MacNN Forums (https://forums.macnn.com/index.php)
-   MacNN Lounge (https://forums.macnn.com/forumdisplay.php?f=89)
-   -   Apple News: Apple ID hacking attempts? (https://forums.macnn.com/showthread.php?t=529296)

 
andi*pandi Apr 1, 2024 09:37 AM
Apple News: Apple ID hacking attempts?
https://www.macrumors.com/2024/03/26...ishing-attack/

I have not experienced this, thank goodness, but it's unusual for Apple to be the target of hacks like this.
 
Spheric Harlot Apr 1, 2024 05:13 PM
I actually got a log-in allow notification with the map and passcode entry request — someone in São Paulo had apparently tried to log in using my Apple ID with the correct password and was only stopped by two-factor authentication.

Holy shit.
 
reader50 Apr 1, 2024 05:47 PM
Ars Technica covered this too, as an "MFA Fatigue Attack". Oh, and AT&T has just admitted a data breach (method unknown) of 73 million current & former accounts. Including 49 million unique email addresses, and almost 44 million Social Security numbers. Plus snailmail addresses, phone numbers, date-of-birth, full names, plus (salted & hashed?) passwords.

Hope everyone is following good security practices: long random passwords, unique to every site. No reuse of passwords anywhere. This quarantines a compromise to a single account or service. Also, keeping the keys to everything you own on a single smartphone may not be so smart. Desktop or laptop, passwords on an encrypted thumb drive, roll your own solution. So a single smartphone breach doesn't reach everything. Ideally, spread things around so there isn't a single point of failure. It's less convenient, but good security always is.

If you haven't already, sign your emails up to the Have I Been Pwned website. Should your email(s) appear in data leaks, the site will email you with the details. I don't know of a similar service for leaked Social Security numbers.
 
subego Apr 1, 2024 06:49 PM
Hot take: if the password is long enough using mostly lowercase dictionary words is fine (and easier to type).
 
reader50 Apr 1, 2024 08:00 PM
I like the Stanford password recommendations as a guide for creating passwords. It covers what length to use for various character groups (like all-lowercase) as well as sentence-passwords made of dictionary words. However, this guide has been unchanged since at least 2014. I'd add at least two characters to each recommendation, and at least two extra words to any sentence password.
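The two posts above argue about length versus character class (all-lowercase dictionary words "if long enough" versus the Stanford-style per-class minimums). The numbers behind that argument are easy to put in code. This is an added example, not code from the thread or from the Stanford guide: it computes the entropy of a uniformly random string for a given alphabet, the entropy of a passphrase drawn from a word list, the minimum length or word count needed to reach a target, and a rough offline-cracking time. The alphabet sizes, the 2048-word "everyday vocabulary" list, the 80-bit target and the 10^10 guesses/second rate are all assumptions chosen for illustration, not figures from the guide.

```python
import math

# Alphabet sizes (assumption: the attacker knows which class the password uses,
# so a lowercase-only password gets no credit for characters it never contains).
LOWERCASE = 26
MIXED_CASE = 52
MIXED_CASE_DIGITS = 62
ALL_PRINTABLE = 95        # printable ASCII without the space character
DICEWARE_WORDS = 7776     # 6^5 entries, the size of a standard diceware list
COMMON_WORDS = 2048       # assumption: a small "everyday vocabulary" word list


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a list of `wordlist_size`.
    Separators and capitalisation add nothing if they follow a fixed rule."""
    return words * math.log2(wordlist_size)


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Shortest random string over the alphabet that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def min_words_for(wordlist_size: int, target_bits: float) -> int:
    """Fewest words from the list that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time for an offline attacker who on average tries half the space."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def dictionary_vs_random(words: int, avg_word_len: int = 6,
                         wordlist_size: int = COMMON_WORDS) -> dict:
    """How a lowercase dictionary passphrase looks to two attackers: one who
    treats it as random lowercase text, one who knows it is whole words."""
    chars = words * avg_word_len
    return {
        "as_random_lowercase": entropy_bits(LOWERCASE, chars),
        "as_dictionary_words": passphrase_bits(wordlist_size, words),
    }


if __name__ == "__main__":
    target = 80.0                      # assumption: target strength in bits
    rate = 1e10                        # assumption: offline guesses per second
    for name, size in [("lowercase", LOWERCASE), ("mixed case", MIXED_CASE),
                       ("mixed+digits", MIXED_CASE_DIGITS), ("all printable", ALL_PRINTABLE)]:
        print(f"{name:14s}: {min_length_for(size, target):2d} random chars for {target:.0f} bits")
    print(f"diceware      : {min_words_for(DICEWARE_WORDS, target)} words for {target:.0f} bits")
    four = dictionary_vs_random(4)
    print("4 common words looks like "
          f"{four['as_random_lowercase']:.0f} bits to a charset attacker but "
          f"{four['as_dictionary_words']:.0f} bits to a wordlist attacker "
          f"({years_to_crack(four['as_dictionary_words'], rate):.4f} years at {rate:.0e}/s)")
```

The last line is the caveat on the "lowercase dictionary words are fine" hot take: the length that matters is the number of words, not the number of characters, because a wordlist attacker guesses whole words. Adding two words to a passphrase, as suggested above, adds about 22 bits from a 2048-word list and about 26 bits from a diceware list; adding two lowercase characters to a random string adds only about 9.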
 
Laminar Apr 2, 2024 08:59 AM
 
subego Apr 2, 2024 09:52 AM
This-is-the-ideal-password-f0rmat.
 
Laminar Apr 2, 2024 09:57 AM
Wait, which O is a zero? I keep forgetting. And do you choose a new multi-word sentence for each website/login?
 
subego Apr 2, 2024 10:00 AM
Don’t reuse passwords. :)

A good password manager will use a font which disambiguates a capital “o” from a zero.

Edit: I misunderstood your post. Though the XKCD mentions memorization, you shouldn’t actually do that without a password manager net (IMO).
 
subego Apr 2, 2024 10:11 AM
 
Laminar Apr 2, 2024 10:12 AM
I never got into password managers. Is there something that works across any Apple/Android/Amazon/Windows device seamlessly? My iPhone keeps trying to recommend impossible passwords which is completely useless to me when I want to log in on Chrome on my work laptop.
 
subego Apr 2, 2024 10:18 AM
1Password is what I use.

If you can install Dropbox on your work laptop there’s a Chrome plugin.

They claim it works on everything. Isn’t Amazon shit Android?
 
Laminar Apr 2, 2024 10:24 AM
I'm trying to get away from Dropbox. It's becoming nagware, and since they got rid of hotlinking all of those years ago it doesn't really do anything for me that I can't do through OneDrive or Google Drive. The last killer feature was keeping my car tunes on it so they're synced across my tuning laptop, home desktops, and also available online. I'm doing that with Google Drive now but I'm not impressed with its slow syncing. Either way I'd only access Dropbox on my work laptop through the web interface.
 
subego Apr 2, 2024 10:36 AM
It looks like they have their own servers if you want to use those, but I’m not familiar with it.
 
andi*pandi Apr 2, 2024 10:26 PM
1password no longer requires dropbox. Which is good for me having multiple devices with 1password on it (phone, ipad, 2 laptops) and not wanting to pay dropbox for >3 devices.

Quote
This-is-the-ideal-password-f0rmat.
idealpasswordBas3-sitesuffix!
 
subego Apr 3, 2024 09:32 AM
Quote, Originally Posted by andi*pandi (Post 4433736)
idealpasswordBas3-sitesuffix!
I’m not sure I understand. Does this mean reuse the bas3 and change only the suffix?

That’s the same as reusing a password.
 
Laminar Apr 3, 2024 02:18 PM
"Ideal password base" - "website" - "!"

I think? Is the risk that a person or even automated system, if they got the password into plain text, could recognize the site name as part of the password and extrapolate that to other sites? How many intrusions result in the password being revealed in plain text?
 
subego Apr 3, 2024 02:42 PM
What to worry about here isn’t a brute-force intrusion on an account, it’s an intrusion on a site with poor security.
 
andi*pandi Apr 3, 2024 05:38 PM
sitesuffix is not the site name but a clue. So for this site it might be AppleNN or something. (except on this site I use a completely random pw).
 
subego Apr 3, 2024 06:28 PM
Then you have to remember all your different site suffixes.

There’s also the problem of the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
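The exchange above turns on one point: a "shared base + per-site suffix" scheme is reuse, because a single plaintext leak (from a site that stored passwords badly, or from cracking a weak hash) hands an attacker most of every other password. The check a practitioner would want is one that finds such shared bases in a vault before a leak does. This is an added example, not code from the thread or from any password manager: it scans a constructed sample vault for pairs of passwords sharing a long common substring and estimates how much guessing is left once the base is known. The sample entries, the 8-character threshold and the 95-symbol alphabet are assumptions for illustration.

```python
import math
from itertools import combinations

# Constructed sample vault (not real credentials). Two entries follow the
# "base + per-site suffix" scheme from the thread; the third is independent.
SAMPLE_VAULT = {
    "applenn": "idealpasswordBas3-AppleNN!",
    "webmail": "idealpasswordBas3-Mailbox!",
    "bank":    "q7#Vp2!LmZe9&Rt0wX",
}


def longest_common_substring(a: str, b: str) -> str:
    """Classic O(len(a) * len(b)) dynamic-programming longest common substring."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def find_shared_bases(vault: dict, min_shared: int = 8) -> list:
    """Return (site_a, site_b, shared_text) for each pair of vault entries that
    share at least `min_shared` consecutive characters. Any hit means a
    plaintext leak of one password reveals most of the other."""
    hits = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        shared = longest_common_substring(pw_a, pw_b)
        if len(shared) >= min_shared:
            hits.append((site_a, site_b, shared))
    return hits


def residual_bits(password: str, leaked_base: str, alphabet_size: int = 95) -> float:
    """Upper bound on the entropy left in `password` once the attacker knows
    `leaked_base`: only the characters outside the base remain to be guessed,
    and in practice a suffix that hints at the site name is far weaker still."""
    remaining = max(len(password) - len(leaked_base), 0)
    return remaining * math.log2(alphabet_size)


if __name__ == "__main__":
    for site_a, site_b, shared in find_shared_bases(SAMPLE_VAULT):
        pw = SAMPLE_VAULT[site_b]
        print(f"{site_a} and {site_b} share {shared!r} ({len(shared)} chars); "
              f"after a leak of {site_a}, at most {residual_bits(pw, shared):.1f} bits "
              f"of {entropy_bits_full(pw):.1f} remain for {site_b}"
              if False else
              f"{site_a} and {site_b} share {shared!r} ({len(shared)} chars); "
              f"after a leak of {site_a}, at most {residual_bits(pw, shared):.1f} bits "
              f"remain to guess for {site_b}")
```

Run against a real export, the same scan also catches the milder variants in the thread (a base that only changes capitalisation, or one where the "suffix" is a clue rather than the site name), because the shared part is found by substring match rather than by looking for site names. A genuinely random password per site, as the password-manager posts recommend, produces no hits.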
 
reader50 Apr 3, 2024 06:47 PM
Quote, Originally Posted by subego (Post 4433742)
... the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
Ah, you've banked at WF or BofA also?
 

Copyright © 2005-2007 MacNN. All rights reserved.
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.