
subjonas

macrumors 603
Original poster
Feb 10, 2014
6,322
6,842
As title says: Would it be a bad idea to use my Apple ID password (complicated keychain generated) as my iPhone’s alphanumeric passcode?

The reason I’m considering it is mainly so that I’m forced to occasionally enter it in to unlock my phone and therefore I’d be forced to memorize it, as it’s good to memorize one’s Apple ID password in case one needs to sign into their iCloud account somewhere and they don’t have any of their devices handy to look up their password which is especially necessary if it’s a strong password (eg. I forgot my phone going to work, or my phone gets stolen and I want to remotely erase it using someone else’s computer).
Additional reasons are:
- it’s a much stronger password than a numeric code, safer against anyone trying to hack or observe me putting it in in public (if I ever have to)
- I have one less passcode to remember (although by now my passcode is already pretty engrained in my brain)

Obviously it will take several times of entering it in to memorize it.

The one big danger I see is if anyone ever does somehow observe me putting in my password into my phone (maybe video recorded), they’d also pretty much have access to my iCloud account. So I guess I’d have to be extra paranoid and never enter it in while in public.

Other thoughts?

And while we’re at it, what about using my Apple ID password for my Mac password? 🤔
 
Sharing passwords tends to be a bad idea. So if a person got your passcode to the phone, he'd have access to all of the data stored by Apple, because you use the same password. Seems like a bad idea to me.
 
Very bad idea. Apple ID password is your 2nd line of defense when the phone was stolen (and the thief knew your phone’s PIN).
Anyway, you shouldn’t need Apple ID password frequently. You can also assign using Face ID to buy from App Store.
 
Sharing passwords tends to be a bad idea. So if a person got your passcode to the phone, he'd have access to all of the data stored by Apple, because you use the same password. Seems like a bad idea to me.
Very bad idea. Apple ID password is your 2nd line of defense when the phone was stolen (and the thief knew your phone’s PIN).
Anyway, you shouldn’t need Apple ID password frequently. You can also assign using Face ID to buy from App Store.
But how could someone get my device password if I never put it in in public?

Don’t need Apple ID frequently, but there are a couple possible scenarios I foresee that would be very inconvenient or bad to not have it memorized (mentioned in my original post).
 
But how could someone get my device password if I never put it in in public?
So what you're saying is, that you never, ever take your phone outside? That seems odd.

It's your phone, your account, you certainly can do what you want. All I'm saying is that, generally speaking, using the same passwords has always been considered a bad idea.

Using the same password for your phone and Apple ID is a very bad idea but if you want to do it, no one is going to stop you.

You started the thread asking if it's a bad idea. Two people have already said it is. I suspect 99% of them will say it's bad.

Don’t need Apple ID frequently,
I'm sure a thief will.
 
So what you're saying is, that you never, ever take your phone outside? That seems odd.

It's your phone, your account, you certainly can do what you want. All I'm saying is that, generally speaking, using the same passwords has always been considered a bad idea.

Using the same password for your phone and Apple ID is a very bad idea but if you want to do it, no one is going to stop you.

You started the thread asking if it's a bad idea. Two people have already said it is. I suspect 99% of them will say it's bad.


I'm sure a thief will.
Sorry if I offended you in some way. Just wanted to see if I missed something.
 
Sorry if I offended you in some way. Just wanted to see if I missed something.
I'm not the one offended. You asked, I gave you my response. I truly do not care how you decide to secure your account and devices.

It doesn't matter how many or how few people think it's a bad idea. If you want to do it, then do it, but you're the one who asked and while you didn't get the answer you wanted, it still boils down to your decision.
 
Bad idea. If someone manages to get your password - who knows how but let's say it's possible - you've just lost your first and second line of defence simultaneously.
 
There is a much better way of doing it, make the AppleID password a random one that you won't ever need to remember and use a password manager. You'll only ever need to remember one password, in addition to your phone's PIN code.

That is much simpler than trying "lifehacks" to memorize the complicated AppleID password, and the passwords for all your other services.

Use unique passwords for literally every single login, and make sure you have the password manager ready on all devices where you might need to access any one of the services. Store a copy safely somewhere like a banking deposit box for emergencies if you can.

Even a 4 digit phone pincode that isn't 1234 or 1123 is safe on an iPhone as long as nobody watches you type it in (limit to 10 tries anyways, and adds wait times between tries, so between 10k combinations it's effectively impossible to guess it right).

To improve security with a password manager, I use two different ones on my desktop and mobile devices, and I only add what I really need on the mobile devices. If I am robbed at knifepoint and the criminal were to ask me to unlock the password manager on the phone, they wouldn't automatically have access to all my passwords. Not that this is a very common scenario, usually a thief won't necessarily know what a password manager even is.

Since you rarely need to update passwords anymore when you use a manager, it's not inconvenient to manage two different managers. When you sign up to a new service you just have to manually enter it on both managers.
 
Reusing any password for anything is always a bad idea.
Having the 2 main passwords for access to your Apple ID matching is a very bad idea, even if it’s randomly generated and hard to guess/remember.
 
This is the best OP on MR I've seen in yonks!
You obviously want to do it considering your replies so I say go for it!

Or

You could just make a mnemonic that applies to only your lived life experience and use that as your Apple ID.

Good to have choices!
 
Don’t need Apple ID frequently, but there are a couple possible scenarios I foresee that would be very inconvenient or bad to not have it memorized (mentioned in my original post).

Why don’t you store the password in your keychain?
That’s what it is for.
 
If you are scared of forgetting your Apple ID password, put it on a piece of paper and put that in your shoe under the shoe insole.
 
Or could just make a password convention you use that’s easy to remember and have a different PW for everything
 
I have a couple passphrases that I use for a very few Very Important Accounts. They're about 30 characters, and something that you’d instantly recognize and have no trouble remembering if I told you, the way that, for example, “We have nothing to fear but fear itself,” would be. I have a couple minor variations on the phrases, with very simple h4x0r-style substitutions.

If anybody with malicious intent got access to one of these accounts, I’d be screwed enough that cascading fallout would be the least of my worries … if a bank robber cleans out the cash in the teller’s drawers, how much worse is it if the robber also cleans out the safe deposit boxes?

The passphrase for my phone is therefore quite similar to the one for my AppleID.

I would advise against using an impossible-to-remember password for your AppleID. You’ll need it more than you realize — for example, to log in to the App Store to download something after a reboot. How much do you want to bet that that’ll be the app to get through the turnstiles at the airport subway terminal of the city you’re visiting for the first time? Wouldn’t you much rather go stand against a wall (so nobody can look over your shoulder) to enter that than to wish you had remembered to get the printed version out of your safe deposit box on the other side of the planet?

b&
 
As mentioned you can reset your Apple ID password from your device using the device PIN so there's no loss of security here as they are essentially the same already given you can reset one with the other
 
I'm not the one offended. You asked, I gave you my response. I truly do not care how you decide to secure your account and devices.

It doesn't matter how many or how few people think it's a bad idea. If you want to do it, then do it, but you're the one who asked and while you didn't get the answer you wanted, it still boils down to your decision.
Ok glad you aren't offended, but you're apparently showing some irritation. I was somewhat surprised by this as I was honestly looking for information that I might have missed. I have not made up my mind as you seem to think. But I also don't immediately follow advice if I have questions. But I do appreciate your good intent.

There is a much better way of doing it, make the AppleID password a random one that you won't ever need to remember and use a password manager. You'll only ever need to remember one password, in addition to your phone's PIN code.

That is much simpler than trying "lifehacks" to memorize the complicated AppleID password, and the passwords for all your other services.

Use unique passwords for literally every single login, and make sure you have the password manager ready on all devices where you might need to access any one of the services. Store a copy safely somewhere like a banking deposit box for emergencies if you can.

Even a 4 digit phone pincode that isn't 1234 or 1123 is safe on an iPhone as long as nobody watches you type it in (limit to 10 tries anyways, and adds wait times between tries, so between 10k combinations it's effectively impossible to guess it right).

To improve security with a password manager, I use two different ones on my desktop and mobile devices, and I only add what I really need on the mobile devices. If I am robbed at knifepoint and the criminal were to ask me to unlock the password manager on the phone, they wouldn't automatically have access to all my passwords. Not that this is a very common scenario, usually a thief won't necessarily know what a password manager even is.

Since you rarely need to update passwords anymore when you use a manager, it's not inconvenient to manage two different managers. When you sign up to a new service you just have to manually enter it on both managers.
Why don’t you store the password in your keychain?
That’s what it is for.
I do use iCloud Keychain as my password manager. Since my Apple ID password is the password to get into it and all my other passwords, I would like it to be as secure as possible, which is why I had Keychain generate a random password for it. But it's possible that a more memorizable password may be a better way to go. And as I mentioned in my original post, the scenario I'm trying to avoid is being locked out of my Apple ID if I can't remember my complicated password, and I'm without any of my devices around (eg. on a trip and I lose phone).
I'd have to think about using two password managers. That is more secure but might be a bit further than I'm willing to go.

This is the best OP on MR I've seen in yonks!
You obviously want to do it considering your replies so I say go for it!

Or

You could just make a mnemonic that applies to only your lived life experience and use that as your Apple ID.

Good to have choices!
I think people here may be jumping to conclusions. Sure, this is an idea that I think might have merit. But I asked for feedback for a reason, not just looking for confirmation. I want to explore things thoroughly. Asking questions about the advice given doesn't mean I have my mind made up. People seem to get short when they are questioned, especially when they are trying to help. I've been on both sides of this, and while sometimes it's headstrong or oversensitive people, I can say many times it's just assumptions and breakdown of communication.
I like the idea of a truly randomized Apple ID password, but a more memorizable one could possibly be the best way to go.

If you are scared of forgetting your Apple ID password, put it on a piece of paper and put that in your shoe under the shoe insole.
I laughed out loud. I hope it was a joke. If not, uh I'll keep that in mind...

Or could just make a password convention you use that’s easy to remember and have a different PW for everything
I have a couple passphrases that I use for a very few Very Important Accounts. They're about 30 characters, and something that you’d instantly recognize and have no trouble remembering if I told you, the way that, for example, “We have nothing to fear but fear itself,” would be. I have a couple minor variations on the phrases, with very simple h4x0r-style substitutions.

If anybody with malicious intent got access to one of these accounts, I’d be screwed enough that cascading fallout would be the least of my worries … if a bank robber cleans out the cash in the teller’s drawers, how much worse is it if the robber also cleans out the safe deposit boxes?

The passphrase for my phone is therefore quite similar to the one for my AppleID.

I would advise against using an impossible-to-remember password for your AppleID. You’ll need it more than you realize — for example, to log in to the App Store to download something after a reboot. How much do you want to bet that that’ll be the app to get through the turnstiles at the airport subway terminal of the city you’re visiting for the first time? Wouldn’t you much rather go stand against a wall (so nobody can look over your shoulder) to enter that than to wish you had remembered to get the printed version out of your safe deposit box on the other side of the planet?

b&
Yeah a more easily memorizable password might be the best way to go. I'm just hesitant because it's the password that holds all my other passwords so I want it to be as strong as possible. But also I was thinking of changing my phone passcode to a complicated alphanumeric anyway, which would be another thing to memorize.

While still not optimal, no one here is addressing the fact that you can change the Apple ID password with the device passcode, which is most likely what a thief would try anyway as it's now in the news
As mentioned you can reset your Apple ID password from your device using the device PIN so there's no loss of security here as they are essentially the same already given you can reset one with the other
Oh! Wow that might change things. Do you know if that is by design or will be changed at some point? (the news article is paywalled)
edit- oops I see from the Apple support article, it's by design. Is there talk of changing that?
 
Yeah a more easily memorizable password might be the best way to go. I'm just hesitant because it's the password that holds all my other passwords so I want it to be as strong as possible. But also I was thinking of changing my phone passcode to a complicated alphanumeric anyway, which would be another thing to memorize.

You need lots and lots of entropy for a system to be secure … and humans are really, really, really bad at memorizing high-entropy stuff. I would strongly discourage you from trying to memorize a compact password with triple-digit entropy … that would be sixteen characters drawn from uppercase and lowercase characters plus digits plus all the punctuation you can type. You’d need to expand that to 150 characters or so from the same set to get over 1,000 bits of entropy, which might maybe be adequate to protect against brute-force attacks these days? I haven’t kept up with the advances in Moore’s law in that regard.

On the other hand, the “source space” for complete sentences of more than trivial length is effectively limitless. Just as an example, pick any sentence on this here Web page and consider how many ways you could re-write it such that the meaning is preserved but the actual sequence of characters differs.

Similarly, consider how easy it would be to memorize any of these sentences. And: the previous sentence has … well, naïvely, about 200 bits of entropy, but you can’t just throw words at random from a dictionary; still it’ll be well over 100 bits, probably over 150 bits. No matter what, it’s much stronger than that 16-character random line noise password … and something you could actually memorize with almost zero effort.

Sure, it takes a moment to type out a complete sentence. But it’s the only realistic way humans have of remembering something with enough entropy to foil any sort of brute-force attack.

(It’s also worth noting that brute-force attacks are generally very well protected against these days, which is why the world doesn’t come to an end with so many people using their pet’s names plus kid’s birthday as passwords. It’s very difficult to get your hands on the data to brute force; on the phone, for example, you’re rate-limited to only try a few passwords per minute, and it’s really hard to pry open the phone to get at the physical memory location.)

Oh! Wow that might change things. Do you know if that is by design or will be changed at some point? (the news article is paywalled)
edit- oops I see from the Apple support article, it's by design. Is there talk of changing that?

I expect that Apple’s security practices will evolve, but slowly. The next major change would be with the introduction of under-display fingerprint readers, presumably still coupled with FaceID. Considering how the Web token thing is maturing nicely, by that time they might offer an option to use both fingerprint plus FaceID in lieu of a passcode. Presumably, either the one or the other would work alone most of the time the way that they do now; then, after a restart (etc.), it’d require both simultaneously. But that’s pure speculation on my part!

b&
 
Sharing passwords tends to be a bad idea. So if a person got your passcode to the phone, he'd have access to all of the data stored by Apple, because you use the same password. Seems like a bad idea to me.
As the recent NYTimes piece highlighted, your iPhone passcode already basically grants access to your entire Apple ID.
 
Bad idea, OP.

The last thing you want is to have multiple accounts with the same password.

My Apple ID is 28 mixed characters. I came up with the Diceware type phrase and having to input it every so often helps me remember. I also have multiple password managers with the password inside, in case I need a reminder.



After thinking for 10 seconds, I came up with the following, which serves as a good example of what you could create that is secure and easy to remember.

Purple!-eyes-With-Candy-carPet-in-?Freezing-sauna-<
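
Added example, not part of any post in this thread: a Python sketch of the entropy arithmetic discussed above (random-character passwords versus Diceware-style phrases) together with the 10-try PIN limit mentioned earlier. The 94-symbol alphabet, the 7,776-word list size and the 16-word sample list are assumptions of the example, and the bit counts hold only for secrets drawn uniformly at random, not for phrases a person makes up.

```python
import math
import secrets

PRINTABLE_ASCII = 94         # assumption: upper, lower, digits, US-keyboard punctuation
DICEWARE_LIST_SIZE = 6 ** 5  # 7,776 words: five dice rolls select one word

# Constructed 16-word sample list (4 bits per word); a real list is far larger.
SAMPLE_WORDS = ["anchor", "breeze", "cobalt", "dune", "ember", "fjord",
                "garnet", "harbor", "iris", "juniper", "kettle", "lantern",
                "meadow", "nickel", "orchid", "pebble"]

def uniform_bits(symbols, choices):
    """Entropy in bits of `symbols` independent, uniform picks from `choices` options."""
    return symbols * math.log2(choices)

def symbols_needed(target_bits, choices):
    """Smallest number of uniform picks that reaches at least `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))

def online_guess_chance(keyspace, attempts):
    """Chance that `attempts` distinct guesses hit a uniformly random secret.

    Models a device that locks or wipes after a fixed number of wrong entries.
    """
    return min(1.0, attempts / keyspace)

def make_passphrase(wordlist, n_words, sep="-"):
    """Draw a passphrase with a CSPRNG and return (phrase, entropy_bits)."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist has duplicates; entropy would be overstated")
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(words), uniform_bits(n_words, len(wordlist))

if __name__ == "__main__":
    pw_bits = uniform_bits(16, PRINTABLE_ASCII)
    print(f"16 random printable chars : {pw_bits:6.1f} bits")
    print(f"4-digit PIN               : {uniform_bits(4, 10):6.1f} bits")
    print(f"6-word Diceware phrase    : {uniform_bits(6, DICEWARE_LIST_SIZE):6.1f} bits")
    print("Diceware words to match 16 random chars:",
          symbols_needed(pw_bits, DICEWARE_LIST_SIZE))
    print(f"Random 4-digit PIN, 10 tries allowed: "
          f"{online_guess_chance(10 ** 4, 10):.1%} chance of a hit")
    phrase, bits = make_passphrase(SAMPLE_WORDS, 6)
    print(f"Sample phrase from the toy list: {phrase} ({bits:.0f} bits)")
```

The PIN figure depends entirely on the attempt limit being enforced by the device; the same four digits offer about 13 bits against anyone who can guess without that limit.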
 
Ok glad you aren't offended, but you're apparently showing some irritation.
You’re totally reading into something that is not there. As I said I couldn’t care less in how you manage your passwords.
 