Posts

Don’t Assume That Top Google Search Results Are Guaranteed Safe

/in /by

We hate to encourage paranoia, but all is not well with Google Search. Recently, we’ve heard of multiple instances where people were nearly taken advantage of due to relying on the top result in a Google search. In one case, a user called a purported HP support phone number directly from the search results but ended up speaking with a scammer. In another, a user thought they were downloading the latest version of Dropbox but got malware instead. In neither case could we reproduce the error, but they may have resulted from “SEO poisoning,” a malicious technique in which cybercriminals manipulate search engine optimization (SEO) strategies to elevate harmful websites in search results. In short, don’t assume that a site at the top of Google search results is guaranteed safe when downloading software or contacting a company. It’s best to navigate directly to a company’s official website before trusting that corporate information and software downloads are legitimate.

(Featured image based on an original by iStock.com/Armastas)

Social Media: You know that the phrase “I read it on the Internet, so it must be true” is absurd, but you should extend that skepticism to Google search results. We’ve seen two recent instances of malicious content bubbling to the top of searches. Trust but verify.

Security Precautions to Take While Traveling

/in /by

When we think about digital and device security, we mostly think about the fixed locations where people spend most of their time—home, school, and work. But what about when you’re traveling? Some security concerns remain the same when you’re on the road, but new ones crop up.

We’ll assume that you already keep your devices up to date, use FileVault on Macs, have at least a six-digit iOS passcode, have strong password habits, and use multi-factor authentication wherever possible. Other options are more specific to travel.

As with our more general article about increasing security last month, we’ve divided our list of suggestions into two parts: things that everyone should do and measures that only people who worry about being specifically targeted should employ.

Sensible Travel Security Precautions for Everyone

These suggestions are appropriate for everyone who travels, and they’re aimed primarily at avoiding relatively common problems: loss, theft, data loss, and generalized snooping:

  • Focus on physical security: As a tourist, you may be targeted by thieves, so it’s important to keep your iPhone in a secure pocket whenever you’re not using it. Carry an iPad or laptop in a bag that can’t be snatched, or leave them locked or at least concealed in your hotel room.
  • Enable Find My for all your devices: You should have already done this, but if not, enable Find My to improve your chances of finding a device you lose or accidentally leave behind. It might help if the device is stolen, but local police cooperation for recovering stolen items can vary widely. Don’t attempt to recover a stolen device yourself.
  • Put AirTags in your luggage and laptop bags: AirTags can help you track down lost luggage—you can now share their locations with airlines—and prevent you from accidentally leaving bags behind. An AirTag may also help with locating a stolen item, but always work with local law enforcement.
  • Enable biometric authentication and Stolen Device Protection: Using Face ID or Touch ID wherever possible and having Stolen Device Protection enabled on your iPhone in Settings > Face/Touch ID & Passcode is even more important when traveling.
  • Use a VPN or iCloud Private Relay: Because you may be using Wi-Fi networks whose security you know nothing about, it’s best to use a VPN like Mullvad VPN, NordVPN, or ProtonVPN to encrypt all your traffic. At a minimum, use iCloud Private Relay, which requires an iCloud+ subscription and won’t encrypt traffic from most non-Apple apps.
  • Use iCloud Photos or another backup option: To ensure you don’t lose precious vacation photos, use iCloud Photos so all your photos are uploaded to the cloud whenever you have access. This will almost certainly require an iCloud+ subscription for sufficient storage space. If Wi-Fi and cellular are too slow or unavailable, consider an external SSD to which you can manually export photos and videos for backup. To speed up the process, you could create a shortcut that automatically copies all photos taken that day.
  • Use iCloud Backup: It’s best to use iCloud Backup to back up your entire iPhone every night. That way, if your iPhone is lost or destroyed, you may be able to buy a replacement and restore from backup in relatively little time. You will probably need an iCloud+ subscription to have enough backup space.
  • Practice dealing with a lost or stolen device: If the worst happens and you lose one of your devices while traveling, you need to know what to do. Immediately go to Find My on another device or iCloud.com and mark the device as lost. If there’s a chance of getting it back, stop there. However, if you believe the device was stolen, your data is at risk, and tracking it is no longer useful, use Erase This Device in Find My to wipe it. Activation Lock will remain enabled to prevent anyone from reusing the device.

