70 Replies. Latest reply: Jul 16, 2013 7:46 PM by LLH62
  • 30. Re: Illogical Apple ID Password Rules
    Ralph Johns (UK) Level 9 (67,495 points)

    And that is despite your Alias here fulfilling the Rule Requirements 

     

     


    8:30 PM      Tuesday; May 1, 2012


    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

     

      iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),

    "Limit the Logs to the Bits above Binary Images."  No, Seriously

  • 31. Re: Illogical Apple ID Password Rules
    pawpoint Level 1 (0 points)

    I find the password system reassuring as it is more secure like this

  • 32. Re: Illogical Apple ID Password Rules
    Martin Ciastko Level 1 (5 points)

    I too agree that these rules are taking the wrong stance on securing my account. To help prove that, Apple have disallowed the use of the space, which all of the experts seem to agree is one of those 'special' characters that can be used in spades.

     

    Now I have been forced to change my password because of my account being 'disabled' for some reason (thank you, hacker kid who has now forced me to write down my password), and can see right through the backwards reasoning in the inflexible rules that don't really do much to assist with intelligent password choice.

     

    The no reuse period on old passwords is an entire year, so I'll have plenty of time to stew over this one, getting more and more upset every time I have to enter the bloody thing!

  • 33. Re: Illogical Apple ID Password Rules
    zhanklaa Level 1 (15 points)

    I have seen incredibly more strict standards than what Apple has in place for Apple IDs; for example, some systems require you to have a special character in your password. Where I used to work, we had to have a password like this: "Purp13r@1n"

     

    With the amount of fraud going on right now it should be more strict...

  • 34. Re: Illogical Apple ID Password Rules
    Martin Ciastko Level 1 (5 points)

    For those who saw a link but didn't understand it, I'm going to link again to the best explanation of this issue by far: XKCD's correct horse battery staple. The passwords that we are being taught to need by companies such as Apple are less secure in almost every way, especially in that remembering complex non-linguistic strings is fundamentally impossible in humans, whereas far simpler things to remember (the correct horse battery staple) are actually incredibly simple to remember and use successfully.

     

    But of course, correct horse battery staple (in case you haven't clicked on it, read it, and understood that it's not just a 'joke' comic yet) is completely incompatible with Apple's, and most other major companies' password policies. And to all of you users who say you've had it worse, ask yourself if you're comparing Apple's millions of global users to your company's hundreds, or thousands, of employees. We'll be correct in saying (again) that Apple has implemented their arcane and ineffectual rules in a neat UI (albeit employing poor linguistics). At least they got the bit where they tell you you're wrong with what you know to be true, fairly 'prettily' implemented.

     

    And again, in case you're still holding out, correct horse battery staple. Read it and understand the real issue.

  • 35. Re: Illogical Apple ID Password Rules
    Beeblebrox Level 1 (95 points)

    Exactly right Martin, re: spaces.

     

    Apple considers a password like: "1mAbrainiac" (which meets their requirements) to be moderately strong.

     

    Meanwhile, "Im A Brainiac" would take a lifetime to crack.

     

    To make 1mAbrainiac a strong password we would need to add a symbol like "%".

     

    But the problem is, most of us are constantly entering our Apple ID password on our iPhones/iPads.  I'm constantly mistyping my new Apple ID password because I'm having to switch between alpha->numeric->alpha->symbol.

     

    Super irritating when I could have an uncrackable password that is only alpha.

  • 36. Re: Illogical Apple ID Password Rules
    ireadinthedark Level 1 (0 points)

    I, too, am angry that this is being forced upon us, instead of simply notifying us that our IDs are less secure than they suggest and letting us choose.  I also would feel more secure with a password I can remember (mostly unusual words, similar to the horse-staple-battery-correct idea) than one I need to write down.  Another choice would be to use site keys like some banks use, that have the added step of showing you a picture you uploaded after entering your username, but before you enter your password.  Or, simpler yet for humans would be a two-stage password (enter one, Apple verifies it matches the username, then enter the second).  I prefer freedom of choice to this kind of denial of service.  Wasn't our nation founded on the idea of liberty and freedom and stuff?

  • 37. Re: Illogical Apple ID Password Rules
    Beeblebrox Level 1 (95 points)

    Well, liberty and freedom is a two way street. Apple can do what it wants since it is a private business.

     

    But the larger point is, that they are, ironically, behind the times on this issue.

     

    Their policy is essentially:

     

    1. Make your password something that you can't use for any other site or service since it is likely that the other site or service has a different set of idiotic rules (e.g. my bank disallows symbols altogether.)

     

    2. Make your password so complicated you have to write it down

     

    3. When you write it down, put it in an easily accessible place so you can find it quickly. A post it note (physical or virtual) will do.

     

    Recommendation to Apple for a password rule change (as if anyone there reads these discussions):

     

    Rule 1. Choose at least three pronounceable words separated by a single space.

    Rule 2. There is no Rule 2.

     

     

    Done.  Everyone will have an unbreakable password that is easy to remember and easy to key in on a smart phone.

