Change your Apple ID password. Now.

© 2012 Lawrence I. Charters

Washington Apple Pi Journal

There is one thing Mac, iPad, iPhone, and iPod users have in common. No, it isn't political beliefs; arch conservatives and the very liberal both use these devices. No, it isn't age, or gender, or income level, or nationality. Instead, it is something that most of them never give much thought to: an Apple ID.

You may not even know you have an Apple ID, but if you have a Mac, iPhone, iPad or iPod, or even a Windows machine, and you also have an iTunes account, you have an Apple ID. And that Apple ID is worth money. As shown in Figure 1, your Apple ID can be used to purchase music and applications on the iTunes Store, or hardware or software from Apple's online store. Not shown in the list, but also important, you can purchase and download new software from the Apple App Store, built into every copy of Snow Leopard and Lion.

Because virtually everyone with an Apple ID has used it to purchase something from Apple's online services, the Apple ID is usually tied to a credit card. As a result, anyone who ever manages to gain access to your Apple ID credentials has the ability to spend your money, draining your account of any credits you might have from iTunes gift cards or simply running up your credit card bill by purchasing a shiny new computer or a library of music you probably can't stand.

Your Apple ID has two parts: the Apple ID itself (an E-mail address) and a password. That is also the root of the problem: because the ID is an E-mail address, and because you use that E-mail address to communicate with others, it is no secret. Millions of network devices worldwide have passed your E-mail address through various routers, firewalls, servers and whatnot. Spammers certainly have your E-mail address; you get spam, don't you? Bluntly put, one half of all the information necessary for some unknown person to spend your money is widely available: your E-mail address.

Which brings us to the second part of your Apple ID: the password. Over the past couple of years, a great many people have had their accounts on the iTunes store drained of money because they (a) had easily guessable passwords, including the infamously poor password of "password" or (b) used the password on more than one online service. Easily guessable passwords and reused passwords caused more economic grief in 2011 than all the bank robberies in the entire country.

Figure 1. Your Apple ID — a combination of your name and password — is the key to ordering things on iTunes, on the Mac App Store, on the Apple online store, and to your iCloud services.

These economic losses typically do not come from attacks directed at individual iTunes accounts or anything else so obvious. Instead, hackers attack throw-away services that nobody really cares about, such as contests to get a free iPad, or an online petition to keep a company from building a skyscraper bordering on your back yard, or an online service that helps you keep tabs on fellow members of your Civil War reenactors' unit. These less prominent services have no access to your credit card information -- the services are almost always free -- but -- and this needs to be stressed -- if you have a weak password, or you reuse the same password for multiple online services, you essentially are inviting hackers to spend your money.

Armed with a long list of visitor E-mail addresses and passwords used to register for a free set of steak knives, hackers can then visit the iTunes Store or the online Apple Store and try to use these same E-mail addresses and passwords to make purchases. The hackers don't need to know your credit card number; all they need to know is your E-mail address (which they got from some other site) and your password (which you used on that site and on Apple's site) to spend your money.

This problem isn't unique to Apple. Hackers can spend your money on Amazon, too, or L.L. Bean, or almost any other retailer. Poor passwords are common, and reusing passwords on multiple sites is even more common. Combine these two traits and it is easy to spend your money, without ever knowing your credit card number or anything else about you.
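The pattern just described, seen from the retailer's side, as an added example that is not from the article: a detector run over a few constructed login-log lines that flags a source address trying many different E-mail addresses within a short window, which is how a list harvested from a breached site looks when it is replayed against a store, and lists the accounts that succeeded so they can be forced through a password reset. The log format, addresses, names and thresholds are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: one line per login attempt. 203.0.113.7
# replays a harvested list (many accounts, seconds apart); 198.51.100.9 is a
# legitimate user who mistyped their own password once.
SAMPLE_LOG = """\
2012-03-01T10:00:01 ip=203.0.113.7 user=alice@example.com result=FAIL
2012-03-01T10:00:02 ip=203.0.113.7 user=bob@example.com result=FAIL
2012-03-01T10:00:02 ip=203.0.113.7 user=carol@example.com result=OK
2012-03-01T10:00:03 ip=203.0.113.7 user=dave@example.com result=FAIL
2012-03-01T10:00:04 ip=203.0.113.7 user=erin@example.com result=FAIL
2012-03-01T10:00:05 ip=203.0.113.7 user=frank@example.com result=OK
2012-03-01T10:05:00 ip=198.51.100.9 user=alice@example.com result=FAIL
2012-03-01T10:05:30 ip=198.51.100.9 user=alice@example.com result=OK
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Turn log text into (timestamp, ip, user, result) tuples; skips bad lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"]))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted distinct users} for addresses that tried at least min_users
    different accounts within one window. A user who forgot a password hammers one
    account; a replayed breach list touches many accounts a few times each."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        best, start = set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            flagged[ip] = sorted(best)
    return flagged

def compromised_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged address: the reused-password
    victims to force through a password reset and notify."""
    return {user for _, ip, user, result in events if ip in flagged and result == "OK"}
```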

To give you a specific example, see Figure 2. You probably won't be able to read the fine print, but this is a recent message from "The President's Challenge" Web site, hosted by Indiana University. Once upon a time, I was asked to visit the site and evaluate it for a particular purpose. To do that, I needed to create an account consisting of an E-mail address and password. The message states, in part, that "Hackers recently accessed our database, which included personal information such as your username, password, security question and answer, email address, date of birth, city and state, and, if you provided it, your name." The letter then goes on to strongly recommend that I change my password, and gives explicit instructions for how to create a strong password.

Figure 2. A sad letter about a break-in to "The President's Challenge" Web site.

This didn't cause me any grief; I don't reuse passwords. Certainly not passwords that are also used for accounts tied with money – but I'm the exception. Each day, millions of dollars are collected from on-line accounts of those less wary.

When it comes to your Apple ID, stopping such theft is easy. Go to:

https://appleid.apple.com

and click on the link that says "Manage your account." You'll be taken to a page where you can change your password, create security questions (to keep others from changing your password for you), and update contact information. If you don't remember your Apple ID password, click on the link that says "Reset your password" and you'll be taken to a page that asks you some security questions or, alternatively, sends you an E-mail with a special link for resetting your password (Figure 3).

Take a good look at Figure 3: Apple doesn't like easily guessable passwords, so you can't get away with "password" or "1234" or something else trivial. You are guided through changing your password, complete with hints on a good password.

Figure 3. Apple critiques your Apple ID password: if you pick something that isn't secure, the Web page does an on-the-fly analysis and tells you about it.

What is a good password? Something that is long, and memorable. Is your favorite movie "Fantasia," from 1940? A password of:

Fantasia-1940

not only meets Apple requirements but is also almost impossible for a password-breaking program to solve.
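A small checker in the spirit of the on-the-fly critique shown in Figure 3, as an added example that is neither the article's nor Apple's code: it returns plain-language complaints, and an empty list for "Fantasia-1940". The rules (minimum length, a short blocklist of common passwords, mixed case, a digit, no character repeated three times in a row, and not containing the E-mail name) are this example's assumptions, modelled on the article's advice rather than on Apple's published policy.

```python
import re

# Constructed blocklist of trivially guessable passwords; a real service would
# check against a far larger list of passwords seen in leaked databases.
COMMON_PASSWORDS = {"password", "1234", "12345", "123456", "qwerty",
                    "letmein", "iloveyou", "abc123", "welcome"}

def critique_password(password, apple_id=""):
    """Return a list of complaints about the password; an empty list means it
    passes. apple_id is the E-mail address used as the account name, so the
    checker can refuse a password that simply contains it."""
    problems = []
    if len(password) < 8:
        problems.append("too short: use at least 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the list of most common passwords")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        problems.append("mix upper- and lower-case letters")
    if not re.search(r"\d", password):
        problems.append("include at least one digit")
    if re.search(r"(.)\1\1", password):
        problems.append("avoid three or more identical characters in a row")
    local_part = apple_id.split("@")[0].lower()
    if local_part and local_part in password.lower():
        problems.append("must not contain your Apple ID (e-mail) name")
    return problems

if __name__ == "__main__":
    for candidate in ("password", "1234", "Fantasia-1940"):
        verdict = critique_password(candidate, "me@example.com") or ["acceptable"]
        print(f"{candidate!r}: " + "; ".join(verdict))
```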

After changing your password comes the all-important Step 2: don't use that password for any other service. Use your Apple ID and password only for your iCloud services, iTunes Store, Mac App Store, online Apple store and other Apple services. Don't use that password for Amazon, Google, the Washington Post, Publisher's Clearing House, your bank, or any other service.

And please don't think you are exempt. This article was prompted by roughly 50 incidents passed on by Pi members over the past year. In each case, the member thought their iTunes or Apple E-mail or some other Apple account was hacked by evil hackers. In each case, they were wrong: a non-Apple site was hacked, but because the Pi member either reused the same password on Apple's sites or the member used some trivial password, it was easy for the hacker to use the member's credentials.

Fight crime on a very personal level: don't reuse passwords.