2 factor is not the same as 2 step. 2 factor is more secure.

Google Authentication can be done via a 3rd party app. I use my 1Password actually, which makes Google's method 2 step, not 2 factor.

Apple's "2 factor" works by pushing a system notification to your iPhone. A phone number isn't needed to do this. However, Apple uses a phone number as a fallback if the push doesn't work for whatever reason. This phone number part is what keeps Apple's method from being true 2FA.

Neither Google's nor Apple's is true 2FA, but Apple's is more secure because you can't use other apps to authenticate.

Ok... so you haven't explained what real 2 factor authentication is? And I really don't buy Apple's system being any more secure when it works in the exact same way as Google's.
 
The sites which have had big credential losses were not attacked via phishing and a brute force attack does not require passwords to be dictionary words.

Do you actually read what I write!
Most people use dictionary words (or variants of these), especially those linked to them in some way (info obtained through social engineering); that's why it's actually even possible to brute force these things.
Which password is easier to guess from the encrypted hash: lovebird3 or l,j6!lo:y?

They'll go first through the dictionary because the factorial combinations for numbers+letters+symbols is around 3.856204823 E+215 combinations for 8 letters (if I use a Unicode letter, then the combination explodes to over 10 E+10000 (and more)); call me back when a quantum computer that can run this comes around.

Hackers go for the low hanging fruit.

The low hanging fruit are, in order: SOCIAL ENGINEERING, brute forcing with dictionary password files, then the MITM attack.
 
Ok... so you haven't explained what real 2 factor authentication is? And I really don't buy Apple's system being any more secure when it works in the exact same way as Google's.

Two factor is authentication based on something you know and have. Two step authentication can be made up of two things you know.

Apple's system is more secure because they don't allow you to use an app. I can use various apps with Google to authenticate.
They're safe if they're not dumb as bricks and don't actually respond to these phishing things or use the same short passwords on 20 different sites. That's the main issue there.
If security is onerous, people don't use it. The reason they don't use 2 factor is the same reason they reuse those shortish bad passwords.

The simplest way for these people to protect themselves would be to use some biometric key linked to a list of registered devices for this key. Each time you add a device you'd have to authenticate it (that's what happens right now for many of the big players even if you don't use 2 factor). On devices with no biometrics, you could force a long password login (eventually those devices will be few).

You're relying on a person not making a mistake and falling for scams. Long passwords are better than short ones, but having 2FA turned on is even better. What makes something more secure is the collective sum of multiple security measures.
 

What makes something secure is USING IT.
For a lot of people two factor is a bother so they don't use it (thus no security).

That's why Touch ID is more secure than the password, because people will actually use it instead of having to input a long password.

Anything that reduces friction to security is a plus. If someone just has to remember not to click and log in on links from unsolicited emails they receive once in a while, that's still less friction to security. If my 70-year-old mother can do it, I think most people can do it.

The user is the weakest link in any security and that's why education and reducing friction to security is the best bet.

I'm all for biometric keychains where a new device can be authorized to use it (the first time you try to log in with something in the keychain).
 

You're arguing about different things. Is it easier to not use 2FA? Yes.

Could you get the same security without it? No and that's the point I'm stating. A user suggested a long password is enough, when that's false. At no point did I bring up usability.

Yeah it's easier to not have 2FA, but you're also less secure without it.
 

Well, usability is critical because that's why he was probably asking in the first place...
Why would people not use what's more secure, or any security at all? Well, because it's often a pain in the ass (or perceived to be).
A very good password used with care is secure enough, and provides less friction if the person is attentive.
Even better, a good password you don't even have to remember and that will not be cracked (like biometric ones).
The less the user is involved in managing his own security, the better it will be.

If you've got 30 different services all with 2FA, then it will become properly hellish (even more hellish than trying to remember 30 passwords). Of course, you can then get into frameworks like OpenID that simplify this kind of thing.

Security is a mess and the people dealing with it are also a mess. With IoT and automation (car, home) on top of this, and the dilettante way those devices and users deal with security, it will get mucho bad in the near future.
 
Well, usability is critical cause that's why he was probably asking in the first place...

His/Her talking point was long passwords are hard to guess and thus secure enough. That's a false sense of security and I stated 2FA is more secure. At no point did I bring up usability.

2FA is more secure, period. I would agree with you that 2FA is more of a hassle, but that's not what I was discussing.
 
Exactly - 2 factor is key here and everyone should be using it these days. Makes these idiot "hackers" impotent to do anything at all.


Real hackers are constructive and without them there would be no web, computers or e-mail.
Calling them Hackers is the same as saying a Muslim commits acts of terror.
 
"There have not been any breaches in any of Apple's systems including iCloud and Apple ID," the spokesperson said. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."

Sounds to me like they're blaming others.
Um... English is my third language but this is reading comprehension fail on your part...

Let's break down the sentences, kids:

1. "There have not been any breaches in any of Apple's systems including iCloud and Apple ID," the spokesperson said. = NO COMPROMISES DETECTED on any Apple systems.
2. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services." = The list is a rehash of a previously obtained list.

Where does it blame anyone for anything? LMAO

Do they teach reading comprehension anymore in the States?!

I log in here to read some pithy and funny reactions and the occasional positive/smart reactions. This is plain ridiculous.
 
Real hackers are constructive and without them there would be no web, computers or e-mail.
Calling them Hackers is the same as saying a Muslim commits acts of terror.

The quotes were supposed to imply derision (i.e. these aren't real hackers). Sorry if that was unclear.
 
which password is easier to guess from the encrypted hash? : lovebird3 or l,j6!lo:y
What about strawmanlovebirdcorruption59849129 vs l,j6!lo:y ?

Nobody advises using a common word followed by a single digit. You start with multiple words, or other items that are memorable to you.
 
This is why I always just use 'Password123', because it's got a capital letter, which all sites require, and some numbers, which they also require.
 
I got an email saying someone used my Apple ID to sign into iCloud on an iPhone 7 this morning.
My account showed an extra device so it looks like the email from Apple was genuine.
I have Two Factor Authentication turned on so how would this be possible?

**EDIT**

On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).

I changed my password but didn't click on any links in the email - I never do.

I think the device that was showing on my account must have been my old iPhone 7 Plus that went faulty and Apple replaced.

I don't think anyone actually managed to get into my account after all.
 
I got an email saying someone used my Apple ID to sign into iCloud on an iPhone 7 this morning.

My account showed an extra device so it looks like the email from Apple was genuine.

I have Two Factor Authentication turned on so how would this be possible?
Did you click the link in the email or type iCloud.com in the browser? Was an alternate authentication method hacked, or did someone use your phone? Or was your computer hacked or something like that? Did you call Apple?
 
I'm not going to lose any sleep over this. Good luck guessing my unique password & my 2FA code.

2FA is certainly important and in my opinion, too many iPhone users have no idea what it is or how to enable it. And nor do some care to, until they fall victim.
 
Did you click the link in the email or type iCloud.com in the browser? Was an alternate authentication method hacked, or did someone use your phone? Or was your computer hacked or something like that? Did you call Apple?

On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).

I changed my password but didn't click on any links in the email - I never do.

I think the device that was showing on my account must have been my old iPhone 7 Plus that went faulty and Apple replaced.

I don't think anyone actually managed to get into my account after all.
 

Except when you have a "complicated" password; I would say although two-factor makes it "more secure", the fact that you have a complicated password means two-factor is "less of a need" than with a weak password.

Basically, as long as all your passwords are secure and never repeated anywhere else, there is less of a need for two-factor. If you have done it right, you wouldn't need extra protection (including but not limited to complicated/impossible-to-answer security questions).

Two-factor is a bother to use, but *if* you have simple passwords then you're fooling yourself by not using it. You're at higher risk than those people with a complex password who don't use two-factor.
 
On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).

I like to go to these pages with NoScript enabled after stripping any identifying nonsense from the URL and enter what I think about these jerks as my username and passwords. Sometimes their mothers too.
 

My mother received the same thing... This is basically phishing, you examine the header and the actual links (not the text for the links). Even if you click on the links there is actually no harm unless you actually enter your password in those fake sites.
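The two checks recommended in this thread for the fake "someone signed in on an iPhone 7" mail, namely compare the display name with the real sender address, and compare a link's visible text with its real target, can be automated. The following is an added example, not code from the thread or from Apple: it parses two constructed messages (not real mail), one shaped like the phish described above and one benign, using only the Python standard library. The trusted-domain set is an assumption for the demo.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the demo: domains the brand in the display name legitimately uses.
TRUSTED_DOMAINS = {"apple.com", "icloud.com"}

# Constructed messages, not real mail. The first mimics the alert discussed in
# the thread: display name "Apple", but sender address and link target elsewhere.
PHISH_EML = """\
From: "Apple" <alert@icloud-security-team.example>
To: victim@example.com
Subject: Your Apple ID was used to sign in to iCloud on an iPhone 7
Content-Type: text/html; charset="utf-8"

<html><body><p>Your Apple ID was used to sign in to iCloud from an iPhone 7.</p>
<p>If this wasn't you, go to <a href="http://appleid-verify.example/login">https://appleid.apple.com</a> to secure your account.</p>
</body></html>
"""

LEGIT_EML = """\
From: "Apple" <noreply@apple.com>
To: victim@example.com
Subject: Your Apple ID was used to sign in to iCloud on an iPhone 7
Content-Type: text/html; charset="utf-8"

<html><body><p>Review your devices at <a href="https://appleid.apple.com">https://appleid.apple.com</a>.</p></body></html>
"""


class AnchorCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_sender(from_header: str) -> dict:
    """Display name claims a trusted brand, but the real address is elsewhere."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    brand_in_name = any(d.split(".")[0] in name.lower() for d in TRUSTED_DOMAINS)
    return {"display_name": name, "domain": domain,
            "suspicious": brand_in_name and not is_trusted(domain)}


def check_links(html: str) -> list:
    """Flag anchors whose visible URL differs from the href, or whose href is untrusted."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.anchors:
        actual = host_of(href)
        shown = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if (shown and shown != actual) or not is_trusted(actual):
            findings.append({"shown_host": shown, "actual_host": actual, "href": href})
    return findings


def analyse(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    return {"sender": check_sender(str(msg["From"])), "links": check_links(html)}


if __name__ == "__main__":
    print(analyse(PHISH_EML))
    print(analyse(LEGIT_EML))
```

As the poster above notes, a link like this does no harm by itself; the damage comes from typing a password into the page it opens.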
What about strawmanlovebirdcorruption59849129 vs l,j6!lo:y ?

Nobody advises using a common word followed by a single digit. You start with multiple words, or other items that are memorable to you.

Not sure what your argument is here; we're talking about dictionary attacks because people are dumb enough to use one very common word (with small variants). Even a very short password using Unicode letters, say (élèyà), would be much safer than a 10-letter dictionary word. If you use dictionary words, at least misspell them on purpose; that alone makes the task much harder!

Nobody's using a 30-letter combination of words no matter how safe they are; you're lucky if your stupid users (yeah, I've had to deal with many in my own company) are not using password123 as their password on your network plus every other account they have on the internet. I do enforce something better than that though ;-).
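The dictionary-attack argument that runs through this thread (lovebird3 versus l,j6!lo:y, and later strawmanlovebirdcorruption59849129 versus l,j6!lo:y) can be run rather than argued. Below is an added example, written for this page and not taken from any poster: a wordlist-plus-mangling-rules loop of the kind crackers use, run against unsalted SHA-256 hashes of the three passwords, together with the arithmetic for the search spaces. The wordlist and rule set are constructed and tiny; real attacks use hundreds of millions of leaked passwords and far more rules, but the shape is identical. For reference, the full keyspace of 8 printable-ASCII characters is 95^8, about 6.6 x 10^15 guesses (roughly 52.6 bits), which the function below computes.

```python
import hashlib
import math
import string

# Constructed toy wordlist standing in for a leaked-password list.
WORDLIST = ["password", "love", "bird", "lovebird", "monkey", "dragon",
            "welcome", "strawman", "corruption"]

PRINTABLE_ASCII = 95  # 0x20..0x7E, the usual "letters+numbers+symbols" alphabet


def sha256_hex(pw: str) -> str:
    """Unsalted SHA-256 stands in for whatever a breached site stored."""
    return hashlib.sha256(pw.encode()).hexdigest()


def mangle(word: str):
    """A handful of the rules every cracker applies to every wordlist entry."""
    yield word
    yield word.capitalize()
    for d in string.digits:          # lovebird3
        yield word + d
    for n in range(100):             # lovebird07
        yield word + f"{n:02d}"


def crack(target_hash: str, wordlist=WORDLIST):
    """Dictionary attack: return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force_keyspace(alphabet_size: int, length: int) -> int:
    """Guesses needed to exhaust every string of `length` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(wordlist_size: int, words: int, digits: int) -> int:
    """Guesses to exhaust `words` dictionary words followed by `digits` digits,
    which is what an attacker faces once single-word rules stop working."""
    return wordlist_size ** words * 10 ** digits


def bits(n: int) -> float:
    return math.log2(n)


if __name__ == "__main__":
    for pw in ("lovebird3", "l,j6!lo:y", "strawmanlovebirdcorruption59849129"):
        print(pw, "->", crack(sha256_hex(pw)))
    print("95^8  :", brute_force_keyspace(PRINTABLE_ASCII, 8),
          f"({bits(brute_force_keyspace(PRINTABLE_ASCII, 8)):.1f} bits)")
    print("95^9  :", brute_force_keyspace(PRINTABLE_ASCII, 9),
          f"({bits(brute_force_keyspace(PRINTABLE_ASCII, 9)):.1f} bits)")
    print("3 words of 100k + 8 digits:", passphrase_keyspace(100_000, 3, 8),
          f"({bits(passphrase_keyspace(100_000, 3, 8)):.1f} bits)")
```

lovebird3 falls to the wordlist within a few hundred guesses; l,j6!lo:y is never produced by the rules and must be brute-forced over 95^9, and the three-word passphrase is outside both the single-word rules and any practical brute force, which is the point the "strawmanlovebirdcorruption59849129" reply was making.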
 