  • 38. Re: Illogical Apple ID Password Rules
    dreamtraveler Level 1 (0 points)

    Apple's password requirements aren't stringent enough for Apple, apparently. I followed the password requirements EXACTLY when I tried to change my password (and got green checkmarks beside each "rule"), but when I hit "save" a sign with red letters appeared saying that "a more complex password is required." Needless to say I'm really annoyed.

  • 39. Re: Illogical Apple ID Password Rules
    ChrisJMichaels Level 1 (0 points)

    I use a system that every year (school year) I change my password. It's a word, and a two digit number, along with a string of 0's. Now, not only do I HAVE to use a capital letter (which is time consuming when I'm in a hurry and disturbs the typing flow) I can not have more than 3 of the same character in a row! 5 years I've used that system, and now that's completely out the window! Apple. Change it. Now.

     

    <Edited by Host>.

  • 40. Re: Illogical Apple ID Password Rules
    Ralph Johns (UK) Level 9 (67,495 points)

    I don't see that as adding anything constructive to the Conversation.

     

     


    10:44 PM      Thursday; July 26, 2012


    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

     

      iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),

    "Limit the Logs to the Bits above Binary Images."  No, Seriously

  • 41. Re: Illogical Apple ID Password Rules
    aldous1334 Level 1 (0 points)

    Why would "Im A Braniac" be hard to crack as a password? I thought password programs put together full words when guessing passwords before going to random keys. Would "correct horse battery staple" also be easy since they are 4 common English words?

  • 42. Re: Illogical Apple ID Password Rules
    Ralph Landry1 Level 7 (32,450 points)

    Those suggested passwords would hardly slow down a cracking program...use of dictionary look-up words is a very unsecure approach, even if they are words that do not mean anything when combined.  A secure password should not ever include a clear text word.  If you want to use a word, then substitute a number for a letter that is visually similar, a special character for a letter, embed a capital letter, etc.  Take a word like haymarket and make it 4@yMarket...and now you have a 4 replacing the h which in some typefaces would be an upside down h, @ for the a, a capital letter in the middle, and 8 characters long.  That would be a fairly strong password, easily remembered by the user, and hard to break by most cracking programs. 

  • 43. Re: Illogical Apple ID Password Rules
    Sandra Foster Level 4 (1,460 points)

    I have no problem with Apple's password requirements -- perhaps because my iTunes account was hacked. I'd had the same "real word" (mistake #1) password for some time (mistake #2). My account was hacked to the tune of about $500. I didn't have to pay the bill, but Apple did. Yes, they have plenty of money, but they wouldn't have if we all had easily-hackable passwords and they continually had to pay developers for software for which they didn't receive anything themselves. Just think of all of the extra personnel they'd have to hire, too, to take care of the problems.

     

    I now have a much better password, which I plan to change regularly. How do I keep track of the very weird passwords I use these days (a different one for every site where I need to log in)? I use 1Password (NAYY), which allows me to remember only my master password; it then fills in my login information for me. I know it's not the only app out there that does this, but it's the one that was recommended to me by someone whose opinion in this sort of thing I respect.

  • 44. Re: Illogical Apple ID Password Rules
    Beeblebrox Level 1 (95 points)

    @aldous1334 writes:

    why would "Im A Braniac" be hard to crack as a password?

     

     

     

    The benefit of "Im a Brainiac" over "1mAbrainiac" is that the first one is easy to remember, longer, while still having 2 symbol characters.

     

    It was mentioned earlier but I encourage you to visit GRC's How Big Is Your Haystack and use the calculator to determine the difficulty of any given password.

     

    Note: The site has a disclaimer saying the calculator doesn't determine "password strength" - but the practical effect is that it is helpful as long as you don't use a commonly selected word like 123456, etc for your password.

     

    Back to your question; an Apple approved password like "1mAbrainiac" certainly is a strong password (GRC shows it would take 16 million centuries to crack it assuming one thousand guesses per second) but my problem is that such passwords are not easily memorized by the user so they have to be documented elsewhere.

     

    What is interesting is that "Im A Brainiac", a much easier password to remember, would take 4 TRILLION centuries to crack (assuming one thousand guesses per second). Adding just two more characters (in this case, spaces) makes it just that more difficult to crack.

     

    Real world, pronounceable password choices are only really an issue if you are using a single common dictionary word that can be guessed through a lookup table. But as soon as you make it into a phrase, especially a non-guessable or longer phrase, then that method no longer works. Instead, the hacker has to use brute force tactics instead.

     

    Bottom line, the ONLY way to make passwords secure AND user-memorizable is for companies like Apple to allow users to choose a passPHRASE.

     

    Apple could have just 2 rules:

     

    Your password must be:

     

    1. at least 15 characters long

    2. contain at least 2 non-consecutive spaces or symbols

     

    I could choose something that conforms to Apple's current password requirements, run them through GRC's calculator and find that the unmemorizable password that Apple forced me to choose is an order of magnitude easier to crack:

     

    "Monkey12" conforms to Apple's requirements and would take 70.56 centuries to guess.

     

    Meanwhile, I'd like to be able to use a passphrase like:

     

    "password monkey" (15 characters). GRC calculates it would take 1 hundred trillion centuries to crack that one!