Really? Can you give 3 examples please?
Ideally these examples do not defeat the purpose of a password and do not increase the risk of a password being leaked.

1) In application development it is common to have many services that have service accounts (not personal) that need to be authenticated against. A team will share passwords that need to be secure but shared between a select group of developers.

2) I want to give my girlfriend/mom/sister my Netflix password so she can log into her profile on my Netflix account

3) Husband & wife need to share passwords to log into Netflix/YouTube/Hulu on their iPad for their kids

4) Husband & wife have a shared account for bank/New York Times/<insert desired service here>

5) Guy gives female friend his password to Match.com so she can write and run his profile to help hook him up (friend actually did this years ago)

Passwords should be secured but that does not mean it should never be shared.
Alright, since nobody else has, I'll just drop this here. There's no real reason to make your password "BKtat8uW(aJb" unless you're already using a password manager and will never have to type it — or you just hate yourself.

If you're wanting or needing to remember passwords or relate them to other humans, you can make memorable ones that are just fine (source):

View attachment 765217

Use Diceware:
http://world.std.com/~reinhold/diceware.html

And here's an online Diceware generator using a more up-to-date word list from EFF:
https://www.rempe.us/diceware/#eff
 
Many, many systems will not allow a password like "correct horse battery staple". This is not useful advice since you can't use it everywhere.
And those systems are stupid and authored by people who just want the feel of security. That's kind of the point of the comic.

My old work had some BS system that had all kinds of user-hostile requirements and made us change the thing every 6 weeks -- so I just used the same password over and over and changed one digit at the end. I'd write that digit on my monitor so I knew where I was. Hostility to the user results in people circumventing the system.

Now I use a password manager so all of this is moot anyway, but I couldn't use one there and I had better things to do than learn a new "complex" password every 6 weeks.
That's how I got my 1Password main passphrase. It's all words and there's one digit in it.
 
Surely the person receiving the password, if they have a Mac, can just open Keychain and get the password? Same as one would for shared wifi passwords. Or even just view the website/app password on the phone itself (settings / passwords & accounts).

Storing anything in the Keychain is a security risk. If you're that scared about security, you shouldn't be sharing passwords with anyone nor should you yourself be using the Keychain to store your own passwords.
I don't want to sound like a total noob but how do you do that? I'm guessing the guest needs to be in the list of available Wi-Fis trying to join my network and I should get a popup to share the password.

It's super simple. Here's a quick guide. Works great. Used it just the other day. No more having your friends be like, "The wifi password is C-D-d-#-f-F-4-g-2-3-h-0-0-f-C-4-C" and dealing with typing all that nonsense, just to get it wrong and having to try again.

https://www.payetteforward.com/how-do-i-share-wifi-passwords-on-an-iphone-or-ipad-the-easy-way/
 
Alright, since nobody else has, I'll just drop this here. There's no real reason to make your password "BKtat8uW(aJb" unless you're already using a password manager and will never have to type it — or you just hate yourself.

If you're wanting or needing to remember passwords or relate them to other humans, you can make memorable ones that are just fine (source):

View attachment 765217

It's a good comic, but this isn't good advice anymore. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Basically, password crackers are on to this scheme and have adapted to the point where passwords that are a long string of dictionary words can be cracked in fairly little time.
 
1) In application development it is common to have many services that have service accounts (not personal) that need to be authenticated against. A team will share passwords that need to be secure but shared between a select group of developers.

2) I want to give my girlfriend/mom/sister my Netflix password so she can log into her profile on my Netflix account

3) Husband & wife need to share passwords to log into Netflix/YouTube/Hulu on their iPad for their kids

4) Husband & wife have a shared account for bank/New York Times/<insert desired service here>

5) Guy gives female friend his password to Match.com so she can write and run his profile to help hook him up (friend actually did this years ago)

Passwords should be secured but that does not mean it should never be shared.

Use Diceware:
http://world.std.com/~reinhold/diceware.html

And here's an online Diceware generator using a more up-to-date word list from EFF:
https://www.rempe.us/diceware/#eff

So you have an easy to remember passphrase. For one site.

If the large data breaches have taught us anything, the big danger is in password reuse. Even if you have a heuristic that modifies your password based on the site you are visiting, these patterns are easily identified when passwords from breaches are listed and sorted by, say, email.
 
Nice feature. I can't think of many cases where the average person would want to share a password, but it'll be useful for those rare cases. Most people end up texting the password, which is obviously dangerous, but writing it is too cumbersome.
1) In application development it is common to have many services that have service accounts (not personal) that need to be authenticated against. A team will share passwords that need to be secure but shared between a select group of developers.
This. For pro sites, there's often a way to have everyone make a separate account and authorize them, but it doesn't make sense for a small team. Huge hassle to do that for every single site you have to use. I only bother with it on a few important things like GitHub.
So you have an easy to remember passphrase. For one site.

