In late December, I commenced a fascinating geek journey – I decided to cross the password Rubicon. I’m across now. I’m so happy I did.
In my original post of 30 December 2022, I made a few observations at the start of the journey. Key amongst those observations were :
- that Apple was telling me I had 250 passwords “at risk” (as the login and password had been in compromises).
- I wanted to simplify everything by totally “outsourcing” all passwords, logins and two-factor authentication to Apple where I could.
When I started, here was my situation:
- Over the last 20 years, I had accumulated over 300 logins and passwords, of which 250 plus had been compromised through data heists (according to Apple).
- When I first started in the password world, I adopted two or three passwords I would use for everything. In hindsight, that was a big mistake. That said, I have never had an issue with compromised passwords.
- I had my passwords in a mix of 1Password and Apple Keychain/Passwords. I preferred getting the two-factor authentication (2FA) code texted to me. When that wasn’t available, I also used Google and Microsoft Authenticator (I didn’t realise you could do it with Apple). I also signed in with Google, Facebook, Microsoft and Amazon on some sites. I have never used Last Pass, Authy or similar.
- This complicated mess put me at risk and ‘strained the brain’.
After some research, I decided to:
- Let Apple manage everything (as in keeping them and syncing them between devices)
- Let Apple suggest my passwords
- Let Apple be my 2FA code generator
- Use “Sign in with Apple”, where I could
What did this mean?
- I had to go to 250 plus sites Apple identified as “at risk”. I decided to do 30 to 50 a day (depending on the mood).
- I had to go to some websites and choose to use the code generator rather than SMS to get 2FA.
- I made sure every log-in was based on my primary email address.
What did I learn?
- It is a simple process to do this. It takes time, and you learn much about companies and governments and their approach to security, privacy, customer service and technology.
- A number of these logins and passwords were “old”. They had deleted my login credentials or closed the service I was using. Indeed some places had gone out of business!
- Several places said my login and password had been compromised, and they made me change them when I went there.
- Many places manage passwords by “Forgot password” or “Request a password reset” rather than giving you the ability to change it once you are already authorised and “in”.
- Sign-in with Apple was available in around a third of the places I visited.
- When you return, there’s no way of knowing if you have used “Sign in with Apple”. It is sometimes a bit of a guess. It would be good to see this addressed in the future, somehow.
- Sometimes when I chose “Sign in with Apple”, it would recognise my email address and ask permission to merge “Sign in with Apple”, a new password and existing information into one credential (which I was fine about).
- Apple’s password manager and code generator sometimes auto-populate the code the website requests.
- I also had an experience in December where I was on Starlink low-orbit satellite internet in a place that didn’t have 4G telephony. Thus I couldn’t get some 2FA codes as they were sent by SMS rather than via data. This remains a problem but is primarily solved by moving to on-device 2FA.
- Some sites like WordPress, Google/YouTube and LinkedIn are where you can first use their iOS app as their 2FA authenticator. I was OK with that.
A few odd things:
- When Apple suggests a password, sometimes it doesn’t remember it when you change it. What I would do is copy the password when it offers it. If it didn’t update its records, I would paste it in when trying to authenticate (you’ll get what I mean).
- I have four iCloud accounts – one for my “life”, one for media and purchases on the Australia App/Music/TV store and then two more (for the US and UK app stores). Interestingly, when I went to the Apple ID site to change these passwords, it wouldn’t do the “Suggest strong password” thing. I had to make up my own.
So, today I live in password Nirvana:
- I don’t have to remember any passwords.
- All of my 250 passwords are different.
- Nearly all of my logins are the same email address.
- I don’t have multiple 2FA means for 99 per cent of my log-ins. I use the Apple Password Manager and Apple Code Generator. Sometimes, SMS or an app is used for 2FA when the provider insists.
- When I land on a site that offers “Sign in with Apple”, I click that first to see what happens.
- If one of my passwords gets compromised in the future, I only have to change that one password now rather than all of them.
- I could export all passwords for inclusion in my legacy file for the family.
What I did was an interesting geek-project but one that could avert many potential problems. To me, fixing up your online credentials is as important as getting your back-up strategy right. Both are essential for good geek housekeeping and hygiene.