New Apple iPhone app proves just how hard it is to kill the online password
Apple Intelligence was unveiled during Apple’s Worldwide Developers Conference in Cupertino, California, on June 10, 2024.
Source: Apple Inc.
For years, cybersecurity experts have been predicting the death of the online password as more advanced log-in features, from facial recognition to multi-factor authentication, become more common. But it seems like Apple has accepted that the password isn’t going away anytime soon. Its new Passwords app, introduced at Apple’s WWDC 2024 earlier this week, is one more solution to help protect online accounts and manage multiple logins. It doesn’t change the fact that putting all your logins in one place continues to come with risks.
“Passwords are really hard to kind of get rid of,” said Andras Cser, Forrester vice president, principal analyst.
The new Passwords app for iPhone, iPad, Vision Pro, Mac and Windows, lets users store all of their passwords, including verification codes, app passwords, Wi-Fi passwords, Passkeys and more. The offering is similar to other password managers on the market, including 1Password and LastPass.
“You can’t underestimate the power of having a default solution like this and having password security built in,” said Gadjo Sevilla, eMarketer senior analyst .”That’s probably going to entice the majority of of Apple customers to use the feature. It’s convenient. It’s there. It’s free.”
Passwords are a risky online security method
But that doesn’t change the basic concern about users relying on passwords as a default online security method.
“That’s the move: Obliterate the need for any password manager and just move to one-time passwords based on push notification-based authentication, biometrics or passkeys,” Cser said. “Moving away from passwords is probably the right message, not using free or upgraded password managers.”
Password hacking is on the rise, with IBM reporting a 71% increase in the number of attacks using valid passwords in 2023 compared to 2022. Apple, Google, and Microsoft have made moves to migrate more users to passkeys, which requires another device owned by the user to verify the login through face scans, fingerprints or other codes. This helps get rid of the biggest cybersecurity risk: people tend to have very poor password hygiene, including using the same password across accounts, which means if that password is stolen the hacker would have access to all of them.
Apple’s passkey system, Keychain, is only for products under its iOS operating system. This new Passwords app includes more systems compatibility, including Windows and different types of login verifications. The company did not say it will include any Google or Android passwords, which encompass a lot of accounts.
Password managers, like the Apple Password app, log different passwords, passcodes and logins securely under a safe account. And they do offer an added layer of protection: research from Security.org found those without password managers are three times more likely to be victims of identity theft. But whether free or paid versions of managers, none completely eliminates risk.
“They are a band-aid or wraparound,” Cser said. “Passwords are very vulnerable, and very much have run their course in protecting any kind of apps or resources and data. So then, it just puts all your eggs in one basket, regardless of who’s tool you pick, right?”
Apple did not respond to a request for comment by press time.
There are some concerns that if Apple holds all the digital keys to everyone’s password, then it could make people more vulnerable if the company is hacked. It’s not outside the realm of possibility: Apple’s iCloud was hacked back in 2014, leading to many leaks of private celebrity photos. LastPass was hacked in 2022, though customer data was not stolen.
“The one security issue ever is that anyone who gets your Apple ID and your password would get access to your iCloud Keychain or your Password app, because that is really the key authentication needed to safely access those stored passwords,” Sevilla said.
Apple, personal data, and privacy
Still, protecting large amounts of personal data is nothing new for Apple, and it has developed a relatively good track record of building its brand around privacy. It also has a hardline stance against sharing information with unauthorized third-party apps. Earlier changes starting with iOS 14.5 have asked users to opt into data sharing and blocked tracking applications, to the detriment of digital advertising companies reliant on that information for ad targeting like Facebook.
“Apple is a services company,” Sevilla said. “They have billions of credit card numbers. You can’t underestimate the amount of effort they will put into making sure that is locked down, and those are all tied into Apple IDs, Apple passwords. So I guess if you follow that example, they could probably be seen as far more secure than the standalone apps.”
Broader data sharing issues were raised at WWDC about Apple’s partnership with OpenAI, which it is using to allow Siri to access ChatGPT. Some, including Elon Musk, have raised concern that allowing OpenAI access to Apple user data could be a potential security violation. OpenAI uses user data and behavior to train its AI models.
While it may be highly unlikely, with users sharing their passwords with Apple, and Apple sharing data with OpenAI, cybersecurity experts say it presents at least the theoretical risk that OpenAI could use logins to look at personal data for its learning purposes.
Apple reiterated its commitment to data privacy at WWDC 24. Apple Intelligence, its entry into AI, will leverage cloud-based models on special servers using Apple Silicon to ensure that user data is private and secure. If a request needs to go to a cloud server, Apple says it will only send a limited selection of data in a “cryptographically” secure way.
“We’re not going to take that data and go send it to some cloud somewhere,” Apple senior vice president of Machine Learning and AI Strategy John Giannandrea said at the event. “Because we want everything to be very private, whether it’s running locally or on a cloud computing service, and that’s the way we want it so we can use your most personal data.”
Elon Musk attends the America First Policy Institute gala at Mar-A-Lago in Palm Beach, Florida, Nov. 14, 2024.