Increasing Travel Security for People Who May Be Targeted

Not all travel is fondue and gamelans. If you’re a journalist, activist, government employee, or corporate executive with access to sensitive data, you could be a target while traveling. This is particularly true if you are headed to countries like China, Russia, or others with authoritarian governments and powerful intelligence agencies. Along with the suggestions above, we recommend:

  • Be aware of local laws and government practices: It’s important to read up on regional laws regarding data access and potential government capabilities at your destination. Knowing what to expect can help you reduce your risks and take appropriate precautions.
  • Use caution with cellular access: Even if your carrier allows roaming, consider using a dedicated eSIM for international travel, separate from your personal one. That way, you can use local cellular networks without revealing your home number. Be aware that your traffic may be monitored.
  • Enable Lockdown Mode: If you’re concerned about your iPhone or iPad being targeted by local law enforcement or government intelligence agencies, turn on Lockdown Mode in Settings > Privacy & Security > Lockdown Mode. To increase security, it blocks most attachment types in Messages, complex Web technologies, incoming FaceTime calls from unknown callers, non-secure Wi-Fi network connections, and incoming invitations to Apple services. Plus, it excludes location information from shared photos, requires approval to connect accessories, and more.
  • Reduce and protect your use of cloud services: While using a VPN is essential, you should still avoid using cloud services much if government entities might have access to stored files. If you need to upload files, encrypt them first using the free and open-source Cryptomator.
  • Know how to disable Face ID and Touch ID: If you find yourself in a situation where you believe you may be compelled to unlock your iPhone or iPad with your face or fingerprint, press and hold the side or top button and either volume button to display the power off slider. This temporarily disables biometric authentication, requiring your passcode for the next unlock.
  • Use dedicated travel devices and accounts: If you’re traveling to a potentially hostile part of the world, we strongly recommend carrying only devices—preferably iPhones or iPads, which are more secure than Macs—configured to contain none of your personal data or regular accounts. Keep them with you at all times, assume they could be confiscated, and be aware you might be compelled to share passcodes or other account information. Create a separate Apple Account for such devices.

Best of luck in your travels! With just a little preparation, you can reduce the chances that something bad will happen during a vacation. If you’re traveling on business to somewhere more concerning, putting in additional effort could prevent truly problematic things from happening.

(Featured image by iStock.com/metamorworks)

Social Media: Security at home is one thing, but what about when you’re on the road? Many of the same precautions apply, but depending on your level of concern and where you’re going, additional techniques can help keep you and your data safe.

Never Save Your Work in These Locations

/in /by

In every job that involves interaction with the public, amusing “Can you believe…” stories about customers abound. They’re often triggered by seemingly reasonable behaviors that experts recognize as problematic. A well-known example from the early days of personal computing is a college student who kept track of his floppy disk by attaching it to his fridge with a magnet, not realizing that magnetic fields could disrupt the disk’s magnetic patterns and corrupt files. The advice from tech support? “Don’t do that.”

No one is sticking floppies to their fridge anymore, but we still occasionally see the modern equivalent: saving data or documents in places that are likely to disappear. Just as you shouldn’t write the only copy of essential information on an easily erased whiteboard, you shouldn’t store important data in any of these locations:

  • Unsaved documents: While autosave is becoming more common, it isn’t universal and often doesn’t activate until a document has been saved for the first time. When you create a new document, always save it right away, before you do anything else. Otherwise, you risk losing all your work if the app crashes, the Mac kernel panics, or the power goes out.
  • Trash: We know, we know! Who would put something in the Trash that they want to keep? But it happens. Don’t do that! On the other hand, there’s also no reason to empty your Trash regularly unless you’re low on space. A good compromise is to choose Finder > Settings > Advanced and select “Remove items from the Trash after 30 days.” This way, you’ll always have a 30-day grace period to recover mistakenly deleted items.
  • Clipboard: Most people know that the clipboard serves as a temporary holding place, overwritten with each new Copy or Cut. However, if you’re unaware of this, you might write something lengthy, use Cut to place it on the clipboard with the intention of pasting it elsewhere, and then forget to do so right away, resulting in data loss on the next use of Copy or Cut. Always paste anything you cut immediately. Many utilities (such as Copy ‘Em, Keyboard Maestro, LaunchBar, Pastebot, and Raycast) provide clipboard history so you don’t lose clipboard data immediately, but you still shouldn’t rely on it persisting indefinitely.
  • Email Drafts mailbox: There’s nothing wrong with starting an email and coming back to it later to finish—that’s the point of the Drafts mailbox. It’s also a sensible way to begin a message on one device and complete it on another. However, avoid storing anything in Drafts for an extended period, and be aware that items there may disappear without warning. (And never, ever store anything in your email Trash mailbox—it will be deleted eventually.)
  • Temporary folders: Thanks to its Unix roots, macOS includes several temporary folders, one located at /tmp and others specific to each user. These folders are cleared regularly, such as when the Mac is restarted, left idle for a long time, or when drive space is low. Storing important data in a temporary folder is a digital version of Russian roulette.
  • Downloads folder: Although the Downloads folder isn’t inherently volatile, it’s unwise to store anything important there. You might forget about that document while tidying up and accidentally delete it, or you might use a cleanup tool in the future that does it for you.
  • USB flash drives: There is nothing wrong with putting files on a USB flash drive. However, avoid storing the only copy of an important file on one, as it is too easy for the drive to be lost or damaged.
  • Public computers, virtual machines, and sandboxed environments: This scenario is unlikely but not impossible. Imagine you’re working on a public computer in a lab and save a file on the desktop. When that computer reboots, it will likely delete all data to return to a fresh state for the next user. The same could apply to a virtual machine used for testing or a sandboxed environment that you log in to remotely.

There are also a few locations that generally aren’t problematic but deserve extra attention due to the higher likelihood of losing data:

  • Third-party app folders in ~/Library: Some apps store their data in folders they maintain within your user account’s Library folder. While this is acceptable for data managed by those apps, we advise against putting anything else in these folders since it’s impossible to know how the app might deal with data it doesn’t recognize during a cleanup or major update.
  • Desktop: It’s fine to work on documents stored on the desktop, but we recommend filing them away carefully when you’re finished. If you frequently move files in and out of your desktop, it’s all too easy to delete something important accidentally. Additionally, if you have iCloud Drive’s Desktop & Documents folder syncing enabled, you might unintentionally delete files from another Mac due to being in a different context.
  • Box, Dropbox, Google Drive, iCloud Drive: Cloud storage services are entirely acceptable locations for important data, but they all offer options that store files only online, downloading them only when necessary. These options may prevent online-only files from being accessible when you’re offline or from being backed up locally. Worse, if you share cloud storage with others for collaboration, they could accidentally delete your data. Be sure to enable any available version history options and ensure everything is backed up locally.
  • External drives or network storage: Many individuals and organizations store essential files and data on external drives and network storage. This approach is perfectly valid, provided that these locations are backed up. When designing your backup system, remember to include your external drives, network servers, and NAS devices. Lastly, if an external drive is encrypted, ensure that you have a backup of both its data and the decryption key.

If you want to avoid all these issues, save your files in your Documents folder and make sure you have a solid backup strategy.

(Featured image based on an original by iStock.com/shutjane)

Social Media: We won’t name names, but we’ve seen too many people saving important data in locations that are likely or even guaranteed to disappear. Here’s a list of places to avoid and another of spots that warrant caution.

When Purchasing a Fireproof Safe, Pay Attention to the Details

/in /by

The devastating losses caused by the Los Angeles wildfires have underscored the need to protect data from catastrophic events. A traditional offsite backup—periodically moving a hard drive to another location—might not have sufficed in areas affected by wildfires, where many structures were destroyed. An online backup using a service like Backblaze or CrashPlan is often a better solution, although it can become costly for multiple Macs, and some individuals and organizations are uncomfortable storing their data online, even with encryption.

What about a safe? Would storing one or more backup drives in a safe provide adequate protection? Possibly, but the details are critical. Some safes are designed solely to guard against theft, focusing on preventing thieves from opening the door. However, paper ignites at 451ºF (it chars around 387ºF), and most house fires reach temperatures between 800ºF and 1200ºF, so you may think that all you need to do is look for a “fireproof” safe. That’s a good start, but paper is actually much more resilient than magnetic and optical media.

Fireproof safes come with ratings that indicate the internal temperature they can maintain, with the most common being:

  • Class 350: Safes maintain an internal temperature of 350ºF, suitable only for paper.
  • Class 150: Safes keep the interior below 150ºF, which should protect magnetic media.
  • Class 125: Safes maintain temperatures under 125ºF, appropriate for optical media.

It is also important to determine how long the safe can maintain that temperature. Generally speaking, a fireproof safe is rated for 1 or 2 hours, indicating it can maintain the specified internal temperature for at least that duration. Time ratings represent minimums, not maximums, so the actual protection time may be longer.

In most cases, the protection time is likely to be longer. That’s because safes are tested in furnaces at temperatures that can be two to three times hotter than the average house fire. For example, Underwriters Laboratory (one of several independent testing labs) conducts tests at 1700ºF or 1850ºF. Additionally, while a house fire may burn for several hours, the average fire will consume everything near the safe within 20 minutes and then move on.

Wildfires are a different story. In extreme conditions, wildfire temperatures can range from 1500ºF to 2200ºF, approaching or exceeding the testing conditions. Wildfires also last longer, so a safe in a destroyed building may remain in embers for hours or even days before it can be recovered.

While temperature over time is the main factor to consider when researching a fireproof safe, also look for two other variables being mentioned as well:

  • Water resistance: Where there’s fire, there’s usually water. Thousands of gallons of water, some of which will undoubtedly affect the safe. Not all fireproof safes are waterproof, so verify whether a specific safe can withstand being doused by firefighters.
  • Impact protection: If the floor collapses, a safe on an upper story could fall a considerable distance. If you are considering such a location, ensure the safe can withstand the impact. To simulate realistic fire conditions, the test may involve withstanding a 30-foot drop onto a concrete floor, followed by reheating.

Finally, remember that if your safe is in a fire, the heat will cause its insulation to swell up, rendering the lock useless, regardless of its type. Typically, you will need to hire a locksmith to access the safe using instructions from the manufacturer.

If you’re going to trust your data to a fireproof safe, do your research to ensure that whatever you buy will meet your needs for fire, water, and impact protection. It won’t be cheap—depending on the size and other factors, a good fireproof safe can cost many hundreds or even thousands of dollars. However, this is one area where you definitely shouldn’t cut corners.

(Featured image based on originals by iStock.com/phive2015 and Hanna Plonsak)

Social Media: If the wildfires in Los Angeles have you considering a fireproof safe to safeguard backups and important documents, make sure to research temperature ratings over time and be mindful of water and impact resistance.

Don’t Listen to Anyone Who Tells You to Drag a Text File into Terminal

/in /by

In macOS 15 Sequoia, Apple made it more difficult to bypass Gatekeeper to run apps that aren’t notarized. (Notarization is one of the ways Apple ensures that apps distributed outside the Mac App Store are unmodified and free from malware.) Cybercriminals have responded to this increase in security with a new social engineering attack. They provide the victim with a disk image, ostensibly to install some desired piece of software, instructing the user to drag a text file into Terminal. Doing so executes a malicious script that installs an “infostealer” designed to exfiltrate a wide variety of data from your Mac. The simple advice here is to treat any guidance to drop a file into Terminal with extreme suspicion—no legitimate software or developer will ever ask you to do that.

(Featured image based on an original by iStock.com/Farion_O)

Social Media: Thing #17 to never do: Follow instructions to drop a text file into Terminal. It’s a great way to install malware and let cybercriminals steal your passwords, financial information, and more.