If the large data breaches have taught us anything, the big danger is in password reuse. Even if you have a heuristic that modifies your password based on the site you are visiting, these patterns are easily identified when passwords from breaches are listed and sorted by, say, email.
Then maybe we could use randomized email addresses :D
And those systems are stupid and authored by people who just want the feel of security. That's kind of the point of the comic.

My old work had some BS system that had all kinds of user-hostile requirements and made us change the thing every 6 weeks -- so I just used the same password over and over and changed one digit at the end. I'd write that digit on my monitor so I knew where I was. Hostility to the user results in people circumventing the system.
Sad but true. I once spent 15 minutes trying to make a password to see whether I got into Princeton for college. Besides being user-hostile, the requirements even decreased the entropy of the password, with things like "no using the same character twice within 5 characters." It wouldn't even take some randomly generated passwords I tried. And it didn't state all the requirements up front (there were too many to list), so I had to keep retrying.

Ended up writing that s*** down in a plain text file on my desktop cause in the end, it was impossible to memorize. Not like it mattered.
 
Nice feature. I can't think of many cases where the average person would want to share a password, but it'll be useful for those rare cases. Most people end up texting the password, which is obviously dangerous, but writing it is too cumbersome.

Moreover I can't think of many services that have the intent of being used as a shared user capability. Mail/chat, banking, gaming, to name a few, seek to prevent sharing of credentials.
 
Moreover I can't think of many services that have the intent of being used as a shared user capability. Mail/chat, banking, gaming, to name a few, seek to prevent sharing of credentials.
Steam and Netflix are two common ones. IDK if they encourage sharing, but they don't discourage it, and people do it. A niche one is all those accounts needed for API access.
 
I typed a passionate post about why you shouldn't be sharing any passwords other than wifi passwords, but I realised it's actually useful for people who do have to share passwords and I don't need to use this function even when it's there.
 
I'm all for this capability, however OldSchoolMacGuy your post is not 100% correct.

Once the password is shared via AirDrop (which is encrypted) it is added to the user's keychain. At that point they can view it in plain text from the app & passwords section in settings. In my opinion this is a non-issue because you trust the person enough to give access, but I wanted to point this out for general knowledge.
This is why it is a good idea to have a separate guest network. Your guests won't be able to see your stuff, and there is no need to worry about the guest who has never installed a security update and is probably loaded with malware. People also share passwords. I take it one step more, I have guest vouchers which will let them on my network for only 24 hours. After this they will need a new voucher.
 
Steam and Netflix are two common ones. IDK if they encourage sharing, but they don't discourage it, and people do it. A niche one is all those accounts needed for API access.

Yes I should have thought of Netflix. Personally I hate the concept... each profile should have linked credentials. Had an in-law come stay for a couple of months, wanted to use the family Netflix account and he wasn't happy when I wouldn't directly give him my Netflix details (I insisted on typing the details in myself...).
 
If you actually do need to share a password (for some reason) despite it being a security risk, am I missing why not just copying and pasting it into an iMessage doesn’t accomplish the same thing?
 
If you actually do need to share a password (for some reason) despite it being a security risk, am I missing why not just copying and pasting it into an iMessage doesn’t accomplish the same thing?

That's exactly it though. This mitigates the security risk of having a plain text password in a message that someone could accidentally access later on down the track.

Also, like any software, it makes the process easier. Using your logic we could all just be storing our passwords in Notes because it "accomplishes the same thing" as a password manager.
 
I'm now considering abandoning 1Password, since AgileBits is pushing me towards a subscription-based model. I'm on 1Password6 and they want $50 to upgrade to 7, or for me to switch to the subscription.
 
I'm now considering abandoning 1Password, since AgileBits is pushing me towards a subscription-based model. I'm on 1Password6 and they want $50 to upgrade to 7, or for me to switch to the subscription.

This is the first paid upgrade for 1Password in 5 years. I fail to see how charging money for software they've developed is "pushing you towards a subscription". You said it yourself - you have the option to purchase a licence for 7 if you don't want a subscription.

Or do you actually believe you're entitled to free upgrades for eternity because you paid once?
 
This is the first paid upgrade for 1Password in 5 years. I fail to see how charging money for software they've developed is "pushing you towards a subscription". You said it yourself - you have the option to purchase a licence for 7 if you don't want a subscription.

Or do you actually believe you're entitled to free upgrades for eternity because you paid once?
Where did I imply I expect a free upgrade? I didn't, actually. You're just jumping to conclusions. I had a family license and now that requires a family subscription, so yes, they are pushing me towards a subscription.

