Posts

Make Sure to Back Up iPhone Photos on Your Mac

If your iPhone were to be stolen or suffer an unfortunate accident, would you lose all your precious photos? Those using iCloud Photos are probably shaking their heads smugly, thinking that all those baby and vacation photos are backed up securely in iCloud. iCloud Photos does indeed store a copy of all your photos, but you shouldn’t assume that everything in it is completely protected. Although it’s extremely unlikely that Apple’s systems would fail so that you’d lose anything, the contents of your iCloud account aren’t as safe as would be ideal.

An Aside to Explain Why iCloud Isn’t Perfectly Secure

Recently, Wall Street Journal reporters Joanna Stern and Nicole Nguyen covered a troubling form of crime aimed at iPhone users in an article (paywalled) and accompanying video. Thieves hang out in bars, looking for users who tap in their passcodes instead of using Face ID or Touch ID. Once they’ve learned someone’s passcode with surreptitious shoulder surfing, they grab the iPhone and run. As soon as they’re clear, they use the passcode to change the user’s Apple ID password and enable or reset a recovery key, which prevents the user from employing Find My to locate and lock the iPhone. Worse, with the passcode, they can make purchases with Apple Pay, access all passwords in iCloud Keychain, and use other information on the iPhone to facilitate identity theft. It’s a disaster.

But it gets worse, as the reporters detail in a new Wall Street Journal article (paywalled) and video. By enabling a recovery key, the thief disables Apple’s normal account recovery process for resetting the Apple ID password. In other words, if this were to happen to you, along with all the financial losses and headaches, you would lose access to your iCloud account, possibly forever, and with it, all your photos in iCloud. With luck, Apple will block this attack soon.

For now, follow this commonsense advice to reduce the chances of being victimized:

  • Pay attention to your iPhone’s physical security in public.
  • Always use Face ID or Touch ID in public.
  • If you must enter your passcode in public, conceal it from anyone nearby.
  • Never share your passcode beyond highly trusted family members.

Backing Up Your iPhone Photos

As with so many other modern ills, good backups go a long way toward minimizing the pain of problems. They won’t prevent someone from stealing your iPhone or locking you out of your account, but if that were to happen, at least you won’t lose all your photos!

There are two possible backup scenarios. Using iCloud Photos and downloading originals to your Mac is easiest but requires that you pay Apple for more storage if you have more than a handful of photos. If you don’t use iCloud Photos, you can just back up your iPhone to your Mac or, better yet, import images into Photos on the Mac and then sync them back. It’s more work and fussier, but doesn’t cost anything.

  • iCloud Photos: When using iCloud Photos, the trick to protecting your pictures is to sync the originals with your Mac. In Photos > Settings/Preferences > iCloud, select Download Originals to this Mac. The only downside of this approach is that you need enough disk space on your Mac to hold them all; if that’s not the case, you may need to move your system Photos Library to an external hard drive.
  • iPhone-only photos: If you aren’t using iCloud Photos, the best approach is to connect your iPhone to your Mac using a USB-to-Lightning cable or Wi-Fi and then import new snapshots into Photos on your Mac manually (select the iPhone in the Photos sidebar). It’s helpful to remove the original photos from the iPhone with the Delete Items checkbox after importing so you can manage them solely on the Mac.

    Then you can sync all the photos (or just desired ones, if your iPhone is low on space) back to your iPhone using the Finder. First, select the iPhone in a Finder window’s sidebar. Then click Photos in the button bar at the top, and select “Sync photos to your device from Photos” along with “All photos and albums” and “Include videos” in the options below. Finally, click Apply or Sync.

    Technically speaking, backing up your iPhone to your Mac without syncing to Photos also backs up your photos, but the only way to get them back is to restore a backup onto an iPhone. It’s much better to have all the photos accessible in Photos too.

Either way, once the photos are on your Mac, you should back up all your data using Time Machine, an Internet service like Backblaze, or a third-party app like Carbon Copy Cloner or SuperDuper. If you’re concerned about the quality of your backups for preserving photos, contact us for advice.

(Featured image by iStock.com/metamorworks)


Social Media: With new reports of iPhone theft victims being locked out of their iCloud accounts, it’s all the more important that you copy your iPhone photos to a Mac and then back up that Mac.

Is Your Wi-Fi Network a Security Risk?

With Wi-Fi security, it’s easy to fall into the “out of sight, out of mind” trap. Your Wi-Fi router probably lives in a corner or closet, and of course, Wi-Fi’s radio waves are invisible. But the ease of connecting your devices to your Wi-Fi network means it’s equally as easy for a hacker to connect to your network and eavesdrop on your traffic. Or rather, it’s easy unless you take advantage of the security options available in every Wi-Fi router.

