
Couldn’t join live? Here is the full roundup you can act on today, pulled from the session transcript and the resources we shared.

Scam-Proof September: passkeys, phishing red flags, password hygiene, plus a quick AI check-in

All the tips, plus the video replay (for a limited time)

🎥 The Video Replay (available for a limited time)

Autogenerated English subtitles are available

🔐 Passkeys 101: what they are and why they help

What we discussed:

Passkeys replace passwords with public-key cryptography. You unlock the passkey on your device with a biometric or device PIN, and the device then proves to the site that you are you. No shared secret sits on the website, which greatly reduces phishing and credential theft. We compared implementations on Windows Hello, Apple Keychain, and Android. We also noted that some sites still keep a legacy password, which weakens the benefit.

Why it matters:

Less reuse, fewer leaks, and fewer fake logins to fall for.

What you can do:

  • Turn on passkeys for banks, email, and payment apps first

  • Note which device you enrolled and where the key lives (Keychain, Windows Hello, Android)

  • Where possible, remove or rotate the old password after you add a passkey

  • Keep a backup sign-in method documented for account recovery
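To make the Passkeys 101 point concrete, here is an added example (not from the session or from any vendor's code) that models a passkey sign-in in Node.js: the site stores only a public key, and a response signed on a lookalike address is rejected. It is a simplified model rather than the full WebAuthn protocol; the origins, function names, and result strings are assumptions made up for the illustration.

```javascript
// Added example: a simplified model of passkey sign-in, not the full WebAuthn protocol.
const crypto = require('node:crypto');

// Enrollment: the device makes a key pair for one site; only the public key is sent.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { devicePrivateKey: privateKey, serverRecord: { publicKey } };
}

// Device side: the browser supplies the origin it is really on, and the device
// signs the site's one-time challenge together with that origin.
function signAssertion(devicePrivateKey, challenge, browserOrigin) {
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), devicePrivateKey) };
}

// Server side: verify the signature first, then the challenge and the origin.
function verifyAssertion(serverRecord, expectedChallenge, expectedOrigin, assertion) {
  const data = Buffer.from(assertion.clientData);
  if (!crypto.verify('sha256', data, serverRecord.publicKey, assertion.signature)) return 'bad-signature';
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge) return 'wrong-challenge';
  if (origin !== expectedOrigin) return 'wrong-origin';
  return 'ok';
}

function demo() {
  const SITE = 'https://bank.example';            // constructed origins
  const LOOKALIKE = 'https://bank-login.example';
  const newChallenge = () => crypto.randomBytes(32).toString('hex');
  const { devicePrivateKey, serverRecord } = registerPasskey();

  const c1 = newChallenge();
  const first = signAssertion(devicePrivateKey, c1, SITE);
  const c2 = newChallenge();
  const onLookalike = signAssertion(devicePrivateKey, c2, LOOKALIKE);
  const edited = { ...onLookalike, clientData: onLookalike.clientData.replace(LOOKALIKE, SITE) };
  return {
    serverHolds: serverRecord.publicKey.type,                             // 'public'
    genuine: verifyAssertion(serverRecord, c1, SITE, first),              // 'ok'
    lookalike: verifyAssertion(serverRecord, c2, SITE, onLookalike),      // 'wrong-origin'
    edited: verifyAssertion(serverRecord, c2, SITE, edited),              // 'bad-signature'
    replayed: verifyAssertion(serverRecord, newChallenge(), SITE, first), // 'wrong-challenge'
  };
}

console.log(demo());
```

A real passkey goes one step further than this model: the device will not offer the passkey at all on a domain other than the one it was created for.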

🧰 Password hygiene tune-up

What we discussed:

Paper lists work only as well as your physical security. We covered offline vaults like KeePass (single encrypted file, no cloud by default), the need for a strong master password, and safe Windows Hello PIN rules. Linux, Proton services, and Tails on a USB stick came up for higher-security workflows.

Why it matters:

One strong vault plus unique passwords beats scattered notebooks and repeated logins.

What you can do:

  • Pick a manager you will actually use; KeePass is a solid offline option

  • Create a strong master password and store it safely

  • On Windows, use a longer PIN and avoid patterns like 1111 or birthdays

  • Migrate any reused passwords to unique ones over time

🎣 Phish spotting in 2025

What we discussed:

Two common traps: fake support pop-ups that “scream” and demand you call a number, and realistic Google Forms that impersonate schools or companies and ask for logins. Because forms live on trusted Google domains, they bypass simple red-flag checks.

Why it matters:

Scammers weaponize urgency and familiarity.

What you can do:

  • If a site blares alarms, close the browser or restart the device; do not call any on-screen number

  • Never enter credentials in a form you reached from email or chat; go to the official site directly

  • Treat urgency as a warning sign; slow down and verify the source

🤖 AI updates you can use

What we discussed:

GPT-5 introduced auto-routing between models, which can produce inconsistent results. Setting a dedicated “thinking” model improved reliability for complex tasks. We also touched on image and audio tools: Flux for image generation, Gemini’s Nano Banana for quick edits, ElevenLabs Music and SFX, Beethoven for licensed AI music, and a new multilingual model from ETH Zurich on PublicAI.

Why it matters:

Picking the right model and tool saves time and raises quality.

What you can do:

  • For substantive work, choose a reasoning model and ask it to think step by step

  • Use image tools for simple edits and mockups; keep temperature low for accuracy

  • Prefer credit-aware music tools when publishing content

Q&A highlights

What we discussed:

Are paper passwords safe? Only if the paper is secure. An offline KeePass vault with a strong master password is safer and still portable. Linux, Proton, and Tails can raise the bar for sensitive work.

What you can do:

  • Move from paper to a vault as you have time

  • Keep your vault file backed up and offline when possible

🔑 Key takeaways — your TL;DR checklist

  • Turn on passkeys for your primary accounts

  • Keep a single password vault with a strong master password

  • Use unique passwords everywhere and retire weak PINs

  • Treat urgency as a red flag; go to the source, not the link

  • Pick the right AI model for the job; set it to think for complex tasks

Wildcard Wednesday returns next month

No slides. No sales pitch. Just practical security and tech you can use. Second Wednesday, 12:00 PM Pacific.

📆 Mark your calendars for high noon Pacific, the second Wednesday of every month!

You never know what we’ll get into next. But you will walk away smarter.

👉 Got a topic or question you want to bring up next time? Just reply and let me know.

In the meantime, if you need a hand or want to explore any of these topics further, you know where to reach me. 😉

Founder, Passkey Peacemaker ☮️