Um ...

"In the developer demo shown at the conference, the iPhone showed a 'Fix Passwords' button at the top that a user needed to tap to change multiple passwords in listed apps at once. Then Apple said it would use its artificial intelligence and Safari to update the password in the background, and let you know through an update that will state 'Security upgraded'."

HuffPost: Apple Thinks It Has Solved A Major Password Problem. A Cybersecurity Expert Has Questions https://www.huffpost.com/entry/apple-password-app-update_l_6a331798e4b0dfdabceaf442 @huffingtonpost #infosec #Apple #passwords

@AAKL for a dozen-ish passwords on throwaway sites w/no PII/financial info/other access (but all w/2FA enabled) this "feature" failed miserably.
@hrbrmstr This description alone makes me wary: "Apple said it would use its artificial intelligence and Safari to update the password in the background."
@AAKL it's a pretty basic headless Safari agent that is not ready for prime time. This feels like Cook as Trump and some dev team as one of his cabinet departments telling him this is great and works well and it's just a paint-peeling, algae-ridden cesspool.
@hrbrmstr I don't think feeding your passwords to Apple's AI, which is also Google's AI, is a good idea, let alone the politics.
@AAKL heh. I didn't see it reach out to the DNS of the hosted models so it's all happening locally, at least as far as I bothered to observe. It's a feature I def won't be recommending anyone use.

@AAKL @hrbrmstr One of the things that really bugs me is that if this was about allowing password managers to set and update passwords, Apple actually does have the influence to set the standard here. They might even come out of it with a lot of good will!

But instead they do... this?

@Epic_Null @hrbrmstr Yes, Apple could do better. And I wouldn't give passwords to any AI, given the security (or lack of) environment

@AAKL @huffingtonpost I don't even use password lockers. They just increase your attack surface IMO. It can be a pain remembering complex and unique passwords but it gives me peace of mind.

I also highly suggest using app-based MFA but the best solution is hardware-based MFA (like FIDO2 Yubikeys).

@ZeroTrustWraith @AAKL @huffingtonpost I use Yubikey TOTP but I also backup the secret to an encrypted file. Do not trust any token system you cannot keep a backup of. And that includes passkeys unless you have a tool that can back them up to a file.
@mike805 @AAKL @huffingtonpost that would completely defeat the purpose of having a private key that never leaves the hardware.
@ZeroTrustWraith @AAKL @huffingtonpost I am more worried about losing access than getting hacked. I do not want to use cloud based authentication (the browser is not logged into any cloud) so I need something I can back up locally.
@mike805 @AAKL @huffingtonpost If you absolutely insist on a backup, I would just set it up so it can fall back to App-based MFA where possible. Enterprises do usually follow the 3-2-1 rule so it is possible but I wouldn't recommend it for the average user. You're adding complexities to it that some people might not understand.

@ZeroTrustWraith @mike805 @AAKL @huffingtonpost Honestly I feel this conversation shows that you two have VERY different threat models.

Security also involves ensuring that authorized entities maintain access, and this seems to be higher on Mike's priority list than yours. From that angle, a second factor that a third party can just revoke at any time seems like a valuable risk to model.

@Epic_Null @mike805 @AAKL @huffingtonpost That's a fair assessment. In relation to the CIA triad, availability isn't as big of a concern for me with FIDO2 keys. That is why I mentioned enterprise environments and the 3-2-1 rule for backups.

Even if I backed up the private key on my Yubikey, I wouldn't use someone else's customized tool to do it. I would figure out how to extract the private key by learning how to hack my own hardware with custom scripts I create.

The reason I didn't dive into this and advised against it is because it poses additional risks that less experienced users might not be able to properly mitigate. Essentially, this can actually increase your attack surface which could defeat the entire purpose of hardware-based authentication.