However, I don't want to pay for further updates if macOS and iOS free password mgt do the job well enough for me. I have no desire to pay for a commercial license if I don't need it. I prefer free.
 
Where did I imply I expect a free upgrade? I didn't, actually. You're just jumping to conclusions. I had a family license and now that requires a family subscription, so yes, they are pushing me towards a subscription.

However, I don't want to pay for further updates if macOS and iOS free password mgt do the job well enough for me. I have no desire to pay for a commercial license if I don't need it. I prefer free.

I'm not disagreeing with you and I don't think you have any intention of feeling entitled, but I think what jasonsmith_88 was referring to was this (bolded for emphasis):

I'm on 1Password6 and they want $50 to upgrade to 7, or for me to switch to the subscription.

When I read it, even I (briefly) thought you just wanted free upgrades, but perhaps you worded it wrong or I briefly misunderstood what you meant. I don't know. I do understand why you would be annoyed about it, though.
 
Moreover I can't think of many services that have the intent of being used as a shared user capability. Mail/chat, banking, gaming, to name a few, seek to prevent sharing of credentials.

Really? I can't think of a single major household service that I use that allows for more than one sign-on. As such, my wife and I have a 1Password vault that is shared via Dropbox, and contains banking, utilities, insurance, air miles, toll pass, and a bunch of other services such as Kohl's rewards.

Now, Apple's implementation here is of no use to me, cos I like to change passwords frequently, and I don't want to have to mess around communicating each change to my wife.

I know a lot of couples manage separate bank accounts, etc, but not everyone does. Also, even for the basic stuff, why wouldn't my wife have the admin password to our network and computers?
 
I'm not disagreeing with you and I don't think you have any intention of feeling entitled, but I think what jasonsmith_88 was referring to was this (bolded for emphasis):

When I read it, even I (briefly) thought you just wanted free updates, but perhaps you worded it wrong or I briefly misunderstood what you meant. I don't know. I do understand why you would be annoyed about it, though.

Yeah, I think $50 is overpriced for the upgrade. It used to be $30. I believe the reason for overpricing the standalone upgrade is to encourage (well, really push) users towards the subscription. I plan to stand pat with 1Password 6 that I have, and see how the iOS12/Mojave password management works out.

I'm a software engineer myself, so I really don't expect AgileBits to give me a free upgrade when their business model is to sell commercial software/subscriptions, but I also don't want to continue paying for proprietary/commercial software when there are free alternatives that work well enough for me. It sounds like that might be on the way.
 
Yeah, I think $50 is overpriced for the upgrade. It used to be $30. I believe the reason for overpricing the standalone upgrade is to encourage (well, really push) users towards the subscription. I plan to stand pat with 1Password 6 that I have, and see how the iOS12/Mojave password management works out.

I'm a software engineer myself, so I really don't expect AgileBits to give me a free upgrade when their business model is to sell commercial software/subscriptions, but I also don't want to continue paying for proprietary/commercial software when there are free alternatives that work well enough for me. It sounds like that might be on the way.

I understand where you're coming from. I do think $50 is a bit much, but I'm actually personally fine with $40 (provided the updates and improvements that they've made are valuable enough to me). My only guess with respect to why the pricing is so high is that they believe that $50 would be enough to make them enough money. But I don't work for them, so I don't know; just spit-balling (not to say that what they're doing is justified, in case you were wondering).
 
Alright, since nobody else has, I'll just drop this here. There's no real reason to make your password "BKtat8uW(aJb" unless you're already using a password manager and will never have to type it — or you just hate yourself.

If you're wanting or needing to remember passwords or relate them to other humans, you can make memorable ones that are just fine (source):

View attachment 765217

The four random words is orders of magnitude easier to crack than a password of the same length that includes 1 character from each of the four categories: lower case, upper case, number, symbol. All it takes is one character of each, then fill in the rest to get the desired length (i.e. difficulty)
D0g!................................
 
This would be great only if you stay within Apple ecosystems. A complex, non-human memorable password means that you'll have a very difficult time when you're using anything other than a computer, such as a game console.
 
Alright, since nobody else has, I'll just drop this here.

We've successfully trained everyone to...
(source):

View attachment 765217
In a company where "everyone" has been trained (i.e. forced) to use "four dictionary word" passwords, cryptic random passwords are infinitely more secure. And you still need a password store if you have more than a couple of dozen different passwords anyway.
 
Many, many systems will not allow a password like "correct horse battery staple". This is not useful advice since you can't use it everywhere.

To be fair I have seen websites that don't allow anything other than letters and numbers, some that require a capital, some that require a symbol etc. There is never any specific advice that would work across the board - so I wouldn't say it isn't useful advice.

For me the issue with passwords like that is when I want to log into a website on a computer I've never used before - a password manager doesn't help me.
 