
aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
Hi all,

I could write this thread on a more generic forum, but I am putting it here because I would think Apple does a better job of this on its iCloud service.

It is the eternal password complexity problem.
It is not about whether a password is useful or not.

Passwords are useful and should be secret, and a user should be able to remember them easily, and passwords should be set differently for each account, and changed every so often.

I, like most people, have a routine to establish a personal, secret, easy to remember and dedicated password for my multiple accounts.

Recently, I changed all my passwords as a good routine. Only here I discovered that iCloud had instigated a set of new rules that passwords need to match to be accepted.

Conclusion, I had to enter a password outside of my routine.

And you can guess it, I have pressed the iForgot Password button nearly every day since. Makes me regret my changing the password as a good security measure.

So I can either write down the password (it is no longer secret), change my routine (lose the easy to remember), or use a password that I use elsewhere (no differentiation). Definitely once I successfully memorize this password, I will not change the password again.

I thought Apple cared about "normal" users and shunned imposing on them the complexities of IT. This applies to passwords as well.
 

marc11

macrumors 68000
Mar 30, 2011
1,618
4
NY USA

Actually this is not unique to Apple, many companies are now insisting on strong passwords and it is a smart practice that all people should do. If you came up with your passwords, and they are something you can easily remember, then someone can easily crack them...your best bet, use a password app like 1Password to generate, store (encrypted) and access all your passwords under a single password key. Then you need only remember the single password, which will access your password files. This will solve your issue of generating strong passwords and remembering them.
 

richard13

macrumors 6502a
Aug 1, 2008
837
198
Odessa, FL
Yea, establishing and remembering strong passwords is rough but this really has nothing to do with Apple. As someone else has already pointed out you could use a password manager like 1Password. If you'd rather not spend the money for one and don't mind a little inconvenience you could also use Keychain Access that comes with OS X.
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
Actually this is not unique to Apple
I know that, my concern is that Apple - who normally goes the extra mile - did not. They limited themselves to a flat out "it's complicated" so users just face it.

If you came up with your passwords, and they are something you can easily remember, then someone can easily crack them.
This is a little rhetorical isn't it?

The core point on passwords is that people should be able to behave in a normal manner with respect to them, not act like monkeys. It goes back to the old saying: "too much security kills security".

And increasing security unilaterally, using the same old techniques is just killing security, definitely not raising security.

best bet, use a password app like 1Password to generate, store (encrypted) and access all your passwords under a single password key. Then you need only remember the single password, which will access your password files. This will solve your issue of generating strong passwords and remembering them.

Thanks for this input, but the devil's advocate would say that is equivalent to 1. writing them down, 2. per your own words, if I can remember the password to the APP, then the password can be cracked giving access to all the stored passwords.

So if the idea is interesting it does not really add much more than some tool complication.


Intrinsically security is my issue, not that of someone else. So if I set my own level of security and assume it in a responsible manner, why does Apple (or any other system) have the aggravating arrogance of saying it knows better than me?

My recent experience with Apple, and (now) other systems is that passwords such as "g3tb0ok" will not pass (less than 8 chars, no uppercase) whilst "Toto123." will (8 chars upper/lowercase, digit, special char). A simple visualization shows which one is easier to guess, particularly if you blend in knowledge that the person hates passwords.
 

daveham

macrumors newbie
Oct 30, 2012
6
0
Thanks for this input, but the devil's advocate would say that is equivalent to 1. writing them down, 2. per your own words, if I can remember the password to the APP, then the password can be cracked giving access to all the stored passwords.

So if the idea is interesting it does not really add much more than some tool complication.

I've started looking into password managers myself because my passwords are getting too complicated to remember. But I don't think it's possible for someone to guess your password and gain access to all your passwords, if that's what you're saying. I believe there's two factor authentication at work here.

I checked out 1Password, but I feel a little duped paying that much for a password manager. Plus I use a Mac at home and a PC at work, so I want something universal. Someone recommended Dashlane to me. Has anyone tried it?

They have a free version so I might go for it and see. Although I'd really hate to have to transport all that data...
 

richard13

macrumors 6502a
Aug 1, 2008
837
198
Odessa, FL
I checked out 1Password, but I feel a little duped paying that much for a password manager. Plus I use a Mac at home and a PC at work, so I want something universal. Someone recommended Dashlane to me. Has anyone tried it?

I hear you on the cost factor but I just wanted to point out that there are OS X/iOS/Windows versions of 1Password so you could go cross platform and even keep them in sync if you added Dropbox to the mix. Disclaimer: I have not actually used 1Password so I'm not advocating it. However, I am going to try it and I think they have a 30 day return policy.

But no, I've never even heard of Dashlane. Maybe this is something else I should look into.
 

marc11

macrumors 68000
Mar 30, 2011
1,618
4
NY USA
Thanks for this input, but the devil's advocate would say that is equivalent to 1. writing them down, 2. per your own words, if I can remember the password to the APP, then the password can be cracked giving access to all the stored passwords.

No, not really. It is far easier to remember ONE strong password than it is to remember 10 or 20. And by strong I mean nothing related to your personal life, random numbers, letters, upper, lower case, etc. And that is the point, if your computer is password protected when locked AND you have a strong password on your password manager you have two layers of security. I forget the actual numbers but at a certain length and mix passwords are almost impossible to crack except by the best of the best having tools and skills 99% of thieves do not have. The average person looking to steal your data doesn't have such skills and if they do, it doesn't matter if you have one or twenty passwords, they are going to crack them.

With that, you can set each site with a super long super strong password and never worry about remembering them again and never storing them in your browser as an auto login.

With this method, if someone steals your computer and its login password, they still need to crack your password manager strong password; a much more difficult task. With your method, once someone catches on to your pattern, they can crack your easy passwords pretty quickly. The password manager is much stronger security, even if it is just one password to remember.
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
... It is far easier to remember ONE strong password ... if your computer is password protected when locked AND you have a strong password on your password manager you have two layers of security.
Point taken, except that we truly have 2 passwords ;) But I fully agree with you all.

One cannot avoid noting that these are "work arounds". They are crying out loud that we do not like what is out there, but agree that we need some form of security.

So please bear with the example, not the details in the following text;

Where is the problem with me setting the password as to my needs ?

  • If I want crappy security; let me use 1 character;
  • If I want super security let me set 100 characters.

Security is my decision, not someone else's.

A site should only indicate how complex my password is, and suggest improvements, but not blindly force me to add some gimmick complexity.

Again I put forward the example of "Toto123." and "g3tbo0k". The second is considered worse than the first based on gimmick rules.

So I do understand Apple facilitated the hack of a journalist's iCloud account. But I also understand that increasing password length had nothing to do with the fact that the hack was mainly social engineering.

And on the front of social engineering, Apple is forcing me to write down my password because it forces something I cannot remember.

Let's be honest, Apple did not go the extra-mile here, it copied everyone else.
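
An added example, not part of any post in this thread and not Apple's validation code: it contrasts the composition rule described above (8 or more characters, upper/lowercase, digit, special character) with the advisory-style feedback the original poster asks for. The pattern checks, their names and the substitution table are illustrative assumptions, not a real strength meter.

```python
import re

# Digit/symbol-for-letter substitutions (illustrative, not exhaustive).
LEET = str.maketrans("013457@$", "oieastas")

def passes_composition_rule(pw):
    """Hard gate as described in the thread: 8+ chars, upper, lower, digit, special."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def has_sequence(pw, run=3):
    """True if pw contains `run` consecutive ascending characters (abc, 123)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)):
            return True
    return False

def advisory_feedback(pw):
    """Return findings about guessable structure; never rejects the password."""
    notes = []
    if len(pw) < 8:
        notes.append("short")
    # Shape that satisfies the composition rule with minimal effort: Word + digits + symbol.
    if re.fullmatch(r"[A-Z][a-z]+\d+[^A-Za-z0-9]?", pw):
        notes.append("capitalised-word+digits+symbol")
    if has_sequence(pw):
        notes.append("sequence")
    # Becomes purely alphabetic once substitutions are undone: likely a disguised word.
    if not pw.isalpha() and pw.translate(LEET).isalpha():
        notes.append("leet-word")
    return notes

if __name__ == "__main__":
    for pw in ("Toto123.", "g3tb0ok"):  # the two passwords compared in the thread
        print(pw, passes_composition_rule(pw), advisory_feedback(pw))
```

The composition gate accepts "Toto123." and rejects "g3tb0ok", while the advisory pass reports structural findings for both and blocks neither.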
 

wackymacky

macrumors 68000
Sep 20, 2007
1,546
53
38°39′20″N 27°13′10″W
I currently use a password storing program because all my passwords are something like h-@nf2nNfaw4kb.z(F4d unless there is a silly rule like exactly 8 characters or no special characters.

----------

.......

Security is my decision, not someone else's.

A site should only indicate how complex my password is, and suggest improvements, but not blindly force me to add some gimmick complexity.

Again I put forward the example of "Toto123." and "g3tbo0k". The second is considered worse than the first based on gimmick rules.

.....

I disagree with you a bit here because

1.) If someone hacks your email or social network account it can be used to spam or interfere with others. The owners of such sites want to prevent too much abuse to maintain the quality of their brand.

2.) Financial organizations (e.g. banks) normally have a limit on the liability of loss customers suffer from "online" fraud. This is to encourage customers to use these services. If your banking password is money then you cannot expect the bank to be kind to you if your account is hacked and money lost.
 