Why storing passwords on iOS is UNSAFE!

I came across this tweet earlier this week from @BrentLindeque, who shared a story about a friend of his who had her bank accounts cleaned out after being robbed of her iPhone.

The guys who stole the phone forced her to give them the PIN code to the phone. Usually this wouldn’t be an issue, because most of the newer iPhones are “protected” by facial recognition, right?

But a while back Apple released an update which detects that you’re wearing a mask (yay, thanks Covid) and immediately prompts you for the passcode instead. See the problem?

One of the other newer features of iOS is that it can save all your passwords on the device (they live in the Keychain and are listed under Settings). You are prompted when signing into an app or website and asked whether you want to save the password. To view the full list you have to authenticate with Face ID or Touch ID, and if that fails, for instance because you’re wearing your Covid mask, YOU HAVE TO PUT IN YOUR PASSCODE. That passcode then exposes every single password on your phone!!

This is the real weakness: the device passcode is the fallback for every biometric check on the phone, so someone who gets your phone and knows your passcode inherits access to every single one of your saved passwords.

So, how do we fix this? 3 quick suggestions:

  1. Delete the passwords saved on the device. Yes, it’s a nice-to-have, but a dedicated password manager like LastPass or 1Password is a better home for them: the vault is protected by a master password AND 2 factor authentication rather than by the phone’s passcode. One check worth doing: if the manager app unlocks with Face ID, confirm that its fallback is the master password and not the device passcode, otherwise you are back where you started.
  2. Enable 2 factor on everything. More and more sites offer 2 factor authentication with apps like Authy or Google Authenticator, and hopefully all sites will soon. One caveat: if the second factor lives on the stolen phone (SMS codes, or an authenticator app that opens once the phone is unlocked), a thief who has the passcode has that factor too. Prefer an authenticator that locks with its own separate PIN, or a hardware security key.
  3. Change your 4 digit PIN to a 6 digit PIN or, better, an alphanumeric passcode (iOS has defaulted to 6 digits since iOS 9, but anyone who picked the 4 digit option still has 4). A four-digit PIN gives 10,000 possible combinations, a six-digit PIN one million. Keep in mind, though, that the size of the keyspace only matters against guessing, which iOS already throttles; in the story above the passcode was simply demanded, so a passcode that is hard to shoulder-surf and that you avoid typing in public is the bigger win.
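
The keyspace numbers from suggestion 3, generalised to other passcode types and paired with a check for the patterns a thief (or a shoulder-surfer) would try first, as an added Python example that is not from the original post. Everything in it is an assumption for illustration: the character-set sizes are the plain digit and letter counts, and COMMON_PINS is a small constructed list, not a real frequency dataset.

```python
import math

# Character-set sizes for the passcode types iOS offers. Constructed for
# this example: digits only, or letters plus digits. iOS also allows
# symbols in a custom alphanumeric code, which would only enlarge the set.
CHARSETS = {
    "numeric": 10,        # 0-9
    "alphanumeric": 62,   # a-z, A-Z, 0-9
}


def keyspace(kind, length):
    """Number of distinct passcodes of the given type and length."""
    return CHARSETS[kind] ** length


def entropy_bits(kind, length):
    """Keyspace expressed as bits, assuming a uniformly random choice."""
    return length * math.log2(CHARSETS[kind])


# Tiny illustrative list of PINs people pick disproportionately often.
# Constructed for this example; a real checker would use a large list.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777",
               "123456", "111111", "000000"}


def _is_sequence(digits):
    """True for runs like 1234 or 9876 (every step is +1 or every step is -1)."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def weak_reasons(passcode):
    """Return the reasons a passcode is an easy guess; empty list if none apply."""
    reasons = []
    if passcode in COMMON_PINS:
        reasons.append("common")
    if len(set(passcode)) == 1:
        reasons.append("repeated digit")
    if passcode.isdigit() and _is_sequence(passcode):
        reasons.append("sequence")
    # Birth years are a popular 4-digit choice; the range is an assumption.
    if passcode.isdigit() and len(passcode) == 4 and 1900 <= int(passcode) <= 2030:
        reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    for kind, length in (("numeric", 4), ("numeric", 6), ("alphanumeric", 6)):
        print(f"{kind:13}{length}: {keyspace(kind, length):>15,} "
              f"({entropy_bits(kind, length):.1f} bits)")
    for candidate in ("1234", "0000", "1987", "7392"):
        print(candidate, weak_reasons(candidate) or "no obvious pattern")
```

The keyspace figures show how much a move to alphanumeric buys against guessing, but the more useful output for the scenario in this post is `weak_reasons`: the passcodes it flags are also the ones a bystander remembers after a single glance over your shoulder.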

I know this is only a small part of security, and most of us will never face the horrendous ordeal the lady in the story above went through, but it is still rather scary how easy it is to lose almost everything once someone knows a 4 digit PIN code!!