Illogical Apple ID Password Rules

Beeblebrox - if that would the 2 rules, then that wouldn't actually be safer. Not if the hacker knows the rules.

Since 2 spaces are required, users would choose 3 random words. As a result, the most effective brute force strategy would be randomly guess 3 dictionary word sentences.

Foreknowledge about the rules doesn't really help when we're talking about long passphrases that include at least 2 padding symbols. The hacker doesn't know what the padding character is or the length of the passphrase. The key is not to make a more complex needle (such as doing symbol substitutions for letters) but make the haystack bigger.

The normal assumptions about "dictionary" words don't apply if we're talking multiple words in a long passphrase. Each additional character adds huge complexity. My understanding of the argument for long pronounceable paraphrases is that the combination of symbols and letters and a requirement for something like 15 or 20 characters makes it infinitely more complext to crack than coming up with a password like Un1vers@l. Any competent dictionary attack is going to include commonly used substitution symbols.

In the end the successful password will 1.) be at least 16 letters and symbols and 2.) something you don't ever have to write down.

HI,

Currently this can be restricted by the need for some Apple IDs (@mac.com and @me.com) needing to be kept to 16 Characters that work with the AIM Servers for Logins with iChat and Messages

10:00 PM Saturday; August 4, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

 iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

John Galt wrote:

the problem is that nobody can memorise 100 different passwords.

So, what do we do ?

Post-it® Notes stuck to the monitor.

I'm only being half facetious. When password requirements become so arcane this (or something like it) becomes common.

As dumb as they are, Apple's new password rules hardly the worst I have encountered. One such site requires twelve characters that must include both upper and lower case alpha, at least two non-consecutive numbers, at least two non-alphanumeric characters, and none of them consecutive or repeated. It cannot repeat any of the characters in the same position as the previous password, and must be changed every 30 days. Oh it cannot be one of the past 24 passwords used either.

Good luck.

Having to write it down obviously reduces a password's security, but it also absolves the agency of any blame for allowing trivial passwords. Write it down and it's your fault. The irony is surely lost on the idiots who require such things.

100% !!!

The world of internet security is becoming complex to stupidity... It's not just Apple - many websites require ridiculously complex passwords, even those, that really don't need it, but Apple are the worst. So of course I write them down - some of the important ones I encrypt in my own way to remember, but most of those I don't care, I just write down normally, cause there is no way I can encrypt Apple password in any way I can understand!!!

Perhaps its time to approach the problem from a different direction. What if the camera lens was adapted so that a thumb or finger print could be read?

Hi,

It really does not matter how much people go on about this.

For a long time those "in the know" have said that we need more secure Passwords.

There are obviously many ways of doing this,

Apple have picked one method to "educate' people about this.

They are unlikely to change this in the near future.

Move on.

8:54 PM Monday; August 6, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

 iMac 2.5Ghz 5i 2011 (Lion 10.7.2)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Guys i cannot enter my face time and imessage apple id and password.

its says "the user name or password for (your apple id) was incorrect. Try again.

Please help...

HI,

https://iforgot.apple.com/iForgot/iForgot.html

9:01 PM Monday; December 31, 2012

Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

 iMac 2.5Ghz 5i 2011 (Mountain Lion 10.8.2)
 G4/1GhzDual MDD (Leopard 10.5.8)
 MacBookPro 2Gb (Snow Leopard 10.6.8)
 Mac OS X (10.6.8),
 Couple of iPhones and an iPad
"Limit the Logs to the Bits above Binary Images."  No, Seriously

Does Apple ID allow either 2-factor authentication or OpenID?

I agree...back in 1967 I had a 21-character password that I had to be able to remember and verbally give over a radio in enemy territory in Viet Nam in case I was shot-down, injured, at night (no lights), and scared. This password was to "guarantee" a pick-up chopper coming into the last mile that he was not coming into an ambush.

We all had to develop a password and have it "passed" by a commitee of Intel Officers only after we explained to them the significance of the password to our personal lives - to prove it was "deep in our DNA and always remembered". Mine was 17-letters and 4-numbers.

Most of my crew-buddies had their first and second passwords rejected as too simple or for other reasons such as birthday or Mom's name - all things that could be ferreted out by enemy Intel. When I showed mine to the Intel Officer and explained it to him he could hardly stop laughing - but he "passed" it immediately.

Truly Secure Passwords are long and meaningful only to a specific person - so meanigful that they reach into the indelible memory yet can not be rooted out by even the most exhaustive human research, let alone a machine.

Every company and the websites they create has sunken to the default position of requiring passwords so complex and arcane as to be useful to no one Jellytoes. It disappoints me that Apple has joined them in this race to the bottom, though as I pointed out in my post from March 11 they are far from the worst offender.

If I were to be shot down and in extremis the last thing I would remember is any of the 150+ passwords that I need for the various services I use. Clearly these password requirements are not intended for my benefit.

Eventually, someone will have to realize this requirement benefits no one other than lazy IT managers, and propose something better. That someone should be Apple. Until then we just have to play this stupid game.

I could not agree more. I am a very busy person and could not be bothered with the more and more inflationary militant securitism of Apple. It should definitely be left to the costumer to decide what degree of security they want.

Besides, the opposite effect can easily happen. I just got my iPhone stolen, and had no tracking system installed. This inflationary password security made the use of the Apple ID impractical, and I stopped using it.

PS: I will now buy a Samsung product.

You mean one of those devices with the alledged Apple Patents in them ? 😝

Yes, exactly one of those.