Dealing with the new security règime

  • Thread starter Thread starter sophiecentaur
  • Start date Start date
Join the discussion
Ask a follow-up here, or get your own question answered by working scientists, mathematicians and engineers — people, not an autocomplete.
Real named experts · corrections over time · the nuance an AI answer skips
11 replies · 3K views
Messages
30,548
Reaction score
7,530
Recently, I've been finding the world of passwords suddenly got more confusing. Way back I (most of us, I suspect) used easy passwords and, for unimportant sites, the same old password.

That was sloppy and we were warned about 20 separate uses of the same password. Helped by the Apple Keychain facility or the equivalent Windows password help we all behaved ourselves properly. Registering at a brand new site, you suggested a user name and Macos presented you with / suggested a very secure password. You just said OK and you could rely on logging onto the new site with no bother for ever and remembering nothing.
I used Safari for years, but then switched to Chrome and some of the google Office apps which meant a group of us could develop club admin. I now find that there I have ended up with two password managing systems and I can't predict which one will do the business.

There are Apple PF members so what do you all do? My excuse is that I am a definite Old Dog and I have an excuse about New Tricks.
Once I get a good answer to this one, perhaps someone could help me with these new fangled Passkeys . . . .
 
Physics news on Phys.org
@jedishrfu yes I read about the details of these public key systems. I believe the DES (Data Encryption Standard) was developed to take a long time to crack; to beat the Russian spies at the grain prices game. It was in the 80's I believe. When processors were sluggish.

Actually my problem has been that users seem to be a bit of an exclusive club. It's rather assumed that we all know about how to join. I'd assume that, because it's such a great tool, every organisation would give noddy instructions about how tom talk safely with them.

But I appreciate that you have mildly shamed me into finding out more and joining the club.
 
Reply
  • Like
Likes   Reactions: jedishrfu
It's not that you should feel no shame. Passkeys just kind of popped up on the radar as sites have begun to support them. My understanding is that once you setup a passkey then you disable the password on the site I guess by changing it to an impossible to crack one.

There was a recent article in Ars Technica I think that talked about hackers developing a comprehensive password cracking tool that meant the demise of passwords as a viable protection scheme.

On Apple products, they rolled out a passwords manager that identifies duplicated and compromised passwords as well as passkey sites. I'm not sure for Windows and Android but it's likely they have similar tools.

At work we used Yubi key signon to our network because desktop machines were vulnerable.
 
Reply
  • Like
Likes   Reactions: sophiecentaur
jedishrfu said:
Passkeys just kind of popped up on the radar
Exactly; they suddenly appeared. If they really are the answer to the maiden's prayer and could guarantee a safer digital life when why doesn't every digital organisation sell it very hard and help everyone to get on board? Instead, all you get is a terse 'invitation' to switch to the system. When you start dealings with an online company you want to just get on with it and you really don't want to be distracted at the time. Worse than, the straightforward option of Keychain / Passwords no longer seems to help you into an optimal password. You (in a desperate hurry of course) are reduced to thinking of an easy password to remember ("George99" etc.) which would not have happened a few months ago.
jedishrfu said:
desktop machines were vulnerable.
My bizarre problem: A year ago I started on a course of chemo (Much better now; water under the bridge) one of the side effects is Foot and Hand Syndrome, which destroys your fingerprints (lots of fine cracks on the finger ends) and Apple's fingerprint reader (a great way into passkeys, they say) can't help so my Macbook pro is sort of obsolete. Do you know why desktop machines are now particularly vulnerable?
 
sophiecentaur said:
If they really are the answer to the maiden's prayer and could guarantee a safer digital life when why doesn't every digital organisation sell it very hard and help everyone to get on board?

They aren't the ultimate answer, they're just apparently better than passwords. You'll still have vulnerabilities. And the reason why everyone doesn't jump on board is because it takes time and money to do so. One of my banks still doesn't even offer two step authentication. Slackers! But the account is totally free without a minimum deposit so I take it for it is. Same with lots of smaller organizations.

Some things I care a lot about security. Financial sites especially. Some I don't. For example, I don't really care about my password here. You could guess it with a little effort but... who cares?
 
Reply
  • Like
Likes   Reactions: sophiecentaur and nsaspook
JT Smith said:
For example, I don't really care about my password here. You could guess it with a little effort but... who cares?
Well, we've had about a dozen accounts per year hacked lately where a spammer guesses your password and posts malicious spam under long-time accounts. That gets them banned immediately, and recovering those accounts is messy. Please make your password here less obvious (I have). Thanks.
 
Reply
  • Like
  • Wow
Likes   Reactions: FactChecker and sophiecentaur
I feel your pain with the fingerprint reader issue. A physical security key works without touch, and it's much simpler than juggling two password managers.
 
jedishrfu said:
It's not that you should feel no shame. Passkeys just kind of popped up on the radar as sites have begun to support them. My understanding is that once you setup a passkey then you disable the password on the site I guess by changing it to an impossible to crack one.
I don't think the password needs to be disabled. It still needs to be used to recover if your device dies or if you want to use the same account from another device. The advantage is that it doesn't need to be transmitted to the server again for routine use.
 
berkeman said:
Please make your password here less obvious (I have).

macOS helps you here. It generates a very secure PW for you and then it's stored in your Cloud. There's only one PW for the user to remember and (with my leaky brain) that's easy. The snag is when you come across a dumb website that can't communicate with macOS and you find yourself back in the 90s, inventing your own PW again.
My invented PWs tend to use people and phone numbers from my youth. I'm usually the only person with a clue about them. Who else colud know the names of neighbours when I was 11 years old?

EDIT: I realise `I'm just repeating myself!!! Sorry . Fingerprint ID is pretty good but, strangely, a course of Chemo managed to smooth off my fingertips for about a year. Felt a bit like a Bond film or the original TV Mission Impossible.
 
jedishrfu said:
On Apple products, they rolled out a passwords manager that identifies duplicated and compromised passwords as well as passkey sites. I'm not sure for Windows and Android but it's likely they have similar tools.
They do but they don't talk to each other (Windows <-> Android) so a (paid for) 3rd party password manager is most convenient, and will also store credit card details for cross-platform use. I use 1Password.