Security oversight reduces complexity of Apple ID passwords


One of our readers pointed out a hiccup in Apple's security settings for Apple ID passwords. While Apple ID passwords usually require a mix of capital and lowercase letters, this issue removes that condition.

Earlier this year Apple changed the password requirements for Apple ID, the credential for logging into the iTunes Store, MobileMe accounts, etc. Apple ID passwords already had to include both numbers and letters, but then Apple added the requirement of at least one capital/uppercase letter in the password.

Existing users who had Apple IDs and passwords already set up were not required to change their passwords, but any new user creating an Apple ID through the iTunes Store was required to use a mixed-case password, as a gesture towards increased security. Passwords with mixed numbers/letters and mixed case are presumably harder to crack than case-insensitive passwords with just numbers and letters.

Passwords like that are also harder to remember -- which may reduce their effectiveness, as xkcd pointed out. Capitalizing a single letter also doesn't dramatically increase password entropy, while the simple xkcd scheme actually does, and thereby makes your password much tougher for a computer (if not a human) to guess by brute force.

While one could argue whether or not Apple's change really helps password security that much, there's no question that it does make things more tricky for data entry: alphanumeric mixed-case passwords are somewhat of a pain in the butt to enter if you forget which letters are capitalized and which are lowercase. Also, entering intercapped passwords on an iOS device is even more of a pain because the extra tap required for the Shift modifier key slows down typing; Apple requires users to re-enter their Apple ID passwords every so often, after a set amount of time has passed, when shopping at the App Store, iBookstore, or iTunes Store on an iOS device, so the password entry dance will be frequent.

However, despite Apple's initiative on making an Apple ID harder to crack, its very own password reset tool, iForgot, represents a security oversight. It allows a user to bypass the mixed-case password requirement. Apple ID holders can simply navigate to iForgot and start the password reset process: you enter your Apple ID and an email will be sent to your address on file which contains a link that allows you to reset your password. The oversight here is that an Apple ID password created through iForgot doesn't require a capital letter.

Now, whether you use iForgot to get rid of mixed case in your password is up to you. iTunes accounts are frequent hacking targets, and the more security the better. However, if those capital letters in your Apple ID really bug you, you now know how to change them.

I'd do it fast, however. Apple is sure to close this loophole once it's made public. Also keep in mind that if you do change it, you'll need to abandon your current password. Apple doesn't allow you to reset your password (mixed-case or not) to one that was used in the past year.
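The root cause described above is a password rule enforced on the sign-up path but not on the reset path. The following is an added illustration, not Apple's code, of how a service avoids that class of bug: one validator (the letters, digits and uppercase rules from the article, plus the one-year reuse rule) behind every path that sets a password. The `Account` record, the day-number clock and the hashing parameters are constructed for the example.

```python
import hashlib
import os
import re

REUSE_WINDOW_DAYS = 365  # "not used in the past year", as the article states


def check_policy(password: str) -> list:
    """Return the policy rules the password fails; an empty list means accepted.
    The three rules are the ones the article describes: letters, digits, and at
    least one uppercase letter."""
    failures = []
    if not re.search(r"[A-Za-z]", password):
        failures.append("needs_letter")
    if not re.search(r"[0-9]", password):
        failures.append("needs_digit")
    if not re.search(r"[A-Z]", password):
        failures.append("needs_uppercase")
    return failures


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 keeps the history from storing plaintext; the iteration
    # count is kept low only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class Account:
    """Constructed stand-in for an account record with a password history."""

    def __init__(self):
        self.history = []  # list of (salt, digest, day_set)

    def _recently_used(self, password: str, today: int) -> bool:
        return any(_hash(password, salt) == digest and today - day < REUSE_WINDOW_DAYS
                   for salt, digest, day in self.history)

    def set_password(self, password: str, today: int) -> list:
        """Single entry point for every path, so the same rules apply everywhere.
        Returns the list of reasons for rejection (empty when accepted)."""
        failures = check_policy(password)
        if self._recently_used(password, today):
            failures.append("reused_within_year")
        if not failures:
            salt = os.urandom(16)
            self.history.append((salt, _hash(password, salt), today))
        return failures


def signup(account: Account, password: str, today: int) -> list:
    return account.set_password(password, today)


def reset_via_email_link(account: Account, password: str, today: int) -> list:
    # The reset path delegates to the same validator; the oversight in the
    # article is a reset flow that skipped the uppercase rule.
    return account.set_password(password, today)
```

With this layout a reset of `abc123` is rejected for `needs_uppercase` exactly as a sign-up would be, and a reset back to last month's password is rejected as reused.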

Thanks to reader Phillip for the heads up.
