Apple is killing the password

For years, we’ve been promised the end of password-based logins. Now the reality of a passwordless future is taking a big leap forward, with the ability to ditch passwords being rolled out for millions of people. When Apple launches iOS 16 on September 12 and macOS Ventura next month, the software will include its password replacement, known as passkeys, for iPhones, iPads, and Macs.

Passkeys allow you to log in to apps and websites, or create new accounts, without having to create, memorize, or store a password. This passkey, which is made up of a cryptographic key pair, replaces your traditional password and is synced across iCloud’s Keychain. It has the potential to eliminate passwords and improve your online security, replacing the insecure passwords and bad habits you probably have now…

If you are new to an app or a website, there’s the potential that you can create a passkey instead of a password from the start. But for services where you already have an account, it’s likely you will need to log in to that existing account using your password and then create a passkey.

Apple’s demonstrations of the technology show a prompt appearing on your devices during the sign-in or account-creation phase. This box will ask whether you would like to “save a passkey” for the account you are using. At this stage, your device will prompt you to use Face ID, Touch ID, or another authentication method to create the passkey.

As Apple’s passkeys are based on the wider passwordless standards created by the FIDO Alliance, there’s the potential that they can be stored elsewhere, too. For instance, password manager Dashlane has already announced its support for passkeys, claiming it is an “independent and universal solution agnostic of the device or platform.”

RTFA for all the instruction you’ll need to begin using passkeys. Time for another change that makes using the Web easier.

Phew!

Attention tourists entering USA — Your social media accounts are subject to inspection


Meet your tour guides

The federal government is taking another step it says would make the US homeland safer from terrorism. US border authorities are proposing that millions of tourists entering the country each year reveal their social media identities…

Here’s what will be asked: “Please enter information associated with your online presence — Provider/Platform—Social media identifier.” This field doesn’t call for additional information such as passwords, but it’s likely to yield many if applicants aren’t paying attention and overshare…

The agency said the form travelers fill out enables “the Department of Homeland Security (DHS) to perform its mission related to the screening of alien visitors for potential risks to national security and the determination of admissibility to the United States.”

The proposal comes six months after President Barack Obama signed the Visa Waiver Program Improvement and Terrorist Travel Prevention Act of 2015 that added other questions to US-bound travelers. The form now asks applicants about which countries they’ve been to after March 1, 2011. It also asks which countries they are nationals or citizens of and for which nations they have passports and Global Entry codes.

Some of Donald Trump’s police state scenario doesn’t sound especially out of line with what our government has decided is already acceptable protocol for entering the Land of the Free. Anyone giving odds on whether the answers go automagically to the NSA and FBI? Or not.

Delhi Police don’t respond to complaint hotline for eight years — say they lost the password!

Police in India have failed to act on hundreds of corruption complaints over an eight-year period because they did not know a computer password, it seems.

Delhi officers could not operate a portal holding more than 600 complaints – a lapse that has gone undetected since 2006, the Indian Express Newspaper said. The complaints came from India’s anti-corruption agency, called the Central Vigilance Commission.

But two senior police officers have now been trained in the system, and can access the 667 cases that have piled up since the portal launched. One officer told the paper the oversight was “a technical problem”, and complaints are now being addressed…

Despite the confusion, police in Delhi “remain committed to public grievances”, a senior officer told the Indian Express.

Um, OK.

So much for Constitutional protection — judge orders woman to give up password to hard drive

Phil DuBois defended Phil Zimmermann & PGP against the Feds

American citizens can be ordered to decrypt their PGP-scrambled hard drives for police to peruse for incriminating files, a federal judge in Colorado ruled today in what could become a precedent-setting case.

Judge Robert Blackburn ordered a Peyton, Colo., woman to decrypt the hard drive of a Toshiba laptop computer no later than February 21–or face the consequences including contempt of court.

Blackburn, a George W. Bush appointee, ruled that the Fifth Amendment posed no barrier to his decryption order. The Fifth Amendment says that nobody may be “compelled in any criminal case to be a witness against himself,” which has become known as the right to avoid self-incrimination.