Before looking at those options, let’s discuss the importance of securing your wireless network. The fact is, we all send sensitive data over Wi-Fi and onto the Internet. That data includes passwords, financial information, and personal details, all of which could be used for identity or outright theft. For those who work at home, it may also include important corporate credentials and information. In addition, if your Wi-Fi network is open for everyone and has a bandwidth cap, you could be throttled or incur additional charges due to extra usage from someone using your network without your knowledge. Worse, someone could engage in illegal activity from your network, potentially putting you at legal risk.

Here are six ways you should secure your Wi-Fi network, plus another that’s usually not worth the effort. Exactly how you go about these tasks varies depending on your Wi-Fi router, but they should all be easy to accomplish.

1. Change Your Wi-Fi Router’s Default Password

Every Wi-Fi router has an app- or Web-based administrative interface where you can adjust settings, including security options. The first thing you should do when setting up a new Wi-Fi router is change the password for accessing that admin interface. (And if you didn’t do that when you set up your current Wi-Fi router, go do it now. Immediately. We’ll wait.) The default passwords are well known to hackers, who can use them to take over routers and turn off all the other security settings.

2. Change the Default Network Name (SSID)

Every Wi-Fi network has a name—technically an SSID, or Service Set Identifier. There’s no security benefit in changing it to anything in particular, but you should change it from the default name. That’s because default names often identify the router’s manufacturer, such as “Netgear” or “Linksys,” and some routers have known vulnerabilities or password styles that make it easier to break in. Of course, the main advantage of changing the network name is that it makes it easier to pick out from any other nearby networks.

3. Update Your Wi-Fi Router’s Firmware

Wi-Fi router manufacturers frequently fix security vulnerabilities and release new firmware versions. Check to make sure your Wi-Fi router has the latest firmware available, and if there’s an option for it to update its firmware automatically, turn that on.

4. Disable WPS (Wi-Fi Protected Setup) If Possible

When you connect a new device to your Wi-Fi network, you need to enter your Wi-Fi password. That’s entirely reasonable, and Apple devices automatically offer to share that password with your other Apple devices and other people in your Contacts. More generally, a technology called Wi-Fi Protected Setup (WPS) was designed to enable connecting without typing the Wi-Fi password, either by entering an 8-digit PIN or pressing a button on the router. The button is fine—no one can connect without physical access to the router. But the PIN is horribly insecure and can be brute forced with readily available cracking software. If your router supports WPS—not all do, happily—turn it off entirely.

5. Create a Guest Network

You’ll probably want to give visitors access to your Wi-Fi network so they can get to the Internet. The best way to do that is to create a guest network—a feature in nearly all Wi-Fi routers—separate from your main Wi-Fi network. It has a different name and password, and its traffic is isolated from yours, ensuring that even if a hacker were to access it, they wouldn’t be able to eavesdrop on your communications. It can have a simpler password since all it’s protecting is your bandwidth. One additional tip—put “Internet of Things” devices like smart appliances, video game consoles, and the like on your guest network to ensure they don’t provide access to your main network’s traffic if they’re hacked. You probably won’t want to do that with HomeKit devices, which will work better on the same network as your Apple devices.

6. Use Strong WPA2 or WPA3 Encryption

After changing the default admin password, this is the second-most important piece of Wi-Fi security advice. All traffic on a Wi-Fi network can (and should) be encrypted so hackers can’t eavesdrop with impunity. The first wireless security protocol was WEP (Wired Equivalent Privacy), which was commonly used from the late 1990s through 2004. Unfortunately, WEP is so easily broken today that it’s no longer considered secure. If you still use WEP, immediately switch to WPA2 (Wi-Fi Protected Access). There’s also WPA3, which is even more secure but is available only in hardware sold in the last few years.

Don’t Bother Hiding Your SSID

Finally, you may see suggestions that you should hide your Wi-Fi SSID, which prevents nearby devices from displaying it when they list available networks. That might seem like it would improve security, but all it does is prevent the sort of people who aren’t a threat anyway from seeing it. Anyone with the necessary software and skills to break into an unprotected or weakly protected Wi-Fi network can still detect and access a hidden network. They might even be more interested in what’s there, given that the network owner took the trouble to hide it. As long as you follow all the other advice in this article, there’s no benefit in hiding the SSID as well.

Bonus Advice: Use a VPN When on Public Wi-Fi Networks

Ensuring the security of your Wi-Fi network is essential, but what about public Wi-Fi networks in coffee shops, hotels, and airports? Because they’re open to anyone within range, they’re insecure by definition, and anyone on the network could theoretically see any other user’s traffic. Don’t panic. Most Web connections now use HTTPS, which encrypts traffic between you and the destination site (look for https at the start of URLs or a lock icon in the address bar of your Web browser). To ensure that all traffic is protected from prying eyes, use a VPN (Virtual Private Network), which creates an encrypted pipe from your computer to a VPN server elsewhere. Many organizations provide or even require VPN use so that traveling or remote employees can’t inadvertently use unencrypted connections. If your organization doesn’t have a VPN now but would like to set one up, contact us.

(Featured image by iStock.com/CASEZY)


Social Media: As more personal and work information passes through Wi-Fi networks, it becomes increasingly important that you follow this advice to secure your network.

Here’s How to Stop Getting Paste Permission Requests

In iOS 16, Apple tightened security by displaying a confirmation alert when you copy data from one app and paste it into another. More security isn’t bad, but these alerts can become annoying if you copy and paste frequently. In iOS 16.1, Apple added a setting to control the behavior for each app. If you get these alerts too often when pasting in an app, go to Settings > AppName > Paste from Other Apps and switch it from Ask to Allow. Many apps don’t include the setting; hopefully, any apps where you paste often will have this setting or include it soon.

(Featured image based on an original by iStock.com/AaronAmat)

How to Restore Missing SMS Two-Factor Authentication Codes

Many websites, from Adobe to Zendesk, let you receive two-factor authentication codes via SMS text messages. That’s good—any form of two-factor authentication is better than none—but you’re often effectively locked out of your accounts if those text messages don’t arrive. A simple fix is to call your cellular carrier and ask to have any blocks removed from your account. Automated scam and fraud prevention systems may have installed those blocks—it wasn’t necessarily related to anything you did—and the carrier can remove them easily.

(Featured image by iStock.com/tsingha25)

What Should I Do If I Get an “AirTag Found Moving With You” Message?

First, don’t panic. Most likely, you’re borrowing something with an Apple AirTag location tracker attached to it, or someone left something with an attached AirTag in your car. Second, tap the alert to open the Find My app, which displays a map showing where the AirTag has been with you, which might shed some light on where it started traveling with you. Third, in the Find My app, tap Play Sound to try to locate the AirTag by its audible alert. Fourth, if you find the AirTag, hold it near your iPhone until a notification appears, and tap that for more information, including the last four digits of the owner’s phone number (search for it in the Contacts app to see if it’s anyone you know). We’re being intentionally brief here—for significantly more detail, including advice on contacting local law enforcement—read Apple’s support article.

(Featured image by iStock.com/BackyardProduction)

Use Face ID While Wearing a Mask in iOS 15.4

Shortly after the start of the COVID-19 pandemic, Apple made it so your Apple Watch could unlock your Face ID-enabled iPhone when you were wearing a mask. Starting in iOS 15.4, the company has taken the next step and enabled Face ID on the iPhone 12 and later to work even when you’re wearing a mask. If you didn’t already set up Face ID with a mask after updating to iOS 15.4, go to Settings > Face ID & Passcode and enable Face ID with a Mask. You’ll have to run through the Face ID training sequence again, and more than once if you sometimes wear glasses, but it’s quick and easy. Face ID may not work quite as well when you’re wearing a mask, and it doesn’t support sunglasses, but it’s way better than having to enter your passcode whenever you’re masked.

(Featured image by iStock.com/Prostock-Studio)

Export Passwords from Safari to Ease the Move to a Password Manager

Although Apple has improved the built-in password management features in macOS and iOS (you can now add notes to password entries!), third-party password managers like 1Password and LastPass are still more capable. For those still getting started using a password manager, another new capability will ease the transition: Safari password export. To export a CSV file of your Safari passwords, choose Safari > Preferences > Passwords, and enter your password when prompted. From the bottom of the left-hand sidebar, click the ••• button, choose Export All Passwords, and save the Passwords.csv file to the Desktop. After you import the file into 1Password (instructions), LastPass (instructions), or another password manager, be sure to delete the exported file and empty the trash.

(Featured image by iStock.com/metamorworks)

Plan for the Future by Establishing a Legacy Contact

Have you heard the expression “hit by a bus”? It’s a somewhat macabre attempt to inject a little levity into planning for the unthinkable event of dying without warning. No one expects to be hit by a bus, but people do die unexpectedly in all sorts of ways. That’s terrible, of course, but it’s also incredibly hard on that person’s family, who suddenly must deal with an overwhelming number of details. Many of those details revolve around the deceased’s digital life—devices, accounts, passwords, subscriptions, and more.

We strongly encourage everyone, regardless of age or infirmity, to think about what your family would want and need to do with your digital presence in the event of your death. The ultimate guide to this topic is Joe Kissell’s book Take Control of Your Digital Legacy, although the current version is a little out of date and is slated for updating in 2022.

The next edition of that book will undoubtedly discuss Apple’s new Legacy Contact feature, introduced in iOS 15.2, iPadOS 15.2, and macOS 12.1 Monterey. It enables you to specify one or more people as a Legacy Contact. Should you die unexpectedly, those people can use an access key along with your death certificate to access much of your Apple content and remove Activation Lock from your devices. (If you have time to prepare for your passing, it’s easier to share all your passwords and passcodes explicitly.) The person or people you set as Legacy Contacts don’t have to be running Apple’s latest operating systems or even be Apple users, though it’s easier if they are. (Like so many other things in life.)

Don’t put off specifying someone as a Legacy Contact, whether it’s a family member or close friend. The entire point of the “hit by a bus” scenario is that it’s both unexpected and could happen at any time. (It’s possible to get access without being a Legacy Contact, but it requires a court order and will undoubtedly be significantly more work.)

Apple provides good directions for the Legacy Contact feature, and while we’ll summarize the steps below, read Apple’s documentation to get the word from the horse’s mouth. Apple’s support pages include:

What Data Can a Legacy Contact Access?

Apple has the full list at the link above, but in short, a Legacy Contact can access anything stored in iCloud, including photos, email, contacts, calendars, messages, files, and more, as well as the contents of iCloud Backup. Not included are licensed media (music, movies, and books), in-app purchases (upgrades, subscriptions, and game currency), payment information (Apple ID payment info or Apple Pay cards), and anything stored in the account holder’s keychain (usernames and passwords, credit card details, and more). A Legacy Contact cannot access the deceased’s devices—Apple is incapable of sharing passcodes. However, Apple can remove Activation Lock so those devices can be erased and reused.

How Do You Add a Legacy Contact?

Adding someone as a Legacy Contact is easy. You must be running iOS 15.2, iPadOS 15.2, or macOS 12.1 Monterey to initiate the process, and two-factor authentication must be turned on for your Apple ID (this is a very good idea anyway).

On an iPhone or iPad, go to Settings > Your Name > Password & Security > Legacy Contact > Add Legacy Contact. On a Mac, use System Preferences > Apple ID > Password & Security > Legacy Contact > Manage. You can choose a group member if you’re in a Family Sharing group or pick someone from your contacts list.

As part of the process of picking someone, Apple allows you to share the access key via Messages if they’re running iOS 15.2, iPadOS 15.2, or macOS 12.1 Monterey. If they accept, a copy of the access key will automatically be stored in their Apple ID settings. If they’re not running a necessary operating system or don’t use an Apple device, you can instead print out an access key QR code and give that to them. You might also want to print a copy to store with your will and other important documents.

It may often be appropriate to act as a Legacy Contact for the people you’re asking to be your Legacy Contacts, particularly with spouses or adult children.

How Does a Legacy Contact Request Account Access?

Let’s assume the worst and pretend ​​that someone who has added you as a Legacy Contact has passed away. To request access to their Apple ID, you need the access key that the person shared with you and a copy of their death certificate. You can find the access key on an iPhone or iPad in Settings > Your Name > Password & Security > Legacy Contact > Contact’s Name, and on the Mac in System Preferences > Apple ID > Password & Security, where you click Manage next to Legacy Contact settings and then Details next to the person’s name. It’s also possible that the person shared the access key as a document stored with their estate planning documents.

The screens that provide the access key also have a Request Access link. Tap or click that and follow the instructions to upload the death certificate. If you don’t have an appropriate Apple device, you can also do this on the Web at Apple’s Digital Legacy – Request Access page.

Apple evaluates all access requests to make sure they’re legitimate, and once approved, sends you an email with more details and instructions. That email will also include a special Legacy Contact Apple ID that replaces the deceased’s previous Apple ID. You can use that Apple ID to log in to iCloud.com or download data at privacy.apple.com, sign in to an Apple device, or restore an iCloud backup to another Apple device. Having an access request approved also removes Activation Lock from the deceased’s Apple devices so you can restore them to factory settings and set them up again, either fresh or with the Legacy Contact’s Apple ID’s data.

The main limitation is that the Legacy Contact Apple ID is good only for 3 years, after which the legacy account is permanently deleted. So be sure to download everything important fairly quickly—don’t just keep using the Legacy Contact Apple ID or assume that you’ll be able to go back to it at any time.

We sincerely hope that you never have to act as Legacy Contact for a loved one, but we can say from experience that this new feature can only help make an already stressful time more manageable.

