So much information about you is stored digitally: your identity, your finances, your health, and much more. And all of this information is either stored on or accessible from your computing devices, including your Mac, iPhone, or iPad.
There are many threats to your security and privacy when using these devices. Fortunately, there are many features built into these devices and their operating systems that can help you keep your data private. But it’s important to know about these features so that you can enable them and use them effectively.
In this article, I’ll look at ten things you can do to improve your security and privacy on your Apple devices.
Most of your data is protected by passwords, whether on your Mac, where your login password ensures that only you can access the device, or on the myriad accounts you have across the Internet on various websites and services. Just as a house is only as well protected as the lock on its door, your accounts are only as well protected as the passwords that guard them.
A good way of understanding how to create strong passwords starts with understanding what sorts of passwords are weak. Read 4 Types of Passwords You Shouldn’t Create (Unless You Want Your Account Hacked) to find out four types of weak passwords, then read 4 Tips for Creating Secure Passwords to learn how to make stronger passwords.
Along with using strong passwords, you should also use a unique password for each site or service you use. That way, if one site gets breached and your password gets exposed, hackers won’t be able to break into all of your other accounts.
If you have a unique, strong password for every site, you most likely won’t be able to remember them all. Therefore, you’ll need a tool that can remember your passwords for you. This kind of tool is known as a password manager. With a password manager, you only have to remember one master password to unlock the app. (Of course, this means you’ll still need to memorize one long, complex master password in order to keep all your other passwords secure.) Your password manager can then generate and store complex passwords for each site, such as 77iKmzZ@j7oa6E. There’s no easy way to remember such a password, but your password manager can.
Apple’s Keychain, for macOS, iOS, and iPadOS, is a reliable password manager that comes included with Apple devices, and is also available on Windows. See Mac and iOS Keychain Tutorial: How Apple’s iCloud Keychain Works.
There are also many third-party apps and services that can manage your passwords. Whichever password manager you choose, using strong, unique passwords everywhere, and storing them in a trustworthy password manager, is one of the best ways to enhance your security. See How to Choose the Right Password Manager for You.
Many employers encourage or require their employees to change their password every month. Many employees may not have access to a password manager, so, when required to change their password, they simply change one character so it will still be easy to remember. For example, if an employee’s current password is MyGreatPassword, they might change it to MyGreatPassword2. The next time they’re required to change their password, can you guess what their “new” password might be? Most likely, MyGreatPassword3.
While changing a password could potentially protect you from a data breach, there is generally no upside to changing passwords regularly. And since you have so many passwords, changing all of them routinely would require a ridiculous amount of time. Both the U.S. Federal Trade Commission and the UK National Cyber Security Centre recommend against changing passwords regularly.
Although you may not have control over how often you change your work passwords, you can decide for yourself what to do about personal passwords. Rather than changing passwords regularly, only change them if a website or service warns you about a data breach, or if you have reason to believe someone has accessed one of your accounts.
And if you do get a data breach alert, don’t click on a link in that alert e-mail; it might be a phishing scam. Instead, use an existing bookmark to go to the site, or carefully type the usual site address into your browser if you don’t have it bookmarked. (Googling a site and clicking on the first link isn’t always the best, because scammers may buy ads that appear at the top of the search results page.)
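To make the password advice above concrete, here is an added example (not code from the original article or from Intego) showing what a password manager does when it generates a password like the page's 77iKmzZ@j7oa6E, how much entropy that buys compared with an incremented password such as MyGreatPassword2, and a small check that catches the "change one character" habit described above. The 94-character alphabet and the `is_trivial_variation` heuristic are this example's own assumptions.

```python
import math
import secrets
import string

# Character classes a password manager typically draws from. The page's
# 14-character example (77iKmzZ@j7oa6E) mixes cases, digits and a symbol,
# so this alphabet (94 printable ASCII characters) mirrors that.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Return a random password the way a password manager would.

    secrets.choice draws from the OS CSPRNG (random.choice would not be
    acceptable here). We retry until every character class present in the
    alphabet appears at least once, so a short password is never, say,
    all lowercase by chance.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    wanted = [c for c in classes if any(ch in alphabet for ch in c)]
    if length < len(wanted):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in c for ch in candidate) for c in wanted):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    A 14-character password over 94 symbols is about 92 bits. By contrast,
    appending or bumping one digit (MyGreatPassword -> MyGreatPassword2)
    adds at most log2(10), roughly 3.3 bits, on top of a guessable word.
    """
    return length * math.log2(alphabet_size)


def is_trivial_variation(old: str, new: str) -> bool:
    """True when `new` is `old` with only a trailing run of digits added or
    changed (MyGreatPassword -> MyGreatPassword2 -> MyGreatPassword3).
    This is the pattern that monthly forced rotation produces, and the
    check a password-change form could apply to reject it. (Assumption:
    only trailing-digit changes are considered here.)"""
    return (old != new
            and old.rstrip(string.digits) == new.rstrip(string.digits))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    print(is_trivial_variation("MyGreatPassword", "MyGreatPassword2"))
```

Run it a few times: every generated password is different, all are around 92 bits, and the trivial-variation check flags the incremented password while accepting a genuinely new one.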
In the first tip, I explained that you need a strong password for your Mac and for websites and services. But the device most at risk is the one you carry around, because it can more easily be lost or stolen. While iPhones and iPads have protections that prevent brute-force guessing of the passcode, someone can still discover your mobile device’s passcode by “shoulder surfing,” that is, looking over your shoulder as you type it.
In 2020, an iPhone user’s phone was stolen, and hackers got into the device. They didn’t just access what was on his iPhone, but they were able to see and change his Apple ID password, the one that protects all his Apple accounts and services. They were then able to access the user’s email, change other accounts, and so on.
When you set up an iPhone or iPad, Apple defaults to a six-digit passcode, but you can use a longer passcode, even one with letters and numbers. See If Hackers Crack a Six-Digit iPhone Passcode, They Can Get All Your Passwords to find out about how hackers can get access to all your data, and how to make your passcode more secure. And see the tip below about biometric mobile security, too.
So you’ve got a strong password, but is that enough? The combination of your user name (or e-mail address) and password could have been exposed in a data breach, and you might not know about it. In order to ensure the best security, you need to add another element to your authentication, wherever possible. Two-factor authentication or 2FA (also known as multi-factor authentication or MFA) typically combines something you know (your user name and password) with something you have (a code generated by a device you own, or sent to you by a website or service when you attempt to log in). If you use Apple devices, you’ll have seen this, with Apple’s two-factor authentication for your Apple ID and iCloud account.
Apple’s system depends on trusted devices, but most 2FA systems use a code that you enter when you log into a site or service. You can use authenticator apps on your iPhone, or some password managers (including Apple’s Keychain), to generate these codes, or you can get them sent to you via SMS. This latter method, however, is inherently insecure, since SMS is not encrypted, and malicious cyber-criminals can use “man in the middle” or “SIM swapping” attacks to intercept your codes.
Do use 2FA whenever you can; and, if possible, use a code generated by an app or password manager rather than SMS. But if you only have SMS as an option, it’s better than not using any form of 2FA at all.
A passcode on your mobile device can be acceptably secure for some, but people are often tempted to use a PIN that is memorable. Often this involves dates or other numbers that are familiar, though you can use more than six digits, and even a fully alpha-numeric passcode if you wish. (See point number four above.)
But it can be annoying to type in a lengthy passcode every time you want to look at your iPhone or iPad. And, malicious people can watch over your shoulder, seeing what you type.
As an alternative to typing your passcode every time, Apple devices offer two standard forms of biometric login: Touch ID and Face ID. With these features, you enter your passcode whenever you restart your device, as well as every few days, but much of the rest of the time you can unlock it with your fingerprint or your face. Since you won’t have to enter your passcode very often, you can use a longer, more complex passcode for improved security.
Touch ID and Face ID are both very secure, but there are some caveats. See Which Is More Secure: Face ID, Touch ID, or a Passcode?
Instant messages are practical and easy to use, and, with the right apps, you can send sensitive information, such as passwords, financial information, personal photos, and more. However, not all messaging platforms are secure. SMS is not encrypted, so anything you send can be intercepted.
Encrypted messaging services, including Apple’s iMessage, Signal, Threema, and others, provide robust security for your messaging. See 5 Encrypted Messaging Apps for Mac, iPhone, and iPad to find out which apps you can use to stay secure.
Your iPhone and iPad are fully encrypted; their contents can only be accessed by someone who enters the correct passcode, or unlocks the device using Touch ID or Face ID. But your Mac’s drive may not be encrypted by default. Apple’s FileVault is a full-disk encryption feature that is part of macOS, and you should turn it on as soon as you set up a new Mac.
See How to Encrypt and Password Protect Files on Your Mac to learn how to use FileVault, and how to encrypt other files on your Mac.
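Turning FileVault on is easy to forget on a Mac you have had for a while, so it helps to be able to check. macOS ships a command-line tool, `fdesetup`, whose `status` subcommand prints a sentence such as "FileVault is On." The added example below (mine, not Apple's or Intego's) wraps that output in a small check you can run on each Mac; the sample outputs are constructed for the test, and the "deferred enablement" wording is treated as an assumption about the tool's third possible state.

```python
import platform
import subprocess


def parse_fdesetup_status(output: str) -> str:
    """Classify the text printed by `fdesetup status` on macOS.

    Returns "on", "off", "deferred" (enablement scheduled for the next
    login but not yet active; assumed wording) or "unknown". The matching
    is deliberately loose because Apple prints a sentence for humans,
    not a machine-readable value.
    """
    text = output.strip().lower()
    if "filevault is on" in text:
        return "on"
    if "filevault is off" in text:
        return "deferred" if "deferred enablement" in text else "off"
    return "unknown"


def filevault_status() -> str:
    """Run fdesetup on a Mac and classify the result. On any other OS the
    tool does not exist, so report "unknown" rather than crash."""
    if platform.system() != "Darwin":
        return "unknown"
    result = subprocess.run(["fdesetup", "status"],
                            capture_output=True, text=True)
    return parse_fdesetup_status(result.stdout + result.stderr)


# Constructed sample outputs for demonstration. The first two match what
# fdesetup prints; the third is an assumed example of the deferred case.
SAMPLES = {
    "encrypted": "FileVault is On.\n",
    "unencrypted": "FileVault is Off.\n",
    "scheduled": "FileVault is Off.\n"
                 "Deferred enablement appears to be active for user 'alice'.\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name}: {parse_fdesetup_status(text)}")
    live = filevault_status()
    print("this machine:", live)
    if live != "on":
        print("FileVault is not active; enable it in System Settings > "
              "Privacy & Security > FileVault.")
```

Anything other than "on" means the data on the drive is readable by whoever gets physical access to it, which is also why the remote-erase trick described later in this article depends on FileVault being active.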
Both hardware and software are updated regularly. You should update apps as soon as possible, unless they are mission critical and you have reason to believe that they may not work completely. You should also update your devices as soon as you can. Both major operating system updates (such as iOS 16 and macOS Ventura) and minor updates (for example, .1 or .0.1) often contain security fixes, sometimes to patch vulnerabilities that are actively exploited.
One important reason to always upgrade to the latest major Apple operating system is that Apple doesn’t patch all vulnerabilities in older OS versions.
Apple’s Find My app is designed to help you find an Apple device that you’ve lost or misplaced, to find your friends, and to track AirTags that are attached to your keys or other items. In addition to leveraging the massive network of Apple devices around the world to find your device, Find My allows you to remotely erase any device that is lost or stolen. Erasing a device is simple: for iPhones and iPads, which are encrypted by default, all that is necessary is remotely resetting the encryption key; even with the correct passcode, the data is inaccessible. For Macs, this is another reason why you should use FileVault; remotely resetting the FileVault encryption key is quick, and data becomes inaccessible almost instantaneously.
You can access Find My on any Apple device, and also on the iCloud.com website. Select a device, find where it is, and have it play a sound in case it’s slipped between the cushions on your couch. Or use the remote erase feature so anyone who finds your device can’t access it. See How to Use the Find My App to Locate Friends, Apple Devices, and AirTags.
You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels.