This is likely a bug, not a feature. Sharing passwords with others is against every security principle. Besides, if you have iCloud Keychain enabled, the passwords are already available on every device logged into the same account.
 
Share passwords?!
Is this being serious and credible about security?

I’ve been in the scenario with my kids of having to sign in to Minecraft on their devices; my auto-generated passwords are a pain in the ass to type manually. AirDropping them over, using it and then deleting it seems much easier. You’re right though, sharing passwords is generally a bad idea.
 
Alright, since nobody else has, I'll just drop this here. There's no real reason to make your password "BKtat8uW(aJb" unless you're already using a password manager and will never have to type it — or you just hate yourself.

If you're wanting or needing to remember passwords or relate them to other humans, you can make memorable ones that are just fine (source):


This is a good point. 1Password, as an example, allows you to create passwords like this.

The problem is that for good password security, you should still use a different password for every site, even if it's a hard one. So it's still too hard to remember 50 different passwords if they're all different strings of random words.
 
This is a good point. 1Password, as an example, allows you to create passwords like this.

The problem is that for good password security, you should still use a different password for every site, even if it's a hard one. So it's still too hard to remember 50 different passwords if they're all different strings of random words.

Yeah, definitely true. It's vital to use a password manager now that we all have dozens (if not hundreds) of logins.
 
Not ONE comment or question about integration with the desktop OS?

More than one place requires passwords not just be of a certain length, but include a capital, a number and a punctuation symbol. For a plain website, not even one where you can buy stuff!
 
I'd love for you to enlighten us as to why the Keychain is so secure.
No, I'd love for YOU to enlighten us about why you think it's NOT safe. It's been a cornerstone of Mac security, protected by AES-256, and also part of iPhone security. And yes, there have been the occasional trojans out there that have masqueraded as other things, and tried to fool people into logging into keychain to steal passwords.

But as a technology, no, I haven't heard a thing about it being an insecure platform.
 
Why can’t we login to apps and websites using Touch/Face ID rather than having to use a password?

…you can — it's called Keychain, and it fills in the password for you. It knows that password because it's stored in a database, which is encrypted, in turn, with the credentials you unlock using Touch/Face ID.
Not ONE comment or question about integration with the desktop OS?

The article already mentions that this works with macOS.

More than one place requires passwords not just be of a certain length, but include a capital, a number and a punctuation symbol. For a plain website, not even one where you can buy stuff!

That's why Apple came up with a format for such password rules.
This is likely a bug, not a feature.

No, this is a feature.

Sharing passwords with others is against every security principle. Besides, if you have iCloud Keychain enabled, the passwords are already available on every device logged into the same account.

At some point, the password has to arrive at the target website. You can either have the user type it in manually, which is error-prone, insecure, and blames the user for a problem they didn't cause, or you can help automate this process.
Storing anything in the Keychain is a security risk.

Compared to what, exactly?
I'd love for you to enlighten us as to why the Keychain is so secure.

No, sir, the onus is on you to explain the extraordinary claim.
 
It's a good comic, but this isn't good advice anymore. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Basically, password crackers are on to this scheme and have adapted to the point where passwords that are a long-string of dictionary words can be cracked in fairly little time.
Ok, so why does 1Password tell me this is a high security password? Are you saying that's incorrect?

 
Ok, so why does 1Password tell me this is a high security password? Are you saying that's incorrect?


It depends. Crackers can more easily combine multiple dictionary words than they can try out random character combinations, for obvious reasons.

For a password you'll only use on one service in particular, I don't think stringing words together is a great idea. You have no reason to ever remember that password (your password manager already will), so that benefit goes away. Instead, just use ~20 characters of gibberish.

For a password you frequently have to type in yourself, it makes more sense.
 
It depends. Crackers can more easily combine multiple dictionary words than they can try out random character combinations, for obvious reasons.

For a password you'll only use on one service in particular, I don't think stringing words together is a great idea. You have no reason to ever remember that password (your password manager already will), so that benefit goes away. Instead, just use ~20 characters of gibberish.

For a password you frequently have to type in yourself, it makes more sense.

Fair point, but I still wonder why a major password manager would show this as "very secure".

But yeah, most of the time since I know it's in 1Password, I go with some kind of "089)(^h439IGU0^@#" type business.

Oddly the one big exception is my Apple ID password which I still find myself having to manually input WAY more often than I'd like. There's always some stupid popup (App Store is terrible about this) that is often a modal dialog that won't accept my thumbprint, and because it's modal, it prevents me from going over to 1Password to retrieve a password. So for my Apple ID, of all things, I'm usually having to use something easy to remember/type. The two-factor authentication always asks for a 6-digit code from another device, so I think that's another layer of security hopefully.
 
Ok, so why does 1Password tell me this is a high security password? Are you saying that's incorrect?

Not sure but I would never consider passwords using only lower case characters as secure. The idea is fine, but use words that are slightly transformed as to not enable dictionary attacks.

Eg.: Do 2 small Brees make enuff Honey? NO!

It’s so stupid but easy to remember and uses all types of chars

Just my 2 cents
 
Yes. I get that.
Still, this is not a credible way to advocate password and security awareness.
There are legitimate reasons to share passwords, and one of the requirements of security is that it's not user-hostile. Right now, it's hard to share complex passwords, leading people to send them insecurely, like over SMS.
It's a good comic, but this isn't good advice anymore. https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

Basically, password crackers are on to this scheme and have adapted to the point where passwords that are a long-string of dictionary words can be cracked in fairly little time.
I read the article, and I think it's nonsense TBH, as do half the commenters on it. Doesn't matter if attackers know the scheme. You measure password strength in the most pessimistic way, where you assume the attacker knows the scheme you use to generate it but not the random number seed. The security of the password is its entropy.

As Chucker said, a totally random string is still better if you don't care about memorizing it. Either way, you calculate how long it takes and pick what you consider acceptable. XKCD's way is good enough for most.
 
There are legitimate reasons to share passwords, and one of the requirements of security is that it's not user-hostile. Right now, it's hard to share complex passwords, leading people to send them insecurely, like over SMS.
I read the article, and I think it's nonsense TBH, as do half the commenters on it. Doesn't matter if attackers know the scheme. You measure password strength in the most pessimistic way, where you assume the attacker knows the scheme you use to generate it but not the random number seed. The security of the password is its entropy.

As Chucker said, a totally random string is still better if you don't care about memorizing it. Either way, you calculate how long it takes and pick what you consider acceptable. XKCD's way is good enough for most.
"There are legitimate reasons to share passwords".
No. Not really. In many cases it's illegal too.

"one of the requirements of security is that it's not user-hostile."
I don't understand. Do you mean a password should be easy to remember, and that's a security requirement?

"good enough for most"
Isn't that a nice cushion.
 
"There are legitimate reasons to share passwords".
No. Not really.

Yes, really.

Colleague: I need to check something on our corporate PayPal/SendGrid/airtravel/… account; what was the password again?
Me: I’d tell you, but random MacRumors guy says that’s not legitimate.

Should those sites offer sub accounts? Probably, but in many cases, they don’t. So instead, you share passwords in your team, and hope for software that makes that part more secure.
 
Yes, really.

Colleague: I need to check something on our corporate PayPal/SendGrid/airtravel/… account; what was the password again?
Me: I’d tell you, but random MacRumors guy says that’s not legitimate.

Should those sites offer sub accounts? Probably, but in many cases, they don’t. So instead, you share passwords in your team, and hope for software that makes that part more secure.
Jebus... That's a really terrible example, as at least PayPal offers multiple users on Business accounts.

But random MacRumors chucker says otherwise. So PayPal might be wrong.
 
Jebus... That's a really terrible example, as at least PayPal offers multiple users on Business accounts.

But random MacRumors chucker says otherwise. So PayPal might be wrong.

It doesn't matter how bad the example is; suffice to say there are plenty of cases at my workplace where suppliers we work with only offer a single account.

And if that scenario isn't good enough for you, try explaining to your spouse that you can't give them your Netflix account for security reasons.
 
It doesn't matter how bad the example is; suffice to say there are plenty of cases at my workplace where suppliers we work with only offer a single account.

And if that scenario isn't good enough for you, try explaining to your spouse that you can't give them your Netflix account for security reasons.
That your workplace has shoddy password management isn't a case for sharing passwords.

And Netflix is a household account. Still doesn't need to share the password.
 
"There are legitimate reasons to share passwords".
No. Not really. In many cases it's illegal too.
There are plenty of cases, none of them illegal:
- With Netflix and many other family things, you do need to share the password with your family. E.g. my parents and I share an iTunes account so we can have all our purchased media in one place.
- My friends all share Steam passwords to play each other's games. It's not illegal. I don't even think it's against the rules; you still can't both play it at once.
- In small team situations, there are many sites for which there's no option but to share the password.

Not every service has managed sub-accounts. Even if they do, it's different for every site, and the learning curve is far from worthwhile. Like iTunes technically has a way to do it, I think, but it makes things harder for zero benefit if it's within your family anyway.

So people share passwords. Making passwords hard to share is a user-hostile action. User-hostile action makes people distrust you and do things their own insecure way instead, in this case sharing passwords unencrypted via SMS. Another common user-hostile action is requiring impossible-to-remember passwords that people end up storing insecurely.
"good enough for most"
Isn't that a nice cushion.
It is. If you can estimate a 540-year cracking time, the service probably won't exist for that long, or you'll be dead, or quantum computers will advance enough to require a change of security anyway.
 
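Two posts above argue the same thing from different ends: that password strength should be measured as entropy on the assumption that the attacker already knows the generation scheme (word list, alphabet, length) and lacks only the random choices, and that a cracking-time estimate like "540 years" is the number you actually decide on. The block below is an added example, not from any poster in this thread; it does that arithmetic for the schemes the thread discusses (four dictionary words versus a string of random printable characters) and also covers the earlier objection that crackers "combine multiple dictionary words", which the entropy model answers by counting word combinations rather than characters. The guess rates (1,000 guesses per second against a throttled live login, 10^10 per second for a GPU rig against a leaked fast hash) and the word-list sizes (2048 for the comic, 7776 for Diceware) are assumptions stated in the code, and the small embedded word list is constructed for the generator to run offline.

```python
"""Password strength as entropy: assume the attacker knows the scheme and
count the equally likely outputs.  Added example, not from the thread.
The guess rates and list sizes below are illustrative assumptions."""
import math
import secrets
import string

# Constructed stand-in word list so the generator runs offline.  Real lists
# are far larger (Diceware: 7776 words; the comic assumes about 2048).
WORDS = ("correct horse battery staple cloud river lantern copper "
         "velvet marble orbit signal").split()
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase(n_words: int, words=WORDS) -> str:
    """n words drawn uniformly, with replacement, from a CSPRNG."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """`length` characters drawn uniformly from `alphabet` with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, symbols: int) -> float:
    """Entropy of `symbols` independent uniform draws from `alphabet_size`
    choices: log2 of the number of equally likely outputs.  This is what the
    attacker faces once the scheme itself is public knowledge."""
    return symbols * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: enumerate the whole space."""
    return 2.0 ** bits / guesses_per_second


def years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def compare(rate_online: float = 1e3, rate_offline: float = 1e10) -> dict:
    """Worst-case crack time in years for the schemes the thread discusses.

    rate_online:  a throttled live login (assumption).
    rate_offline: a GPU rig against a leaked fast, unsalted hash (assumption;
                  a slow salted hash such as bcrypt, scrypt or Argon2 reduces
                  this rate by orders of magnitude)."""
    schemes = {
        "4 words, 2048-word list": entropy_bits(2048, 4),  # the comic's 44 bits
        "4 words, Diceware 7776": entropy_bits(7776, 4),
        "12 random printable ASCII": entropy_bits(94, 12),
        "20 random printable ASCII": entropy_bits(94, 20),
    }
    return {
        name: {
            "bits": bits,
            "online_years": years(crack_time_seconds(bits, rate_online)),
            "offline_years": years(crack_time_seconds(bits, rate_offline)),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("sample passphrase:", passphrase(4),
          f"({entropy_bits(len(WORDS), 4):.1f} bits with this tiny list)")
    print("sample password:  ", random_password(20))
    for name, row in compare().items():
        print(f"{name:28s} {row['bits']:6.1f} bits  "
              f"online {row['online_years']:.3g} y  "
              f"offline {row['offline_years']:.3g} y")
```

Four words from a 2048-word list come out at exactly 44 bits, which at 1,000 guesses per second is roughly 557 years, the figure the comic rounds to "550 years" and the post above quotes as 540. The same 44 bits against an offline rig at 10^10 guesses per second falls under half an hour, while 20 random printable characters stay out of reach in both settings. That is the "it depends" from earlier in the thread made concrete: the passphrase is fine where the attacker is rate-limited and you have to type it, and the random string is the right choice for a password only the manager ever sees.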