
A postcard from #password Nirvana using @Apple passwords and code generator

In late December, I commenced a fascinating geek journey – I decided to cross the password Rubicon. I’m across now. I’m so happy I did.

In my original post of 30 December 2022, I made a few observations at the start of the journey. Key amongst those observations were:

  1. Apple was telling me that I had 250 passwords “at risk” (because the login and password had appeared in compromises).
  2. I wanted to simplify everything by totally “outsourcing” all passwords, logins and two-factor authentication to Apple wherever I could.

When I started, here was my situation:

  1. Over the last 20 years, I had accumulated over 300 logins and passwords, of which 250-plus had been compromised through data heists (according to Apple).
  2. When I first started in the password world, I adopted two or three passwords that I would use for everything. In hindsight, that was a big mistake. That said, I have never had an issue with compromised passwords.
  3. I had my passwords in a mix of 1Password and Apple Keychain/Passwords. I preferred getting the two-factor authentication (2FA) code texted to me. When that wasn’t available, I also used Google and Microsoft Authenticator (I didn’t realise you could do it with Apple). I also signed in with Google, Facebook, Microsoft and Amazon on some sites. I have never used LastPass, Authy or similar.
  4. This complicated mess put me at risk and ‘strained the brain’.

After some research, I decided to:

  • Let Apple manage everything (as in storing the passwords and syncing them between devices)
  • Let Apple suggest my passwords
  • Let Apple be my 2FA code generator
  • Use “Sign in with Apple”, where I could

What did this mean?

  • I had to go to the 250-plus sites Apple identified as “at risk”. I decided to do 30 to 50 a day (depending on the mood).
  • I had to go to some websites and choose the code generator rather than SMS for 2FA.
  • I made sure every login was based on my primary email address.

What did I learn?

  1. It is a simple process to do this. It takes time, and you learn much about companies and governments and their approach to security, privacy, customer service and technology.
  2. A number of these logins and passwords were “old”. The providers had deleted my login credentials or closed the service I was using. Indeed, some places had gone out of business!
  3. Several places said my login and password had been compromised, and they made me change them when I went there.
  4. Many places manage passwords by “Forgot password” or “Request a password reset” rather than giving you the ability to change it once you are already authorised and “in”.
  5. Sign-in with Apple was available in around a third of the places I visited.
  6. When you return, there’s no way of knowing if you have used “Sign in with Apple”. It is sometimes a bit of a guess. It would be good to see this addressed in the future, somehow.
  7. Sometimes when I chose “Sign in with Apple”, it would recognise my email address and ask permission to merge “Sign in with Apple”, a new password and existing information into one credential (which I was fine about). 
  8. Apple’s password manager and code generator sometimes auto-populate the code the website requests.
  9. I also had an experience in December where I was on Starlink low-orbit satellite internet in a place that didn’t have 4G telephony. Thus I couldn’t get some 2FA codes as they were sent by SMS rather than via data. This remains a problem but is primarily solved by moving to on-device 2FA.
  10. Some sites, like WordPress, Google/YouTube and LinkedIn, want you to use their own iOS app as the 2FA authenticator first. I was OK with that.
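Point 9 is worth pinning down, because it explains why the move away from SMS helps. An on-device code generator implements RFC 6238 TOTP: the code is an HMAC over a shared secret and the current 30-second time step, so once the secret has been enrolled nothing has to be received from the provider, over SMS or otherwise. The following is an added Python example written for this post, not Apple’s implementation; the secret is the RFC 4226/6238 test secret, and the otpauth enrolment URI (the kind of thing a provider’s QR code encodes) is constructed, with a made-up label and issuer.

```python
"""Minimal RFC 6238 TOTP generator/verifier (added example, not Apple's code).

An on-device code generator needs only the shared secret enrolled at set-up
time plus a reasonably accurate clock, which is why it keeps working where
SMS delivery does not.
"""
import base64
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

# Constructed enrolment URI; the label and issuer are made up, the secret is
# the RFC test secret in base32 (as it would appear in a provider's QR code).
EXAMPLE_OTPAUTH_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, period: int = 30,
         digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                window: int = 1, period: int = 30, digits: int = 6,
                algorithm: str = "sha1") -> bool:
    """Server-side check: accept the current step plus/minus `window` steps of
    clock skew, comparing in constant time so the check itself leaks nothing."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(
        hmac.compare_digest(hotp(secret, step + skew, digits, algorithm), code)
        for skew in range(-window, window + 1)
    )


def parse_otpauth(uri: str) -> dict:
    """Decode an otpauth://totp/ URI into label, secret, digits, period, algorithm."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    params = parse_qs(parts.query)
    secret_b32 = params["secret"][0].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding QR codes usually omit
    return {
        "label": unquote(parts.path.lstrip("/")),
        "secret": base64.b32decode(secret_b32),
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].lower(),
    }


if __name__ == "__main__":
    enrolled = parse_otpauth(EXAMPLE_OTPAUTH_URI)
    print(enrolled["label"], totp(enrolled["secret"], period=enrolled["period"],
                                  digits=enrolled["digits"], algorithm=enrolled["algorithm"]))
```

The `verify_totp` side is what the website runs; the `window` of one step either way is the usual allowance for a phone clock that is a few seconds off, and widening it much beyond that mostly helps an attacker who has captured an old code.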

A few odd things:

  1. When Apple suggests a password, sometimes it doesn’t remember it when you change it. So I would copy the password when it was offered. If Apple hadn’t updated its records, I would paste it in when trying to authenticate (you’ll get what I mean).
  2. I have four iCloud accounts – one for my “life”, one for media and purchases on the Australian App/Music/TV store, and then two more (for the US and UK app stores). Interestingly, when I went to the Apple ID site to change these passwords, it wouldn’t do the “Suggest strong password” thing. I had to make up my own.

So, today I live in password Nirvana:

  1. I don’t have to remember any passwords.
  2. All of my 250 passwords are different.
  3. Nearly all of my logins are the same email address.
  4. I don’t have multiple 2FA means for 99 per cent of my logins. I use the Apple Password Manager and Apple Code Generator. Sometimes SMS or an app is used for 2FA when the provider insists.
  5. When I land on a site that offers “Sign in with Apple”, I click that first to see what happens.
  6. If one of my passwords gets compromised in the future, I only have to change that one password now rather than all of them.
  7. I could export all passwords for inclusion in my legacy file for the family.
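The first four points on that list can be checked mechanically against the exported file rather than taken on trust. As an added example (not code from the original post or from Apple), here is a Python audit over a password-manager CSV export: it flags any password used for more than one login, any login not on the primary email address, and any entry with no verification code set up. The column names (Title, URL, Username, Password, Notes, OTPAuth) are my assumption about the layout the Passwords app exports; the rows are constructed sample data, not real credentials, and findings are reported by entry title so the secrets never appear in the output.

```python
"""Audit a password-manager CSV export (added example, not Apple's code).

Assumed export columns: Title,URL,Username,Password,Notes,OTPAuth.
Findings are reported by entry title only; secrets never leave the process.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export; none of these are real credentials.
SAMPLE_EXPORT = """Title,URL,Username,Password,Notes,OTPAuth
Example Shop,https://shop.example,me@example.com,tKq7-Pm2x-Wn9Z-bR4f,,otpauth://totp/Shop:me@example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
Old Forum,https://forum.example,me@example.com,summer2012,,
Example Bank,https://bank.example,me@example.com,summer2012,,otpauth://totp/Bank:me@example.com?secret=JBSWY3DPEHPK3PXP
Media Store,https://media.example,media@example.com,Ld8v-Hq3n-Zx1c-Tp5m,,
Old Newsletter,https://news.example,me@example.com,summer2012,Site closed in 2019,
"""


def load_export(text: str) -> list:
    """Parse the CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def reused_passwords(rows) -> list:
    """Groups of titles sharing one password; only passwords used more than once."""
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["Password"]].append(row["Title"])
    return sorted(titles for titles in by_password.values() if len(titles) > 1)


def off_primary_logins(rows, primary_email: str) -> list:
    """Titles whose username is not the primary email address."""
    return sorted(row["Title"] for row in rows
                  if row["Username"].strip().lower() != primary_email.lower())


def without_otp(rows) -> list:
    """Titles with no verification-code (otpauth) secret stored."""
    return sorted(row["Title"] for row in rows if not row["OTPAuth"].strip())


def audit(text: str, primary_email: str) -> dict:
    """Run all three checks over an export and return the findings."""
    rows = load_export(text)
    return {
        "entries": len(rows),
        "reused": reused_passwords(rows),
        "off_primary": off_primary_logins(rows, primary_email),
        "no_otp": without_otp(rows),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT, "me@example.com")
    print(f"{report['entries']} entries")
    for group in report["reused"]:
        print("same password shared by:", ", ".join(group))
    print("not on primary email:", report["off_primary"])
    print("no verification code:", report["no_otp"])
```

Run it against the real export only on the machine you exported to, and delete the CSV afterwards: an unencrypted export is the one place where every password sits in plain text at once.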

What I did was an interesting geek project, but one that could avert many potential problems. To me, fixing up your online credentials is as important as getting your backup strategy right. Both are essential for good geek housekeeping and hygiene.