(Featured image by iStock.com/Olga Serba)


Social Media: Apple’s new Legacy Contact feature makes it simpler for you to give a family member access to your iCloud data after your death. Read on to learn how to make someone a Legacy Contact or what to do if you are a Legacy Contact.

Avoid Unusual Top-Level Domains in Custom Domain Names

Remember the heady dotcom days, when businesses were desperate to get a short, memorable, easily typed .com domain? It quickly became difficult to get what you wanted—so much so that deep-pocketed companies paid exorbitant sums for just the right domain.

Before we go any further, let’s make sure we’re all on the same page. Domain names are necessary because computers on the Internet are all identified by inscrutable numeric IP addresses. You can remember and type apple.com easily; 184.31.17.21 not so much. Domain names have two or more parts: the top-level domain (read from the end, such as com) and the second-level domain (like apple), plus optional third-level domains (which could give you support.apple.com).

Since the days of speculating in .com domains, however, hundreds of additional top-level domains have been opened up, including domains from .aaa to .zone. There are now top-level domains for .doctor, .florist, .lawyer, and many more, including the general .xyz. It might be tempting to switch from the awkward dewey-cheatham-howe.com to the shorter and more memorable dch.lawyer. And even if there isn’t a profession-specific top-level domain that works for you, you may think that if abc.xyz is good enough for Google’s parent company Alphabet, surely it’s good enough for you.

Alas, much as we appreciate the creativity and flexibility offered by these alternative top-level domains, we’d like to dissuade you from using one, if possible. Problems include:

  • Email deliverability: If you’re sending email using an alternative top-level domain or including links to that domain, it’s much more likely that your email will be considered spam by receiving systems.
  • SMS deliverability: Some SMS text message providers will automatically delete messages containing URLs with alternative top-level domains in an effort to protect their customers from phishing attacks.
  • Social media spam filtering: As with SMS text messages, social media posts that include URLs with alternative top-level domains may be categorized as spam or as linking to a malicious site.
  • Firewall blocking: Abuse of alternative top-level domains has become so commonplace by scammers that some companies prevent their employees from accessing websites using certain alternative top-level domains at the firewall level.
  • User perception: Although there’s no telling how anyone will react to a particular top-level domain, people won’t think twice about .com but might think .ooo seems sketchy. (We would.)

Obviously, it may not be possible to get the domain name you want in .com. What to do? There are a few strategies:

  • Expand or abbreviate: At this time, people mostly don’t see, remember, or type domains apart from those that go with businesses that do a lot of real-world advertising. So if you need to add or subtract words (or letters) in your domain to find a unique one, that can work.
  • Use a country domain: Two-letter top-level domains are restricted for use by countries, so .us is for the United States, .ca for Canada, and .au for Australia. Every country has different rules for who can register them. For instance, it’s possible to get a domain ending in .it (Italy) as long as you work through a registrar that acts as your representative there. .io (British Indian Ocean Territory) and .ai (Anguilla) are popular top-level domains among tech companies.
  • Stick with better, pricier alternatives: Not all alternative top-level domains are equally problematic. The classic .net and .org are fine, and .biz isn’t bad. But how to determine that? When you’re checking to see if a domain name is available, compare prices. For instance, at one domain name registrar, iphonewhisperer.xyz costs only $1 per year, whereas the iphonewhisperer.biz version is $4.98 per year, iphonewhisperer.net is $9.18 per year, and iphonewhisperer.studio is $11.98 per year. The more you pay, the less likely that domain has been abused by spammers and marked for filtering.

In the end, when it comes to domain names, it’s best to be conservative and stick with a top-level domain that won’t cause people or filters to think twice. That’s probably .com, if you can make the rest of the name work for you.

(Featured image by iStock.com/BeeBright)


Social Media: Tempted to get a short, memorable domain name ending in .xyz or .shop? As we explain, that’s a bad idea if you care about user perception, email and text message deliverability, and not being blocked by social media and firewalls. Details at:

About That Worrying Message Saying Your Password Has Been Breached…

In iOS 14, Apple added a feature that warns you when one of your website passwords stored in iCloud Keychain has appeared in a data breach. We’ve fielded some questions of late from people worrying if the message is legitimate, and if so, what they should do. What has happened is that online criminals have stolen username and password data from a company, and your credentials were included in that data breach. You should indeed change your password immediately, and it’s fine to let the iPhone suggest a strong password for you. Or, if it makes you feel more comfortable, you can usually change the password in Safari on your Mac instead. Either way, make sure it’s unique—never reuse passwords across multiple sites!

(Featured image by iStock.com/LumineImages)