Carlos Barria | Reuters
X’s new terms of service, which took effect Nov. 15, are driving some users off Elon Musk’s microblogging platform.
The new terms include expansive permissions requiring users to allow the company to use their data to train X’s artificial intelligence models while also making users liable for as much as $15,000 in damages if they use the platform too much.
The terms are prompting some longtime users of the service, both celebrities and everyday people, to post that they are taking their content to other platforms.
“With the recent and upcoming changes to the terms of service — and the return of volatile figures — I find myself at a crossroads, facing a direction I can no longer fully support,” actress Gabrielle Union posted on X the same day the new terms took effect, while announcing she would be leaving the platform.
“I’m going to start winding down my Twitter account,” a user with the handle @mplsFietser said in a post. “The changes to the terms of service are the final nail in the coffin for me.”
It’s unclear just how many users have left X due specifically to the company’s new terms of service, but since the start of November, many social media users have flocked to Bluesky, a microblogging startup whose origins stem from Twitter, the former name for X. Some users with new Bluesky accounts have posted that they moved to the service due to Musk and his support for President-elect Donald Trump.
Bluesky’s U.S. mobile app downloads have skyrocketed 651% since the start of November, according to estimates from Sensor Tower. In the same period, X and Meta’s Threads are up 20% and 42%, respectively.
X and Threads have much larger monthly user bases. Although Musk said in May that X has 600 million monthly users, market intelligence firm Sensor Tower estimates X had 318 million monthly users as of October. That same month, Meta said Threads had nearly 275 million monthly users. Bluesky told CNBC on Thursday it had reached 21 million total users this week.
Here are some of the noteworthy changes in X’s new service terms and how they compare with those of rivals Bluesky and Threads.
Artificial intelligence training
X has come under heightened scrutiny because of its new terms, which say that any content on the service can be used royalty-free to train the company’s artificial intelligence large language models, including its Grok chatbot.
“You agree that this license includes the right for us to (i) provide, promote, and improve the Services, including, for example, for use with and training of our machine learning and artificial intelligence models, whether generative or another type,” X’s terms say.
Additionally, any “user interactions, inputs and results” shared with Grok can be used for what it calls “training and fine-tuning purposes,” according to the Grok section of the X app and website. This specific function, though, can be turned off manually.
X’s terms do not specify whether users’ private messages can be used to train its AI models, and the company did not respond to a request for comment.
“You should only provide Content that you are comfortable sharing with others,” read a portion of X’s terms of service agreement.
Though X’s new terms may be expansive, Meta’s policies aren’t that different.
The maker of Threads uses “information shared on Meta’s Products and services” to get its training data, according to the company’s Privacy Center. This includes “posts or photos and their captions.” There is also no direct way for users outside of the European Union to opt out of Meta’s AI training. Meta keeps training data “for as long as we need it on a case-by-case basis to ensure an AI model is operating appropriately, safely and efficiently,” according to its Privacy Center.
Under Meta’s policy, private messages with friends or family aren’t used to train AI unless one of the users in a chat chooses to share it with the models, which can include Meta AI and AI Studio.
Bluesky, which has seen a user growth surge since Election Day, doesn’t do any generative AI training.
“We do not use any of your content to train generative AI, and have no intention of doing so,” Bluesky said in a post on its platform Friday, confirming the same to CNBC as well.
Liquidated damages
Another unusual aspect of X’s new terms is its “liquidated damages” clause. The terms state that if users request, view or access more than 1 million posts – including replies, videos, images and others – in any 24-hour period they are liable for damages of $15,000.
While most individual users won’t easily approach that threshold, the clause is concerning for some, including digital researchers. They rely on the analysis of larger numbers of public posts from services like X to do their work.
X’s new terms of service are a “disturbing move that the company should reverse,” said Alex Abdo, litigation director for the Knight First Amendment Institute at Columbia University, in an October statement.
“The public relies on journalists and researchers to understand whether and how the platforms are shaping public discourse, affecting our elections, and warping our relationships,” Abdo wrote. “One effect of X Corp.’s new terms of service will be to stifle that research when we need it most.”
Neither Threads nor Bluesky have anything similar to X’s liquidated damages clause.
Meta and X did not respond to requests for comment.
WATCH: Bluesky CEO: Our platform is ‘radically different’ from anything else in social media
-
Sports2 years ago‘Storybook stuff’: Inside the night Bryce Harper sent the Phillies to the World Series
-
Sports8 months agoStory injured on diving stop, exits Red Sox game
-
Sports2 years agoMLB Rank 2023: Ranking baseball’s top 100 players
-
Sports1 year agoGame 1 of WS least-watched in recorded history
-
Sports3 years ago
Team Europe easily wins 4th straight Laver Cup
-
Environment2 years agoJapan and South Korea have a lot at stake in a free and open South China Sea
-
Environment2 years agoGame-changing Lectric XPedition launched as affordable electric cargo bike
-
Business2 years agoBank of England’s extraordinary response to government policy is almost unthinkable | Ed Conway