Sunday, February 02, 2020

My advice for managing online credentials

I wrote this up for a book project on special needs iPhone users (Explorers), but it's also my recommendation for non-geek iPhone users. Credential management is definitely an unsolved problem ...


Every Explorer online identity involves, at the least, a “username” for the Explorer, a password and  either an iOS app name or a web address (URL). Most online identities also require an email address for communication, password resets and (alas) marketing. They may now require a mobile number and the answers to “secret questions”. All of this information makes up an online “credential”; but we often use the word “password” as a shorthand for the whole bundle

It’s hard to manage online credentials. I’m pretty technical, but I still find it a tough problem. Lots of people get locked out of their online services and need to do password resets or even start over with a new account. One day I think Apple will provide a full solution[1], but to date they’ve been reluctant to take this on. 

The good news is that most Explorers can get by with maybe 10-30 credentials and they don’t need to know most of them (more on this below). The key is to use as few online services as possible. Remember, every online service is another credential to manage!

I’m going to suggest three-and-a-half ways a Guide can manage an Explorer’s credentials. Each has advantages and disadvantages. For all of them I have two strongly held recommendations about passwords:

  1. Don’t reuse passwords for these important sites. If a password is captured (happens!) it becomes part of hacker libraries and will be applied to other Explorer accounts.
  2. Don’t follow the usual advice to create long random passwords. You’ll go insane trying to tap them out on an iPhone when you can’t see the password characters. Instead combine random pronouncable words, letters and symbols that you can tap. The password should be at least 14 characters. Flip through a dictionary to pick words randomly. This is good enough. You aren’t protecting nuclear launch codes.

Option One: Pencil and Paper

You may remember being told not to write down credentials on paper. That’s like the old advice to treat back pain with bed rest. We were wrong when we said that. Writing credentials on paper and saving them with your home paperwork is super secure. That’s what hard core security geeks do.

This does require good handwriting, but it works for a small number of credentials assuming you follow my password advice. If you need the credentials when you travel you can take a photo and keep it with your personal iPhone photos (be careful not to share it though!).

You do need a backup! You could copy by hand and mail the copy to a trusted friend. In theory public photocopiers are not secure, so I’d say just take a photo and keep it in your iCloud photos (not shared).

Option Two: Use an iCloud Secure Note on a Guide’s iPhone

I recommend this for the passwords my Explorers manage for themselves. An iCloud Secure Note  is protected by both your iPhone’s unlock passcode and by a special Secure Note password. The iOS User Guide explains how to create a Secure Note.

An iCloud Secure Note is automatically backed up and you can review old versions of the note. It can also be shared with an Explorer who is able to manage their own credentials.

This method is less secure than paper and pencil but is also less work — and you can copy/paste passwords from the Note rather than type them on iPhone, Mac, or a web browser[2].

The main risk of this method is accidentally deleting your credentials! Be sure to print out the Note periodically and store the paper copy at home. You can also restore a prior version but this is less reliable. Just print.

Option Three: Use 1Password or another reputable password manager

This is what most computer experts recommend, but true security experts are more cautious. When you use a password manager you are placing a great amount of trust in the vendor. There are so many ways a password manager vendor could steal credentials. Even if a vendor is honest and technically skilled, their products can be acquired by someone less scrupulous.

Of all password managers 1Password is most often recommended for the iPhone. It’s what I use, though I don’t use their Cloud service[3]. The Cloud service is obligatory for most people though, and it costs about $40 a year.

If you’re just managing a few Explorer credentials Paper and Pencil is simpler than a password manager and definitely more secure. If you use a password manager for your own credentials then it may be a good place to store an Explorer’s credentials.

Option Three and a half: Use Apple’s semi-secret password manager

Apple would take over credential management for their customers. It hasn’t happened yet, but they have partial solutions. You can part of Apple’s solution it you have enabled Keychain in Settings:Apple ID:iCloud and you’ve accepted Safari’s offer to save web site passwords. Just say “Hey, Siri, show me my passwords”. You can also go to Settings:Passwords & Accounts: and tap on “Website & App Passwords”.

Another part of Apple’s solution is “Sign in with Apple”. Apple wants iOS apps to support this and there’s a way for web sites to use it as well. This method never shows a password, it works with Face ID or Touch ID[4].

Both of these solutions are a work in progress. We will know Apple is serious if they create a separate App for managing credentials instead of hiding things away in Settings. Not all iOS apps store credentials in the keychain and “Sign in with Apple” is just beginning.

They are convenient for web sites and apps that aren’t important enough to be properly tracked. Just let the iPhone suggest a password and then forget about it. The iPhone will manage the password and if something goes wrong nothing much is lost.

These three-and-a-half options cover Guide management of Explorer credentials. In my next section I’ll go over which an Explorer will need to manage themselves and how to transition from Guide management to independent management.


