Re: Too many passwords

2018-12-04 Thread Stephen Chape
I am with you on that one Tim.

> On 5 Dec 2018, at 5:02 am, Tim Law  wrote:
> 
> Alex,
> 
> In a blog posting, the owner of 1Password talked about the benefits to the 
> user of using normal words rather than a collection of wild letters and 
> numbers. If you ever have to physically enter a password it is much easier to 
> write “sung.7Persuade.pushy” than a random string and apparently just as 
> secure as long as the words would never normally appear together.  I’ve added 
> in the 7 and the upper case P and it creates a highly secure password that 
> shows all green on those little slider indicators.
> 
> Regards
> 
> Tim
> 
> 
> 
> Sent from Tim's Retina iPad 2
> 
> On 4 Dec 2018, at 11:35 pm, Alex wrote:
> 
>> Thanks Daniel, that was very helpful on a very vexatious issue.
>> 
>> Couple queries tho’.  Do you have any opinion on LastPass?  I have used it 
>> in a Windows environment.
>> 
>> And, if one is to use a password management programme, would it then be 
>> advisable to set up random letters, numbers & characters as passwords rather 
>> than the usual passwords one makes up?
>> 
>> Cheers,
>> 
>> Alex Novakovic
>> 
>>> On 3 Dec 2018, at 12:29 pm, Daniel Kerr wrote:
>>> 
>>> Hi Pat
>>> 
>>> If you enter the AppleID (which is also used for iCloud, as they are 
>>> generally one and the same thing), more than 3 times, then yes it will 
>>> generally want you to reset it.
>>> You can do this by a few options - some are automated, and don’t require 
>>> calling Apple.
>>> If you have access to the email address, you can request an email that will 
>>> step you through resetting your password.
>>> Generally if I want to “Test” a password for a client to see if it’s 
>>> correct or not, then I will use the “main” Apple site - applied.apple.com 
>>> 
>>> By putting in the email address and password then it will ensure if it’s 
>>> correct or not. If it logs in - the password is correct. If it advises it 
>>> isn’t correct then a few tries before the option of resetting it (normally 
>>> via the email option). It’s very rare to have to call Apple for this at all 
>>> I find. It’s all automated.
>>> 
>>> *Generally* (and I use this term lightly) the computer password will be 
>>> different to the AppleID password. Though,…in some of the later systems, 
>>> this can be reset by the same AppleID.
>>> In System Preferences - Users & Groups - “username” (on the left hand 
>>> side). On the right hand side there is a tick box that says “Allow user to 
>>> reset password using Apple ID”. If this is ticked, then the AppleID can be 
>>> used to change the computer password. And then (generally) these are one 
>>> and the same.
>>> I personally prefer to keep these different, so the computer password is 
>>> completely different to my AppleID. (for security reasons).
>>> 
>>> This could be where (if you had ticked) some of the issue could have 
>>> happened in your last post to the list where you went through with Apple 
>>> resetting the password.
>>> (I probably would have used the Terminal thing as a last resort, as yes it 
>>> resets Keychain and this makes a whole other issue where passwords stored 
>>> there are a) lost or b) almost non-retrievable. And even if retrieved via a 
>>> TimeMachine backup they will be locked away under the “original” password.)
>>> 
>>> As Peter has mentioned unfortunately these days everything has to be a lot 
>>> more secure. The flip side to this would be a lot more hacking of details, 
>>> a lot more social engineering of personal details and a lot more user data 
>>> out in the open. So with things like 2-factor authentication, recovery via 
>>> email of forgotten details, and stronger passwords Apple (and others) are 
>>> doing as much as they can do to protect personal data.
>>> I’d personally prefer it this way, than people having access to my data. I 
>>> like the security of 2-factor authentication knowing that even if someone 
>>> got my AppleID password they can’t access it without physical access to my 
>>> iPhone. (which is also locked, and 10 wrong attempts will just wipe my 
>>> device). I’d rather know my data is as secure as possible and harder for 
>>> others to try and get than a lot less security and easier ways to try and 
>>> get my data. (only have to look at the 4 years that yahoo accounts got 
>>> hacked for example with no notification to their users). And we see a lot 
>>> more of these where some companies seem to be a bit less “slack” about some 
>>> things, and more personal data gets “hacked”.
>>> (I know where two of my spams come from as they come to two email addresses I 
>>> used for Dropbox and Adobe. So I know those two accounts that get spammed 
>>> were two email addresses I used that were “taken” in a list from both of those 
>>> companies.) The spam comes addressed to those two email addresses which I 
>>> then went and closed off and 

Re: Too many passwords

2018-12-04 Thread Tim Law
Alex,

In a blog posting, the owner of 1Password talked about the benefits to the user 
of using normal words rather than a collection of wild letters and numbers. If 
you ever have to physically enter a password it is much easier to write 
“sung.7Persuade.pushy” than a random string and apparently just as secure as 
long as the words would never normally appear together.  I’ve added in the 7 
and the upper case P and it creates a highly secure password that shows all 
green on those little slider indicators.

Regards

Tim



Sent from Tim's Retina iPad 2

> On 4 Dec 2018, at 11:35 pm, Alex  wrote:
> 
> Thanks Daniel, that was very helpful on a very vexatious issue.
> 
> Couple queries tho’.  Do you have any opinion on LastPass?  I have used it in 
> a Windows environment.
> 
> And, if one is to use a password management programme, would it then be 
> advisable to set up random letters, numbers & characters as passwords rather 
> than the usual passwords one makes up?
> 
> Cheers,
> 
> Alex Novakovic
> 
>> On 3 Dec 2018, at 12:29 pm, Daniel Kerr  wrote:
>> 
>> Hi Pat
>> 
>> If you enter the AppleID (which is also used for iCloud, as they are 
>> generally one and the same thing), more than 3 times, then yes it will 
>> generally want you to reset it.
>> You can do this by a few options - some are automated, and don’t require 
>> calling Apple.
>> If you have access to the email address, you can request an email that will 
>> step you through resetting your password.
>> Generally if I want to “Test” a password for a client to see if it’s correct 
>> or not, then I will use the “main” Apple site - applied.apple.com
>> By putting in the email address and password then it will ensure if it’s 
>> correct or not. If it logs in - the password is correct. If it advises it 
>> isn’t correct then a few tries before the option of resetting it (normally 
>> via the email option). It’s very rare to have to call Apple for this at all 
>> I find. It’s all automated.
>> 
>> *Generally* (and I use this term lightly) the computer password will be 
>> different to the AppleID password. Though,…in some of the later systems, 
>> this can be reset by the same AppleID.
>> In System Preferences - Users & Groups - “username” (on the left hand side). 
>> On the right hand side there is a tick box that says “Allow user to reset 
>> password using Apple ID”. If this is ticked, then the AppleID can be used to 
>> change the computer password. And then (generally) these are one and the 
>> same.
>> I personally prefer to keep these different, so the computer password is 
>> completely different to my AppleID. (for security reasons).
>> 
>> This could be where (if you had ticked) some of the issue could have 
>> happened in your last post to the list where you went through with Apple 
>> resetting the password.
>> (I probably would have used the Terminal thing as a last resort, as yes it 
>> resets Keychain and this makes a whole other issue where passwords stored 
>> there are a) lost or b) almost non-retrievable. And even if retrieved via a 
>> TimeMachine backup they will be locked away under the “original” password.)
>> 
>> As Peter has mentioned unfortunately these days everything has to be a lot 
>> more secure. The flip side to this would be a lot more hacking of details, a 
>> lot more social engineering of personal details and a lot more user data out 
>> in the open. So with things like 2-factor authentication, recovery via email 
>> of forgotten details, and stronger passwords Apple (and others) are doing as 
>> much as they can do to protect personal data.
>> I’d personally prefer it this way, than people having access to my data. I 
>> like the security of 2-factor authentication knowing that even if someone 
>> got my AppleID password they can’t access it without physical access to my 
>> iPhone. (which is also locked, and 10 wrong attempts will just wipe my 
>> device). I’d rather know my data is as secure as possible and harder for 
>> others to try and get than a lot less security and easier ways to try and 
>> get my data. (only have to look at the 4 years that yahoo accounts got 
>> hacked for example with no notification to their users). And we see a lot 
>> more of these where some companies seem to be a bit less “slack” about some 
>> things, and more personal data gets “hacked”.
>> (I know where two of my spams come from as they come to two email addresses I 
>> used for Dropbox and Adobe. So I know those two accounts that get spammed 
>> were two email addresses I used that were “taken” in a list from both of those 
>> companies.) The spam comes addressed to those two email addresses which I 
>> then went and closed off and changed.
>> This was another interesting site where I could check which “places” my 
>> email address may have been taken from - https://haveibeenpwned.com
>> This came from an article I read ages ago here - 
>> 

Re: Too many passwords

2018-12-04 Thread Daniel Kerr
Hi Alex

Thanks for that, glad it was helpful.

In answer to your questions.
1. I haven’t really used LastPass, so I can’t really comment on it. I’ve just 
always used 1Password. I think I had some reservations on LastPass, but that 
was ages ago and I can’t recall what it was now. Perhaps it was something to do 
with who owned it? Or possibly because they once had a breach (again I think it 
was a long time ago). Whereas I’ve never heard of AgileBits ever having 
problems. They (1Password/AgileBits) always seem more on top of things with 
info, updates, on top of security stuff. But that could be my bias,…lol.
So seeing as I have never used LastPass I can’t really say. A quick search 
seems that they do rate a little “better” in some things - 
https://www.digitaltrends.com/computing/lastpass-vs-1password-comparison/
I think (but I could be wrong) that 1Password has been around a lot longer than 
LastPass - so that could be another reason I use it. :)

2. Yes, generally once using a Password Manager it’s best to go through and 
replace passwords for more random generated ones. Most programs will do this 
for you. And they generally offer an “audit” feature as well. So you can let it 
audit your passwords to see if you need to change any, or any are poor in 
“quality”. And given that the software manages it for you, you don’t actually 
have to remember them. As it does that for you and auto fills it in if you want 
to. (or can look it up if really need to know what it is).
I use a mixture of both generated from 1Password and Apple’s auto-generate 
feature as well. And I have iCloud Keychain set on. So my passwords sync to my 
laptop, iMac, iPad and iPhone. So doesn’t matter what I use, all the 
information is there.
With my iPhone and iPad, I have those set to 10 wrong attempts of the login 
passcode will erase the device. As then even though everything is “Secure” and 
locked away, it just means if someone gets them and tries to break into it, it 
will completely remotely wipe the device after 10 wrong attempts. And given 
it’s backed up to iCloud and my computer daily I won’t actually lose anything. 
The person will get my items, but all my personal “stuff” will be deleted.
(Not that I actually have anything to hide, as it’s all encrypted, but it’s 
just a “nice feeling” to know that the info won’t go anywhere. Though I did 
have to tell my son many years ago he couldn’t play with my phone and code,…as 
“Daddy didn’t want him to wipe my stuff”. :) Now with FaceID and/or Fingerprint 
ID I don’t really use Passwords all that much. As most programs like my banking 
and 1Password will unlock via FaceID. (or FingerprintID on my iPad Gen6).
But yes, to answer your question (sorry, I get sidetracked sometimes,…lol) - 
yes, it’s a good idea to replace passwords. As I “upgrade” some sites here and 
there I go through and change them all. So they tend to be updated every 2-3 
years anyway. And some wholesaler I use I have to do it every 6 months anyway.

Hope that extra info helps. :)

Kind regards
Daniel

---
Daniel Kerr
MacWizardry

Phone: 0414 795 960


**For everything Apple**

NOTE: Any information provided in this email may be my personal opinion and as 
such should be taken accordingly, and may not be the views of MacWizardry. Any 
information provided does not offer or warrant any form of warranty or accept 
liability. It would be appreciated that if any information in this email is to 
be disseminated, distributed or copied, that permission by the author be 
requested. 

> On 4 Dec 2018, at 11:35 pm, Alex  wrote:
> 
> Thanks Daniel, that was very helpful on a very vexatious issue.
> 
> Couple queries tho’.  Do you have any opinion on LastPass?  I have used it in 
> a Windows environment.
> 
> And, if one is to use a password management programme, would it then be 
> advisable to set up random letters, numbers & characters as passwords rather 
> than the usual passwords one makes up?
> 
> Cheers,
> 
> Alex Novakovic
> 
>> On 3 Dec 2018, at 12:29 pm, Daniel Kerr  wrote:
>> 
>> Hi Pat
>> 
>> If you enter the AppleID (which is also used for iCloud, as they are 
>> generally one and the same thing), more than 3 times, then yes it will 
>> generally want you to reset it.
>> You can do this by a few options - some are automated, and don’t require 
>> calling Apple.
>> If you have access to the email address, you can request an email that will 
>> step you through resetting your password.
>> Generally if I want to “Test” a password for a client to see if it’s correct 
>> or not, then I will use the “main” Apple site - applied.apple.com
>> By putting in the email address and password then it will ensure if it’s 
>> correct or not. If it logs in - the password is correct. If it advises it 
>> isn’t correct then a few tries before the option of resetting it (normally 
>> via the email option). It’s very rare to have to call Apple for this at all 
>> I find. It’s all 
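
Added example, not part of any poster's message: a comparison of the two approaches discussed in this thread, word-based passwords in the "sung.7Persuade.pushy" style and random-character passwords from a password manager, measured in bits of entropy when every choice is made by a random generator. The word-list size of 7776, the 94-character alphabet, the short sample word list and all function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumption: 7776 (= 6**5) is the size of a dice-style word list. The short
# list below is a constructed sample so the block runs offline; entropy figures
# must be computed from the size of the list actually sampled from.
WORDLIST_SIZE = 7776
SAMPLE_WORDS = ["sung", "persuade", "pushy", "anchor", "velvet", "orbit",
                "cactus", "lantern", "mellow", "quartz", "timber", "walrus"]
# Letters, digits and punctuation: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def passphrase_bits(list_size, n_words, decorate=False):
    """Bits of entropy for n_words drawn uniformly, with replacement."""
    bits = n_words * math.log2(list_size)
    if decorate:
        # One word, chosen at random, gets a random digit in front and a
        # capital first letter: 10 digits x n_words positions.
        bits += math.log2(10 * n_words)
    return bits


def random_string_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random string."""
    return length * math.log2(alphabet_size)


def words_needed(list_size, target_bits):
    """Smallest undecorated word count that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, n_words=3, sep=".", decorate=True):
    """Build a passphrase with the OS CSPRNG; hand-picked words have less entropy."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    if decorate:
        i = secrets.randbelow(n_words)
        chosen[i] = str(secrets.randbelow(10)) + chosen[i].capitalize()
    return sep.join(chosen)


def generate_random_string(length=20):
    """Random-character password of the kind a password manager generates."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    print(f"3 words:            {passphrase_bits(WORDLIST_SIZE, 3):.1f} bits")
    print(f"3 words, decorated: {passphrase_bits(WORDLIST_SIZE, 3, True):.1f} bits")
    print(f"12 random chars:    {random_string_bits(12):.1f} bits")
    print("words to match 12 random chars:",
          words_needed(WORDLIST_SIZE, random_string_bits(12)))
```

Under these assumptions, a three-word passphrase gains about five bits from the added digit and capital, while each extra random word adds about thirteen.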

Re: Too many passwords

2018-12-04 Thread Alex
Thanks Daniel, that was very helpful on a very vexatious issue.

Couple queries tho’.  Do you have any opinion on LastPass?  I have used it in a 
Windows environment.

And, if one is to use a password management programme, would it then be 
advisable to set up random letters, numbers & characters as passwords rather 
than the usual passwords one makes up?

Cheers,

Alex Novakovic

> On 3 Dec 2018, at 12:29 pm, Daniel Kerr  wrote:
> 
> Hi Pat
> 
> If you enter the AppleID (which is also used for iCloud, as they are 
> generally one and the same thing), more than 3 times, then yes it will 
> generally want you to reset it.
> You can do this by a few options - some are automated, and don’t require 
> calling Apple.
> If you have access to the email address, you can request an email that will 
> step you through resetting your password.
> Generally if I want to “Test” a password for a client to see if it’s correct 
> or not, then I will use the “main” Apple site - applied.apple.com
> By putting in the email address and password then it will ensure if it’s 
> correct or not. If it logs in - the password is correct. If it advises it 
> isn’t correct then a few tries before the option of resetting it (normally 
> via the email option). It’s very rare to have to call Apple for this at all I 
> find. It’s all automated.
> 
> *Generally* (and I use this term lightly) the computer password will be 
> different to the AppleID password. Though,…in some of the later systems, this 
> can be reset by the same AppleID.
> In System Preferences - Users & Groups - “username” (on the left hand side). 
> On the right hand side there is a tick box that says “Allow user to reset 
> password using Apple ID”. If this is ticked, then the AppleID can be used to 
> change the computer password. And then (generally) these are one and the same.
> I personally prefer to keep these different, so the computer password is 
> completely different to my AppleID. (for security reasons).
> 
> This could be where (if you had ticked) some of the issue could have happened 
> in your last post to the list where you went through with Apple resetting the 
> password.
> (I probably would have used the Terminal thing as a last resort, as yes it 
> resets Keychain and this makes a whole other issue where passwords stored 
> there are a) lost or b) almost non-retrievable. And even if retrieved via a 
> TimeMachine backup they will be locked away under the “original” password.)
> 
> As Peter has mentioned unfortunately these days everything has to be a lot 
> more secure. The flip side to this would be a lot more hacking of details, a 
> lot more social engineering of personal details and a lot more user data out 
> in the open. So with things like 2-factor authentication, recovery via email 
> of forgotten details, and stronger passwords Apple (and others) are doing as 
> much as they can do to protect personal data.
> I’d personally prefer it this way, than people having access to my data. I 
> like the security of 2-factor authentication knowing that even if someone got 
> my AppleID password they can’t access it without physical access to my 
> iPhone. (which is also locked, and 10 wrong attempts will just wipe my 
> device). I’d rather know my data is as secure as possible and harder for 
> others to try and get than a lot less security and easier ways to try and get 
> my data. (only have to look at the 4 years that yahoo accounts got hacked for 
> example with no notification to their users). And we see a lot more of these 
> where some companies seem to be a bit less “slack” about some things, and 
> more personal data gets “hacked”.
> (I know where two of my spams come from as they come to two email addresses I 
> used for Dropbox and Adobe. So I know those two accounts that get spammed 
> were two email addresses I used that were “taken” in a list from both of those 
> companies.) The spam comes addressed to those two email addresses which I 
> then went and closed off and changed.
> This was another interesting site where I could check which “places” my email 
> address may have been taken from - https://haveibeenpwned.com
> This came from an article I read ages ago here - 
> https://www.businessinsider.com.au/new-email-scam-uses-old-password-fake-porn-threats-webcam-video-bitcoin-2018-7?r=US=T
> 
> The downside to all the security obviously is having a lot more (different) 
> passwords. This is where things like Keychain Access, 1Password etc come in 
> very handy to store all the passwords in for me. (even things like the WAMUG 
> mailing list, and the WAMUG committee mailing list I have stored to access so 
> I can look after the behind the scenes things for it. And a lot more 
> passwords linked to different things for even those that need passwords as 
> well).
> So without having to remember them all, that’s where the above programs 
> become “life savers”. (and I have them stored in 2 different programs should 
> one “fail”).
> The other