A couple of critical sites have their own pw - bank, brokerage - but I’m willing to take the risk on Hulu, Hilton Honors, etc
I'm doing some very limited re-use of passwords but linked to different email addresses. But only for services where I have to regularly enter my password.
 
Interestingly, the Apple Upgrade program uses Citizen Bank which has a password reset page that breaks Safari's Password generation code.
 
Does it really matter which part of the credentials pair is unique (and random)? Regardless of which part of the pair you randomise, you need a method to create a random string and a method to store it.

Yes, and potentially quite significantly… the question is more about whether it matters enough to the individual and/or what action(s) the individual wants to do about it after an incident. You're correct in that either way you do it you need to document what is unique although that's where the similarities end.

Generally speaking, if you lose control over your documented unique email addresses all anyone gets is a list of email addresses and where those email address happen to be used. They don't get access to anything at all at this point.

On the other hand, if you are documenting unique passwords you are also documenting where that password is applied. In and of itself that's also nothing; however, if you consider how you lost control of that list… it is not an unreasonable assumption that your email address has gone with it. As such, everything is exposed outside of what has 2SA/2FA activated.

Thing is, each time you use your one and only email address you give away a starting point and half of the credential pair. And that includes merely using your email address for email.
 
> Yes, and potentially quite significantly… the question is more about whether it matters enough to the individual and/or what action(s) the individual wants to do about it after an incident. You're correct in that either way you do it you need to document what is unique although that's where the similarities end.
>
> Generally speaking, if you lose control over your documented unique email addresses all anyone gets is a list of email addresses and where those email address happen to be used. They don't get access to anything at all at this point.
>
> On the other hand, if you are documenting unique passwords you are also documenting where that password is applied. In and of itself that's also nothing; however, if you consider how you lost control of that list… it is not an unreasonable assumption that your email address has gone with it. As such, everything is exposed outside of what has 2SA/2FA activated.

That assumes that breaking into your password vault is a relevant attack vector. That risk is tiny compared to a web server of a service you are using being hacked. And for the vast majority of online services one needs to pay for, your real name is needed (or a unique identifier linked to you like an email address used for PayPal). For any service that involves physical goods, a shipping address is needed. Now somebody might not have your email address and your password root, but your real name or credit card number or shipping address and your password root.

> Thing is, each time you use your one and only email address you give away a starting point and half of the credential pair. And that includes merely using your email address for email.

And each time you use your one and only password root you give away a starting point and half of the credential pair. Email addresses are transmitted much more in the open than any kind of passwords. Heck, when you encrypt emails with one of the common systems (PGP, S/MIME), your email address is still out in the open. Using email addresses as a security token is merely security through obscurity.

Now, that doesn't mean that randomising your email address significantly improves your security. But that it improves your security more than a randomised password, that I don't buy.
 
How would one integrate this password control with a Windows machine? My workstation at the office is Windows. Today I use Intel's True Key on my iPhone, MacBook, iMac and PC.

The only solution I see is to use something like 1Password and, as you create passwords in Keychain, manually add them to 1Password on your phone and sync to the Windows version.

1. Could be any password manager (True Key) that is shared by iOS and Windows. I use 1Password.

2. Yes, it sucks. Just saying it's the only option I see for someone that wants to use Keychain passwords on Windows or Android.
 
How do you force Safari in iOS to recognise a password field?

I’m trying to create an account on a site and Safari thinks the password field is a prompt to enter an existing password, not generate a new one.
 



In iOS 12, Apple has introduced new password-related features that are designed to make it easier for iPhone and iPad users to create strong, secure, and unique passwords for app and website logins. In this guide, we'll show you how to use two of those features: automatic strong passwords and password auditing.


Automatic strong passwords ensure that if you're prompted by a website or app to make up a password on the spot, Apple will automatically offer to generate a secure one for you. Password auditing, meanwhile, flags weak passwords and tells you if a password has been reused for different account login credentials. Here's how to use the two features.

How to Use Automatic Strong Passwords in iOS 12
  1. Launch Safari and navigate to the site asking you to create new login credentials, or launch a third-party app asking you to sign up for a new account.
  2. Enter a username or email address in the first field.
  3. Tap on the Password field - iOS will generate a strong password.
  4. Tap Use Strong Password to accept the password suggestion and save it to your iCloud Keychain.

Pro tip: Next time you need one of your passwords, you can ask Siri. For example, you could say: "Siri, show me my BBC password." Siri will then open up your iCloud Keychain with the relevant entry, but only after you authenticate your identity with a fingerprint, a Face ID scan, or a passcode.

How to Identify Reused Passwords in iOS 12
  1. Launch the Settings app on your iPhone or iPad.
  2. Tap Passwords & Accounts.
  3. Authenticate via Touch ID, Face ID, or your passcode.
  4. Scroll down the list of passwords and tap on any entries with a triangular warning symbol.
  5. Tap Change Password on Website to open the associated website and make the change.

Note that the last screen shows you on which other websites you've used the same password.

Pro tip: You can share passwords with other people directly from the iOS Password Manager via AirDrop. Simply tap the password field and an option to AirDrop the login will appear. The login can be AirDropped to any device running iOS 12 or macOS Mojave.

Article Link: How to Use Automatic Strong Passwords and Password Auditing in iOS 12
I've been trying for a few days to find out if we can specify the requirements of a strong password generated by Safari for a website. For example, a site requires a special character, but only #,$,%, or &. It won't allow the hyphen (minus sign) that Safari uses when you click in the "New Password" field of the website. So the site puts up an error and you have to manually enter a strong password, then manually enter it in the Safari Preferences->Passwords. What a hassle. Is there a way to just specify what the special character should be for this website so Safari can generate its Strong Password using one of the allowed ones?

> Interestingly, the Apple Upgrade program uses Citizen Bank which has a password reset page that breaks Safari's Password generation code.

Oh, yes. I found that out the hard way. My CC was expiring and I didn't know if Citizen's One would transparently use the CC I had at Apple.com or if I needed to update it at Citizen's as well. After fighting with that stupid thing for half an hour, I got it done. Now I probably just confused them.

It's amazing the outdated crap you see on major business sites. As I was updating passwords the other day, I had two sites that e-mailed me a cleartext "temporary" password, and that apparently was the only way you could change passwords.
 
Same goes with that trick of using 4-5 English words. Doesn't matter if attackers know you're doing that as long as you're truly randomly selecting the words. Sadly a so-called "security expert" wrote a really flawed blog post saying it's insecure because attackers know you'll use 4 words. You should really only trust authorities on security, which means don't take my word either.
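The two points raised above (a site that only accepts #, $, % or & as the special character and rejects Safari's hyphen, and the claim that a randomly chosen word passphrase stays secure even when the attacker knows the scheme) both come down to the size of the search space. The following is an added example, not code from the thread or from Apple: it generates a password constrained to a site's allowed character set and length, generates a Diceware-style passphrase, and computes the entropy of each as log2 of the number of equally likely outcomes. The 16-entry wordlist is a constructed stand-in; 7776 is the size of the EFF long wordlist, used only as a reference number in the calculation, and the guess rate passed to years_to_exhaust is a constructed figure.

```python
import math
import secrets
import string
from typing import Optional

# Constructed stand-in for a real wordlist. Only the list's SIZE matters for the
# entropy calculation; the EFF long list has 7776 words (~12.9 bits per word).
SAMPLE_WORDLIST = [
    "apple", "bridge", "candle", "dolphin", "ember", "forest", "glacier", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "nectar", "orbit", "pepper",
]  # 16 words -> exactly 4 bits per word


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options.

    This is log2 of the attacker's search space (choices ** count). It does not
    shrink when the attacker knows the wordlist, the word count or the character
    set: the only secret is which items were drawn (Kerckhoffs' principle).
    """
    return count * math.log2(choices)


def generate_passphrase(word_count: int, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase. secrets.choice draws from the OS CSPRNG;
    random.choice is predictable and must not be used for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length: int, allowed_specials: str,
                      max_length: Optional[int] = None) -> str:
    """Random password constrained to a site's policy: at most `max_length`
    characters, letters and digits, and only the special characters the site
    accepts (the thread's example site takes #, $, % and & but not the hyphen).

    Candidates missing a letter, a digit or an allowed special are rejected,
    since many sites demand one of each class; at these lengths the rejection
    discards few candidates and costs only a fraction of a bit of entropy.
    """
    if not allowed_specials:
        raise ValueError("need at least one allowed special character")
    if max_length is not None:
        length = min(length, max_length)
    if length < 3:
        raise ValueError("policy leaves no room for one of each character class")
    alphabet = string.ascii_letters + string.digits + allowed_specials
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c in string.ascii_letters for c in candidate)
                and any(c in string.digits for c in candidate)
                and any(c in allowed_specials for c in candidate)):
            return candidate


def satisfies_policy(password: str, allowed_specials: str, max_length: int) -> bool:
    """Check a password against the same site policy before submitting it."""
    alphabet = set(string.ascii_letters + string.digits + allowed_specials)
    return (
        1 <= len(password) <= max_length
        and set(password) <= alphabet
        and any(c in allowed_specials for c in password)
    )


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who knows the scheme to try every
    possibility at the given guess rate (the rate is a constructed figure)."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Five words from a 7776-word list vs a 20-character password over 62+4 symbols.
    words_bits = entropy_bits(7776, 5)
    chars_bits = entropy_bits(len(string.ascii_letters + string.digits + "#$%&"), 20)
    print(f"5-word passphrase: {words_bits:.1f} bits")
    print(f"20-char password : {chars_bits:.1f} bits")
    print("sample passphrase:", generate_passphrase(5))
    pw = generate_password(20, "#$%&", max_length=16)
    print("policy-fitting password:", pw, satisfies_policy(pw, "#$%&", 16))
    print(f"years to exhaust the 5-word space at 1e12 guesses/s: "
          f"{years_to_exhaust(words_bits, 1e12):.1f}")
```

The design point is that the strength comes from the uniform random draw and the number of draws, not from hiding the method; lengthening a passphrase adds about 12.9 bits per word from a 7776-word list, and a site that caps length or restricts the special characters reduces the space in a way the calculation makes visible.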

HAHA!
 
> I've been trying for a few days to find out if we can specify the requirements of a strong password generated by Safari for a website. For example, a site requires a special character, but only #,$,%, or &. It won't allow the hyphen (minus sign) that Safari uses when you click in the "New Password" field of the website. So the site puts up an error and you have to manually enter a strong password, then manually enter it in the Safari Preferences->Passwords. What a hassle. Is there a way to just specify what the special character should be for this website so Safari can generate its Strong Password using one of the allowed ones?

Any answers to this? I used to be able to get in and manually change a password by deleting the dashes or adding a special character if I needed to. But now the text box has "STRONG PASSWORD" overwriting it and I can't edit it at all, so these sites that don't accept Apple's generated password just won't work.
 
> Any answers to this? I used to be able to get in and manually change a password by deleting the dashes or adding a special character if I needed to. But now the text box has "STRONG PASSWORD" overwriting it and I can't edit it at all, so these sites that don't accept Apple's generated password just won't work.

Nothing yet. It took me many hours to go through and fix all the passwords I have.

- First of all, most websites hide the "change password" link somewhere deep inside the site.

- I actually had two websites that wanted to email me a plaintext "temporary" password. Can you imagine?

- A few who would only accept passwords that were shorter than the one Safari Prefs wanted to supply, and no way to edit or specify the length you wanted. I wound up hacking the password down and pasting it in.

- Some put the userID on one page and the password field on a second page, so Safari Prefs gets confused.

- One used a URL that Safari didn't pick up (e.g. "subdomain.domain.com" got stored in Prefs as just "domain.com" and so goes to the wrong page when double-clicked)

- Finally, macOS often could not realize that I had changed the password on the site, and didn't save it. When I tried to test it, it used the old password. I resorted to refreshing the page or going to another page to trigger Safari to save the changed password. Somehow, it doesn't feel the need to save it after it has pasted it in. Go figure.
 