Howard Oakley:

One of the primary aims of most malware is to trick you into giving it your password. Armed with that, there’s little to stop it gathering up your secrets and sending them off to your attacker’s servers. One of your key defences against that is to know when a password request is genuine, and when it’s bogus. By far the best way to authenticate now is using Touch ID, but many Macs don’t support it, either because they can’t, or because their keyboard doesn’t, and there are still occasions when a genuine request may not offer it. This article looks at the anatomy of a range of genuine password requests. Note that these dialogs aren’t generated by the app, but come from the macOS security system, hence their consistency.

It’s kind of scary that there isn’t really anything about the standard Mac password dialogs that malware couldn’t duplicate. I don’t know why Apple hasn’t figured out a way to modify the rest of the screen in a way that only they could do. But, in practice, the fake dialogs seem to be very sloppily designed, so it’s good to review Oakley’s catalog.

I use a USB keyboard that doesn’t support Touch ID 99% of the time. Even when using my MacBook Pro’s internal keyboard, I tend not to use Touch ID because it rarely works. (It doesn’t work well on my iPad Air, either, though it was very reliable back before iPhones switched to Face ID.)

Mac macOS 15 Sequoia macOS Tahoe 26 Malware Passwords Security Touch ID

Comments