Website Owners: Identifying Copyright Infringement Link Insertion Scams

/in /by

We regularly warn Internet users about online scams and phishing attacks. Most of these are relatively easy to identify and avoid once you’re aware of telltale signs. Unfortunately, we’ve encountered a newer type of scam that’s more difficult to identify, partly because it plays on fears of legal action.

Website owners are the target of this scam email, which purports to come from a lawyer. The message states that an image on your site has been used without permission. Such a claim is all too believable for many, especially those who may not have been as careful about usage permissions in the distant past as they are today. The message includes a link to the image, a link to the purportedly infringing page, and a threat to initiate legal action if certain actions aren’t taken within five business days

Unusually, the email doesn’t ask you to take down the infringing image or pay a retroactive licensing fee. Instead, it says you must credit the image’s copyright holder and include a link. Such a simple request seems like a huge win—instead of paying a licensing fee or worrying about being sued, you can twiddle a little HTML and move on with your life.

Don’t do it! This is what’s called a “link insertion scam.” It exploits the search engine optimization principle that links on reputable sites provide legitimacy to linked sites, helping them move up in the search rankings. Unfortunately, the reverse is also true; linking to a scammer from your website will cause Google and other search engines to penalize your site in the search rankings.

Unfortunately, these copyright infringement scams look legitimate at first glance, as you can see in this example. The From and Subject lines don’t seem forged or malformed, and there are no obvious grammatical errors or indications that the writer doesn’t speak fluent English. And when you click the link in the signature, you end up at what appears to be the website of a real law firm. What should you do if you receive a message like this?

First, don’t panic. Just because the message looks legitimate doesn’t mean it comes from a real lawyer. Also, don’t call your lawyer unless they’re willing to work for free. You can save stress, time, and money by evaluating the message yourself.

A few details in the message suggest that it’s not real:

  • The domain in the From line’s email address—elitejusticeadvisors.biz—sounds sketchy and doesn’t match the company name.
  • The Subject line of “DMCA Copyright Infringement Notice” sounds official, but those familiar with the DMCA will know that it can be used only for a formal notice-and-takedown process, not to make demands for attribution or payment. But most people won’t know that.
  • The message is addressed to the generic “Dear owner of,” whereas legitimate messages from a lawyer would be addressed to a specific entity.
  • The required link URL points to a telecom news site in Sri Lanka, and it’s odd that an Arizona lawyer would be working for such a client.
  • The example of the purportedly infringing image is hosted at Imgur, a consumer image-hosting site known for funny pet pictures and cringeworthy GIFs. Legal firms would always use some sort of case management site.

Those details may feel wrong, but they’re insufficient to prove it’s a scam. You’ll need to dig deeper. Here are some ways you can do that:

  • Investigate the domain: Do a Web search on the domain in question: elitejusticeadvisors.biz. Because others have written about this scam, articles identifying it as a scam will appear on the first page of the results.
  • Search for the lawyer and firm: The lawyer’s name is too generic to yield revealing results, but if you do a Web search on “Dean Parker Commonwealth Legal Services,” you’ll once again see that others have identified it as a scam.
  • Check a state bar association directory: Most state bar associations or state courts have a searchable directory of licensed legal professionals. A quick search of the State Bar of Arizona’s member directory reveals that no “Dean Parker” is licensed in Arizona.
  • See if the headshot matches a real person: If the website provides a headshot, you can copy the image (Control-click it and choose Copy Image) and paste it into the TinEye reverse image search engine. Since all the results say “generated.photos,” it’s a good bet that the image was AI-generated.
  • Search for the company’s full name and address: As with the name of the lawyer, the generic-sounding name of the law firm will probably match other companies. However, if you search for the full name and address, you’ll likely turn up articles about it being fake.
  • Visit the address virtually: With Apple Maps and Google Maps, you can verify that a business is present at a location (or not) and often view the offices using Google Street View. Both mapping tools show no law firm at the provided address. Additionally, the building does not have a fourth floor, as specified in the address.
  • Ask ChatGPT: Now that ChatGPT has access to current Web information, it’s worth pasting the complete contents of the message into a ChatGPT conversation and asking it to tell you about the message. Start generally, but then ask if it thinks the message might be a scam, and if so, to suggest ways you could verify your suspicions.