[1] Apple has a partial solution for web sites but nothing for passwords entered in apps and elsewhere. Their longterm solution is called “Sign In with Apple” but it’s unclear if it will succeed or how serious Apple is about this.

[2] Browsers are not very secure though, so viewing readable passwords in a web browser is not ideal.

[3] 1Password still supports an old local storage method. It requires a very technical user to setup, it’s not well supported any more, and it’s not super reliable.

[4] Since Apple doesn’t support a guest/parent/Guide Face ID this could block Guide support for an app or site. More on this in the final chapter on political action!

Saturday, January 04, 2020

Apple's Family: The many surprises of creating an Apple ID with age 13 or under

(You can skip the rant to get to the tech details)

<rant>I frequently berate Apple for the radioactive-feces-infested-dumpster-fire that they’ve built out of Family Sharing and Parental Controls / Screen Time / Restrictions [1] … but my latest experience has added a note of sympathy for the engineers who offend Tim Cook and are HR assigned to work on this prior to leaving Apple.

Apple has built something insanely complicated. The intersection of user interfaces, regional rules and restrictions, content licensing, DRM, functional requirements, iOS, macOS, iCloud, sync, multiple OS versions … heck, there probably time zones in there too. At this point they might as well give up and throw a neural network at it.

Whatever your day job, be grateful this isn’t what you work on.

Things are almost as bad on the consumer side. There’s a reason I seem to be the only person alive trying to make remote Screen Time work. (It’s a book project, I don’t have a choice.) With some effort I’ve come up with practical recommendations for caregivers (example) — but they assume the software actually functions. In practice I have run into a wide range of bugs and weirdness, particularly since iOS 13 was released.<rant>

Among the many complications Apple contends with into are rules about how many devices and how many users can be a part of a Family for the purposes of both DRM management and remote Screen Time. These are poorly documented, but as best I can tell the limit is 5 family members and somewhere around 10 devices (it’s not clear how multi-user accounts on macOS are treated or Apple TV). Our family has five members so we’re pretty much at the limit and I think we’re at the absolute device limit as well.

I say “think” because it’s not clear that there are error messages, I think things simply break.

So the baseline situation is pretty bad, even before one runs into bugs with handing down devices between family members.

I made things worse though. For a book project I added a test account — sphone4all@icloud.com. That pushed us up to six family members and probably hit or exceeded our device limit. Since my test phone is an iPhone 6 [2] it can’t upgrade to iOS 13 and is no longer useful for the book project. So I decided to try to remove it.

That’s where my next set of problems began. I’d make the mistake of creating the book account with an “age” less than 13. Ages are important in Apple’s Screen Time world. Basically:

Age 18 or more: independence, controls stop working, can purchase ad lib, can be Organizer. (Basically at age 18 you need to remove children from Family.)

Age 13: non-vulnerable status but subject to controls, cannot be Organizer. Age 13-18 is the range for Screen Time and content sharing. If you are the caregiver for a vulnerable adult (ex: cognitive disability) and need Screen Time support you need to periodically adjust their birthdate so they are over 13 and under 18. (We need legislation so Apple supports cognitive disabilities they way they support visual disabilities.)

Age 12 or less: vulnerable status. See below for the special rules.

I’d blundered by creating an iCloud ID for a “child” account with a current age of < 13. These vulnerable user accounts are special:

  • They cannot be deleted by users. Only Apple can remove them. They can only be shifted between Family Organizers (supports divorce, parental death remarriage, etc). If a child should die, the grieving parents will need to work with Apple support.
  • The birthdates cannot be changed. (Of course.)
  • Since they cannot be deleted the Organizer iCloud ID they are associated with cannot become a non-Family ID.
  • Since the Organizer ID must stay a Family ID the payment method cannot be removed from it.

That last bullet point is important. It’s a bit weird, but Apple documents how to create an Apple ID that doesn’t have a payment method. You can use it to buy free apps and tunes.

You can’t, however, turn that Apple ID into a family organizer:

If you're the family organizer for a Family Sharing group and want to share purchases with your family, you're required to have at least one payment method on file. A payment method is also required to set up accounts for children.

If you have an Apple ID like that, and you try to make it a Family Organizer in macOS Mojave iCloud despite the warning, you’ll get this helpful error message:


“There was an unexpected error”. Yeah, Apple was serious about that “requires a credit card” warning, they just didn’t code the error handler response for those who ignored it. I figured given the kludgy workaround Apple documented that the warning was obsolete. Wrong.

Why does Family Sharing require a payment method? I suspect Apple’s hacked together back ends can’t prevent some purchases even when there’s no payment method — and Apple doesn't want to get stuck with the tab. Another possibility is that it’s needed as part of Organizer identity tracing in case a vulnerable child family member is at risk.

