Ok, so why does 1Password tell me this is a high security password? Are you saying that's incorrect?

Yes. How do you think those password security strength meters work? They don't hash the password, and then run the best-known dictionary attack on the hash trying to decrypt it. No, it just counts the length and diversity of characters - it's a simple and quick estimation of whether it is a good password or not.

Here's the thing: with the amount of people still using "password" or "baseball" as their passwords, it doesn't really matter. Anything is better than that. If the XKCD system works for you, use it - you'll still be ahead of 99.9% of the population in terms of password strength so that's great. Just don't advertise the XKCD system as somehow being "the best" or "good advice."

The best and good advice is to use a password manager, like you do, and use it to generate random strings (as long as is permitted) mixed-case, mixed symbol. Nothing beats a password like:

NH^pfsAz*VB989mty&7C@6kYdD4qANeQmPk8yT*%hJ@2MJ22CnN@tFK#
There are legitimate reasons to share passwords, and one of the requirements of security is that it's not user-hostile. Right now, it's hard to share complex passwords, leading people to send them insecurely, like over SMS.
I read the article, and I think it's nonsense TBH, as do half the commenters on it. Doesn't matter if attackers know the scheme. You measure password strength in the most pessimistic way, where you assume the attacker knows the scheme you use to generate it but not the random number seed. The security of the password is its entropy.

As Chucker said, a totally random string is still better if you don't care about memorizing it. Either way, you calculate how long it takes and pick what you consider acceptable. XKCD's way is good enough for most.

I'd say XKCDs way is better than good enough for most. I just don't think it's the best advice to be giving people seeking advice. The best advice is: use a password manager to generate a random string.
 
This is the first paid upgrade for 1Password in 5 years. I fail to see how charging money for software they've developed is "pushing you towards a subscription". You said it yourself - you have the option to purchase a licence for 7 if you don't want a subscription.

Or do you actually believe you're entitled to free upgrades for eternity because you paid once?
 
There are plenty of cases, none of them illegal:
- With Netflix and many other family things, you do need to share the password with your family. E.g. my parents and I share an iTunes account so we can have all our purchased media in one place.
- My friends all share Steam passwords to play each other's games. It's not illegal. I don't even think it's against the rules; you still can't both play it at once.
- In small team situations, there are many sites for which there's no option but to share the password.

Not every service has managed sub-accounts. Even if they do, it's different for every site, and the learning curve is far from worthwhile. Like iTunes technically has a way to do it, I think, but it makes things harder for zero benefit if it's within your family anyway.

So people share passwords. Making passwords hard to share is a user-hostile action. User-hostile action makes people distrust you and do things their own insecure way instead, in this case sharing passwords unencrypted via SMS. Another common user-hostile action is requiring impossible-to-remember passwords that people end up storing insecurely.

It is. If you can estimate a 540 year cracking time, the service probably won't exist for that long, or you'll be dead, or quantum computers will advance enough to require a change of security anyway.
On Netflix, you can log in once.

Regarding Steam. Sharing a password and setting up family/friend sharing is two completely different things.

And no wonder the world is full of stolen identities and hacked everything.
That security makes something a bit more user-hostile, is a fantastic compromise you should accept.

540 year cracking time?! That "comic" piece is ignorant and not very up to date. But that's "most people" for you, regarding security awareness.
 
This is the first paid upgrade for 1Password in 5 years. I fail to see how charging money for software they've developed is "pushing you towards a subscription". You said it yourself - you have the option to purchase a licence for 7 if you don't want a subscription.

Or do you actually believe you're entitled to free upgrades for eternity because you paid once?

AgileBits has been very careful and very patient in explaining that you don't need to buy into their subscription model in order to use the app.

If I have any criticism it's that they are in the process of taking what was originally a brilliantly simple program and morphing it into an overcomplicated monster for no visible reason other than a mania for tinkering and looking busy (which is why I've skipped their last few upgrades). If they had put out an iPassword Lite I would have jumped on it.

But no matter. The very same day OS12 gets released AgileBits is history, everybody involved has a bright future in burger-flipping. I for one won't miss its annoyingly intrusive with its self-launching DO YOU WANT TO SAVE THIS feature. Or its endlessly wordy newsletters either.
 
On Netflix, you can log in once.

Regarding Steam. Sharing a password and setting up family/friend sharing is two completely different things.

And no wonder the world is full of stolen identities and hacked everything.
That security makes something a bit more user-hostile, is a fantastic compromise you should accept.

540 year cracking time?! That "comic" piece is ignorant and not very up to date. But that's "most people" for you, regarding security awareness.
With Netflix, you can only log in for them if you happen to be physically present. With Apple's method, you can do the same thing remotely to give them access without giving them your password.

What do you mean by sharing a password and setting up sharing permissions being different things? That's the point. Permissions are harder to set up and don't necessarily give you the same access as if you shared a password, and you trust your friends and family anyway. With Steam, for example, you can share games but only under certain restrictions like not being able to play online.

540 years at 1000 guesses per second is what they say there, better than the estimate they give for the shorter random password, and that comparison will not become outdated. But you may be thinking 1000 guesses/sec is outdated. Despite hardware advances, guesses per second is also roughly constant because the hashing difficulty is adjusted over time in any well-secured system*. Look at Bcrypt if you want to see how; it's pretty cool.

* Ofc MS Windows uses a crappy hash that makes guessing exponentially easier. IDK why they don't just use bcrypt, but I ask similar questions about the rest of their system, and it probably has to do with licensing.
I'd say XKCDs way is better than good enough for most. I just don't think it's the best advice to be giving people seeking advice. The best advice is: use a password manager to generate a random string.
It's true, this is the best. They don't say not to use a password manager, just that if you need to remember a password for some reason (maybe it's the password to your password manager or your PC), the word combo is a good way.
 
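The entropy and guess-rate argument in the post above, worked through as an added example (this is not code from the thread). It assumes the attacker knows the scheme, a 2048-word list for the XKCD-style passphrase, a 72-symbol alphabet for the random strings, a constructed component breakdown for a "mangled dictionary word" password, and a model of bcrypt's cost parameter in which each increment doubles the work per guess.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when `length` symbols are drawn uniformly from
    `alphabet_size` choices. The attacker is assumed to know the scheme
    (word list, alphabet, length); only the random choices are secret."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate the scheme can produce
    must be tried at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def bcrypt_guess_rate(base_rate: float, cost: int) -> float:
    """Assumed model of bcrypt's cost parameter: 2**cost key-setup rounds per
    hash, so each +1 on cost halves the guess rate the attacker achieves.
    base_rate is the attacker's hashes/sec at cost 0 (constructed figure)."""
    return base_rate / (2 ** cost)


def cost_to_hold_rate(base_rate: float, target_rate: float) -> int:
    """Smallest cost that keeps the attacker at or below target_rate;
    when attacker hardware gets 2x faster, the answer rises by one."""
    return max(0, math.ceil(math.log2(base_rate / target_rate)))


# Constructed scenarios mirroring the thread. "correcthorsebatterystaple" is
# 4 words from a 2048-word list; the long password posted earlier is 52
# characters, assumed drawn from a 72-symbol alphabet. The mangled-word row
# sums the components an attacker who knows the pattern has to guess:
# 65536-word list, capitalised or not, one of 8 substitutions, a digit,
# one of 16 symbols, and digit/symbol order (about 28 bits in total).
SCHEMES = {
    "mangled dictionary word": sum(entropy_bits(n, 1) for n in (65536, 2, 8, 10, 16, 2)),
    "4 words, 2048-word list": entropy_bits(2048, 4),
    "8 random chars, 72 symbols": entropy_bits(72, 8),
    "52 random chars, 72 symbols": entropy_bits(72, 52),
}


def crack_years(guesses_per_second: float = 1000.0) -> dict:
    """Years to exhaust each scheme at a fixed guess rate (default 1000/s)."""
    return {name: years_to_exhaust(b, guesses_per_second) for name, b in SCHEMES.items()}


if __name__ == "__main__":
    for name, years in crack_years().items():
        print(f"{name:28s} {SCHEMES[name]:6.1f} bits  {years:.3g} years at 1000/s")
    # Attacker hardware 8x faster: raising cost by 3 restores the old guess rate.
    print(cost_to_hold_rate(1e6, 1000), cost_to_hold_rate(8e6, 1000))
```

The mangled word looks complex but, once the pattern is known, sits far below the four-word passphrase, while a genuinely random 8-character string already beats the passphrase, which is the point made earlier about random strings.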
It's true, this is the best. They don't say not to use a password manager, just that if you need to remember a password for some reason (maybe it's the password to your password manager or your PC), the word combo is a good way.

Fair enough, agreed it is a good way to memorize a password that must be memorized.

As an aside, if you know a foreign language, you can phonetically type out using the English letters a foreign language word combo.

Here is the famous XKCD password in Russian:

pravilna loshadt akumulyator skrepka. "pravilnaloshadtakumulyatorskrepka" would be a better password than "correcthorsebatterystaple"
 
Fair enough, agreed it is a good way to memorize a password that must be memorized.

As an aside, if you know a foreign language, you can phonetically type out using the English letters a foreign language word combo.

Here is the famous XKCD password in Russian:

pravilna loshadt akumulyator skrepka. "pravilnaloshadtakumulyatorskrepka" would be a better password than "correcthorsebatterystaple"
Oh, that's even better. I know how hard it is to Google search transliterated words when I was learning a foreign language (non-Roman alphabet ofc), so I imagine it's not in their dictionaries.
 
With Netflix, you can only log in for them if you happen to be physically present. With Apple's method, you can do the same thing remotely to give them access without giving them your password.

What do you mean by sharing a password and setting up sharing permissions being different things? That's the point. Permissions are harder to set up and don't necessarily give you the same access as if you shared a password, and you trust your friends and family anyway. With Steam, for example, you can share games but only under certain restrictions like not being able to play online.

540 years at 1000 guesses per second is what they say there, better than the estimate they give for the shorter random password, and that comparison will not become outdated. But you may be thinking 1000 guesses/sec is outdated. Despite hardware advances, guesses per second is also roughly constant because the hashing difficulty is adjusted over time in any well-secured system*. Look at Bcrypt if you want to see how; it's pretty cool.

* Ofc MS Windows uses a crappy hash that makes guessing exponentially easier. IDK why they don't just use bcrypt, but I ask similar questions about the rest of their system, and it probably has to do with licensing.
Share the password remotely?! You know it's via Airdrop, right?!

The difference in sharing a Steam password vs setting up account sharing in Steam, is that the former is probably not allowed, and the latter is.

And in what decade is 1000 guesses per second the norm?
That "comic" piece doesn't even consider dictionary attacks.
Must be nice living in your world.
It's quite awesome, not being ignorant.
 
Really? I can't think of a single major household service that I use that allows for more than one sign-on. As such, my wife and I have a 1Password vault that is shared via dropbox, and contains, banking, utilities, insurance, air miles, toll pass, and a bunch of other services such as Kohl's rewards.

Now, Apple's implementation here is of no use to me, cos I like to change passwords frequently, and I don't want to have to mess around communicating each change to my wife.

I know a lot of couples manage separate bank accounts, etc, but not everyone does. Also, even for the basic stuff, why wouldn't my wife have the admin password to our network and computers?

Get your point regarding some of those shared items but you share your banking password? ick
 
Yes. But you're missing the point.
You still have separate logins, two credit cards to the same account, but two different pin codes, etc, etc.
Why do you care? Does it affect you? No? Ok then. What might work for them may not work for you. My wife can access my 1Password vault if needed. When I kick the bucket, she's going to need it.
 
There it is. "Why care".
I care because sloppy and ignorant password handling does affect me, and everyone else.
 
Yes. But you're missing the point.
You still have separate logins, two credit cards to the same account, but two different pin codes, etc, etc.

For what earthly reason? You're preaching "good password practices" but you're serving dogma here, not reasoned out arguments.

Neither my wife nor I know my banking password. 1Password does. That password is thus as secure as 1Password itself. The fact that I have a shared login is mere convenience, and means I can ensure the password gets changed from time to time where my wife might forget.

You on the other hand have two passwords, which arguably means a brute force attack has double the odds of succeeding. What's the benefit?
 
Why do you care? Does it affect you? No? Ok then. What might work for them may not work for you. My wife can access my 1Password vault if needed. When I kick the bucket, she's going to need it.
For what earthly reason? You're preaching "good password practices" but you're serving dogma here, not reasoned out arguments.

Neither my wife nor I know my banking password. 1Password does. That password is thus as secure as 1Password itself. The fact that I have a shared login is mere convenience, and means I can ensure the password gets changed from time to time where my wife might forget.

You on the other hand have two passwords, which arguably means a brute force attack has double the odds of succeeding. What's the benefit?
Simple. Legal reasons.
And I don't have two passwords for one account. It's two separate accounts with its own password and other security measures.
That you quote "convenience" as your reason, isn't surprising.
Does he have your banking password? No? Ok. Your bank account is safe.
This didn't make any sense. Try again.
 
This didn't make any sense. Try again.


You said:

There it is. "Why care".

I care because sloppy and ignorant password handling does affect me, and everyone else.


And I said:

Does he have your banking password? No? Ok. Your bank account is safe.


So how does his personal poor bank account password affect you? It doesn’t. At all.

Unless he’s the head of Sony with a file named “passwords”, and you work for Sony, you’re fine.
 
Simple. Legal reasons.
And I don't have two passwords for one account. It's two separate accounts with its own password and other security measures.
That you quote "convenience" as your reason, isn't surprising.

Again you're very self righteous, but you can't provide an actual argument, just "reasons", oh but they're "legal" reasons.

You either have shared checking and savings accounts with your spouse or you don't. If you do, trust me on this, your bank doesn't give a rat's ass which name is on the transaction. If push comes to shove, you're both culpable and they'll go after whoever looks easiest to shake down.

Unless you're worried about divorce, in which case, I'll take my "convenience" and leave you to your own problems.
 
Yes. But you're missing the point.
You still have separate logins, two credit cards to the same account, but two different pin codes, etc, etc.

What you're preaching here sounds great on paper but isn't how the real world works, and instead of telling people how wrong they are, you could benefit from some more empathy.
 
Again you're very self righteous, but you can't provide an actual argument, just "reasons", oh but they're "legal" reasons.

You either have shared checking and savings accounts with your spouse or you don't. If you do, trust me on this, your bank doesn't give a rat's ass which name is on the transaction. If push comes to shove, you're both culpable and they'll go after whoever looks easiest to shake down.

Unless you're worried about divorce, in which case, I'll take my "convenience" and leave you to your own problems.
Again, it's not about sharing accounts. Why is this so difficult to understand?
Try telling your bank or credit card company that you've shared your pin code with someone, although you have a shared account.
What you're preaching here sounds great on paper but isn't how the real world works, and instead of telling people how wrong they are, you could benefit from some more empathy.
I don't know which world you're referring to, but it works like this in mine, and millions of others.
Be wrong for all I care. Just learn. And don't argue about it like you're right.
 