Issue #21: More advice on passwords
Plus: Easier switching between music services, cheaper fast charging for iPhones, and "undo send" for Facebook Messenger

Last week, the makers of password management software Myki uncovered a phishing campaign that could steal Facebook logins from even the most astute users.
Upon visiting a malicious page, users would see a Facebook login pop-up that looked just like the real thing, even including "https://www.facebook.com" in the address bar. It turns out the entire pop-up window was a fake, nested within another web page whose goal was to steal passwords. The only giveaway? The pop-up window's edges would disappear when dragged outside the underlying page. A normal Facebook window would spill over the page's boundaries instead.
Of course, Myki cheerily points out another way to detect this kind of scheme: Just use a password manager, which would avoid auto-filling login details on bogus forms like this one. (Myki says it discovered this phishing scheme after customers complained that their login details weren't filling in on some sites.)
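Why a password manager stays silent on the fake pop-up, as an added illustration (not code from Myki or from this newsletter): the manager compares its saved logins against the URL the browser reports for the page that owns the form, not against the address bar the page draws. The vault entry, field names, and URLs below are constructed for the example.

```javascript
// Constructed vault: one saved login, keyed by the origin it was saved on.
const vault = [
  { origin: "https://www.facebook.com", username: "alice@example.com" },
];

// Decide whether to autofill a login form.
// form.documentUrl     - URL the browser reports for the document that owns the form
// form.displayedAddress - text the page shows in a drawn "address bar" (untrusted)
// Returns the matching vault entry, or null if nothing should be filled.
function credentialFor(form, entries) {
  let real;
  try {
    real = new URL(form.documentUrl);
  } catch {
    return null; // unparseable URL: never fill
  }
  if (real.protocol !== "https:") return null; // no fill over plain HTTP
  // Exact origin match (scheme + host + port). displayedAddress is ignored
  // on purpose: the page controls it, so it proves nothing.
  return entries.find((e) => new URL(e.origin).origin === real.origin) || null;
}

// Constructed cases.
const genuineLogin = {
  documentUrl: "https://www.facebook.com/login.php",
  displayedAddress: "https://www.facebook.com",
};
const fakePopup = {
  // The "pop-up" is just markup inside the attacker's page, so the form
  // belongs to that page no matter what the fake address bar says.
  documentUrl: "https://malicious-page.example/article",
  displayedAddress: "https://www.facebook.com",
};
const lookalikeHost = {
  documentUrl: "https://www.facebook.com.login.example/",
  displayedAddress: "https://www.facebook.com",
};

for (const [name, form] of Object.entries({ genuineLogin, fakePopup, lookalikeHost })) {
  const hit = credentialFor(form, vault);
  console.log(name, "->", hit ? `fill ${hit.username}` : "no fill");
}
```

A missing autofill on a page that looks like a familiar login screen is the signal Myki's customers noticed.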
I previously covered password managers such as LastPass, Dashlane, and 1Password back in Issue #2. By using manager software, you can set strong passwords such as "7S$b@!QBA12" for individual sites, and lock them behind a master password that's still strong, but more memorable. At the time, I concluded that these tools are useful, but not worth the extra hassle for every password.
Since then, several things have happened:
- Apple's iOS has gotten better at working with third-party password manager apps. If you're signing into an app or website in iOS 12, you can now hit the password button above the keyboard to quickly plug in credentials from apps like LastPass. To enable this, head to Settings > Passwords & Accounts > AutoFill Passwords, then select your password manager app instead of iCloud.
- More Android devices now run Android 8.0 Oreo, which can fill in credentials from third-party password manager apps automatically. You can typically enable this within the settings menu of your password manager. (I've found that in some cases, you still have to long-press the login field, then hit "..." and select your password manager to fill things in, but that still beats the old way of manually copying and pasting your passwords from the app.)
- We continue to hear horror stories about widespread security breaches and the ramifications of poor password hygiene. (See, for instance, the story about the Nest camera that blared a nuclear warning in the previous issue of Advisorator. Google is now requiring some users to reset compromised passwords to avoid similar pranks.)
- I've continued to use LastPass, gradually training myself to rely on it more often. I use it to generate passwords for almost everything I sign up for now, and recently ran through its Security Challenge feature to replace weak passwords on existing sites.
While I wouldn't say that my overall conclusion has changed, I'm a bit more gung-ho about password managers than I was previously. Yes, setting it up and migrating your old passwords over is a pain. You might not do it all at once, and it might take months for this new usage pattern to ingrain itself. But eventually, you'll get better security and less hassle compared to memorization, especially now that mobile devices are more accommodating.
That's not to say I use a password manager for everything. For email, I still combine a memorable password with two-factor authentication, which requires a separate code (usually sent to your phone) to complete the login process. I strongly suggest you do the same for email and other accounts you deem especially sensitive. (Instructions are available for Gmail, Outlook/Hotmail, Yahoo, AOL, and lots of other services.) I've also stuck with simpler passwords for streaming services such as Netflix, because entering a machine-generated string of gobbledygook on my TV would be too much of a pain.
Over at Fast Company, my colleague Sean Captain recently came up with a similar set of password recommendations, though he goes further in a couple of areas: Instead of receiving codes for two-factor authentication via email, he uses an authenticator app (such as Google Authenticator) that generates codes on a timer. That's a bigger hassle, but it does protect against SIM card hijacking, in which attackers impersonate their victims and convince wireless customer service reps to issue new SIM cards. The attackers then use those cards to steal authentication codes and break into the victim's accounts. To avoid getting locked out of his accounts, Captain also uses a service called Authy to store backup authentication codes.
I'm sure I'll get to that level of security eventually, but one point that's often lost in these types of guidelines is that it's better to take small steps toward better security than to do nothing at all. If you're not using a password manager, or haven't set up two-factor authentication, you probably don't have all day to go through all your accounts and give them a security overhaul. But even taking those steps in bits and pieces can make a big difference over time.

Tip of the moment

If you use more than one streaming music service, or you're thinking about switching between services like Spotify and Apple Music, Soundiiz is a handy tool for transferring your precious playlists. I recently used this to port my music playlists from Google Play Music to a local Plex server, and while it didn't successfully capture every song, it still saved me a lot of time compared to manually creating Plex playlists from scratch.
Soundiiz costs $4 per month, but there's no reason to keep a subscription going unless you need to constantly keep multiple music services in sync. You can easily sign up for a month, run a one-time transfer, and cancel to avoid being charged again. (If you'd rather avoid paying, check out Tune My Music, which is free but supports a less extensive list of services.)

Need to know

Big tech's home takeover: It's getting harder to make your home smart without permanently picking a side between Google, Amazon, and Apple. Each company makes its own smart speakers, of course, but we've also seen Google and Amazon sell complete security systems through their respective Nest and Ring brands. Amazon even sells smart home hubs, smart plugs, and microwaves that are exclusively tied to its Alexa platform. These systems are seldom designed to work with one another, so the more you invest in one company's products, the harder it is to switch.
Control over your home Wi-Fi network could be the next frontier. Last week, Amazon acquired Eero, a maker of mesh routers that can cover an entire home with Wi-Fi. Although the reasons behind the acquisition are a bit murky, Eero collects a lot of data about what devices people are using and how often, and Amazon could use that data to figure out what other products to build or companies to buy. It's not hard to imagine Amazon slashing Eero's prices to put more of these routers in the market, just like it did last year with Ring's doorbell cameras. Perhaps Google will start pushing its own mesh Wi-Fi routers harder for similar reasons. Ostensibly that's not a bad thing, but as I wrote at Fast Company last week, Eero had talked about building its own smart home platform to take on the likes of Amazon and Google. Now, it's simply become a cog in Amazon's machine.
In fairness, plenty of platform-neutral smart home products still exist. Philips Hue bulbs are designed to work with every major platform, as are ecobee thermostats, and door locks from August and Canary, to name a few examples. Sonos is even working on the first smart speakers with both Alexa and Google Assistant voice controls built in. But as tech giants' smart home ambitions expand into new areas, they're creating a minefield of incompatibility.
Cheaper fast charging for iPhones: One of Apple's stingier moves in the past couple years has been its insistence on bundling iPhones with USB-A chargers. Compared to the newer USB-C standard, USB-A cables don't charge as quickly, and you can't plug them into newer MacBooks without an adapter or a separate cable. If you want fast charging, you have to spend $19 on Apple's official USB-C to Lightning cable, along with a power adapter.
Now, Apple has begun certifying third-party cables under its MFi program. Among the first vendors is Anker, which will ship USB-C to Lightning cables for a slightly more reasonable $16 later this month. Anker also sells a fast-charging power adapter with both USB-C and USB-A ports for $23, which is $6 less than Apple's comparable 18W USB-C adapter. (Anker's adapter is on sale for $18.39 through the end of the month.)
Rumor has it that Apple will continue to ship USB-A to Lightning cables with its next iPhone, so a fast-charging cable and adapter could be a good investment even if you plan to upgrade this year.
Unsend Facebook Messages: Ever send something in Facebook Messenger that you wish you could take back? Now you can, at least for 10 minutes. Just tap the message you want to delete, then hit "Remove." You'll see options to remove the message for everyone, or just for you. Bear in mind that Facebook will show a "message removed" note after you do this, so you might still have some explaining to do.
Facebook first promised a message retraction feature last April, after TechCrunch reported that only CEO Mark Zuckerberg and other executives had this capability. Still, the new feature isn't the same as Zuck's version, which let him pull back messages over a much longer period.

Spend wisely

Happy Presidents' Day! There are plenty of tech deals about today, most of which are dubious at best. Here are a handful that stand out to me:

Thanks for your support!

Some food for thought before we go: I enjoyed reading this piece by Wired's Nitasha Tiku on the concept of an "artisanal web," which is emerging in response to an internet increasingly dominated by a handful of tech players.
"For consumers," she writes, "this means forgoing convenience to control your ingredients: Read newsletters instead of News Feeds. Fall back to private group chats. Put the person back in personalization. Revert to reverse chron. Avoid virality. Buy your own server. Start a blog. Embrace anonymity. Own your own domain. Spend time on federated social networks rather than centralized ones. And when a big story breaks, consider saving your appetite for the slow-cooked, room-temp take."
Tiku acknowledges that these efforts are a bit hippy-dippy, in the way that organic food can sometimes be. But there's an undeniable comfort in finding pockets of the web that Big Tech hasn't touched. It's certainly an idea that resonates with me as the writer of two humble newsletters.
Anyway! Let's schedule a live chat session for next Monday, February 25, at 3 p.m. Eastern time. Join the room here, and click here if you'd like a reminder beforehand. Got questions before or after that? My inbox is always open.
Until next time,
Jared