
Illogical Apple ID Password Rules

Hello,


I am pulling my hair out about Apple's illogical way of thinking.

I tried for minutes to create a password for a new Apple ID, of course the session had timed out a couple of times 😠 until I realized that a "capital letter" does not qualify as a "letter".

I may add that I have a Ph.D in physics and that I thought that I knew what logical thinking was.

So,

"A1234567"

or

"AB123456"

are not accepted.

It has to be

"aB123456"


I would have expected that the following logics apply:


1. Assumption:

The main set is "letters" which contains two sub-sets, "upper case letters" and "lower case letters".


2. Conclusion:

Because "upper case letters" are members of the set "letters", "upper case letters" are "letters".


Obviously, the Apple "kids" are not making the same assumption.


Am I missing the point ?


Regards,

Twistan



Mac mini (Mid 2010), Mac OS X (10.7.3)

Posted on Mar 7, 2012 1:42 AM

82 replies

Mar 10, 2012 9:59 AM in response to Twistan

It's quite logical, actually. You can't please everyone. If Apple removes some of these rules, you'll get a myriad of unhappy customers complaining that it is not secure enough. If Apple put the rules back, then people would complain that the rules are too strict.


I'm not saying that you're whining or complaining, I'm just trying to say that Apple can't do anything without upsetting someone, and I'm sorry their current rules aren't working out for you.

Mar 10, 2012 10:23 AM in response to Twistan

What Apple has done is moved closer to what is considered a "strong" password as defined by NSA. A strong password is 8-12 characters long, no dictionary look-up words, no consecutive numbers or repeated letters, at least one capital and one lower case letter, at least one number and at least one special character (the shift-numeral characters).


See: Best Practices for Keeping Your Home Network Secure, April 2011, NSA Creative Imaging - 48039.

Mar 10, 2012 2:09 PM in response to Twistan

Hi,


At first I thought your examples highlighted a need for the Uppercase (Capital) Letter to be second.


Then I remembered my own password has two Capital letters and one of them is the first character.


The rules you post do make it clear there is a distinction between Letters and Capital Letters

This then Implies that there should be two "Letter" characters of which there should be one of each "Upper" and "Lower" cases to use your assumption.


The Rules also do not say for @mac.com names and iCloud names that you may want to use in iChat or the Messages Beta have to be 16 characters or less to work with the AIM servers or that those passwords cannot have some characters that are not Letters (both sorts) or Numbers.



10:08 PM Saturday; March 10, 2012



 iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Mar 10, 2012 9:31 PM in response to Ralph-Johns-UK

Hi,

the problem is not that there is a distinction between "letters" and "capital letters", the problem is that the "kids" doing the programming work don't care about giving proper definitions or they are not given the time for such unimportant matters.


My apologies to the non-scientific reader if I applied strict mathematical logic but I had always believed that computer programming was applied mathematics.

If you ever studied mathematics you will have learned that every subject starts with a precise definition of terms.


One of my favourite citations is the following:


"Définissez vos définitions !" (Voltaire)

(Define your definitions !)


Regards,

Twistan

Mar 10, 2012 9:47 PM in response to Ralph Landry1

Hi,

of course, I do see the need for strong passwords, but how many passwords have de facto been cracked by hackers because of their weakness ? I would guess very few.

There are many other security holes.

Besides, that was actually not the point. The point was that the programmers do not care about supplying proper definitions.


And talking about the NSA: I do not know whether you are old enough to remember the Zimmermann case. In the 1990s Zimmermann distributed a free, easy to use, RSA-based, cross platform encryption software called "Pretty Good Privacy" (PGP) with a key so strong that it would have taken the NSA months to crack a single key. I do not want to go into any more details here because the interested reader can google up what happened to Zimmermann.


Rumour has it that commercial encryption software must have security holes that national security agencies can exploit to crack a key.


Regards,

Twistan

Mar 10, 2012 10:10 PM in response to stevejobsfan0123

Hi,

the problem is that nobody can memorise 100 different passwords.

So, what do we do ?

One approach is to devise just a few passwords for all purposes. Even if these passwords are pretty strong they might not be accepted by some sites, and then you have to think of yet another password and add it to your stock of passwords.


I personally wrote my own (very professional) Filemaker database (yes, I know you can use Apple's KeyChain but it is not really comfortable to use) just in case of a "memory leak".


Regards,

Twistan

Mar 11, 2012 12:30 PM in response to Twistan

Interesting.



7:30 PM Sunday; March 11, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

Mar 18, 2012 2:28 PM in response to Mars Express

Hi,


I am sure my mother taught me about letters and later Capital Letters and that later still I learned they were also referred to as Lower and Upper case.


That would suggest that Apple's Instructions are set at about School Start as a reading age.


As Klaus1 has said for most people they work.

That said, it would appear that Apple made the "right" decision about the information.



9:28 PM Sunday; March 18, 2012


May 1, 2012 12:31 PM in response to F10ydC4t

And that is despite your Alias here fulfilling the Rule Requirements 😉



8:30 PM Tuesday; May 1, 2012


May 30, 2012 3:48 PM in response to Twistan

I too agree that these rules are taking the wrong stance on securing my account. To help prove that, Apple have disallowed the use of the space, which all of the experts seem to agree is one of those 'special' characters that can be used in spades.


Now I have been forced to change my password because of my account being 'disabled' for some reason (thank you, hacker kid who has now forced me to write down my password), and can see right through the backwards reasoning in the inflexible rules that don't really do much to assist with intelligent password choice.


The no reuse period on old passwords is an entire year, so I'll have plenty of time to stew over this one, getting more and more upset every time I have to enter the bloody thing!

May 31, 2012 4:35 PM in response to zhanklaa

For those who saw a link but didn't understand it, I'm going to link again to the best explanation of this issue by far: XKCD's correct horse battery staple. The passwords that we are being taught to need by companies such as Apple are less secure in almost every way, especially in that remembering complex non-linguistic strings is fundamentally impossible in humans, whereas far simpler things to remember (the correct horse battery staple) are actually incredibly simple to remember and use successfully.


But of course, correct horse battery staple (in case you haven't clicked on it, read it, and understood that it's not just a 'joke' comic yet) is completely incompatible with Apple's, and most other major companies' password policies. And to all of you users who say you've had it worse, ask yourself if you're comparing Apple's millions of global users to your company's hundreds, or thousands, of employees. We'll be correct in saying (again) that Apple has implemented their arcane and ineffectual rules in a neat UI (albeit employing poor linguistics). At least they got the bit where they tell you you're wrong with what you know to be true, fairly 'prettily' implemented.


And again, in case you're still holding out, correct horse battery staple. Read it and understand the real issue.
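
Added example, not part of any post in this thread: a composition-rule checker with each rule named explicitly, run over the passwords quoted above, plus a guessing-cost estimate for randomly chosen strings and passphrases. The rule set is an assumption reconstructed from what the posters report (the original rule screenshot is not on the page), and the 2048-word list size is an assumed value.

```python
import math
import string

# Composition rules as the thread describes them. This rule set is an assumption:
# the original rule screenshot is not on the page.
RULES = {
    "min_length_8": lambda p: len(p) >= 8,
    "has_lowercase_letter": lambda p: any(c in string.ascii_lowercase for c in p),
    "has_uppercase_letter": lambda p: any(c in string.ascii_uppercase for c in p),
    "has_digit": lambda p: any(c in string.digits for c in p),
    "no_space": lambda p: " " not in p,
}

def failed_rules(password):
    """Return the names of the rules the password violates (empty list = accepted)."""
    return [name for name, check in RULES.items() if not check(password)]

def random_string_bits(length, alphabet_size):
    """Guessing cost in bits for a string whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size):
    """Guessing cost in bits for words drawn uniformly at random from a word list."""
    return word_count * math.log2(wordlist_size)

# Passwords quoted in the thread.
THREAD_PASSWORDS = ["A1234567", "AB123456", "aB123456", "correct horse battery staple"]

def report():
    """Map each thread password to the list of rules it fails."""
    return {p: failed_rules(p) for p in THREAD_PASSWORDS}

if __name__ == "__main__":
    for password, failures in report().items():
        verdict = "accepted" if not failures else "rejected by " + ", ".join(failures)
        print(f"{password!r}: {verdict}")
    # Upper bound for 8 random characters from a-z, A-Z, 0-9 (62 symbols).
    print(f"8 random chars: {random_string_bits(8, 62):.1f} bits")
    # Four random words; the 2048-word list size is an assumed value.
    print(f"4 random words: {passphrase_bits(4, 2048):.1f} bits")
```

The bit counts hold only for uniformly random selection; a patterned string such as "aB123456" satisfies every rule while costing an attacker far less than the 8-character bound suggests.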