So, what do you do when you have too many kids and you need to dump one that’s under 13?

The only recourse, short of phoning Apple support, is create another full Apple ID (age over 18), make it a Family Organizer, and transfer the sub-13 to that “Organizer”. You need hardware to create a full Apple ID, but if you have a Mac you can do it just by adding a system user. I did that to upgrade a limited Apple ID I’d created long ago to a full Apple ID. I then tried to use this fake parent/Organizer without a payment method, which is how I got the “unexpected error”.

After I added a real payment method and confirmed iTunes could see the account change I tried to again make that Apple ID the Organizer for a new family. This took a while. At first the macOS Mojave iCloud Preference Pane would simply display a blank window. After about five minutes it worked. I presume a back end system got updated.

From there I hopped through the transfer process between the macOS account for my new Organizer Apple ID and my iPhone that currently managed my faux 11yo. Some of the screens i saw are illustrative:

I got an error message during the process saying the request had expired, but it went through anyway. I think I got that errant error message because I backed up a screen to do a screenshot. Yeah, this stuff is fragile.

So it appears for now that I’ve moved my fake 11yo from my true Family to a new fake Family where it will sit for another 2 years. Then it will turn 13 and I can vaporize it (I’ve created a future task :-) and then I can remove the payment method for the fake Organizer.

Once I get my strength up I may try to contact Support about some of the other problems with our Family Screen Time, like that handed down device still stuck to my daughters account (or I can just wait until she’s 18 and exits).

Now I need some Scotch, but it’s still a bit early here ...

- fn-

[1] Extending the existing Family Sharing to enable remote Screen Time management was a fatal error.

[2] The iPhone 6 can’t move beyond iOS 12, but Apple is still supporting iOS 12 on it, and since iOS 12 is superior to 13 in several ways the 6 is arguably now a better phone than the 6s.

See also:

Saturday, December 21, 2019

Share Sheet crash in iOS 13.3 - try removing apps that have associated share sheet actions

I upgraded from iOS 12 to 13.3. Most things worked (Parental Controls/Screen Time may be more broken, but it’s always broken), but I had one significant bug.

If I opened a .docx (Word) file in Mail.app it would display in the docx viewer as expected. If I then tapped the share sheet icon the viewer would crash.

David Yeh found a workaround — do a long press on the document and then use the share sheet from that popup screen. Another contributor suggested removing and restoring the mail account, that didn’t work for me.

Today I found a fix for my case. I deleted two utilities: Pinner (last updated 2y ago) and Opener (frequently updated) then restarted my phone. That removed their associated share sheet action apps.

Now the share sheet works for me.

I’ll reinstall Opener if I find I miss it. Pushpin.app was updated relatively recently so I’ll use that instead of Pinner (really, I only use the Pushpin app action).

Sunday, December 01, 2019

How to create a file system reference to an iCloud Note

My daughter wanted us to use a shared Apple Note for trip planning. That's fine, but I wanted a way to reference it from the macOS folder that held other trip documents.

This worked:
  1. Open Safari and view the specific Note.
  2. Drag the URL ref to desktop creating a .webloc file, name it as desired
  3. Store .webloc file in folder
Funny bit: If you double-click the .webloc file it doesn't open Safari. It opens Mojave Notes.app with the specific Note selected and contents displayed.

This is the actual webloc content (I tweaked the GUID just in case it allows global access):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>URL</key>
<string>https://www.icloud.com/notes/0HxBnHC0QgNjaCyxlsPXOLLvw</string>
</dict>
</plist>

Unable to use MarsEdit with Blogger - Google web OAUTH failure with DHCP mode on AirPort Extreme

I'm now unable to use MarsEdit with Blogger on Mojave or High Sierra. When Google asks me to authenticate instead of getting the usual embedded web page for entering credentials I get a blank page.

Either Google has changed something so this only works on Catalina or there's something odd about my Google accounts. I've tested with

  • two non-2FA Google Apps identities that used to work
  • my personal 2FA Gmail Google ID
  • my wife's personal Gmail Google ID never used for blogger
  • two user accounts on my Mojave machine
  • 1 user account on High Sierra
  • Admin and non-admin account
  • Clearing caches with Onyx
  • I think I also tried an older version of MarsEdit that was on my old account on the High Sierra machine
macOS Console has not been helpful, but I have yet to download and try it using Consolation.
 
MarsEdit dev (Daniel Jalkut) says it works for him on Catalina and on pre-Catalina.

Update 12/6/2019: I eventually realized the problem was my home network. I have a Comcast Xfinity router and an Apple AirPort Extreme. Both have had no configuration changes in months, but Comcast recently updated my service and the AirPort firmware went to version 7.9.1 a few months ago.
 
 
Update 12/7/2019: Today I discovered my AirPort Extreme Guest Network no longer works. That’s the network all our IOT devices connect to.  Turns out suggests that the Guest network doesn’t work in Bridge mode unless the internet router is configured for VLAN support. Would be nice if Apple documented some of this stuff. Maybe this is why they exited the router business.
 
So I have to go back to double NAT for now then try reverting the firmware. (Though once I’ve authenticated a blog I don’t need the web OAUTH, so there is that option.)
 
Update 12/8/2019: So I reverted from 7.9.1 (79100.2) to 7.7.9 and it still doesn’t work! So I think I’ve ruled out a problem with the AirPort Extreme firmware update. I think I tried an older version of MarsEdit. I can’t say for sure but now I suspect it’s something Google did that broken compatibility with Double NAT (DHCP) on the AirPort Extreme.
 
I went back to 7.9.1 (got an ominous notice that firmware update failed but it seems fine) and I guess I’ll use my TunnelBear VPN when I need to authenticate with Google. I’ll test periodically to see if Google fixes things.
 
I tried out Google OAUTH playground. It’s a bit above my pay grade but it seemed to work across my Double NAT setup.

Removing encryption from PDF on macOS with Chrome

My son's employer has one of those obsolete and spectacularly awful SAP style web sites that distributes pay statements.

The PDFs are encrypted. They won't render in macOS Mojave Preview; I can enter the password but I see a blank page. (For more on all the many issues with PDF on every platform but especially macOS see the great Eclectic Light series on macOS PDF by Howard Oakley.)

To remove encryption:
  1. Drop onto Chrome. Enter password. Chrome will render them.
  2. In Chrome select Print.
  3. Change print destination to PDF.
  4. Save.
The saved PDF is not encrypted and will render in Preview.

Thursday, October 31, 2019

Aperture to Photos.app - preparation (And CYME's Avalanche)

Original 10/31/2019

I despise Apple in general and Tim Cook in particular. I wasn’t always that way. In the 00s I was kind of fond of Apple.  That ended with the way Cook killed Aperture in 2014. Apple could have provided an exit, but they didn’t.

Being unable to leave Apple has not improved my mood over the past six years. The exit cost is too high. On the bright side my Apple resentment has made it easier to resist the Apple watch. So I have a bit more time in my life for family, bikes, skis, and CrossFit. Thanks Tim!

I’ll still be on Aperture into 2020, three years beyond my original plan. The Catalina catastrophe has made staying on Mojave more agreeable. I’ll have to switch sooner or later though, almost certainly by 2021. So I’m working on a list of what I need to do prepare. I’ll update this post with items I think about:
  1. Eliminate all stacks. I have hundreds of unwanted stacks created by Apple’s original hacked up iPhoto to Aperture migration (that was horrible). I need to edit each of the stacked images and remove the duplicate.
  2. Flatten the keyword hierarchy (the marvelous hierarchy is from a time when giants walked the earth).
  3. Regenerate images from RAW (this will take eons and is high risk).
  4. Be sure image locations and face recognition (never worked) are turned off.
  5. Simplify all smart albums not supported by Photos.app.
  6. Create an empty shell of current Library, then use that to import all images from past Library. Confirm everything is correct.
  7. Rebuild database to confirm no errors.
  8. Per Apple’s migration directions, create full-sized “previews”.
  9. Ensure iCloud is empty of images and that Photos.app destination library is empty with no iCloud sync. Disconnect from network.
  10. Import into Photos.app
  11. Validate.
This project will take many months, many backups, and purchase of at least one other 1TB SSD.

Update 2/17/2020: Avalanche claims ability to migrate from Aperture to Lightroom (Mojave and up). I'm looking for reviews.

Update 1/9/2022: Still on Aperture! Reviewing this post I decided to copy Apple's directions for migrating to Photos. (For older photos consider reprocessing before generating previews.)
Choose Aperture > Preferences, click the Previews tab, then change the Photo Preview setting to Don't Limit. Close the preferences window.
From the list of projects in the Library inspector, select all of your projects. For example, click the first project listed, then press and hold the Shift key while clicking the last project.
Click the Browser layout button in the toolbar, so that all photos are shown as thumbnails.
Choose Edit > Select All to select all of your photos.
Press and hold the Option key, then choose Photos > Generate Previews.
Aperture now generates full-size previews for every photo in your library. To follow its progress, choose Window > Show Activity from the menu bar. Quit Aperture when processing is complete.
Open the Photos app, then choose your Aperture library when prompted, as pictured above. If you aren't prompted to choose a library, press and hold the Option key while opening Photos. If your Aperture library isn’t listed, click Other Library, then locate and choose your library.

I tested CYME's Avalanche "export to file system". Unfortunately it doesn't export previews, only the master file. It's designed to translate Aperture's lossless edit directions to an alternative format, then have the receiving system generate the Previews.