It doesn’t matter what questions they ask you. It matters what answers you give. If they ask where I had my honeymoon, I could say OnCloud9, for example.

I was answering this specific quote:

The issue is Apple only requires answering a few questions to reset the password without any actual verification of the user (unlike Google and Yahoo).

With Gmail, you can unlock an account without verification by only answering security questions. The same as Apple iCloud's system. That was the purpose of my link and quote. It was a rebuttal to that quote.

As to your answer, yes, you can give a bogus answer: the street address where you live could be "Fantasy Island", your first employer could be "Dr. Evil", your childhood best friend could be "Mork from Mork and Mindy". That doesn't change the fact that a password can be reset by answering security questions, regardless of how obtuse you want to make it out to be.

And for passwords like:

3S1#5!9^s$yAz

That could easily be hacked as well. And most people use numbers and symbols in place of vowels and letters, like 3 for E, @ for A and ! for 1.
Try Kali Linux; you can crack those passwords.

You need a 1024-character string like an RSA key if you want to be secure.
 
I was answering this specific quote:

With Gmail, you can unlock an account without verification by only answering security questions. The same as Apple iCloud's system. That was the purpose of my link and quote.

Yes, but doing that is essentially the same as guessing another password. It's not easy. If you use real answers, it is potentially easy. The big problem here is that Google and Apple tell you to put real information as the answers, so lots of people do.
 
This two-step authentication thing is meant for people who use weak passwords or companies who use weak password reset systems.

I totally disagree. We sniff internet traffic and I've found keyloggers installed on machines. You can have a 50-character password like:

%#1ZdaW975x2%#2,:~245xYrhzSePa(eo

And it will still get hacked. I can go to Peet's Coffee and run a scanner all day long and pick up passwords. I only use authenticated keys, and if I need passwords, I store them in an encrypted container that needs another key to unlock it. Unfortunately, using public keys is not really feasible with websites and webmail.

Someone could have gone to the Academy Awards, set up a sniffing Wi-Fi hotspot and captured celebrity passwords with just Ethereal and Wireshark.

2-Factor ensures that if someone else does have your password, they can't get in.
They need a trusted PIN from a trusted device, that PIN auto-expires, and you get notified.

If someone sets up an SSID that matches your Wi-Fi router at home and sets up a fake Gmail/iCloud portal page to capture your password, and he masquerades as your Wi-Fi router, he will get your password through a proxy page, regardless of how long and complicated it is. Look up Kali Linux. You can do some serious damage with a bootable Linux USB distro. This is far easier than guessing someone's security questions.
2-factor eliminates that risk.
 
I don't get it???

So I have to remember a different password for each app?

My family doesn't even understand security questions. "How does it know my favorite book?" They will never understand this, lol.

When you do 2-factor:

Apple sends you a temporary PIN like 7761.
Each time you log into iCloud, you get a notification with a PIN and you enter it so you can continue to log in.
If you don't have that temp PIN, you can't get in.

For a web browser, you can tell it to trust it. It stores this trust in a cookie. So the next time you log in, you don't need a new PIN.

You will need a PIN every time you do anything serious like checking your account/modifying it. This is an extra security measure.
So if you change your password, you need a new PIN to continue.

That's how 2-factor works.

Because applications do not have a prompt, they can't use 2-factor.
When you set up mail in Outlook, once you enter your password, there is no confirmation. There is no pop-up screen from Outlook that says, "Hey, you need a PIN # to continue!"
So here, 2-factor will not allow Outlook to connect to the iCloud mail server.
This is true for Gmail and any other service that uses 2-factor.

This is why Apple and Google use "App-specific passwords".
They are passwords designed JUST for apps (and not for logging into the web or accessing your accounts).

You can't use those passwords to log into Google Drive. You can't use those to log into iPhoto.
You can't make purchases with them. They're usually unique for email and calendar.
And if you are using an email/calendar app, you only enter it ONCE. If you forget it, you revoke it and generate a new App password.

If you are only using the web to access iCloud email or Gmail, you don't need an App Password. You use the regular 2-factor.

I hope this helps clarify.
 
It doesn’t matter what questions they ask you. It matters what answers you give. If they ask where I had my honeymoon, I could say OnCloud9, for example.

This is a very good point you make...

A lot of people haven't worked this out yet... They believe that they have to give TRUTHFUL, HONEST answers to security questions.... They assume that if they answer wrong, then they won't be able to get into their accounts...

I too always give wrong answers to security questions... All my answers are fictitious and I store them in my 'Vault'.

Anyone trying to answer my security questions, will never be able to guess the answers. They would try to answer them truthfully, and it won't get them anywhere.


There are some basic common sense solutions/workarounds available to protect yourself better........ unless of course you are a dumb-wit celebrity taking nude pictures of yourself and saving them on your phones, iPads, etc.......
 
I sure hope Apple got their security right this time, that's all I can say.

What happens when/if this becomes a disaster and suddenly not only is their two-factor gone, but also users complain they can no longer use their apps?

It probably won't happen, but we never expected iCloud to be hacked either..

Yes, and for God's sake, don't answer the secret questions with real answers?

I can't even remember mine, and they're not even used anywhere at all or jotted down in LP, and that's because the only thing in there would be email, not likely to be gotten at.

It locks me out of updating, but it also locks out others too... To me, that's the best you can hope for. Thus, managing security yourself, because if one goes belly up, you're hosed....

I take my own security in my own hands... thanks always :)
 
If someone sets up an SSID that matches your Wi-Fi router at home and sets up a fake Gmail/iCloud portal page to capture your password, and he masquerades as your Wi-Fi router, he will get your password through a proxy page, regardless of how long and complicated it is. Look up Kali Linux. You can do some serious damage with a bootable Linux USB distro. This is far easier than guessing someone's security questions.
2-factor eliminates that risk.

HTTPS prevents packet sniffing from being any problem. Keyloggers of course work if I can be infected with one, but at that point, my iCloud account is not what I'm concerned about.
 
A ridiculous band-aid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email.

Not if two-factor verification is enabled.

----------

Dear Apple - for a company that prides itself on simplicity and customer experience, this solution sounds messy: a royal PIA.

Why not use a combination of email verification + code, or Touch ID from another device, i.e. iPhone,

for creating a code for, e.g., Outlook use?
 
It's just very unclear who would use app-specific passwords and who wouldn't, how they would be used, and how they would benefit the user.
 
A ridiculous band-aid fix for their apparently weak password reset system. Three security questions, and anyone gets in without a verification email. So you have to bother with this annoying double authentication system to avoid that... or provide bogus security answers. I might as well just make my security answers random codes themselves rather than dealing with this. My first pet was Aahs8y238899_!!3.

I remember Gmail randomly rejecting authentication from third-party mail clients after they messed with their authentication system like this. I was too lazy- er, I mean optimized to try and fix it and switched to iCloud email as my "anonymous/internet" account instead.

OMG what a ridiculous rant. It's about 2FA. If you're not using 2FA everywhere you can, and screaming at the places you can't then you're playing Russian roulette with your online security. Google does the same thing, and I applaud them and Apple for offering it.
 
It's just very unclear who would use app-specific passwords and who wouldn't, how they would be used, and how they would benefit the user.

If you want third-party apps to have access to your iCloud account (e.g. Outlook), you create a specific password for Outlook to use.

The app does not know your real iCloud password, and you can revoke the app specific password if you want to.
 
It's just very unclear who would use app-specific passwords and who wouldn't, how they would be used, and how they would benefit the user.

Apple, like Google, has two-factor authentication available (although I wish they'd make it mandatory). I'll explain 2FA a little, even though you may already understand it (skip over the next paragraph if you already know the concept):

2FA uses a very secure method of authenticating you to a web site or email account. It's the "something you know, something you have" method. You know your password, but it can be cracked/stolen. However, whoever steals your password still wouldn't have the thing you "have," i.e. a randomizer token, or your iPhone. So Apple sends a random, one-time token code to your iPhone, and requires you to enter it along with your password. Makes it impossible for someone without your iPhone to log in.

However, sometimes you have a program on your computer, such as Outlook, that does not lend itself to 2FA. So, Apple lets you use your 2FA to create a unique password that will only work on that application on that piece of hardware. You enter it into the authentication settings for that program (such as Outlook) and voila! It's authenticated. You can't use the password for any other program or other piece of hardware once it's been set up. If you ever lose the hardware where the app is located, you just use 2FA authentication to log into the Apple site and revoke that password. You can then just create a new one when you either replace the hardware or find it.
 
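The flow laid out in the two explanations above (the pushed PIN with a "trust this browser" cookie, and the app-specific password that works only for an Outlook-style client and is revoked rather than changed), as an added example that is not Apple's or Google's code. AccountService, login_step1/login_step2, create_app_password, the 4-digit PIN and its five-minute lifetime are assumptions chosen to mirror the description; the "push" is modelled by returning the PIN from the call, and the clock is injectable so expiry can be exercised offline.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from typing import Callable, Optional

PIN_LIFETIME_SECONDS = 5 * 60              # assumption: a pushed PIN is good for five minutes
APP_PASSWORD_SCOPES = {"mail", "calendar"}  # assumption: app passwords only unlock these services


def _kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the service never stores a password or app password in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class AccountService:
    """Toy server side of the flow: password, pushed PIN, trusted browser, app passwords."""

    def __init__(self, account_password: str, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _kdf(account_password, self._salt)
        self._pending_pins: dict[str, tuple[str, float]] = {}          # session id -> (pin, expiry)
        self._trusted_sessions: set[str] = set()                        # "trust this browser" cookies
        self._app_passwords: dict[str, tuple[bytes, bytes, str]] = {}  # label -> (salt, hash, scope)
        self.notifications: list[str] = []                              # what the trusted device shows

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_kdf(password, self._salt), self._pw_hash)

    # Step 1: correct password => a short-lived PIN is pushed to the trusted device.
    def login_step1(self, password: str, session: str) -> Optional[str]:
        """Returns the PIN the trusted device would receive, "" if this browser is already
        trusted (no PIN needed), or None if the password is wrong."""
        if not self.check_password(password):
            return None
        if session in self._trusted_sessions:
            return ""
        pin = f"{secrets.randbelow(10_000):04d}"
        self._pending_pins[session] = (pin, self._clock() + PIN_LIFETIME_SECONDS)
        self.notifications.append(f"sign-in attempt; PIN {pin} sent to trusted device")
        return pin

    # Step 2: the PIN must be unexpired and correct, and is consumed by the first attempt.
    def login_step2(self, session: str, pin: str, trust_browser: bool = False) -> bool:
        entry = self._pending_pins.pop(session, None)   # pop: one try per PIN, right or wrong
        if entry is None:
            return False
        expected, expiry = entry
        if self._clock() > expiry or not hmac.compare_digest(expected, pin):
            return False
        if trust_browser:
            self._trusted_sessions.add(session)
        return True

    # App-specific passwords: shown once, scoped to one service, revocable, never the real password.
    def create_app_password(self, label: str, scope: str) -> str:
        if scope not in APP_PASSWORD_SCOPES:
            raise ValueError(f"app passwords cannot grant {scope!r}")
        raw = "-".join(secrets.token_hex(2) for _ in range(4))   # e.g. 1a2b-3c4d-5e6f-7a8b
        salt = secrets.token_bytes(16)
        self._app_passwords[label] = (salt, _kdf(raw, salt), scope)
        return raw

    def revoke_app_password(self, label: str) -> bool:
        return self._app_passwords.pop(label, None) is not None

    def app_login(self, password: str, wanted_scope: str) -> bool:
        """What the mail/calendar endpoint checks: only an app password for that scope works."""
        for salt, digest, scope in self._app_passwords.values():
            if scope == wanted_scope and hmac.compare_digest(_kdf(password, salt), digest):
                return True
        return False


if __name__ == "__main__":
    svc = AccountService("correct horse battery staple")
    pin = svc.login_step1("correct horse battery staple", "safari-home")
    print("PIN pushed:", pin, "-> login ok:", svc.login_step2("safari-home", pin, trust_browser=True))
    outlook_pw = svc.create_app_password("Outlook on work PC", "mail")
    print("Outlook mail login ok:", svc.app_login(outlook_pw, "mail"))
    print("Outlook password used on the web:", svc.login_step1(outlook_pw, "safari-home"))
```

Two details worth noticing: the pending PIN is removed before it is compared, so a wrong guess burns it and the attacker gets exactly one attempt per push; and an app password is checked only by the mail/calendar endpoint, so the same string handed to the web login fails the password check and never reaches the PIN step, while the real account password fails on the app endpoint because it was never enrolled there.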
Oh kid, welcome to life. If there's something that doesn't work 100% of the time, it's computers; you are going to have a bad life thinking computers should work (1 - 10^(-9000))*100% of the time.

Welcome to the real world. You can complain all you want, but technology has its flaws..

Computer technology has flaws, agreed.
But there are fixes and workarounds.

Cloud computing is flawed, at least for the masses, and that is something we don't have a fix for.

It's got nothing to do with computers, only with the way Apple and some other companies want to control and benefit from content distribution - in the real world. ;)

Any lower-level, user-based security works just fine.
On a corporate, profit-based level, such as Apple's, not in a million years.
 
I think it's a pretty well-founded lack of faith in corporations or governments in matters of respecting personal privacy, that I don't take nudes or hardcore action pics & vids of myself doing career-ruining things and keep them handy on my phone.

Surely you are joking. Is THAT the reason you don't do that? :eek:

Nothing about how infantile / narcissistic that behavior is? How young are you?

----------

I was answering this specific quote:

And for passwords like:

3S1#5!9^s$yAz

That could easily be hacked as well. And most people use numbers and symbols in place of vowels and letters, like 3 for E, @ for A and ! for 1.
Try Kali Linux; you can crack those passwords.

You need a 1024-character string like an RSA key if you want to be secure.

Good luck with trying to enter those humongous long passwords when you have to enter it on another device, new phone, replacement computer, or periodic request for a password. This is why biometrics may indeed replace passwords soon.
 
Gmail (without 2-factor) can be unlocked just by answering multiple series of questions. They do have the option of a recovery email address/text message, but you can always click "I no longer have access to these".

Except all the questions are not user-generated security questions, and if you are in a location you have logged in from before, your account will be flagged. Google at least attempts to verify who you are. Apple uses 3 security questions, and no matter who you really are, you are given a new password.
 
I don't get it???

So I have to remember a different password for each app?

My family doesn't even understand security questions. "How does it know my favorite book?" They will never understand this, lol.

I've been using 2-factor authentication for Google for a few years now. For apps that can do it right, it throws up a user/password screen from Google and you enter that and are then prompted for a security code (which in iCloud's case will just be a number that is pushed to your phone). Then you enter that number and you're set.

For apps that DON'T deal with two-factor auth very well (third-party apps, in Apple's case), you have to open iCloud.com and set up a new single-use password. You enter that into the app, and hopefully the app remembers it from then on and you don't need to deal with it again. In reality, you go through this whenever you get a new phone or whatever.

Short answer: yes, it's going to be a challenge for tech-impaired relatives, but if yours are like mine, pretty much everything is :) But it's probably worth it for the extra layer of security.

----------

Dear Apple - for a company that prides itself on simplicity and customer experience, this solution sounds messy: a royal PIA.

Please. You want simple, use Apple apps only.

You want to use third-party apps to access iCloud data, you're better off jumping through this very small hoop than giving out your real Apple ID password to whatever random app.
 
HTTPS prevents packet sniffing from being any problem. Keyloggers of course work if I can be infected with one, but at that point, my iCloud account is not what I'm concerned about.

You'd be surprised to know how many people fall for logging into non-SSL servers.

Also, you can impersonate SSL certificates on the honeypot Wi-Fi hotspot. Set up a fake Gmail portal. If the honeypot does the routing, the DNS, you're screwed. Even if you type in www.google.com, you are not going to google but a honeypot server because the DNS routes it to a fake server and that fake server can have an impersonated SSL certs.

2FA protects you from this. If you happen to give your real password, they can't login UNLESS they physically have your iPhone. And the very first instance, they try with your real password, you get a notification right away.

----------

What happens when/if this becomes a disaster and suddenly not only is their two factor gone, but also users complain they an no use their app no more ?

For App-Password, you regenerate a new password and revoke the last one. It is a click of a button.

You don't lose 2FA by the way you set-it up. It has safeguards in place.

When you set up 2FA, you are issued a ONE-TIME final security key that you have to keep in a VERY safe place. Print it out and put it in a safe deposit box or safe place. I store mine in an encrypted DMG file that I can put anywhere online - iCloud, Dropbox, Google Drive.

That key is your last resort. Throughout the whole process, they make very clear and obvious remarks to the importance of that key. You obviously do not want it stored un-encrypted anywhere or in an email.

Then you set up a trusted device. Most likely your phone.

The only time your entire data/account can be truly lost is if you LOSE both your KEY and your trusted device. You have the option of setting up 5 trusted devices.. I do my iPad, my work phone, my wife's phone. It goes to my iPhone 1st by default. It only goes to the other backup if I ever lose my phone.

Those are plenty of safe-guards in place.

Having an actual physical device to get the PIN is a very safe method.
 
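The safeguards described in the post above (a one-time recovery key the service keeps only in hashed form, up to five trusted devices with the first one as the default PIN target and fall-through when it is lost, and lock-out only when both are gone), as an added example that is not Apple's code. RecoverySetup, generate_recovery_key, add_trusted_device, pin_target and recover are assumed names; the key format (seven groups of four hex characters) and the rule that a recovery key is cleared once it has been used are assumptions too.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

MAX_TRUSTED_DEVICES = 5   # the post says up to five devices can be trusted


def _digest(key: str, salt: bytes) -> bytes:
    """scrypt (memory-hard) so a leaked hash of the recovery key is costly to brute-force."""
    return hashlib.scrypt(key.encode(), salt=salt, n=2 ** 14, r=8, p=1)


class RecoverySetup:
    """Recovery key plus an ordered list of trusted devices; the first live one gets the PIN."""

    def __init__(self) -> None:
        self._salt = secrets.token_bytes(16)
        self._key_hash: Optional[bytes] = None
        self._devices: list[str] = []
        self._lost: set[str] = set()

    def generate_recovery_key(self) -> str:
        """Return the key exactly once; the service retains only its salted hash."""
        key = "-".join(secrets.token_hex(2).upper() for _ in range(7))   # 112 random bits
        self._key_hash = _digest(key, self._salt)
        return key

    def add_trusted_device(self, name: str) -> bool:
        if name in self._devices or len(self._devices) >= MAX_TRUSTED_DEVICES:
            return False
        self._devices.append(name)
        return True

    def mark_lost(self, name: str) -> None:
        self._lost.add(name)

    def pin_target(self) -> Optional[str]:
        """Default target is the first device registered; fall down the list if it is lost."""
        for device in self._devices:
            if device not in self._lost:
                return device
        return None

    def recover(self, recovery_key: Optional[str] = None) -> str:
        """How a sign-in would be satisfied: 'trusted-device', 'recovery-key' or 'locked-out'.

        Assumption: the recovery key is single-use; once accepted it is cleared, so the owner
        has to generate a fresh one (the 'one-time' key in the post)."""
        if self.pin_target() is not None:
            return "trusted-device"
        if (recovery_key is not None and self._key_hash is not None
                and hmac.compare_digest(_digest(recovery_key, self._salt), self._key_hash)):
            self._key_hash = None
            return "recovery-key"
        return "locked-out"


if __name__ == "__main__":
    setup = RecoverySetup()
    key = setup.generate_recovery_key()           # print it, put it in the safe, never e-mail it
    for name in ("iPhone", "iPad", "work phone", "wife's phone"):
        setup.add_trusted_device(name)
    setup.mark_lost("iPhone")
    print("PIN now goes to:", setup.pin_target())
    for name in ("iPad", "work phone", "wife's phone"):
        setup.mark_lost(name)
    print("all devices lost, with key:", setup.recover(key))
    print("key already used:", setup.recover(key))
```

The service-side record is only a salt and an scrypt digest; anyone who steals the database still has to brute-force 112 random bits through a memory-hard function, which is why it is fine to store the hash but not fine to e-mail the key itself, as the post says.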
Apple passwords and usernames have been so screwed up since the introduction of iCloud as to be nearly unworkable. Before that, usernames were simple and I had the same one for over ten years. Now they're always asking me to reset it, confuse it with my email, change my password all the time, and the Apple password reset / recover page never works properly or at all.

----------

I totally disagree. We sniff internet traffic and I've found keyloggers installed on machines. You can have a 50-character password like:

%#1ZdaW975x2%#2,:~245xYrhzSePa(eo

And it will still get hacked. I can go to Peet's Coffee and run a scanner all day long and pick up passwords. I only use authenticated keys, and if I need passwords, I store them in an encrypted container that needs another key to unlock it. Unfortunately, using public keys is not really feasible with websites and webmail.

Someone could have gone to the Academy Awards, set up a sniffing Wi-Fi hotspot and captured celebrity passwords with just Ethereal and Wireshark.

2-Factor ensures that if someone else does have your password, they can't get in.
They need a trusted PIN from a trusted device, that PIN auto-expires, and you get notified.

If someone sets up an SSID that matches your Wi-Fi router at home and sets up a fake Gmail/iCloud portal page to capture your password, and he masquerades as your Wi-Fi router, he will get your password through a proxy page, regardless of how long and complicated it is. Look up Kali Linux. You can do some serious damage with a bootable Linux USB distro. This is far easier than guessing someone's security questions.
2-factor eliminates that risk.

That's crazy - and it's even worse that it's actually the big companies more than hackers that are stealing our information!
 
That's crazy - and it's even worse that it's actually the big companies more than hackers that are stealing our information!

What's crazy is everyone using the same password they use for Gmail, their banks, MacRumors, eBay, social media, and various blogs.

The iCloud Fappening could have happened elsewhere. If someone hacks a big forum site like this, I can guarantee you that a lot of people use the same username/passwords for all their internet accounts.

Russian hackers just compiled a list of 5 million. I see WordPress blog sites getting hit and passwords/usernames being compiled. Many of those sites do not even use SSL/HTTPS. They often store passwords in plain text. It doesn't matter how complicated your password is; if somewhere else gets hit, it is game over for most people.

2FA protects you in this situation. If another site like eBay or AT&T gets hacked with the same password/username you used for your iCloud, you would be protected here.
 
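The scenario in the post above, replayed in code: a blog that stored passwords in plain text is breached, the dump is tried against a second service, and the only accounts that survive are those with a unique password or with 2FA turned on. This is an added example, not from any real breach or service; the dump, the users, the Site class and the outcome labels are constructed. It goes one step past the post by also showing the server-side signal a defender would look for: one source trying many different accounts.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


def _kdf(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the target site stores this, not the password (unlike the breached blog)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Site:
    """The second service: salted hashes on disk and a per-user 2FA flag."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._users: dict[str, tuple[bytes, bytes, bool]] = {}

    def register(self, email: str, password: str, two_factor: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, _kdf(password, salt), two_factor)

    def try_login(self, email: str, password: str) -> str:
        """Outcome of one replayed pair: no-account | bad-password | blocked-by-2fa | taken-over."""
        record = self._users.get(email)
        if record is None:
            return "no-account"
        salt, digest, two_factor = record
        if not hmac.compare_digest(_kdf(password, salt), digest):
            return "bad-password"
        return "blocked-by-2fa" if two_factor else "taken-over"


# Constructed plaintext dump, the kind a blog that never hashed passwords leaks.
BREACH_DUMP: list[tuple[str, str]] = [
    ("alice@example.com", "Summer2014!"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "Aahs8y238899_!!3"),
    ("dave@example.com", "letmein"),
]


def build_target() -> Site:
    target = Site("icloud-like")
    target.register("alice@example.com", "Summer2014!")                 # reused, no 2FA
    target.register("bob@example.com", "hunter2", two_factor=True)      # reused, but 2FA on
    target.register("carol@example.com", "different-everywhere-9x")     # unique password
    return target                                                       # dave: no account here


def stuff(dump: list[tuple[str, str]], site: Site) -> dict[str, str]:
    """Replay every leaked pair against `site`; return the outcome per e-mail."""
    return {email: site.try_login(email, password) for email, password in dump}


def flag_sources(attempts: list[tuple[str, str, str]], min_distinct_accounts: int = 3) -> list[str]:
    """attempts are (source_ip, email, outcome). A person mistypes one account's password;
    a stuffing run walks a list, so flag sources that touch many distinct accounts."""
    seen: dict[str, set[str]] = {}
    for source_ip, email, _outcome in attempts:
        seen.setdefault(source_ip, set()).add(email)
    return sorted(ip for ip, emails in seen.items() if len(emails) >= min_distinct_accounts)


if __name__ == "__main__":
    outcomes = stuff(BREACH_DUMP, build_target())
    for email, outcome in outcomes.items():
        print(f"{email:20} {outcome}")
    log = [("203.0.113.9", email, outcome) for email, outcome in outcomes.items()]
    log.append(("198.51.100.5", "alice@example.com", "bad-password"))   # one user, one typo
    print("sources that look like credential stuffing:", flag_sources(log))
```

Note that bob's password is in the dump and is correct on the target, so the attacker gets as far as the password check; only the second factor turns that into "blocked-by-2fa" (and, per the earlier post, a notification on the trusted device) instead of a takeover. Carol's unique password fails outright, and hashing on the target protects nobody here, because the attacker is replaying plaintext from the other site, not cracking the target's database.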
All third-party calendar apps should request this 2-step verification, right? Yet none of mine, either on my Mac or iOS devices, has yet asked for it. And they're all still pulling in my iCloud information.
 
Surely you are joking. Is THAT the reason you don't do that? :eek:

Nothing about how infantile / narcissistic that behavior is?

I rather thought that was a given. It's what I meant by "even if I were an 18 year old actress..." (for whom infantile & narcissistic behavior isn't unusual, and are in fact the victims of this whole security freakout).
 