Passwords and Password Managers

SMUG Meeting May 17, 2022

Meeting notes by Kathleen Charters

We didn’t have a meeting in April because someone wasn’t here. Where they were is something of a mystery, with the only clue being the photo posted as the April 2022 website entry.

We (we?) had been planning to talk about accessibility, but this will require more planning. Accessibility is one of those topics where most people think they don’t care about the subject.

“Accessibility? What do I care about accessibility?” they say, as they squint at the fine print through glasses, raise the volume on their iPhone, and accidentally drop their cane into a mud puddle.

But these same people don’t think of headlights, taillights, horns, brakes, seatbelts, electric ignitions, heated seats, tinted windows, sun visors, electric windows, etc., as “accessibility” accommodations. We use accessibility accommodations all the time, but call them conveniences, safety measures, or just common sense. We (we?) need to give this topic more time, and one of us (us?) will be too busy over the next month.

So, we talked about passwords and password managers. Most people (yes, most) have terrible passwords and terrible password management. Password managers are designed to do exactly what the name suggests: keep track of your passwords. Newer ones go beyond this basic task to also critique your passwords (“Sorry, but ‘password’ is a terrible password”), and tell you when you’ve reused passwords (“You’ve used ‘Yevette’s Secret’ six times already!”), and tell you when passwords have been compromised (“Every password you’ve ever used on Yahoo has been hacked”).

Because we (we?) are cheap and don’t want to buy a password manager just for demonstration, or show off our own passwords (nope), most of the presentation will be on the password manager that comes with your Mac, Keychain Access, plus the password manager built into Safari.

Q&A

Experiment with Zoom Whiteboard

iPhone slow download speed – distance from the cell tower affects this; cellular traffic may saturate bandwidth; news companies’ video is now on YouTube, which can be busy; the iPhone may not be on the home network, or the home network may be slow, which is complicated to troubleshoot; check General Settings to see how much space is available on the iPhone, since being short on storage space slows the iPhone down

If you move out of state, can a person maintain SMUG membership? There will be a few in-person sessions for things that cannot be done on Zoom; we will continue Zoom for things that do not require rebooting a machine; Lawrence is a member of Washington Apple Pi and attends its Saturday 6 am PT meetings once a month

Automatic updates – are there days of delay between the time of release and when the update becomes available?

If you know an update is available, you can force the update; releases for automatic update are staggered since 2 billion devices need to be updated, so it takes 2-3 days if you do not prompt for it; do not turn off automatic updates – it is a good idea to turn them on; Apple pushes out profiles of things with bad behavior so they are not allowed, independent of other types of updates; it is more secure to stay updated; a machine that is turned off will not receive automatic updates, so leave it on all night 1-2 times a week to get the updates

Astound is Wave Cable under new management, no change in how well it provides service (pained cries of anguish)

How to get the weather for the local area? On iPhone, the iOS 13 weather app was purchased from Dark Sky; go into preferences to set it for local weather; it sets the preference to the local location and then the app drops the preference – an old iOS means no current support; the Dark Sky app shows local weather and has a wonderful interface; the older app, based on Weather.com, was sold to IBM and its performance degraded; do not pay for a weather app, since the data comes from NOAA and belongs to the public

Music downloaded from a site – how to remove it from a computer? If downloaded from the Apple App Store or Amazon, the download is put into the iMusic directory by default; use Spotlight to find a title in .MP4 or .MPA format; if downloaded from a site, the file may be in the Downloads folder or a Music folder

Business meeting

President Sabrina

Lawrence is back from vacation with his 4-year-old granddaughter

The Library is resuming in-person meetings; the Library meeting room is reserved for September for a demonstration, but it is not clear what people will be willing to do at that time – it depends on the risk level; we could move to the fellowship hall at Trinity UMC for more space

Zoom during winter, when the sun goes down before the meeting is over and when the weather is a barrier to driving

Potential SMUG Community service offering: Computer Literacy for Seniors – what devices are capable of; Mac and PC; hold on a Saturday afternoon in a larger space

Alternative – half of the year meet in the morning, half of the year meet in the evenings

Variety of Zoom and in-person options

SMUG $1,762.62 balance – Church room rental estimated at $60 for Fellowship Hall; may waive this for a community event

Passwords and Password Managers

Slides from meeting:

Passwords on Phone:

4-digit PIN: 10K combinations – a fraction of a second to break

6-digit PIN: 1M possible combinations – still a fraction of a second, so Apple has created an option that bricks the phone after 10 successive failures to type the correct PIN

8-character passwords (upper and lower case letters, numbers, etc.): 208 billion tries to break, vs. 15-character passwords: 4.63 octillion tries. Using upper and lower case takes longer to break, and special characters increase security even more since they are much harder to break; longer is more secure – try memorable phrases for long passwords, for example:

Jonathan Swift invented Yahoos

Sequin is obsessed with lavender

This way to the Irrigation Festival
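An added example (not from the meeting or its slides): a short Python calculator for the search spaces quoted above, turning each into a worst-case time at an assumed rate of 10^10 guesses per second; it also goes slightly beyond the slides by estimating a six-word passphrase against an assumed 20,000-word vocabulary and reporting bit strength.

```python
import math
import string

# Assumed offline guess rate (illustrative only; the notes just say "a fraction
# of a second" for PINs, and real rates depend on how the site hashes passwords).
GUESSES_PER_SECOND = 10 ** 10

# Symbol-set sizes for the cases in the slides: PIN digits, lower-case letters,
# letters plus digits, and all 95 printable ASCII characters (specials and space).
ALPHABETS = {
    "digits": len(string.digits),                                 # 10
    "lowercase": len(string.ascii_lowercase),                     # 26
    "letters+digits": len(string.ascii_letters + string.digits),  # 62
    "printable": len(string.digits + string.ascii_letters + string.punctuation + " "),  # 95
}

def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of `length` symbols drawn from `alphabet_size` choices."""
    return alphabet_size ** length

def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate

def human_duration(seconds: float) -> tuple:
    """Scale a duration to the largest convenient unit, as (value, unit)."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return seconds / size, unit
    return seconds, "seconds"

def passphrase_keyspace(words: int, vocabulary: int) -> int:
    """Search space of a phrase of `words` words from a `vocabulary`, assuming the
    attacker knows the word list, so only the choice of words counts."""
    return vocabulary ** words

def bits_of_entropy(space: int) -> float:
    """Equivalent bit strength of a search space (log2 of the candidate count)."""
    return math.log2(space)

if __name__ == "__main__":
    for name, length in (("digits", 4), ("digits", 6), ("lowercase", 8), ("printable", 15)):
        space = keyspace(ALPHABETS[name], length)
        value, unit = human_duration(seconds_to_exhaust(ALPHABETS[name], length))
        print(f"{length:2d} x {name:14s}: {space:.3g} candidates, ~{value:.3g} {unit} "
              f"to exhaust ({bits_of_entropy(space):.0f} bits)")
    # A six-word phrase such as "This way to the Irrigation Festival", drawn from an
    # assumed 20,000-word vocabulary, is about as strong as a 13-character random password.
    phrase = passphrase_keyspace(6, 20_000)
    print(f"6-word phrase: {phrase:.3g} candidates ({bits_of_entropy(phrase):.0f} bits)")
```

Note that 26^8 is the 208 billion figure from the slides, so that number corresponds to eight lower-case letters only; adding upper case and digits (62 symbols) raises it to about 2.2 × 10^14.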

Do not set a password that requires several changes of keyboard; use upper and lowercase characters, use spaces; it should be memorable but not tied to you or anything about you

Guideline: For every site, use a different (unique) pass phrase; use a password manager to maintain this

After 10 tries, the iPhone is bricked; no one can get into it; FBI news conference complaining about Apple

Example of the SolarWinds incident: auditors wanted an easy way to monitor machines, but “easy” was also a vulnerability

Example of target population: if a hacker breaks into the IRS due to a simple password and compromises tax returns, the hacker can take over the identity of millions of people, and take out loans, raid bank accounts, etc.

1Password demonstration – gives critique of password and site security; have this on every device and synced through iCloud; stores many kinds of information (e.g., SSN)

Demo of 1Password with screenshots of various messages. Note the circular icon on the right that rates the password

Terrible password warning (screenshot)

Very good password but re-used warning (screenshot)

Unsecured Website flag (http://) (site should be https://) (screenshot)

Two-Factor Authentication Available (screenshot)

Vulnerable, terrible password (screenshot)

Fantastic password (screenshot)
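An added example (not 1Password’s code, nor from the meeting): a Python audit over a constructed vault that raises the same kinds of flags shown in the screenshots (unsecured http site, short password, reuse, and a password found in breach data). The sites, user names and breach list are made up; the prefix check imitates the k-anonymity range query that the Have I Been Pwned password service uses, so a real check would send only the 5-character hash prefix.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample vault (fictional sites and user names; the passwords echo the
# slides' examples). Real vaults are encrypted; this is a plain list for illustration.
VAULT = [
    {"site": "https://bank.example", "user": "kc", "password": "Jonathan Swift invented Yahoos"},
    {"site": "http://forum.example", "user": "kc", "password": "password"},
    {"site": "https://shop.example", "user": "kathleen", "password": "Yevette's Secret"},
    {"site": "https://mail.example", "user": "kc", "password": "Yevette's Secret"},
    {"site": "https://news.example", "user": "kc", "password": "Sequin is obsessed with lavender"},
]

# Constructed stand-in for a breach corpus: SHA-1 hashes of a few well-known leaked
# passwords. A manager checks against such data by hash prefix so the password itself
# never leaves the device (the k-anonymity range query used by Have I Been Pwned).
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "123456", "qwerty")}
MIN_LENGTH = 15  # the slides' recommended minimum for a laptop login

def sha1_prefix_query(password: str) -> tuple:
    """Split the SHA-1 into the 5-hex-char prefix that would be sent and the kept suffix."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

def is_breached(password: str) -> bool:
    """Compare locally against every breached hash sharing the prefix (simulated range response)."""
    prefix, suffix = sha1_prefix_query(password)
    matching_suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in matching_suffixes

def audit(vault: list) -> list:
    """Return (site, finding) pairs mirroring the flags a password manager raises."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    findings = []
    for entry in vault:
        site, pw = entry["site"], entry["password"]
        if urlsplit(site).scheme != "https":
            findings.append((site, "unsecured website (not https)"))
        if len(pw) < MIN_LENGTH:
            findings.append((site, f"short password (under {MIN_LENGTH} characters)"))
        if len(sites_by_password[pw]) > 1:
            findings.append((site, f"password reused on {len(sites_by_password[pw])} sites"))
        if is_breached(pw):
            findings.append((site, "password appears in breach data"))
    return findings

if __name__ == "__main__":
    for site, finding in audit(VAULT):
        print(f"{site}: {finding}")
```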

1Password is an annual subscription; highly recommended, easy to use, and it can be set up in a way that makes sense to the user

LastPass – in its first year it got hacked and information was stolen; much improved since then

Two-Step (Two-Factor) Authentication

Enter user name, enter password, then the user is sent a code to the registered phone (or may designate another device) to enter

Apple offers this for Apple ID; a new Mac knows if you have an iPhone, and the user will be asked to enter the code sent to the iPhone; Google uses two-factor authentication; an Apple Watch can be used to log in to a desktop computer

Apple – silently sends information about bad websites (XProtect); Safari will not allow you to go to a known hacked website (e.g., Russian sites stealing credentials)

Keychain Access – on computer, Spotlight can find it (Cloverleaf command key and space bar is the shortcut to bring up Spotlight)

Navy Federal Credit Union has very good security; it will offer to send a code to phone, text, or e-mail

Use of Keychain to let a program set a password – on the iPhone you cannot see what it is the way you can query it on a Mac; cryptic list: login, local, system, system roots; the shortcut is to hold down the command key and then press the space bar; Keychain can be put on the dock; Keychain can create a secure note as a local item and sync it to iCloud and all devices

System roots – certificates for commonly used sites; the computer sends the password as a complex number formed from user name + password, so make the user name less common; it sends a certificate for the type of program + user name + password as a long stream of numbers; the receiving site recognizes the certificate and matches it in order to let the account in

login – account

Local items – things stored on the computer; Get Info can show the password for the account if you enter the computer password to give Keychain Access access to this information

Username may be different for different accounts

macOS is built on UNIX; the computer considers itself to be a user called root. If you have admin rights, you can access this. Apple does not allow you to log in to an account as root, so you cannot get into other accounts on a machine – you used to be able to do this until about 15 years ago

Monterey – Apple ID – iCloud (sync Keychain, mail, contacts, calendar; not photos unless purchase extra storage; may need extra space for mail if you have a large volume)

iPhone 6 – end of life

iPhone X and up have a security chip to protect from people trying to break in, and get automatic updates

Switching from Keychain to 1Password is manual; keep both. If set up using Keychain (which runs all the time), the password will be stored automatically when creating an account. Keychain on the desktop is different; on iOS, you get Safari Web passwords

Use of biometrics – the appropriate password is used after confirming by fingerprint who is asking to share the password; the password is the backup when the touch interface is not working

Admin password – do not lose this; keep it in 1Password so you have it wherever you are on any device you have with you; example of a password not being recognized – it might be too short or too long, or might not match what you thought you entered – a space or something else because something is touching the keyboard; keyboard errors are more likely in winter due to static; an electrical impulse can add to the password without the user knowing

Most common mistake – using the same password for more than one account; if one account is hacked and you reused that password, hackers have access to multiple accounts; Yahoo has released over 1 billion accounts to hackers on two different occasions; Yahoo has had three owners in the last 4 years

Keychain is free; part of macOS and iOS

1Password is a subscription – has more safety features

Go into a store and start a new account, then want to get rid of it; how to delete it? Log in, go to the account, delete the account; dormant accounts are a risk – if a hacker gets access to one, they can do a lot of damage to your reputation by pretending to be you; go into the profile to delete an account

Unsubscribing from spam only confirms you are a real person; do not do this; mark it as spam to train Apple Mail and Google Mail, and they will send it to the Spam folder and increase the spam score for that sender; you need to provide feedback

Unsubscribing from known sources is fine

Can decrease the amount of e-mail from a merchant by specifying a digest

Went to a site and was not allowed to automatically save the created password; mid-range vendors hard hit by robots have increased security by preventing stored passwords from being used; they want the user to type the password

Remember this password – it will auto-fill and log in based on what is stored

Safari – Preferences has a new “Passwords” feature which flags easily guessed passwords and stores the Web passwords (you can delete them); it is different from Keychain; when changing an old password to a new one, it will grade how secure the new password is

Laptop – needs a very secure password; since it is small and portable, it is easily stolen; 15-20 character passwords are essential

Local desktop – does not have to be as secure; if you forget the password, after 3 guesses the Mac adds a delay which doubles every time you try

Autofill only remembers the last one that is successful; Keychain will list changed passwords; it cannot print

Next meeting

June – Apple TV is a $149.00 device; the YouTube TV account is charged monthly to Google, not WAVE/Astound or Comcast; unlimited recordings; think about how to demo; can add HBO+ or another service; can get a TV with this built in

July – Accessibility

August – WordPress to run the Website; manage using a Web browser

Q&A

Gmail problems – opens with blank content and then fills in after several minutes; this is a bandwidth issue, since it must have all the information before it fills in the screen

Pass the Net Neutrality Act to get better service from ISPs