
Illogical Apple ID Password Rules

Hello,


I am pulling my hair out about Apple's illogical way of thinking.

I tried for minutes to create a password for a new Apple ID, of course the session had timed out a couple of times 😠 until I realized that a "capital letter" does not qualify as a "letter".

I may add that I have a Ph.D in physics and that I thought that I knew what logical thinking was.

So,

"A1234567"

or

"AB123456"

are not accepted.

It has to be

"aB123456"


I would have expected that the following logics apply:


1. Assumption:

The main set is "letters" which contains two sub-sets, "upper case letters" and "lower case letters".


2. Conclusion:

Because "upper case letters" are members of the set "letters", "upper case letters" are "letters".


Obviously, the Apple "kids" are not making the same assumption.


Am I missing the point ?


Regards,

Twistan



Mac mini (Mid 2010), Mac OS X (10.7.3)

Posted on Mar 7, 2012 1:42 AM

Question marked as Best reply

Posted on Mar 8, 2012 2:26 PM

Hi (moin, moin),


good on you, mum's the word !

I have a primary Apple ID which I created only a few weeks ago and that has a password with only cyphers.


Regards,

Twistan

82 replies

May 1, 2012 12:31 PM in response to F10ydC4t

And that is despite your Alias here fulfilling the Rule Requirements 😉



8:30 PM Tuesday; May 1, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"


 iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

May 30, 2012 3:48 PM in response to Twistan

I too agree that these rules are taking the wrong stance on securing my account. To help prove that, Apple have disallowed the use of the space, which all of the experts seem to agree is one of those 'special' characters that can be used in spades.


Now I have been forced to change my password because of my account being 'disabled' for some reason (thank you, hacker kid who has now forced me to write down my password), and can see right through the backwards reasoning in the inflexible rules that don't really do much to assist with intelligent password choice.


The no reuse period on old passwords is an entire year, so I'll have plenty of time to stew over this one, getting more and more upset every time I have to enter the bloody thing!

May 31, 2012 4:35 PM in response to zhanklaa

For those who saw a link but didn't understand it, I'm going to link again to the best explanation of this issue by far: XKCD's correct horse battery staple. The passwords that we are being taught to need by companies such as Apple are less secure in almost every way, especially in that remembering complex non-linguistic strings is fundamentally impossible in humans, whereas far simpler things to remember (the correct horse battery staple) are actually incredibly simple to remember and use successfully.


But of course, correct horse battery staple (in case you haven't clicked on it, read it, and understood that it's not just a 'joke' comic yet) is completely incompatible with Apple's, and most other major companies' password policies. And to all of you users who say you've had it worse, ask yourself if you're comparing Apple's millions of global users to your company's hundreds, or thousands, of employees. We'll be correct in saying (again) that Apple has implemented their arcane and ineffectual rules in a neat UI (albeit employing poor linguistics). At least they got the bit where they tell you you're wrong with what you know to be true, fairly 'prettily' implemented.


And again, in case you're still holding out, correct horse battery staple. Read it and understand the real issue.

Jun 8, 2012 8:21 PM in response to Martin Ciastko

Exactly right Martin, re: spaces.


Apple considers a password like: "1mAbrainiac" (which meets their requirements) to be moderately strong.


Meanwhile, "Im A Brainiac" would take a lifetime to crack.


To make 1mAbrainiac a strong password we would need to add a symbol like "%".


But the problem is, most of us are constantly entering our Apple ID password on our iPhones/iPads. I'm constantly mistyping my new Apple ID password because I'm having to switch between alpha->numeric->alpha->symbol.


Super irritating when I could have an uncrackable password that is only alpha.

Jun 14, 2012 9:10 PM in response to Twistan

I, too, am angry that this is being forced upon us, instead of simply notifying us that our IDs are less secure than they suggest and letting us choose. I also would feel more secure with a password I can remember (mostly unusual words, similar to the horse-staple-battery-correct idea) than one I need to write down. Another choice would be to use site keys like some banks use, that have the added step of showing you a picture you uploaded after entering your username, but before you enter your password. Or, simpler yet for humans would be a two-stage password (enter one, Apple verifies it matches the username, then enter the second). I prefer freedom of choice to this kind of denial of service. Wasn't our nation founded on the idea of liberty and freedom and stuff?

Jun 15, 2012 7:55 AM in response to ireadinthedark

Well, liberty and freedom is a two way street. Apple can do what it wants since it is a private business.


But the larger point is, that they are, ironically, behind the times on this issue.


Their policy is essentially:


1. Make your password something that you can't use for any other site or service since it is likely that the other site or service has a different set of idiotic rules (e.g. my bank disallows symbols altogether.)


2. Make your password so complicated you have to write it down.


3. When you write it down, put it in an easily accessible place so you can find it quickly. A post it note (physical or virtual) will do.


Recommendation to Apple for a password rule change (as if anyone there reads these discussions):


Rule 1. Choose at least three pronounceable words separated by a single space.

Rule 2. There is no Rule 2.



Done. Everyone will have an unbreakable password that is easy to remember and easy to key in on a smart phone.

Jul 26, 2012 2:52 PM in response to Twistan

I use a system that every year (school year) I change my password. It's a word, and a two digit number, along with a string of 0's. Now, not only do I HAVE to use a capital letter (which is time consuming when I'm in a hurry and disturbs the typing flow) I can not have more than 3 of the same character in a row! 5 years I've used that system, and now that's completely out the window! Apple. Change it. Now.


<Edited by Host>.

Jul 26, 2012 2:44 PM in response to ChrisJMichaels

I don't see that as adding anything constructive to the Conversation.



10:44 PM Thursday; July 26, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"


 iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Jul 28, 2012 5:00 AM in response to aldous1334

Those suggested passwords would hardly slow down a cracking program...use of dictionary look-up words is a very unsecure approach, even if they are words that do not mean anything when combined. A secure password should not ever include a clear text word. If you want to use a word, then substitute a number for a letter that is visually similar, a special character for a letter, embed a capital letter, etc. Take a word like haymarket and make it 4@yMarket...and now you have a 4 replacing the h which in some typefaces would be an upside down h, @ for the a, a capital letter in the middle, and 8 characters long. That would be a fairly strong password, easily remembered by the user, and hard to break by most cracking programs.

Jul 28, 2012 8:40 AM in response to Twistan

I have no problem with Apple's password requirements -- perhaps because my iTunes account was hacked. I'd had the same "real word" (mistake #1) password for some time (mistake #2). My account was hacked to the tune of about $500. I didn't have to pay the bill, but Apple did. Yes, they have plenty of money, but they wouldn't have if we all had easily-hackable passwords and they continually had to pay developers for software for which they didn't receive anything themselves. Just think of all of the extra personnel they'd have to hire, too, to take care of the problems.


I now have a much better password, which I plan to change regularly. How do I keep track of the very weird passwords I use these days (a different one for every site where I need to log in)? I use 1Password (NAYY), which allows me to remember only my master password; it then fills in my login information for me. I know it's not the only app out there that does this, but it's the one that was recommended to me by someone whose opinion in this sort of thing I respect.

Jul 28, 2012 3:20 PM in response to aldous1334

@aldous1334 writes:

why would "Im A Braniac" be hard to crack as a password?




The benefit of "Im a Brainiac" over "1mAbrainiac" is that the first one is easy to remember, longer, while still having 2 symbol characters.


It was mentioned earlier but I encourage you to visit GRC's How Big Is Your Haystack and use the calculator to determine the difficulty of any given password.


Note: The site has a disclaimer saying the calculator doesn't determine "password strength" - but the practical effect is that it is helpful as long as you don't use a commonly selected word like 123456, etc for your password.


Back to your question; an Apple approved password like "1mAbrainiac" certainly is a strong password (GRC shows it would take 16 million centuries to crack it assuming one thousand guesses per second) but my problem is that such passwords are not easily memorized by the user so they have to be documented elsewhere.


What is interesting is that "Im A Brainiac", a much easier password to remember, would take 4 TRILLION centuries to crack (assuming one thousand guesses per second). Adding just two more characters (in this case, spaces) makes it just that more difficult to crack.


Real world, pronounceable password choices are only really an issue if you are using a single common dictionary word that can be guessed through a lookup table. But as soon as you make it into a phrase, especially a non-guessable or longer phrase, then that method no longer works. Instead, the hacker has to use brute force tactics.


Bottom line, the ONLY way to make passwords secure AND user-memorizable is for companies like Apple to allow users to choose a passPHRASE.


Apple could have just 2 rules:


Your password must be:


1. at least 15 characters long

2. contain at least 2 non-consecutive spaces or symbols


I could choose something that conforms to Apple's current password requirements, run them through GRC's calculator and find that the unmemorizable password that Apple forced me to choose is an order of magnitude easier to crack:


"Monkey12" conforms to Apple's requirements and would take 70.56 centuries to guess.


Meanwhile, I'd like to be able to use a passphrase like:


"password monkey" (15 characters). GRC calculates it would take 1 hundred trillion centuries to crack that one!

Jul 28, 2012 4:03 PM in response to Ralph Landry1

The problem with thinking that substituting an "@" for an "a" or the typical "1" for an "i" is that this is what is expected by hackers.


The key is LONG passphrases with symbols to pad the words, eg: rain.hockey.rabbit (or use spaces instead of dots)


Either way, this passphrase would take 24 million trillion centuries to hack by brute force.


Meanwhile 4@Market would take 2000 centuries. Still a long time but several orders of magnitude easier than rain.hockey.rabbit.
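Added example, not part of any post in this thread and not GRC's or Apple's code: a sketch of the two estimates the posters are arguing about, the character-by-character search space that length-based calculators report and the far smaller space when guesses are made a whole word at a time. The character-class sizes (26/26/10/33), the 2048-word list size and the word counts given for each sample are assumptions of this example; the 1000 guesses per second rate is the one quoted above.

```python
import math
import string

# Assumed character classes: 26 lowercase, 26 uppercase, 10 digits and
# 33 printable ASCII symbols (the 32 punctuation marks plus the space).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1000  # rate quoted in the thread

def alphabet_size(password):
    """Sum the sizes of every character class that appears in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def brute_force_space(password):
    """Candidates an exhaustive search tries: every string up to this length."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))

def word_list_space(n_words, list_size=2048):
    """Candidates when whole words are guessed from a list of the assumed
    size and every word of the phrase is on that list."""
    return list_size ** n_words

def centuries(space, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust `space` at `rate` guesses per second."""
    return space / rate / SECONDS_PER_CENTURY

# Passwords quoted in the thread; the word counts are this example's labelling
# (0 means the word-guessing model is not applied).
SAMPLES = [("Monkey12", 0), ("1mAbrainiac", 0), ("password monkey", 2),
           ("rain.hockey.rabbit", 3), ("correct horse battery staple", 4)]

if __name__ == "__main__":
    for pw, n_words in SAMPLES:
        bf = brute_force_space(pw)
        wl = f"{centuries(word_list_space(n_words)):.3g}" if n_words else "n/a"
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} "
              f"bits={math.log2(bf):6.1f} brute-force centuries="
              f"{centuries(bf):.3g} word-guess centuries={wl}")
```

Under the character-by-character model "password monkey" lasts about a hundred trillion centuries, but if both words are on the assumed 2048-word list it is exhausted in about 70 minutes at the same rate. The length-based figure is an upper bound that applies only to guessing one character at a time.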
