If you’ve resisted requiring a password when your Mac wakes or leaves the screen saver because entering it repeatedly is a chore, an Apple Watch can make authentication much easier. Since macOS Sierra, wearing an unlocked Apple Watch has been enough to unlock your Mac; in Catalina, the Apple Watch can also approve the password prompts that macOS and apps put up, such as unlocking a locked pane in System Preferences. First, make sure your Apple Watch has a passcode (in the Watch app on your iPhone, under Passcode), is on your wrist, and is unlocked. Then, in System Preferences > Security & Privacy > General, select “Use your Apple Watch to unlock apps and your Mac.” From then on, the Mac unlocks on its own when you wake it, and most of the time an app asks for your password, a double-click of the watch’s side button approves the request. (This feature requires a Mac from mid-2013 or later with Wi-Fi and Bluetooth turned on, that all devices be signed in to the same iCloud account, and that the Apple ID use two-factor authentication rather than the older two-step verification.)
If you own an iMac Pro, or a Mac mini, MacBook Air, or MacBook Pro model introduced in 2018 or later, your Mac has one of Apple’s T2 security chips inside. On the whole, having a T2 chip in your Mac is a good thing, thanks to significantly increased security and other benefits, but there are some ramifications that you may not realize.
What Is a T2 Chip?
Let’s step back briefly. In late 2016, Apple introduced the T2’s predecessor, the T1, in the first Touch Bar–equipped MacBook Pros. The T1 offered three primary capabilities:
Management of the Touch Bar’s Touch ID fingerprint sensor and storage of sensitive biometric information
Integration of the System Management Controller, which is responsible for heat and power management, battery charging, and sleeping and waking the Mac
Detection of non-Apple hardware
The T2 builds on the T1’s foundation, adding four more important capabilities:
Real-time encryption and decryption of data on built-in SSDs
Support for invoking Siri with “Hey Siri”
Image enhancement for built-in FaceTime HD cameras
Optional protection of the Mac’s boot process to prevent it from starting up with an external drive
All these functions become possible because the T1 and T2 are essentially separate computers inside your Mac, much like the A-series chips that power iOS devices. They have their own memory and storage, and run an operating system called bridgeOS that’s based on watchOS.
Some of these features enhance performance by offloading processing (enhancing FaceTime HD video and listening for Siri) to a separate chip. Others increase security by keeping keys, fingerprint data, and the boot policy in a chip that macOS can ask to do things but cannot read or modify, so they stay protected even if macOS itself has been compromised.
How Does a T2 Chip Increase Your Security?
There are four basic ways that the T2 chip increases security, two of which apply only to the MacBook Air and MacBook Pro models.
The T2 chip verifies that every component in the Mac’s boot chain (the firmware, the boot loader, and the macOS kernel and its extensions) carries a valid Apple signature before it is allowed to run. This is Apple’s Secure Boot, and it prevents an attacker from inserting malicious code into the boot process and taking over the Mac before macOS has even loaded.
There are two gotchas, however. First, at its default Full Security setting, Secure Boot trusts only code signed by Apple, with one exception: the Windows boot loader signed by Microsoft, so that Windows 10 can run under Apple’s Boot Camp. Anything else, Linux in Boot Camp for instance, won’t boot unless you lower Secure Boot to No Security.
Second, booting from an external drive is governed by a separate setting, and its default is to disallow booting from external or removable media at all. That’s great for security but can make troubleshooting internal drive problems tricky. To control these settings, Macs with T2 chips have a Startup Security Utility in macOS Recovery (boot while holding down Command-R; the utility asks for an administrator password before it will change anything). You can use it to allow booting from an external drive for troubleshooting, and to lower Secure Boot from Full Security to Medium Security, which accepts any version of macOS Apple has ever signed and doesn’t need an Internet connection to verify it, if you need to install an older version of macOS or install macOS while offline.
Because the T2 contains both a crypto engine and the SSD controller, it encrypts and decrypts everything stored on the internal SSD on the fly, with keys that never leave the chip. That happens whether or not FileVault is on; what turning on FileVault adds on a T2 Mac is tying those keys to your login password, so the drive can’t be unlocked without a password at startup. Without FileVault, the data is still unreadable if the SSD chips are removed from the Mac, but the T2 unlocks it automatically for anyone who boots the machine, so turn FileVault on. Internal hard drives and external drives of any kind don’t get the T2’s protection, which covers only the built-in SSD, but they can still be encrypted via FileVault.
The big win from the T2 encrypting all stored data is that there’s no way to decrypt it without the password, not for a thief and not for Apple: as long as your password can’t be guessed, there’s no reason to worry about your data if your MacBook Pro disappears. The flip side is data recovery. The keys live only in the T2, so if the logic board fails, nothing on the SSD can be recovered by anyone; and even from a working Mac, nobody can recover the data without the password.
The T2 chip also controls what happens on failed password attempts, and the counter is enforced by its Secure Enclave rather than by macOS. Fourteen tries are allowed without delay, and then tries 15 through 30 are permitted with increasingly long delays (an hour between tries for the last three). More attempts are possible after that through macOS Recovery and other routes, but after 220 attempts in total, the T2 chip refuses to process any further requests to decrypt the data, rendering it unrecoverable. In short, back up your data!
The T2 chip also manages the Touch ID fingerprint sensor (built into the Touch Bar on the MacBook Pro, and into a dedicated key on the MacBook Air) that lets you log in without typing your password; the fingerprint data is stored in the T2’s Secure Enclave and never reaches macOS or Apple. Even so, the password is still required after turning the Mac on or restarting, and the Mac also requires it if you haven’t unlocked it in 48 hours, if you haven’t typed the password in the last 156 hours and haven’t used Touch ID in the last 4 hours, or if a fingerprint read fails five times.
This isn’t exactly related to the T2 chip, but all T2-equipped MacBook Air and MacBook Pro models feature a hardware disconnect that disables the microphone whenever the lid is closed. That prevents any software from turning on the mic and eavesdropping on you. No disconnect is necessary for the FaceTime HD camera when the lid is closed because its field of view is completely obstructed in that position.
So there you have it. The T2 chip significantly increases the security of your Mac, but it comes with tradeoffs that make it harder to boot from external drives or run other operating systems.
One of the big no-nos with passwords is sending them as plain text in email or a text message. You presumably trust the recipient, but the message sits in their mailbox or on their phone indefinitely, and anyone who later breaks into that account or steals that phone gets the password too. Instead, use a site like 1ty.me or One-Time Secret, which turns a password into a Web link that can be opened only once: the contents are deleted the first time anyone views them, so if the recipient finds the link already used, you know someone else got there first and the password must be changed. Send the link, and when the recipient retrieves the password, have them store it in a password manager like 1Password or LastPass rather than leaving it in the message. Two caveats: you are trusting the service operator (some, including One-Time Secret, let you add a passphrase that isn’t part of the link, which helps), and until it has been opened the link is exactly as sensitive as the password, so don’t leave it sitting unopened for days.
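To show what such a one-time link actually does, here is a minimal version of the scheme in Python. This is an added example, not code from the original page nor from 1ty.me or One-Time Secret; the service address secrets.example is a hypothetical placeholder, and the store is an in-memory stand-in for a server database. The point it demonstrates is that the server holds only ciphertext, the key rides in the URL fragment (which browsers never send to the server), and the first retrieval destroys the entry.

```python
# Added example, not code from the original page or from any real service:
# a minimal one-time secret link, to show what such a service does.
import base64
import hashlib
import secrets
import time

BASE_URL = "https://secrets.example"  # assumed, hypothetical service address


class OneTimeSecretStore:
    """Server side. Holds ciphertext only, indexed by a hash of the URL token,
    and hands each item out exactly once."""

    def __init__(self, ttl_seconds=86400, clock=time.time):
        self._items = {}          # sha256(token) -> (ciphertext, expiry time)
        self.ttl = ttl_seconds
        self.clock = clock        # injectable so expiry can be exercised offline

    @staticmethod
    def _index(token):
        # A dump of the store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def put(self, ciphertext):
        token = secrets.token_urlsafe(16)
        self._items[self._index(token)] = (ciphertext, self.clock() + self.ttl)
        return token

    def take(self, token):
        # pop, not get: the first retrieval destroys the entry.
        entry = self._items.pop(self._index(token), None)
        if entry is None:
            return None
        ciphertext, expires = entry
        return ciphertext if self.clock() <= expires else None

    def count(self):
        return len(self._items)


def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def create_link(store, secret):
    """Sender side. A fresh random key as long as the secret (a one-time pad,
    adequate here because the key is random and used exactly once). The key
    goes into the URL fragment, which browsers never transmit to the server."""
    data = secret.encode()
    key = secrets.token_bytes(len(data))
    token = store.put(_xor(data, key))
    fragment = base64.urlsafe_b64encode(key).rstrip(b"=").decode()
    return f"{BASE_URL}/s/{token}#{fragment}"


def open_link(store, link):
    """Recipient side. Returns the secret on the first use, None afterwards."""
    path, _, fragment = link.partition("#")
    token = path.rsplit("/", 1)[-1]
    ciphertext = store.take(token)
    if ciphertext is None:
        return None
    key = base64.urlsafe_b64decode(fragment + "=" * (-len(fragment) % 4))
    return _xor(ciphertext, key).decode()


def server_sees_plaintext(store, secret):
    """True if the secret appears verbatim anywhere in the server's store."""
    return any(secret.encode() in ct for ct, _ in store._items.values())


if __name__ == "__main__":
    store = OneTimeSecretStore()
    link = create_link(store, "correct horse battery staple")
    print(link)
    print(server_sees_plaintext(store, "correct horse battery staple"))  # False
    print(open_link(store, link))   # the secret, once
    print(open_link(store, link))   # None: the link has been used
```

A real service adds TLS, a database, and rate limiting, but the security properties are the ones above: a compromised server database gives an attacker only ciphertext and hashed tokens, and a recipient who finds the link already consumed has a reliable signal that the password was intercepted.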
By default, Safari on the Mac hides full Web addresses (technically known as URLs) from you, showing just the site name in the Smart Search field at the top of the window. If you click in the field or press Command-L, the full URL appears, which is good for checking that you’re really where you think you should be and not on some dodgy site. It’s also useful if you need to copy just a portion of the URL to share or otherwise work with. To make that check easier, go to Safari > Preferences > Advanced and, next to Smart Search Field, select “Show full website address.” Then you can verify at a glance that the domain is the one you expect, and not something like apple.com.example.net that merely starts with a familiar name.
We often recommend using a password manager like 1Password or LastPass, but we’ve gotten a few questions asking why we’re so adamant about this. Lots of people think that all they need to do to keep their online accounts secure is create a single password with some numbers, often switching a lowercase L with a 1 and a capital E with a 3. And that’s for accounts people care about—for those that they don’t see as important, they’re likely to use a simple password like their child’s or pet’s name. Plus, most people don’t think they have much to protect or that they would be targeted by hackers, so they reuse the same password across multiple sites.
Guess what? Such an approach is extremely dangerous on today’s Internet. First off, nobody needs to target you personally. The bad guys get passwords by stealing them by the millions from Web sites with lax security, then run the stolen password hashes through cracking rigs that can try over 350 billion guesses per second against the fast hash functions many sites still use. At that rate every possible 8-character password falls in hours, and any password built from words, names, and dates, however long, falls far faster to dictionary and substitution rules (the 1-for-L and 3-for-E tricks are the first thing a cracker tries). Only a long, genuinely random password is out of reach, and you don’t get to choose how carefully a site stores its passwords.
Next, imagine the site whose password database is stolen is a shopping site where you have an account. The attackers can log in there, change your shipping address, and order items with your stored credit card. But they won’t stop there. They’ll use automated software to try that username and password combination on lots of other high-profile sites, an attack known as credential stuffing: Google, Apple, Amazon, eBay, Facebook, many banks, and so on. If they can get in anywhere, they’ll take over the account and exploit it in any way they can, which could involve stealing money, ordering goods, or using it to reset passwords and lock you out of other accounts. It can get ugly fast.
Use a password manager to generate, store, and enter strong passwords, one for each site, and none of these problems apply to you. A sufficiently long random password (16 characters minimum, but we recommend 20 when possible) will withstand cracking for centuries even against a fast hash, and with a different password for every site, a breach at one site exposes only that one account.
Here then are five reasons for using a password manager:
Generate strong passwords: A password should be random, or it should be a long collection of words (think 30+ characters). Password managers can generate such passwords for you, so it’s easy to make a new one for each Web site.
Store passwords securely: If you’re going to put all your eggs in one basket, you want that basket to be well protected. Password managers employ their own strong encryption and various other techniques to ensure that your passwords are safe.
Enter passwords for you: No one can remember and type long, random passwords, but having a password manager enter the password for you is even easier than typing a weak password. Log in faster than ever before!
Audit existing accounts: Password managers learn the credentials you use for existing accounts, and they can tell you which passwords are weak and which have been reused.
Access passwords on all your devices: It’s even harder to type passwords on an iPhone or iPad, but good password managers have apps for mobile devices that sync with your password archive so all your passwords are available whenever you need them.
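The arithmetic behind the advice above, together with the kind of generator and reuse audit a password manager provides, in Python. This is an added example and not code from the original page or from any password manager; the 350 billion guesses per second is the rate quoted above, the word list is a tiny stand-in for a real one such as the 7,776-word diceware list, and the sample vault is constructed, not real accounts.

```python
# Added example, not from the original page: the arithmetic behind the
# advice above, a generator for the passwords it recommends, and the kind of
# reuse audit a password manager performs.
import math
import secrets
import string
from collections import Counter

GUESSES_PER_SECOND = 350e9   # the cracking rate quoted in the text
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed stand-in word list; a real one (e.g. diceware, 7,776 words) is a file.
WORDS = ["apple", "harbor", "marble", "quartz", "river", "saddle", "tundra", "violet"]


def brute_force_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet_size ** length / rate


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random choice; the attacker's real cost."""
    return length * math.log2(alphabet_size)


def human_time(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.1f} seconds"


def random_password(length=20, alphabet=PRINTABLE):
    """Uniformly random password. Use secrets, never random, for anything secret."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDS):
    """Random words from a list: long, typeable, and strong if the list is large."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def audit(credentials, min_length=16):
    """credentials: (site, username, password) triples, as a manager stores them.
    Returns (sites whose password is shared with another site, sites with short passwords)."""
    uses = Counter(password for _, _, password in credentials)
    reused = sorted(site for site, _, pw in credentials if uses[pw] > 1)
    short = sorted(site for site, _, pw in credentials if len(pw) < min_length)
    return reused, short


# Constructed sample vault, not real accounts.
SAMPLE_VAULT = [
    ("shop.example", "pat", "Fluffy2012"),
    ("mail.example", "pat", "Fluffy2012"),
    ("bank.example", "pat", "m7R$wq2!Lp9vZt3#bXe0"),
    ("forum.example", "pat", "password1"),
]

if __name__ == "__main__":
    for label, length, size in (("8 random printable", 8, 94),
                                ("12 random printable", 12, 94),
                                ("16 random printable", 16, 94),
                                ("3 words, 10,000-word list", 3, 10_000),
                                ("6 words, 7,776-word list", 6, 7776)):
        print(f"{label:28} {entropy_bits(length, size):6.1f} bits  "
              f"{human_time(brute_force_seconds(length, size))}")
    print(random_password(), "|", random_passphrase())
    print(audit(SAMPLE_VAULT))
```

Two things the table makes visible that the prose only asserts: eight random printable characters last about five hours at the quoted rate while sixteen last longer than the age of the universe, and three words drawn from a 10,000-word list fall in seconds if the attacker guesses the structure, which is why a passphrase needs six or more words from a large list to match a 16-character random password.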
There are many different password managers, but for most people, there are three main choices. If you use only Safari on the Mac and in iOS, Apple’s built-in iCloud Keychain feature may be sufficient.
If you’re mostly an Apple user but also need support for Windows and Android, or if you want to share some passwords with family members or your workgroup, 1Password is the best choice. It costs $3 per month for an individual or $5 per month for a family, with team and business accounts as well. 1Password also offers add-ons for non-Apple browsers like Chrome and Firefox.
And if 1Password is too expensive, or if you’re platform agnostic, LastPass offers a solid set of features for free. Additional features and password sharing cost $3 per month for individuals and $4 per month for families, and again, team and enterprise accounts are available.
If you need help choosing among these three or setting them up, particularly in the context of a small business, get in touch with us. And if you’d like us to write more about each of these options, just drop us a note and we’ll see what we can do.
We’re seeing an uptick in email phishing attacks purporting to come from Microsoft about Office 365. They’re quite convincing messages that tell users that their credit card payment has failed, that an account needs renewing, or that a password needs to be confirmed. Needless to say, they’re all complete scams, and clicking a link in them takes you to a malicious Web page that will try to steal your password or credit card details. As we noted in “Gone Phishing: Five Signs That Identify Scam Email Messages,” large companies never send an email asking you to click a link in order to log in to your account, update your credit card information, or the like. Hover over links to see where they really go before clicking anything, and read the domain, not just the familiar words at the start of it; better still, reach the site by typing its address or using a bookmark rather than clicking anything in the message. Stay safe out there!
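The check behind “hover over the link” and behind reading Safari’s full address, done programmatically so it can be run over every link in a suspicious message. This is an added example, not code from the original page; the trusted-site list and every URL in it are constructed for illustration, and the punycode host is a placeholder label, not a real domain. It resolves each link the way a browser would (the text before an @ is a username, the host is what comes after it) and accepts a host only if it is one of the expected sites or a subdomain of one at a dot boundary, so microsoft.com.account-renewal.example and evilmicrosoft.com both fail.

```python
# Added example, not code from the original page: the "where does this link
# really go" check, done programmatically. All URLs below are constructed.
from urllib.parse import urlsplit

# Assumed list of sites a user might legitimately be sent to for this account.
TRUSTED_SITES = ("microsoft.com", "microsoftonline.com", "office.com")


def host_belongs_to(host, site):
    """True only for the site itself or a subdomain of it. The match must end at
    a dot boundary, so 'evilmicrosoft.com' and 'microsoft.com.evil.example' fail."""
    host, site = host.lower().rstrip("."), site.lower()
    return host == site or host.endswith("." + site)


def link_destination(url):
    """Resolve a link the way a browser will and list the things a person
    eyeballing it tends to miss. Returns (host, warnings)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    warnings = []
    if parts.scheme not in ("http", "https"):
        warnings.append(f"scheme {parts.scheme!r} is not a web link")
    elif parts.scheme == "http":
        warnings.append("plain http: no certificate ties this to the site")
    if parts.username is not None:
        warnings.append(f"text before '@' ({parts.username!r}) is a username, not the host")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: the displayed name may use lookalike characters")
    if not host.isascii():
        warnings.append("non-ASCII host name: check for lookalike characters")
    return host, warnings


def check_link(url, trusted_sites=TRUSTED_SITES):
    """Verdict for one link: (ok, host, reasons). ok is True only when the host
    is an expected site and nothing else about the link is suspicious."""
    host, warnings = link_destination(url)
    if not host:
        return False, host, ["no host in link"] + warnings
    if not any(host_belongs_to(host, site) for site in trusted_sites):
        warnings.insert(0, f"host {host!r} is not one of the expected sites")
    return not warnings, host, warnings


# Constructed sample links of the kind found in "renew your Office 365" messages.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://microsoft.com.account-renewal.example/billing",
    "https://microsoft.com@account-renewal.example/billing",
    "http://login.microsoftonline.com/",
    "https://xn--some-lookalike.example/",
    "https://evilmicrosoft.com/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for url in SAMPLE_LINKS:
        ok, host, reasons = check_link(url)
        print("OK " if ok else "BAD", host or "(none)", *reasons, sep="  ")
```

The second and third sample links are the two tricks that make hovering insufficient on its own: the familiar name placed at the front of a longer host, and the familiar name placed before an @ so that the browser treats it as a username and goes to whatever follows.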