Database breaches, phishing scams and emerging artificial intelligence tools have made simple passwords passé as a way of protecting online accounts — but you still have ways to shore up your defenses.
First, you need to be proactive with longer, unique passwords and extra layers of protection. A password manager app can help, and it’s far more secure than keeping your credentials in your Notes app or written down.
Password managers can also store passkeys, a more secure way of logging in that’s intended to replace passwords altogether. Here’s a quick introduction to it all.
Password Managers
Apps and web browsers that encrypt all your passwords behind one master password have been around for decades, but Apple Passwords and Google Password Manager for Android and web browsers are relatively recent — and free. Check your home screen for a Passwords icon, or command your virtual assistant to find it. The app requires your PIN or biometric data (a fingerprint, eye or face scan) to open.
Keep in mind that having all your passwords on a device that can be stolen is a security risk of its own, since the passwords themselves can be taken if someone knows your lock-screen PIN code. Turn on Apple’s Stolen Device Protection feature in the iOS settings, or Google’s Identity Check and other theft protection tools in the Android settings, for added protection.
Both the Apple and Google apps are intuitive and can automatically generate long, unique passwords when you are creating or updating an account. The apps save passwords (and passkeys) in one place and automatically supply your credentials when you log into a site. The apps warn you if any of your passwords are weak or have been compromised in security breaches. User guides are on the Apple and Google sites.
Apple Passwords also works with the iCloud Keychain service, which encrypts and synchronizes login credentials across Apple devices connected to the same Apple account. Windows-based PCs can tap into the passwords via Apple’s iCloud for Windows software, and a Google Chrome browser extension is available.
Google Password Manager works in much the same way for Google Accounts on different devices. For those not using Android, the password manager in Google’s cross-platform Chrome browser works similarly.
Samsung Galaxy owners also have Samsung Pass, which uses biometric information to log into accounts. It works on Samsung products and does not include a password generator, but integrates with the Samsung Wallet app.
But if you want a password manager with its own password, document storage and more flexibility across devices, subscription solutions are available. Wirecutter, a product-review site owned by The New York Times, recommends the 1Password ($48 annually) and Bitwarden ($20 annually) apps.
As passwords have shown their vulnerability, many websites have added two-factor authentication to the sign-in process. This involves the short numeric codes typically sent as a text message to your phone.
You can voluntarily add two-step verification in the settings for many types of accounts, and you can ask for alerts that show when you have signed in. For additional security, many experts recommend that you set up and use a separate authentication app to get your code instead of receiving it by text message. Wirecutter recommends Authy and Google Authenticator. Microsoft also makes an authenticator app.
The Passkey Revolution
With passwords proving a weak link in the security chain, a new standard for authentication has emerged: passkeys. (Note that passkeys are different from USB-based hardware security keys, which are another method to authenticate accounts.)
Instead of relying on alphanumeric characters, a person using a passkey logs into an account with unique biometric data or a PIN code. It’s like unlocking your phone, and you don’t have to rely on a password, or risk having it stolen. To work, passkeys rely on sophisticated cryptography between your device and the site you’re using.
Apple introduced passkeys for the iPhone and other devices in 2022, and Google began rolling out passkeys for its accounts in 2023. Samsung and Microsoft also support passkeys. While the technology is still nascent, the list of those using passkeys is growing and currently includes Amazon, eBay and PayPal.
If a site supports passkeys, it may prompt you to set one up the next time you log in. You can also check your account’s password and security settings for a passkey option. The steps for setting up the passkey can vary depending on your software and hardware, but onscreen instructions will guide you.
To prevent hackers from exploiting account-recovery tools, Google advises keeping two-step verification enabled. Microsoft recommends removing old password-reset methods from your account settings.
Many password managers also store passkeys now. Some even let you know when you can upgrade from a password to a passkey for an account — which is a nice thing if you’re weary of worrying about passwords.
J.D. Biersdorfer has been writing about consumer technology for The Times since 1998. She also creates the weekly interactive literary quiz for the Book Review and occasionally contributes reviews.
The post Tired of Hacked Passwords? Help Is on the Way. appeared first on New York Times.