Some of the above search suggestions identify the scam only because the scammer has reused the same company name, lawyer name, physical address, and website. If you were the first to be targeted by a new scam, the state bar association search and physical address check would be the most likely to expose it.

Let us leave you with an important caveat. You shouldn’t assume that all copyright infringement messages are scams. A legitimate DMCA takedown notice will ask you to remove the content, and a real copyright infringement message—probably from a company that specializes in such matters rather than a lawyer—will likely demand payment. In both cases, take down the offending image right away. If you really were using an image without permission, some payment may be required, and if the amount feels excessive, contact a lawyer specializing in copyright infringement cases. They may be able to negotiate a lower payment or point out issues that will make the claim go away.

(Featured image based on an original by iStock.com/Olivier Le Moal)

Social Media: If you receive what looks like a copyright infringement message complaining about an image on your website, don’t panic—it might be a scam. We help you identify such scams and explain what to do if the message turns out to be real.

Use Guided Access for Securely Allowing Others to Use an App on Your iPhone or iPad

/in /by

iPhones and iPads are highly personal devices, but you might want to let someone else use a particular app on yours without letting them poke through Messages, Mail, and Photos. For example, a child could play a game, a volunteer could check in attendees, or a friend could take photos. To allow this, Apple created Guided Access, which you turn on in Settings > Accessibility—give it an easily remembered passcode and decide if you want to let the display auto-lock. Then, to turn on Guided Access, open the app you want to share and triple-click the side or top button. Options let you control buttons, the accelerometer, software keyboards, touch input, and a time limit. To end a Guided Access session, triple-click the side or top button, enter the Guided Access passcode, and tap End.

(Featured image by iStock.com/Userba011d64_201)

Social Media: If you’d like to allow a child, friend, or colleague to enjoy a specific app on your iPhone or iPad while keeping them focused and preventing access to everything else on the device, check out Apple’s Guided Access feature.

Watch Out for PayPal Invoice Phishing Scams

/in /by

We’ve seen an uptick in fake invoices from scammers using PayPal. Because they’re being sent through PayPal itself, spam filters won’t catch them, and they have few of the usual markers of phishing email (but look for sketchy names and email addresses at the top). Some are even forged to appear as if they come from Apple. Never pay a PayPal invoice that you can’t tie directly to something you’ve ordered, and don’t call the number listed—the scammer will try to convince you that the invoice is real. If you receive one of these invoices, click the “Report this invoice” link at the bottom to help protect others who might have received it, and forward the message to phishing@paypal.com. Don’t mark the invoice as spam, though, since that will train your email client to be suspicious of legitimate messages from PayPal.

(Featured image by iStock.com/Moostocker)

Social Media: Beware of PayPal invoice scams that might even appear to come from Apple. Should you receive one, report it to PayPal to help protect other people, but don’t mark the message as spam.

Beware Fake “Sextortion” Scams

/in /by

All those data breaches are coming back to haunt us. Once our phone numbers and addresses began to be leaked, it was only a matter of time before scammers would personalize their attacks to make them seem more real. The latest “sextortion” scams purport to have compromising video of you taken from your computer’s webcam, backing it up with your phone number and a Google Street View-like image that matches your leaked address. They make a lot of claims and dire-sounding threats, but talk is cheap, and there’s nothing behind them. Do not pay the scammers!

(Featured image by iStock.com/Thapana Onphalai)

Social Media: Scams are starting to incorporate personal information stolen in data breaches, so you may get “sextortion” threats that purport to know your phone number, address, and more.

Passwords Becomes a Real App in macOS 15 Sequoia, iOS 18, and iPadOS 18

/in /by

Although we’re still fans of 1Password, and there are plenty of other good password managers out there, like BitWarden and Dashlane, Apple has finally removed the last hurdle to using its built-in password management capabilities.

