Your password will be… Think you can remember that?
My first problem is with the passwords themselves. They all follow the same pattern of four groups of letters or numbers, separated by dashes. If I were a hacker and could tell that the password was fifteen characters long, my first guess would be that the fourth, eighth, and twelfth characters were all dashes. And, of course, some sites don’t accept the passwords.
I recently ran into another problem. I signed up for Duolingo.[1] After talking with a friend who uses the site to improve her German, I decided to check it out to improve my French (my French is good, but it certainly could be better). I signed up and used, on the suggestion provided by Safari, a Keychain password. Because of the statement:
“This password will be saved in your iCloud Keychain so it is available for Autofill on all your devices.”
I assumed that should I log on to Duolingo with my iPad, my password would be there. And just in case I wasn’t already likely to use my iPad for this, the friendly
Later that day, over dinner I decided to look at the Duolingo app.[2] I launched the app and it wanted my login. I entered my login name and waited for the password to fill in. Okay, that’s not how I expected it.
I am not blameless in this. I (unintentionally) set up a number of roadblocks to using Keychain on both my Mac and my iPad. It isn’t on automatically on your iPad. Further, to make sure that you’re not hijacking the Keychain (even though it is tied to an Apple ID), you have to authorize your device after you turn on Keychain. There are a couple of ways to do this, but the “send a text to this number” didn’t work because I had mis-entered my phone number on Keychain’s settings. Damn. I couldn’t revise my phone number on the iPad, because I hadn’t authorized it yet.
When I went to my Mac to change the number, it wanted me to prove it was really me by authorizing this with another device, although all it wanted was my iCloud password (which is not one of those set up by Keychain; more I will not say).
After all these things, I re-opened the Duolingo app, entered my username, and waited. Then I quit the app, opened it again, and tried with my e-mail address, and I waited. Finally, I went to my Mac, reset my password, and logged in.
It turns out that the autofill stuff isn’t necessarily all that available. Application developers have to add Keychain access to their programs. If they didn’t do it, the app can’t get your password. But then again, neither can some websites. I went to the Duolingo site on my iPad (using Safari) and entered my username. No dice. It’s a good thing I can remember that one.
Like the Heartbleed[3] crisis of a few months ago, this is a good reminder that there’s a need to manage passwords. Unfortunately, stuff that’s secure isn’t going to be simple, stuff that’s simple probably won’t be secure, and (alas) stuff probably can be neither simple nor all that secure. This would certainly make me think twice before letting Safari and my Mac turn my Facebook password into a series of three letter groups separated by dashes.
You can follow my blog on Twitter (@impofthediverse) or on Facebook.