) which would not have happened a few months ago.

desktop machines were vulnerable.

My bizarre problem: A year ago I started on a course of chemo (Much better now; water under the bridge) one of the side effects is Foot and Hand Syndrome, which destroys your fingerprints (lots of fine cracks on the finger ends) and Apple's fingerprint reader (a great way into passkeys, they say) can't help so my Macbook pro is sort of obsolete. Do you know why desktop machines are now particularly vulnerable?

 

[JT Smith]

If they really are the answer to the maiden's prayer and could guarantee a safer digital life when why doesn't every digital organisation sell it very hard and help everyone to get on board?

They aren't the ultimate answer, they're just apparently better than passwords. You'll still have vulnerabilities. And the reason why everyone doesn't jump on board is because it takes time and money to do so. One of my banks still doesn't even offer two step authentication. Slackers! But the account is totally free without a minimum deposit so I take it for it is. Same with lots of smaller organizations.

Some things I care a lot about security. Financial sites especially. Some I don't. For example, I don't really care about my password here. You could guess it with a little effort but... who cares?

 

[berkeman]

For example, I don't really care about my password here. You could guess it with a little effort but... who cares?

Well, we've had about a dozen accounts per year hacked lately where a spammer guesses your password and posts malicious spam under long-time accounts. That gets them banned immediately, and recovering those accounts is messy. Please make your password here less obvious (I have). Thanks.