Password security

Now, if apple really doesn’t gather user data (like it claims), why does it warn me that I have the same passwords over multiple apps?

Posted on Feb 16, 2021 8:55 AM

Question marked as Top-ranking reply

Posted on Feb 16, 2021 1:30 PM

SaraGonzales wrote:

I’m not really satisfied with the content of the explanation but I see your points. Thnx! 🙂❤️

A brief introduction to how passwords work:

  • When you create a password your “plain text” password is processed by a computation conforming to standard SHA-2, called a “hash” algorithm that generates a very long string of characters (typically over 100).
  • The hashed value (called a hash) cannot be used to determine the password you entered if a strong hash algorithm is used (SHA512 is one popular hash).
  • Thus, your password is not stored anywhere in the site you are accessing, only the hash of it is, so the site can never tell you what the original password was.
  • When you go to log in the server does the same computation, and if the result matches your password's hash you are allowed into the site.


If the site is compromised and its user data is stolen, typically the user IDs, personal data and the hashed values of passwords are stolen. However, there is a “brute force” way to find out the original password: simply try every combination of letters, numbers and punctuation with the hash algorithm until the result matches the hashed value of each password. With a powerful computer this will take only a few minutes for a short password (8 characters), but gets exponentially more complicated for longer passwords. By today’s standards a 20 character password is pretty secure, but with improvements on computing technology this won’t last forever.


When hackers have hundreds of millions of passwords to try to crack they will try the shorter ones first; as most people use 8-10 character passwords, this still gives the hackers tens of millions of accounts that they can breach. So your probability of having an account compromised is ultimately dependent on how long your passwords are.


Now on to how Apple, Google, or haveibeenpwned.com know if your password has been compromised. There are cybersecurity companies and individuals that search the “dark web” - the sites that cater to criminals - and buy the data stolen from compromised sites, and test the passwords. The results of their research are then shared with Apple, Google, Microsoft and other companies (and haveibeenpwned.com). When you use a password on your phone Apple can check the lists of compromised passwords collected by the cybersecurity companies, and tell you if it is on the list.


The next question is how Apple can know if you share passwords. There are 2 ways: If the password is already on a compromised list, it includes a count of how many times that password has been included in compromised data stolen from sites. The other way is the Keychain app on your phone, which stores the plain text passwords you enter. If you use Keychain the phone will fill in passwords for you, and the phone can search for duplicates. Note that none of this information goes to Apple; it is all on your phone, secured by your phone’s passcode and your Apple ID password if you enable iCloud sync for Keychain. Apple does not have access to your iCloud data, either, so there is no way Apple can know any of your passwords.


If you use Keychain your phone can also generate strong, random passwords when you create an account on a site, and store them in the Keychain. You don’t even have to know what these generated passwords are, because your phone fills them in.
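
The storage, login check, compromised-list lookup and on-device duplicate search described in the reply above, as an added example (not code from the original post or from Apple). It uses SHA-512 as the reply does; the leaked-password list, the salt handling and the vault contents are constructed for illustration, and the comments note where a real site would go further.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def hash_password(password, salt=b""):
    """Hex SHA-512 of salt + password: 128 characters, irreversible by design.
    Real sites use a deliberately slow, salted password hash; SHA-512 alone is
    kept here only to mirror the post's description."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def store_password(password):
    """What a site keeps on file: a random per-user salt plus the hash, never the password."""
    salt = os.urandom(16)
    return salt.hex(), hash_password(password, salt)


def verify_password(attempt, salt_hex, stored_hash):
    """Login: redo the same computation with the same salt and compare (constant time)."""
    candidate = hash_password(attempt, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def hashes_match_across_sites(password, salted):
    """Unsalted: the same password yields the same hash everywhere, so stolen hash
    lists can be compared directly. Salted: two sites' hashes look unrelated."""
    if not salted:
        return hash_password(password) == hash_password(password)
    return store_password(password)[1] == store_password(password)[1]


# Constructed stand-in for a compromised-password list: hash -> times seen in breach data.
LEAKED_COUNTS = {hash_password(p): n for p, n in [("password123", 3), ("letmein", 1)]}


def breach_count(password):
    """Count of breach appearances for a password (0 means not on the list)."""
    return LEAKED_COUNTS.get(hash_password(password), 0)


def find_reused(vault):
    """On-device duplicate search over plaintext keychain entries {site: password}.
    Returns {password: [sites...]} for every password used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
```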

19 replies
Feb 16, 2021 11:53 AM in response to AnitaRataic

AnitaRataic wrote:

Now, if apple really doesn’t gather user data (like it claims), why does it warn me that I have the same passwords over multiple apps?

Change a weak password on iPhone

https://support.apple.com/en-ie/guide/iphone/iphd5d8daf4f/ios


iPhone also securely monitors your passwords and alerts you if they appear in known data leaks. If you don’t want iPhone to perform this monitoring, go to Settings > Passwords > Security Recommendations, then turn off Detect Compromised Passwords.


All process is done on your iPhone. So no, they don’t collect your passwords. If you think otherwise perhaps you should consider using other brands' products instead…


Feb 16, 2021 12:19 PM in response to AnitaRataic

AnitaRataic wrote:
first off, we are on 14.4 iOS, not 14 so this info is actually obsolete.

No. User Guide is for iOS 14 and applies to all updates that were released for it.

dude, you do realize that anything you type as a password is a bunch of zeroes and ones? I hope you do. If the iOS is capable of remembering my password then that password is saved somewhere.

In the initial post you claim Apple collects your password, which is a false claim. Yes, passwords are stored on the device or in iCloud if you use iCloud Keychain, or elsewhere if instead you use another password manager.


That’s why you need a human being to block EVERYTHING when a breach happens.

No. You don’t need to block everything. If all your accounts use unique passwords then when a breach happens to some service your other accounts are not affected. If you share the same username and password in two or more services you risk having other accounts compromised too.

Or educate users how to create a bulletproof password (and one only).

Apple Platform Security


Feb 16, 2021 12:32 PM in response to iW00

No. User Guide is for iOS 14 and applies to all updates that were released for it.

I’m having serious doubts that you know what an iOS update means.


In the initial post you claim Apple collects your password, which is a false claim. Yes, passwords are stored on the device or in iCloud if you use iCloud Keychain, or elsewhere if instead you use another password manager.

I don’t even know how to respond to this.. it’s just pointless I see it..


No. You don’t need to block everything. If all your accounts use unique passwords then when a breach happens to some service your other accounts are not affected. If you share the same username and password in two or more services you risk having other accounts compromised too.

Dude, please think with your head! If the general password is breached, all other passwords are breached as well.

Feb 16, 2021 9:15 AM in response to AnitaRataic

This message is from a profile on your device installed by your Corporate/Enterprise/organisation or School Management.


Normal (Personal) users of the iPhone do not get this kind of warning.


Contact the system administrator of your device, else remove the profile. If you have installed any profile on your own --> Install or remove configuration profiles on iPhone - Apple ...

Feb 16, 2021 12:02 PM in response to iW00

ok, the link was useful, BUT!


first off, we are on 14.4 iOS, not 14 so this info is actually obsolete.


All process is done on your iPhone. So no, they don’t collect your passwords. - dude, you do realize that anything you type as a password is a bunch of zeroes and ones? I hope you do. If the iOS is capable of remembering my password then that password is saved somewhere. That’s why you need a human being to block EVERYTHING when a breach happens. Or educate users how to create a bulletproof password (and one only).

Feb 16, 2021 2:08 PM in response to AnitaRataic

AnitaRataic wrote:

Well this is an excellent explanation of how stuff works today! Very well elaborated! Kudos! 👏

HOWEVER!
Hashes as you said can be breached and today we have some seriously powerful computers. So no problem for a real hacker.
What you didn’t take into consideration is social management hacks + computing hacks. That is EVERYTHING!

imho the future is complete biometrics because if someone forces you to unlock your device with a fingerprint and/or face recognition, you’ve got waaay bigger problems than securing your accounts.

Those are really good points. What I left out is salted hashes, which are much more secure and harder to crack. Not all sites salt hashes, however, and, if a site is totally compromised, the salt algorithm can be stolen also.


Social engineering is certainly an option for criminals. That’s where 2 factor authentication helps, as long as the support people can’t bypass it. With Apple and Google’s 2FA support cannot bypass it; however, AT&T’s techs (and probably other carriers') can choose to ignore it, which is how SIM swapping can still be done (which can get around most 2FA schemes). Physical security keys are better, but inconvenient. I’m currently reading Bruce Schneier’s latest book Click Here to Kill Everybody which has a chapter discussing security vs convenience, and the fact that convenience usually wins (witness the fact that a lot of users refuse to use Apple’s 2FA implementation, which is stronger than most).



Feb 16, 2021 11:39 AM in response to Lawrence Finch

Now, when you think about it - why would apple cross reference passwords in reality?


how to actually help user to be safe with passwords (ie save her/him from its own “stupidity” 😁)? People don’t understand online security and they don’t have to - that’s why you have developers.


the easiest way to keep user safe is to guide her/him to create the most secure general password there is. You log in to all apps you have with that password (bear with me lol, I know how that sounds 😂). Now if you forget that password or get hacked, you call apple emergency number and block the whole account with all the apps on all your devices (until the problem is resolved).


also, I bet that would save some serious server capacity.


voila! 🙂

Feb 16, 2021 12:31 PM in response to Boomslang84

SaraGonzales wrote:

Now, when you think about it - why would apple cross reference passwords in reality?

Because users duplicate passwords, don’t or can’t or won’t use password managers, and credential stuffing is quite successfully breaching duplicates.


Myself included. I had an old throw-away password for a not-used-in-a-decade account that ended up at a completely different entity through corporate acquisitions, and some schmuck caught it.


how to actually help user to be safe with passwords (ie save her/him from its own “stupidity” 😁)? People don’t understand online security and they don’t have to - that’s why you have developers.


Alas, there is also somebody utterly new to all of this hundreds or thousands of times a day, as new folks arrive and as existing folks learn. Something I need to remember, both for those newly arriving in a discussion or topic, and because I’m working on some new stuff where I am entirely ignorant of how some of it works and have some work ahead to better understand.


the easiest way to keep user safe is to guide her/him to create the most secure general password there is. You log in to all apps you have with that password (bear with me lol, I know how that sounds 😂). Now if you forget that password or get hacked, you call apple emergency number and block the whole account with all the apps on all your devices (until the problem is resolved).


There’s a fair amount of design work involved to implement that, without also implementing a backdoor for somebody to breach the account. And blocking access on failure is a wonderful way to create a denial-of-service; where some schmuck can keep locking you out, with barrages of wrong passwords.


also, I bet that would save some serious server capacity.


Probably not. A password hash lookup is pretty fast, all things considered. And wicked easy to shard the requests across different pools of servers, too.


Areas of security can be wonderfully subtle, too. Information can leak in all sorts of interesting ways.