“I find and conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Blackburn wrote in a 10-page opinion today. He said the All Writs Act, which dates back to 1789 and has been used to require telephone companies to aid in surveillance, could be invoked in forcing decryption of hard drives as well…

Which is about what I’d expect from a fossil appointed by a tool.

Colorado Springs attorney Phil Dubois, who once represented PGP creator Phil Zimmermann, now finds himself fighting the feds over encryption a second time.

“I hope to get a stay of execution of this order so we can file an appeal to the 10th Circuit Court of Appeals,” Ramona Fricosu’s attorney, Phil Dubois, said this afternoon. “I think it’s a matter of national importance. It should not be treated as though it’s just another day in Fourth Amendment litigation.”

Today’s ruling from Blackburn sided with the U.S. Department of Justice [and Homeland Insecurity, the TSA and just about every Brown Shirt in the Kool Aid Party] which argued, as CNET reported last summer, that Americans’ Fifth Amendment right to remain silent doesn’t apply to their encryption passphrases…

The question of whether a criminal defendant can be legally compelled to cough up his encryption passphrase remains an unsettled one, with law review articles for at least the last 15 years arguing the merits of either approach…

Many principled Americans have confronted the threat of contempt of court in the course of defending civil rights and civil liberties hated by the least principled segment of American jurisprudence and politics. Opportunism governs the mindset of small-minded bureaucrats — whether the question is one of war and peace or privacy and testimony.

I don’t expect them to change. I’m not about to start cooperating, either.

Wi-fi owner fined for lack of security

German citizens are responsible for the security of their own private wireless connections, a court has ruled.

The ruling comes after a musician sued the owner of a network connection that had been used to illegally download and file-share music.

The owner had proof that the householder was on holiday at the time but the court ruled that the network should have been password-protected.

The court’s verdict was that the owner could be fined up to 100 euros. “Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation,” the court in Karlsruhe said.

While it did not find the owner guilty of actual copyright violation the ruling was that the person must take a degree of responsibility for their connection being used to break the law…

“Even if there isn’t a legal issue, there could still be an issue if your broadband provider or package has a limit on how much you can use your connection or terms and conditions about how it should be used.”

Har!

Good thing we needn’t worry about this happening in the GOUSA. Americans aren’t responsible for anything, you know.

Easy login plans gather pace among heavy hitters on the Web

Plans for a system that would allow people to use one username and password across the internet have moved closer with a number of popular sites agreeing to the scheme in recent weeks.

Earlier this month Facebook became the most recent site to sign up to OpenID, joining the board of the scheme that provides users with a single digital identity which can then be used across many websites.

Microsoft and Google were early adopters of the single sign-on scheme, and have since been joined by the likes of AOL, Yahoo, IBM and PayPal. “The idea is that just as you can use e-mail anywhere on the web to sign up for a new service, you should be able to do the same thing with an Open ID – but without having to create a new password,” Chris Messina, an Open ID board member, told BBC.

He admitted that the risk of what would happen if Open ID got hacked was “a very good question” – but added that the risks in the current system are even greater.

It is also hoped that the Open ID system will reduce people’s vulnerability to phishing scams, as they will not be typing in their username and password into a fake website set up to get their personal details.

Interesting enough to me that I think I’ll give it a try.

San Francisco mayor secretly visits jailed admin – gets password

The man held in jail accused of launching a cyber coup against San Francisco gave up the passcode to the city’s computer system during a secret prison visit by mayor Gavin Newsom.

Terry Childs, a 43-year-old computer technician with the city, had allegedly blocked access to a new computer system. He was arrested at the weekend and held on $5m bail.

But following a press conference at which Newsom said Childs was “very good at what he did” but had become a “bit maniacal”, the technician’s lawyer contacted the mayor’s office to arrange a meeting.

Without the knowledge of police or his own city attorney’s office, which is prosecuting Childs, Newsom visited the technician and the password was divulged.

A spokesman for the mayor said that he, “figured it was worth a shot, because although Childs is not a Boy Scout, he’s not Al Capone either”.

Probably not any loonier than the average network administrator, either.