encrypted passwords in iTunes for backup of iPhone
Does anyone know how to get the encrypted password to unlock a backup, or just turn off encryption? I'm trying to upgrade my phone and I have paid for a ton of apps.
iPhone 4S, iOS 9.1, backups
Jack Stephens wrote:
But what is not clearly stated is that you make a backup and when it asks for a password for that backup, that is also the password for all future backups forever.
If you do remember the encrypted backup password, this is incorrect.
The above is from: About encrypted backups in iTunes - Apple Support
So the moral of the story: If you encrypt, do not forget that password.
There are a number of comments here along the lines of pointing out that if you don't have the backup password, you cannot access the backup and that is a good thing, because that is what makes it secure. I agree. And for the others who commented on various ways to relocate old passwords that perhaps you might have reused in other contexts and therefore might be the one used for the backup, that is not on point. The issue here is where there is no knowledge of the backup password (and reusing passwords is insecure, so that is great that people with lowered security standards have a chance).
The real problem here is that it is only apparent after the fact what the password is used for. I presume very few people with this problem are thinking "I made a backup with a password, forgot the password and now I can't get at the backup and I should be able to." They are prepared to abandon those encrypted backups. It's the future backups that are the issue. It's the cases where a phone is handled by an organization and/or is handed down by someone who remembered their backup password for the lifetime of the backup and no longer. Clearly people are aware that when they make an encrypted backup, the password goes with that encrypted backup, so they'll remember it as long as they might need that backup. But what is not clearly stated is that you make a backup and when it asks for a password for that backup, that is also the password for all future backups forever.
A different design would be to ask the user for a backup password at the time of making a backup and that secures the backup from being read. In a separate interaction, such as in the phone's settings screens, allow the user to check a box for "nobody is allowed to make backups, encrypted or otherwise, of this phone at any time without this password" and request the password from the user at that time. It can be the password used to unlock the phone, the Apple ID password, or some third password. That would make it clearer what the password is protecting (the ability to ever make a backup in the future, as opposed to the ability to read the present backup being made).
Agreed. If you remember the encryption password, you can change the encryption password. And as for the moral of the story, if you encrypt data XYZ with a password, don't forget that password or else you will have lost all access to XYZ. My point is that the user is asked for a password to encrypt XYZ and that password is (to many people, including my users) unexpectedly then used as the password that locks and secures function FGH.
A backup blocking password is useful security for the threat model where someone has temporary unauthorized access to an unlocked device and uses that opportunity to make a backup of that device. That is a useful security function, because that threat model is feasible. This is a distinct threat model from someone having unauthorized access to a previously made backup. A backup encryption password is a useful security function for that threat model.
This subtlety is also apparent in the statement "If you do remember the encrypted backup password..." Technically, it is not an "encrypted backup" password, but a "locking the ability to make readable backups" password. An "encrypted backup password" would be a password that encrypts the backup, which I believe everyone here clearly understands and they do not have issues with. (If someone does have an issue with not having a way to read a backup because they don't have the password used to encrypt that backup, well, I feel for you, but that's how it goes.) What surprises people (unnecessarily so, since those are distinct authentication functions) is that what people are calling the encrypted backup password is actually the backup blocking password.
I am not arguing with your position, as you are making decent points, and thank you for that.
There is no way to recover the password.
You were warned of this when you turned on encryption.
If you lost the password, the backups are gone and cannot be used.
As this article says:
"If you forgot your password, the only way to turn off backup encryption on your device is to erase the device and set up as new."
About encrypted backups in iTunes - Apple Support
However, the "ton of apps" you paid for will be able to be re-downloaded from iTunes to your newly set up iPhone.
Granted, I now understand that there is no way to recover one's encryption backup password if it's lost or forgotten. But why should it be that way? Every other password has a path to retrieve it if lost or forgotten. Multiple security questions, etc. Why not do that in this circumstance? Apple has let this slip through the cracks. I expect more, for what it's worth.
dbeesr6 wrote:
... why should it be that way? Every other password has a path to retrieve it if lost or forgotten. Multiple security questions, etc. Why not do that in this circumstance? Apple has let this slip through the cracks. I expect more, for what it's worth.
Security protections are supposed to be strong -- otherwise why bother setting them up? Should they simply be a puzzle for the hackers to solve? No, if you forget a password, the onus is (and should be) on you to take the consequences.
Apple in my opinion has not let anything slip through the cracks here - they have done a completely responsible job of protecting what the person who set the password expected to be protected.
Very good points. You have broadened my thinking about this. Doesn't your argument ring true for all the other password protocols that enable the "puzzle" to be solved? B/C your point of password protection applies to all of the data etc that people protect via a password. There should be no exceptions? Right?
The logic should apply. Any exceptions are, by definition, not secure.
It seems to me that some of a person's (or corporation's) data is much more sensitive than other.
Consider, for example, the person who has an Apple Watch and stores activity data, which includes active calories expended, number of hours stood in a day, and exercise time. Compare the sensitivity of that to, say, your banking or credit card data.
Should some passwords be easier to retrieve than others? I think so.
The ability to recover something with the security questions refers to the Apple ID password, I'm guessing? That is because that information resides on the Apple servers. The iPhone passcode, that 4-digit passcode to enter the phone can only be defeated if you restore the device as new, deleting all content on the device, because it only resides on the phone. The passcode for your Restrictions can only be removed the same way, and for that one, even the backup can no longer be used because the passcode resides in the backup and the passcode on resides on the phone. Finally, the encrypted backup resides only on the phone, so there is no way for you to enter any security questions, etc. to recover it. No one else has access to it for you to get it from.
ChrisJ4203 wrote:
Finally, the encrypted backup resides only on the phone, so there is no way for you to enter any security questions, etc. to recover it. No one else has access to it for you to get it from.
The encrypted backup file is on one's computer (if backing up locally) and Apple has no way to reset the backup password since it does not have access to this file. This is the explanation to "If I can reset my bank account password, why can't I reset my iPhone backup password?" Most encryption schemes do have a provision to reset a password if forgotten, but that is because the password is stored in such a way that it can be administratively reset. But an iOS backup on a computer provides no way for Apple to "reset" the password for you, and IMO that is a good thing. The caveat is, remember your dang password!
Note that an iCloud backup is encrypted, but it can be recovered if you forgot your password since the only password is your Apple ID password, and you can reset that with the proper security hurdles being crossed.
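The distinction made in the posts above (an account password can be administratively reset, a password that encrypts a local backup cannot, though it can be changed by someone who still knows it), as an added Python sketch that is not part of the thread and does not reproduce Apple's backup format. All function names and passwords are hypothetical, and the XOR-plus-HMAC wrap stands in for a real key-wrap algorithm.

```python
import hashlib, hmac, os

ITER = 50_000  # constructed work factor, kept low so the demo runs quickly

def _kek(password, salt):  # 32 bytes wrap the data key, 32 bytes MAC the result
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER, dklen=64)
    return okm[:32], okm[32:]

def wrap(data_key, password):
    """Local-backup model: the 32-byte data key exists only wrapped under the password."""
    salt = os.urandom(16)
    enc, mac = _kek(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(data_key, enc))
    return {"salt": salt, "wrapped": wrapped,
            "tag": hmac.new(mac, wrapped, hashlib.sha256).digest()}

def unwrap(blob, password):
    enc, mac = _kek(password, blob["salt"])
    tag = hmac.new(mac, blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password: data key cannot be recovered")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], enc))

def change_password(blob, old, new):
    # Possible only with the old password: unwrap, then re-wrap under the new one
    return wrap(unwrap(blob, old), new)

def make_verifier(password):
    """Account model: the server keeps a salted hash used only to check logins."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER)

def check(verifier, password):
    salt, digest = verifier
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER))

def demo():
    data_key = os.urandom(32)                    # constructed backup data key
    blob = wrap(data_key, "old-backup-pw")       # constructed passwords throughout
    changed = unwrap(change_password(blob, "old-backup-pw", "new-pw"), "new-pw")
    try:
        unwrap(blob, "guess")
        forgotten = "recovered"
    except ValueError:
        forgotten = "lost"
    verifier = make_verifier("forgotten-account-pw")
    verifier = make_verifier("reset-by-admin")   # admin overwrites the verifier
    return changed == data_key, forgotten, check(verifier, "reset-by-admin")
```

In the account model nothing is encrypted under the password, so overwriting the verifier costs no data; in the backup model there is no verifier to overwrite, only a key that the password alone can reproduce.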
True, I was trying to show the biggest issue here is that an outside entity cannot access the file to reset the password. Again, offering a back door approach just invites a path for hacking. Thank you for pointing that out for the OP.
Is it possible to delete the old encrypted backups and begin backing up un-encrypted?
You can delete your backup, but then you'd have to either (a) change your backup routine to use iCloud rather than your computer, or (b) restore your iPhone as new (i.e. don't try to load the encrypted backup -- which means starting over on all settings, losing call and message history, etc.) and then initiate a new backup based on your "fresh" iPhone.
Another possibility, and I haven't tried this:
1- Change your device to back up only to iCloud (which is always encrypted and only requires your iCloud ID password to use)
2- Delete the local backup on your computer.
3- Change your device to back up to your computer once again
4- Initiate a fresh backup (which may allow you to choose not to use encryption).
I don't know if that would work or not, seems like it shouldn't but maybe worth a try.