Starting in macOS 15 Sequoia, iOS 18, iPadOS 18, and visionOS 2, Passwords is now a real app rather than being trapped inside Safari, System Settings, and Settings. If you have resisted using a password manager or don’t wish to continue subscribing to an alternative, give Apple’s Passwords a try. It makes creating, maintaining, and entering passwords faster, easier, and more secure than doing it by hand. Those already using a password manager can export their accounts and import into Passwords.

What You’ll Find in Passwords

We’ll focus on the Mac version here, but the other versions are nearly identical apart from their screen sizes.

The left-hand sidebar, reminiscent of Reminders, provides categories of accounts:

  • All: Select All to see all your accounts, regardless of what shared group they may be in.
  • Passkeys: If you have any passkeys for large websites like Apple, Google, and others, they’ll appear here.
  • Codes: Passwords can create, store, and enter two-factor authentication codes for sites that support them. If you need to look one up manually because Passwords couldn’t autofill it, you’ll find the associated account here.
  • Wi-Fi: This category contains stored passwords for all the known Wi-Fi networks on your device. Because known Wi-Fi networks aren’t synced between devices, the number of these will vary between your devices.
  • Security: If you have any accounts with weak passwords, accounts you previously shared and stopped sharing, or accounts whose passwords were leaked in a security breach, they’ll appear here. Edit these accounts and click the Change Password button to start the process; when the password changes, they’ll disappear from this category.
  • Deleted: Any accounts you delete stay here for 30 days before being deleted for good. You can delete any of these accounts immediately or restore them to their previous group.
  • Shared Groups: If you use Family Sharing, you automatically get a Family Passwords group to simplify sharing important accounts with your family members. But you can also share accounts with other groups of Apple device owners. To move an account to a group, choose it from the Group pop-up menu.

The middle pane lists the accounts in the selected category. You can sort the list using the menu with vertical arrows, search for a specific account, and manually add a new one with the + button. Otherwise, scroll through the list and click an account to view it in the right-hand pane.

At the top of the right-hand pane is an AirDrop button and an Edit button. Click AirDrop to share an account with someone nearby or Edit to make changes or set up a two-factor verification code. If you want to copy information, click the User Name, Password, Verification Code, or Website item to get a Copy menu. The password becomes visible when you mouse over it. Clicking Website also offers an Open Website option and lets you add more sites where the password should autofill.

Setup Requirements

Most people shouldn’t need to do anything to start using Passwords. However, if you have trouble, check the following items:

  • Turn on Password AutoFill: If your device isn’t entering passwords for you, turn on AutoFill Passwords and Passkeys in Settings/System Settings > General > AutoFill & Passwords. Also, ensure that Passwords is enabled in the AutoFill From section if multiple password managers are installed.
  • Turn on iCloud Keychain: If you want your passwords to sync securely among your devices, which makes life a lot easier, go to Settings/System Settings > Your Name > iCloud > Passwords and turn on Sync This Device.
  • Set up iCloud Passwords for other browsers: Apart from Safari, Chromium-based Web browsers (Arc, Brave, Google Chrome, Microsoft Edge, etc.) can access and autofill your saved passwords if you install Apple’s iCloud Passwords Chrome extension. (There’s also now an iCloud Passwords add-on for Firefox.) The overall experience is not as seamless as in Safari, requiring a once-per-launch code, and you have to create new accounts in Safari or manually in Passwords, but it works.
  • Configure settings: Choose Passwords > Settings (or look in Settings > Apps > Passwords for iOS 18 and iPadOS 18) to access options. Generally speaking, it’s fine to keep them all turned on.

If you have additional questions, check Apple’s documentation for detailed instructions for all the platforms on which Passwords runs. But realistically, Passwords is easy to use, and although the app itself is new, the underlying password management features and syncing have been in place for years, so they’re stable and reliable.

(Featured image by iStock.com/designer491)

Social Media: Apple’s new Passwords app in macOS 15, iOS 18, iPadOS 18, and visionOS 2 makes the company’s longstanding password storage and syncing features more straightforward and easy to use. It’s password management for the rest of us!