Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iOS 17 Gives You 72 Hours to Undo an iPhone Passcode Change
- Thread starter MacRumors
- Start date
- Sort by reaction score
OK... so they show that can have two passcodes active. What prevents them from adding a third as a backdoor for FBI or Chinese Government?
I think the main thing is, the PIN you use to open your phone (if biometrics fails) should not by default give you a skeleton key to open Keychain, change iCloud settings, etc. That right there is a huge glaring security hole, and while I feel bad for people who've been victimized this way, hopefully all the bad press about it will prompt Apple to lock things down a little better.
Screen Time is a good second line of defense... IF you know how to set it up and are actually going to take the time to do that. Most people don't know about this stuff, and frankly they shouldn't have to.
HW security keys - FIDO as far as I know in iOS 16 were not used at all to prevent passcode change sadly :/ just to authenticate new devices but if thief reset passcode he can also remove HW keys and so on…
So change from topic is good but still there are holes in this but it’s going good direction I hope…
The same that stopped them from adding a second one before?
The old passcode can't be used to unlock the device, but can be used to reset the new one within 72 hours, or never. The choice is yours. Yes, you have choice. Amazing, eh?
And Screen Time might only buy you a few minutes before the thief just turns it off.
The Screen Time setting may not fix the vulnerability, as discussed in the comments to this article on TidBITS (I haven’t tested the scenario myself but I regard TidBITS’ staff as both knowledgeable and experienced ):
How a Passcode Thief Can Lock You Out of Your iCloud Account, Possibly Permanently - TidBITS
A follow-up to the Wall Street Journal’s investigation into Apple’s problematic iPhone security design reveals that victims are being locked out of their iCloud accounts.
tidbits.com
—————
- OK, I just spent a bunch of time testing this carefully, and while it may be better, it’s not fixed.
Let’s assuming the thief has your iPhone and your passcode, but you’ve turned on a Screen Time passcode and locked account changes but not set a recovery key. The thief can find your email address and phone number from email and Settings > Phone.
Then, if they work through the steps to turn off the Screen Time passcode, saying Forgot Passcode when prompted, entering your email address when prompted, and then tapping Forgot Apple ID or Password, they’ll be able to reset the Apple ID password using just the passcode and turn off the Screen Time password in the same step.
The confusion, I think, is that there’s a branch in the logic at one point, and if they follow the other branch, they’ll be prompted for your trusted phone number or recovery key. The problem occurs at the Screen Time Passcode Recovery screen:- If they enter your email address in the Apple ID field here, tap OK, and then get the password field, they can then tap Forgot Apple ID or Password and continue with the passcode to reset the password. In other words, the most obvious approach is the least secure.
- If, instead of entering your email address right away, they tap Forgot Apple ID or Password first, and then enter the email address, they’ll go into the more secure password reset flow that tells them to continue on your other Apple devices. If they say they can’t get to them, they’ll be asked for your trusted phone number, which they can find out easily. But that doesn’t end up working out, at least in my testing.
- When I entered that, I was prompted for the passcode again, but entering it threw me to the Don’t Know Your Passcode screen that was warning my account would be locked for several days. At that point, I bailed—who knows what would happen if I locked my account like this. But I very much got the sense that a thief wouldn’t be able to change the password that way.
I’m being a little waffly here because I only tested a few times—I was just too leery of locking my account or messing something else up entirely. But I’ll report this to Apple and see if anything comes back.
All that said, if you both turn on the Screen Time passcode and set a recovery key, you’re safe. There’s no way to turn off the Screen Time passcode without having access to the recovery key.
-
Doug Miller
24 April 2023
Adam Engst:
That seems incorrect in my case. I have both a recovery key set and a screen time passcode and I can still go through and change the Apple ID password with the procedure you listed. (I just, in fact, actually changed it - and very shortly afterward realized that this meant that my Sonos stopped playing music because I had to reauthorize my Apple Music account.)
Having a screen time passcode with account changes disallowed makes it harder to find the Apple ID address on the device, but not impossible. - Adam Engst
24 April 2023
Darn it, I think you’re right. That was my starting condition, and when I assumed it worked, it was before I discovered that there was a difference with when you enter the email address in the Screen Time Passcode Recovery screen. I have screenshots showing that the recovery key is required, but I’m pretty sure that’s in the branch where you enter the email address AFTER tapping Forgot Apple ID or Password.
