
Illogical Apple ID Password Rules

Hello,


I am pulling my hair out about Apple's illogical way of thinking.

I tried for minutes to create a password for a new Apple ID, of course the session had timed out a couple of times 😠 until I realized that a "capital letter" does not qualify as a "letter".

I may add that I have a Ph.D in physics and that I thought that I knew what logical thinking was.

So,

"A1234567"

or

"AB123456"

are not accepted.

It has to be

"aB123456"


I would have expected that the following logics apply:


1. Assumption:

The main set is "letters" which contains two sub-sets, "upper case letters" and "lower case letters".


2. Conclusion:

Because "upper case letters" are members of the set "letters", "upper case letters" are "letters".


Obviously, the Apple "kids" are not making the same assumption.


Am I missing the point?


Regards,

Twistan



Mac mini (Mid 2010), Mac OS X (10.7.3)

Posted on Mar 7, 2012 1:42 AM

82 replies

Jun 8, 2012 8:21 PM in response to Martin Ciastko

Exactly right Martin, re: spaces.


Apple considers a password like: "1mAbrainiac" (which meets their requirements) to be moderately strong.


Meanwhile, "Im A Brainiac" would take a lifetime to crack.


To make 1mAbrainiac a strong password we would need to add a symbol like "%".


But the problem is, most of us are constantly entering our Apple ID password on our iPhones/iPads. I'm constantly mistyping my new Apple ID password because I'm having to switch between alpha->numeric->alpha->symbol.


Super irritating when I could have an uncrackable password that is only alpha.

Jun 14, 2012 9:10 PM in response to Twistan

I, too, am angry that this is being forced upon us, instead of simply notifying us that our IDs are less secure than they suggest and letting us choose. I also would feel more secure with a password I can remember (mostly unusual words, similar to the horse-staple-battery-correct idea) than one I need to write down. Another choice would be to use site keys like some banks use, that have the added step of showing you a picture you uploaded after entering your username, but before you enter your password. Or, simpler yet for humans would be a two-stage password (enter one, Apple verifies it matches the username, then enter the second). I prefer freedom of choice to this kind of denial of service. Wasn't our nation founded on the idea of liberty and freedom and stuff?

Jun 15, 2012 7:55 AM in response to ireadinthedark

Well, liberty and freedom are a two-way street. Apple can do what it wants since it is a private business.


But the larger point is, that they are, ironically, behind the times on this issue.


Their policy is essentially:


1. Make your password something that you can't use for any other site or service since it is likely that the other site or service has a different set of idiotic rules (e.g. my bank disallows symbols altogether.)


2. Make your password so complicated you have to write it down


3. When you write it down, put it in an easily accessible place so you can find it quickly. A post it note (physical or virtual) will do.


Recommendation to Apple for a password rule change (as if anyone there reads these discussions):


Rule 1. Choose at least three pronounceable words separated by a single space.

Rule 2. There is no Rule 2.



Done. Everyone will have an unbreakable password that is easy to remember and easy to key in on a smart phone.

Jul 26, 2012 2:52 PM in response to Twistan

I use a system where every year (school year) I change my password. It's a word and a two-digit number, along with a string of 0's. Now, not only do I HAVE to use a capital letter (which is time consuming when I'm in a hurry and disturbs the typing flow), I cannot have more than 3 of the same character in a row! 5 years I've used that system, and now that's completely out the window! Apple. Change it. Now.


<Edited by Host>.
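The rule set the thread is arguing about can be pieced together from the posts: the original post's examples (A1234567 and AB123456 rejected, aB123456 accepted) imply an upper-case letter, a lower-case letter and a digit in at least 8 characters, and the post just above adds that no character may appear more than three times in a row. The checker below is an added example, not Apple's code, and that rule list is an assumption reconstructed from the thread rather than Apple's published policy. Its point is the one the original poster ran into: a validator should report exactly which rule failed ("needs a lower-case letter"), because an error message that says "letter" when it means "lower-case letter" is what made a capital letter look like it did not count as a letter.

```python
"""Password-rule checker reconstructed from the rules this thread complains about.

Added example; not Apple's code. The rule set is an assumption pieced together
from the posts (8+ characters, an upper-case letter, a lower-case letter, a
digit, no character more than three times in a row), not Apple's published policy.
"""
import re

# Each rule is (human-readable description, predicate that returns True when the rule is met).
RULES = [
    ("at least 8 characters",
     lambda pw: len(pw) >= 8),
    ("at least one upper-case letter",
     lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("at least one lower-case letter",
     lambda pw: re.search(r"[a-z]", pw) is not None),
    ("at least one digit",
     lambda pw: re.search(r"[0-9]", pw) is not None),
    # (.)\1{3} matches any character followed by three more copies of itself,
    # i.e. four in a row, which is "more than 3 of the same character in a row".
    ("no character repeated more than 3 times in a row",
     lambda pw: re.search(r"(.)\1{3}", pw) is None),
]


def unmet_rules(password):
    """Return the description of every rule the password fails, in rule order.

    Reporting all failures at once tells the user the real reason a password
    was rejected instead of a vague 'must contain a letter'."""
    return [name for name, is_met in RULES if not is_met(password)]


def is_valid(password):
    return not unmet_rules(password)


if __name__ == "__main__":
    # The thread's own examples plus the "word + number + string of 0's" scheme
    # and a passphrase, all constructed here for illustration.
    for pw in ["A1234567", "AB123456", "aB123456", "Dog00000", "Im A Brainiac"]:
        problems = unmet_rules(pw)
        verdict = "OK" if not problems else "rejected: " + "; ".join(problems)
        print(f"{pw!r:16} {verdict}")
```

Run as a script it shows that both A1234567 and AB123456 fail on exactly one rule, the lower-case letter, that Dog00000 is rejected only because of the run of zeros, and that a passphrase with no digit is rejected regardless of its length.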

Jul 26, 2012 2:44 PM in response to ChrisJMichaels

I don't see that as adding anything constructive to the Conversation.



10:44 PM Thursday; July 26, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"


 iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Jul 28, 2012 5:00 AM in response to aldous1334

Those suggested passwords would hardly slow down a cracking program...use of dictionary look-up words is a very insecure approach, even if they are words that do not mean anything when combined. A secure password should not ever include a clear text word. If you want to use a word, then substitute a number for a letter that is visually similar, a special character for a letter, embed a capital letter, etc. Take a word like haymarket and make it 4@yMarket...and now you have a 4 replacing the h which in some typefaces would be an upside down h, @ for the a, a capital letter in the middle, and 8 characters long. That would be a fairly strong password, easily remembered by the user, and hard to break by most cracking programs.

Jul 28, 2012 8:40 AM in response to Twistan

I have no problem with Apple's password requirements -- perhaps because my iTunes account was hacked. I'd had the same "real word" (mistake #1) password for some time (mistake #2). My account was hacked to the tune of about $500. I didn't have to pay the bill, but Apple did. Yes, they have plenty of money, but they wouldn't have if we all had easily-hackable passwords and they continually had to pay developers for software for which they didn't receive anything themselves. Just think of all of the extra personnel they'd have to hire, too, to take care of the problems.


I now have a much better password, which I plan to change regularly. How do I keep track of the very weird passwords I use these days (a different one for every site where I need to log in)? I use 1Password (NAYY), which allows me to remember only my master password; it then fills in my login information for me. I know it's not the only app out there that does this, but it's the one that was recommended to me by someone whose opinion in this sort of thing I respect.

Jul 28, 2012 3:20 PM in response to aldous1334

@aldous1334 writes:

"Why would 'Im A Brainiac' be hard to crack as a password?"




The benefit of "Im a Brainiac" over "1mAbrainiac" is that the first one is easy to remember and longer, while still having 2 symbol characters.


It was mentioned earlier but I encourage you to visit GRC's How Big Is Your Haystack and use the calculator to determine the difficulty of any given password.


Note: The site has a disclaimer saying the calculator doesn't determine "password strength" - but the practical effect is that it is helpful as long as you don't use a commonly selected word like 123456, etc for your password.


Back to your question; an Apple approved password like "1mAbrainiac" certainly is a strong password (GRC shows it would take 16 million centuries to crack it assuming one thousand guesses per second) but my problem is that such passwords are not easily memorized by the user so they have to be documented elsewhere.


What is interesting is that "Im A Brainiac", a much easier password to remember, would take 4 TRILLION centuries to crack (assuming one thousand guesses per second). Adding just two more characters (in this case, spaces) makes it just that more difficult to crack.


Real world, pronounceable password choices are only really an issue if you are using a single common dictionary word that can be guessed through a lookup table. But as soon as you make it into a phrase, especially a non-guessable or longer phrase, then that method no longer works. Instead, the hacker has to use brute force tactics.


Bottom line, the ONLY way to make passwords secure AND user-memorizable is for companies like Apple to allow users to choose a passPHRASE.


Apple could have just 2 rules:


Your password must be:


1. at least 15 characters long

2. contain at least 2 non-consecutive spaces or symbols


I could choose something that conforms to Apple's current password requirements, run them through GRC's calculator and find that the unmemorizable password that Apple forced me to choose is an order of magnitude easier to crack:


"Monkey12" conforms to Apple's requirements and would take 70.56 centuries to guess.


Meanwhile, I'd like to be able use a passphrase like:


"password monkey" (15 characters). GRC calculates it would take 1 hundred trillion centuries to crack that one!

Jul 28, 2012 4:03 PM in response to Ralph Landry1

The problem with thinking that substituting an "@" for an "a" or the typical "1" for an "i" helps is that this is exactly what hackers expect.


The key is LONG passphrases with symbols to pad the words, eg: rain.hockey.rabbit (or use spaces instead of dots)


Either way, this passphrase would take 24 million trillion centuries to hack by brute force.


Meanwhile 4@Market would take 2000 centuries. Still a long time, but several orders of magnitude easier than rain.hockey.rabbit.

Aug 4, 2012 11:03 AM in response to sebastiaan69

Foreknowledge about the rules doesn't really help when we're talking about long passphrases that include at least 2 padding symbols. The hacker doesn't know what the padding character is or the length of the passphrase. The key is not to make a more complex needle (such as doing symbol substitutions for letters) but make the haystack bigger.


The normal assumptions about "dictionary" words don't apply if we're talking multiple words in a long passphrase. Each additional character adds huge complexity. My understanding of the argument for long pronounceable passphrases is that the combination of symbols and letters and a requirement for something like 15 or 20 characters makes it infinitely more complex to crack than coming up with a password like Un1vers@l. Any competent dictionary attack is going to include commonly used substitution symbols.


In the end the successful password will 1) be at least 16 letters and symbols and 2) be something you don't ever have to write down.
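The figures quoted in the Jul 28 3:20 PM post, the 4:03 PM post and the Aug 4 post above all come from the same arithmetic: the "haystack" is every string up to the password's length over the alphabet the password draws from, and the time is that count divided by a guess rate. The script below is an added example, not code from the thread or from GRC; it reproduces those figures (70-odd centuries for Monkey12, about 4 trillion for Im A Brainiac, about 24 million trillion for rain.hockey.rabbit at 1,000 guesses per second; the thread's 2000-century figure is for the 8-character 4@Market rather than 4@yMarket) and then applies the two caveats a practitioner would add. First, 1,000 guesses per second is an online, rate-limited attack; an attacker who has stolen a database of fast, unsalted hashes guesses billions of times per second offline, and 10 billion per second is the assumed offline rate used here. Second, an attacker who knows a password is built from dictionary words, separators and leet substitutions does not brute-force the alphabet at all; the combinator and leet models below, with an assumed 10,000-word list, show how small those search spaces are. The character-class sizes (26, 26, 10 and 33 symbols including the space) are an assumption matching how the thread counts "2 symbol characters" in a phrase with two spaces.

```python
"""Search-space arithmetic for the passwords argued over in this thread.

Compares the GRC-style brute-force "haystack" the posts quote against two
attacker models that know the password is built from dictionary words.
Added example; not code from the Apple Support thread or from GRC.
"""
import math
import string

# Character classes as a GRC-style calculator counts them. Assumption: the
# symbol class is the 32 ASCII punctuation characters plus the space (33).
CLASSES = {
    "lower": string.ascii_lowercase,        # 26
    "upper": string.ascii_uppercase,        # 26
    "digits": string.digits,                # 10
    "symbols": string.punctuation + " ",    # 33
}
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Common letter-for-symbol substitutions a rule-based cracker tries (assumption).
LEET = {"a": "@4", "b": "8", "e": "3", "g": "9", "h": "4", "i": "1!",
        "l": "1", "o": "0", "s": "$5", "t": "7"}


def alphabet_size(password):
    """Alphabet the attacker must assume once they know which classes appear."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def brute_force_space(password):
    """Guesses to exhaust every string of length 1..len(password) over that alphabet."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def combinator_space(words, dictionary_size, separators=3, case_variants=2):
    """Guesses for an attacker who knows the password is len(words) dictionary
    words, each in one of case_variants casings, joined by one of separators
    separator choices (e.g. none, space, dot)."""
    k = len(words)
    return (dictionary_size * case_variants) ** k * separators ** (k - 1)


def leet_space(word, dictionary_size):
    """Guesses for an attacker who applies every combination of LEET substitutions
    and per-letter capitalisation to every word in the list (4@yMarket from haymarket)."""
    variants = 1
    for c in word.lower():
        substitutions = 1 + len(LEET.get(c, ""))   # keep the letter, or swap it
        casings = 2 if c.isalpha() else 1          # upper or lower case
        variants *= substitutions * casings
    return dictionary_size * variants


def centuries(guesses, guesses_per_second):
    return guesses / guesses_per_second / SECONDS_PER_CENTURY


def bits(guesses):
    """Search space expressed as bits of entropy under that attacker model."""
    return math.log2(guesses)


if __name__ == "__main__":
    ONLINE = 1_000              # the thread's rate: throttled online guessing
    OFFLINE = 10_000_000_000    # assumption: GPU cracking of a stolen fast, unsalted hash
    DICT = 10_000               # assumption: attacker's list of common English words
    for pw in ["Monkey12", "1mAbrainiac", "Im A Brainiac", "password monkey",
               "rain.hockey.rabbit", "4@Market", "4@yMarket"]:
        space = brute_force_space(pw)
        print(f"{pw!r:22} alphabet={alphabet_size(pw):2} {bits(space):5.1f} bits  "
              f"brute force: {centuries(space, ONLINE):.3g} centuries @1k/s, "
              f"{centuries(space, OFFLINE):.3g} centuries @10G/s")
    phrase = combinator_space(["rain", "hockey", "rabbit"], DICT)
    print(f"rain.hockey.rabbit as 3 words from a {DICT}-word list: "
          f"{bits(phrase):.1f} bits, {phrase / OFFLINE / 3600:.1f} hours @10G/s")
    leet = leet_space("haymarket", DICT)
    print(f"4@yMarket as leet-speak haymarket: {bits(leet):.1f} bits, "
          f"{leet / OFFLINE:.4f} s @10G/s")
```

The contrast is the point: rain.hockey.rabbit is roughly 106 bits against an attacker who brute-forces 59 characters, but about 46 bits (a couple of hours at the assumed offline rate) against one who guesses three lower-case words with a separator, and 4@yMarket collapses to under 30 bits once the cracker applies the very substitutions the thread recommends. Both the posts that say a passphrase is "uncrackable" and the ones that say dictionary words are "very insecure" are describing different attacker models, and the defender only controls one side of that: words chosen at random from a large list, and enough of them, are what keeps the combinator space large.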

Aug 4, 2012 2:01 PM in response to Beeblebrox

Hi,


Currently this can be restricted by the need for some Apple IDs (@mac.com and @me.com) to be kept to 16 characters so that they work with the AIM servers for logins with iChat and Messages.




Aug 6, 2012 7:17 AM in response to John Galt

John Galt wrote:


the problem is that nobody can memorise 100 different passwords.

So, what do we do?


Post-it® Notes stuck to the monitor.


I'm only being half facetious. When password requirements become so arcane this (or something like it) becomes common.


As dumb as they are, Apple's new password rules are hardly the worst I have encountered. One such site requires twelve characters that must include both upper and lower case alpha, at least two non-consecutive numbers, at least two non-alphanumeric characters, and none of them consecutive or repeated. It cannot repeat any of the characters in the same position as the previous password, and must be changed every 30 days. Oh, it cannot be one of the past 24 passwords used either.


Good luck.


Having to write it down obviously reduces a password's security, but it also absolves the agency of any blame for allowing trivial passwords. Write it down and it's your fault. The irony is surely lost on the idiots who require such things.

100% !!!

The world of internet security is becoming complex to the point of stupidity... It's not just Apple - many websites require ridiculously complex passwords, even those that really don't need it, but Apple are the worst. So of course I write them down - some of the important ones I encrypt in my own way to remember, but most of those I don't care about I just write down normally, because there is no way I can encrypt an Apple password in any way I can understand!!!
