Also do a search for 2FA hardware keys and Yubikeys here in the forum.
Lots of good and bad experiences for you to decide.
But using them on the most important sites 2FA hardware is the only way to go.
Authenticator apps would be second best, I guess.
There are other cheaper hardware keys out there as well.
I chose Yubico as they seem to keep up with all security aspects of 2FA.
Most of the options for the yubikeys you will not use much of them so not to put you off on learning that.
Hope this helps some out. This is tough, but if you've ever been computer hacked or had your identity stolen, you think very differently
and security is the number one thing.
12345678 and Password is not enough Login security anymore. ha ha.

Oh shame on me.. I don't work for Yubico or am a sponsor of Yubico, just a user..lol :) Good product for me so far.
 
I'm going to be "that guy" and point out that Apple no longer calls it your "iCloud password", but your "Apple ID password".
 
OP, if you want to get a better sense of what percentage of people here memorize their iCloud pw, then this should really be a poll. The people more likely to comment are probably the people who memorize their pw.

I don’t have mine memorized, but I should—only because of one scenario (that I can think of), which is: I’m far from home with only my iPhone and I lose it and need to replace it immediately. If I don’t have the pw memorized then I wouldn’t be able to sign into iCloud on the new iPhone and sync my Keychain and all my other iCloud data. I’d have to wait until I get home to my other Apple devices/keychain before I can sign in, which may be too late if I need some information urgently.

One situation that still concerns me though is if in the same scenario I’m unable to replace my iPhone but I need access to my Keychain. Keychain is not accessible via the web (as it probably shouldn’t be) so I’ll be stuck until I can get back home to one of my other Apple devices, which may be too late. I know there are third party password managers that can be accessed via the web, but I’m wary of that. Need to look into it more, but for now I guess I’ll just have to always bring a second Apple device with me whenever I go far from home🫤
 
There are absolutely tons of ways to get locked out of your iCloud account.

For one thing, you could fall victim to that shoulder-surfing PIN attack. Or maybe something like what happened to this guy. Or maybe this hack.

Or there's stuff like this: last year, I (and untold thousands of others) got booted out of iCloud on every device I own and had to reset my password. I got lucky and recovered within an hour, but some people commenting on these very forums were locked out for a week or more. Apple never acknowledged this at all, so for all we know it could happen tomorrow. I'm not keen on the idea of losing access to all my passwords for a day, much less a week, or forever, are you?

So, I keep all my passwords in 1Password, AND I back up all those passwords to a heavily encrypted disk image I keep on my Mac, all backups of my Mac, and which is uploaded to a couple of cloud services. Paranoid? Maybe! But I'd rather spend 10 minutes a month knowing I have a plan B for all this stuff.
FYI with iOS 17.3, I believe Apple added Stolen Device Protection, a security measure that requires authentication for certain actions so that a spying thief can’t reset your iCloud password with passcode. Not sure if the feature is on by default.

I understand your point about not keeping your passwords locked to one password manager without backup, but I don’t understand how using a third party manager instead of Apple’s Keychain is safer. Are third parties not susceptible to hacks and bugs too? Is it because 1Password lets you backup passwords? Can’t you export passwords from Keychain on Mac for backup?
 
I think you need to disable Find My before any repair can take place. You need the iCloud password for that.
You don’t need to remember or however, whenever I had service I was able to turn it off/unlock Passwords with Face ID.
But yes, I do know my password, it’s rather easy to remember. I also know my little sisters.
 
I changed mine to a randomly generated one years ago, then memorized that. My Mac password and iPhone passcodes are also randomly generated and memorized strings.
 
I do, and my Google password. I don't keep them saved in my regular password manager (Apple's) since it can be unlocked with just a faceID or screen password. If anyone got ahold of my phone, they wouldn't be able to change or access my two main accounts.

I do keep them in an offline manager, keepassxc. It doesn't sync and it's only on my laptop.
 
there are only a few passwords i know by heart and they are for:

1. my password manager

2. my work PC

3. my home PC/macbook air

i make a monthly back up of my password manager. so there is a back up on my PCs SSD, my external HDD, and in the cloud. even if someone got hold of the file they'd need my password, 2fa code, and then a passphrase to decrypt it.

my password manager password is only in two places. my head and a piece of paper in a lockbox. i also have printed out back up codes and my 2FA key to access my manager. only i have the keys and know where they are.
 
The one that caught them by surprise was "motherof3gr8kids":
That is such a terrible password, and anyone who is somewhat knowledgeable of password security would not be surprised. Some of the most common passwords have to do with pets, kids, dates, and names. Using 3 for e, 3 for three, $ for s, 8 for “ate” sounding things does very little to make your account safer when it comes to brute force attacks when hackers have access to hashed passwords, which they do have access to because of the billions of accounts that have been compromised. A phrase like “mother of three great kids” is going to get transformed into hundreds of variations using substitutions, including the one in this example. And since parents are parents, there are certainly millions and millions of passwords out there that are a variation on this example. If someone else is using the same password as you and it has been cracked, it will already be in a ruleset somewhere, making your password even worse.
 
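The point in the post above, seen from the side of a service that screens passwords when they are set (an added example, not part of any post in this thread): undo the character substitutions, then test whether what remains is just a run of dictionary words. The word list is a constructed sample, and the substitution table holds the ones the post names plus a few assumed ones, including "eat" as a spelling of the "ate" sound.

```python
from itertools import product

# Constructed sample; a real check would load a large word/phrase list.
WORDS = {"mother", "of", "three", "great", "kids", "my", "dog", "love", "password"}

# Substitutions named in the post (3, $, 8) plus a few assumed common ones.
SUBS = {
    "3": ("e", "three"),
    "8": ("eat", "ate", "eight"),
    "$": ("s",),
    "0": ("o",),
    "1": ("l", "i"),
    "@": ("a",),
}

def expansions(password, limit=4096):
    """Yield plain-letter readings of a password by undoing each substitution."""
    choices = [SUBS.get(ch, (ch,)) for ch in password.lower()]
    for n, combo in enumerate(product(*choices)):
        if n >= limit:  # bound the work on digit-heavy input
            return
        yield "".join(combo)

def segment(text, words=WORDS, max_word=12):
    """Split text into dictionary words (word-break DP); None if impossible."""
    best = {0: []}  # best[i] = one segmentation of text[:i]
    for end in range(1, len(text) + 1):
        for start in range(max(0, end - max_word), end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))

def phrase_behind(password):
    """Return the dictionary phrase a password reduces to, or None."""
    for reading in expansions(password):
        parts = segment(reading)
        if parts:
            return " ".join(parts)
    return None

if __name__ == "__main__":
    for pw in ("motherof3gr8kids", "M0therOfThr33Kid$", "x7Qp2vLm9zRk"):
        print(pw, "->", phrase_behind(pw))
```

A password that reduces to a phrase this way should be rejected at signup no matter how many character classes it contains.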
I know all my passwords. iCloud is no different.
If you know all your passwords, that is amazing. Good job!

However, most people cannot, myself included. I have hundreds of accounts (apple, power, bank, credit cards, etc) — they add up quickly. Each account password is unique. Each password is pretty much random garble or long random phrases that are 30+ characters. It really depends on the site, and what their password requirements are. There are still many stupid websites that enforce policies that they think are secure, but really aren't.

A lot of time when people say they know all their passwords, what they really mean is “i re-use my 3 or 4 simple and easy to remember passwords for all my accounts”. I am not accusing you of falling into that category. I am pointing it out for people to think about and hopefully change their practices if that statement applies to them.

Password managers have their own issues, but are still much better than most people's brains, spreadsheets, and word processors. MFA should be used when possible. SMS as MFA should be avoided if possible. A really good, difficult, and unique password should be used for your password manager. Many password managers have a recovery key you can print out and store somewhere safe (bank deposit box, safe, gun cabinet, etc) in case you lock yourself out.
 
I had to spend HOURS in an Apple Store doing a complete iPhone reset because I could not remember my password.

Was really, really, really annoying.

Definitely never buying an iPhone in person again.
So it’s the iPhone’s/Apple’s fault you didn’t remember your password? I don’t think so.
 
I never understood why they HIDE our password when typed in?
Seems to me they are NOT on our side.

/tho my contacts at Cupertino claimed the password recovery did waste too much, and the most, support time
//but this was last decade as they are all snooty to me now!
 
To disable Find My.



It typically requires at least a few moments for me to recall, as I don’t need to often. However, yes, I do.

I use my password manager at least every few days, yet on occasion, I need to think the master password through carefully.

I’ve forgotten 3-digit locker combinations plenty of times. So, I won’t belittle anyone for not easily recalling 16+ characters. Although, ultimately, remembering some passwords is important or even essential nowadays.
Correct, y’all have to know your Apple ID password in order to remove Find My and Activation Lock prior to resetting iPhone to factory settings, in case a Genius wipes your iPhone during service and/or recovery mode/DFU mode.

You also need it prior to Nugget and jailbreak/non jailbreak modifications.

Ngl I have remembered my Apple account password by heart.

I have photographic memory.

Even for my google account and my school accounts.
 
If you know all your passwords, that is amazing. Good job!

However, most people cannot, myself included. I have hundreds of accounts (apple, power, bank, credit cards, etc) — they add up quickly. Each account password is unique. Each password is pretty much random garble or long random phrases that are 30+ characters. It really depends on the site, and what their password requirements are. There are still many stupid websites that enforce policies that they think are secure, but really aren't.

A lot of time when people say they know all their passwords, what they really mean is “i re-use my 3 or 4 simple and easy to remember passwords for all my accounts”. I am not accusing you of falling into that category. I am pointing it out for people to think about and hopefully change their practices if that statement applies to them.

Password managers have their own issues, but are still much better than most people's brains, spreadsheets, and word processors. MFA should be used when possible. SMS as MFA should be avoided if possible. A really good, difficult, and unique password should be used for your password manager. Many password managers have a recovery key you can print out and store somewhere safe (bank deposit box, safe, gun cabinet, etc) in case you lock yourself out.
Or it’s just a good practice I am used for over two decades of working on hardened systems with strong password requirements. Phrases, Primes and so on can give unique passwords, and it’s second nature for me now. I just use the password/keychain that comes with iPhone or mac. But remembering passwords doesn’t mean you have to use 3-4 passwords for everything.
 
If I know I am going to an Apple store (because I've scheduled an appointment) I will take care of backing up, turning off FindMy and wiping my iPhone before I ever arrive at the store.

Presenting the 'Genius' with an iDevice that is completely wiped, unlocked (no passcode), removed from iCloud (FindMy turned off) and ready to be set up, completely short-circuits the whole time-consuming affair. And at that point, we move on.

Additionally, no one in the back has any access to any of my info because the device has been completely wiped. Once I get it (or a new device) back, I can go home and restore.

Lastly, if any problems are going to crop up, I can catch them at home rather than wasting my time in store or anyone else's time. This is a process I have repeated enough times since 2012 that it's just become something I do before any Apple store visit.
Aren’t you advised to turn off Find My and bring your passcode and make a backup in advance and all when you book an appointment? I know that always was the case for me.
 
Aren’t you advised to turn off Find My and bring your passcode and make a backup in advance and all when you book an appointment? I know that always was the case for me.
Not turn off Find My iPhone. Back up yes, it’s always good to back up. I always turned off Find My at the store as needed in front of an Apple Genius Bar employee.
 
Aren’t you advised to turn off Find My and bring your passcode and make a backup in advance and all when you book an appointment? I know that always was the case for me.
I don't know. I stopped paying attention at some point because everything I described is what I do. Even if it's not required. I just feel that handing a genius a device that is exactly the same as one that is ready to be set up as new makes both our lives easier. And nobody has access to anything because there is nothing on the device.
 