I’ve set up to replicate now, and while I don’t actually want to change my Apple ID password again (it invalidates my app-specific passwords and causes all sorts of cascading alerts on different devices), I’m getting the screen to change the Apple ID password without being prompted for the recovery key first.
But the screen time fix could merely buy you minutes-it can be reset. It is no panacea.
I use a scheme to remember. First I create a "common password body" that doesn't change and then insert a character that does change that matches the site I am going to.
For instance, let's say my base is H1mPW ("Here 1s my PassWord"....easy to remember) then if I am going to google the password is H1mgPW. If i'm going to Wachovia bank it's H1mwPW. Etc. etc. This way I only need to remember the base and what site I'm logging in to.
*bold characters for emphasis here
Am I missing something because this sounds like a security risk to me.
Say someone got a hold of my phone and got the password. I'm able to get my phone back from them and I change my passcode. Well, that robber still has 72 hours to try to steal my phone again and use it (since they already know the old passcode).
And the situation doesn't have to be that of a "robber". It could be, for instance, one's child or some family member who wasn't supposed to have access, etc.
Say someone got a hold of my phone and got the password. I'm able to get my phone back from them and I change my passcode. Well, that robber still has 72 hours to try to steal my phone again and use it (since they already know the old passcode).
And the situation doesn't have to be that of a "robber". It could be, for instance, one's child or some family member who wasn't supposed to have access, etc.
Glad to see that they're looking at it. Having a low-entropy passcode as the key to the apple kingdom is a poor design choice.
Not without the Screen Time PIN, from what I understand.
edit: just read @KaliYoni's post above. Seems you're right. I really hope Apple fixes this crap, pronto.
Having a password manager is right at the top of my list of security recommendations (along with keeping stuff patched and getting a security freeze - not credit lock - on your credit reports).
There are good and bad password managers out there. One that allows the vendor to access to any data in your keyring is bad.
You should never use an in-browser/website one on a regular basis - only use the app. If you do have to use the web one (like 1password.com to set it up initially), then do that from a known, good, trusted browser on a machine you control (never, ever, on someone else's machine). From that point forward, only using the app prevents you from ever entering the passphrase in the wrong place. If you choose a good one that's several words long like (puppy shark jumps blue freakin whales) you'll likely never have to change it....it really is 1 password. The only real risk is that you also have to keep their secret key somewhere safe (like a parent or kid's home, or a safe deposit box), because you'll need that to regain access to your account if you lose all your devices at the same time.
Highly highly recommended.
Just a side note: If you have a password for your email account that you can remember, it's likely that it can easily be hacked. And since email reset is the fallback for most sites, that's actually the most important password to make extremely secure. This is why, by the way, that you should never login to your email account from a machine you don't own, and ideally from a browser that you don't use for general browsing (if you use browser based email instead of a real service/client).
Dumb. Most people change their passcode for a reason - like a snooping partner/ex, kid, etc. This would let that person just get back on in there. Who changes their passcode without a reason?
lol, a single passcode that unlocks ANY iPhone? That wouldn’t stay secret for more a couple weeks. There‘s no reason to be anymore concerned about such things than you were previously.
I seriously don’t get how people think that they are more at risk when companies publicly announce features they view as “close” to a possible privacy concern. If a company was to do something sneaky they obviously wouldn’t announce it and thus people would be none the wiser.
So “what prevents them?” Obviously the same thing that has always prevented them—which even if nothing—isn’t any different than before.
It shows in the screenshot that you can cancel the old passcode immediately, without having to wait 72 hours for it to expire.
Can everyone please read the article before criticizing? The article fully explains that you have the option to instantly, fully, cancel your old password (ie - the same behavior as now) if you want to. This is not any less secure than it was.
Have none of you ever changed your password on your laptop/iPhone/etc before and then gone a few days without typing it in - only to be stumped the next time you get a password prompt? I’m not even very old and have had this situation happen. In that case it’s helpful to be able to use the one you were using for the last year that you still remember.
As for “who changes their password without reason”… ummm… everyone that cares at all about security? Regularly changing passwords (even if just every year or so) is one of the simplest suggestions for password security.
That's not necessarily true. If the internal mechanisms regarding how passcodes are handled has changed (I have no idea if that is the case), then this could result in a less secure situation.
