Apple toughens up phone password reset system

Apple is hardening the security around its phone password reset service, and in the meantime it is taking no risks: the service has been taken down for now.
Written by Michael Lee, Contributor

Following the highly publicised breach of former Gizmodo journalist Mat Honan, Apple has suspended the ability for AppleID passwords to be reset over the phone, while it hardens up its security.

"We're asking customers who need to reset their password to continue to use our online iForgot system."

According to Apple, the system resets passwords either by sending a unique reset link to an alternative email address that was already on record, or by asking the customer to answer security questions, also previously on record.

Apple's password reset form. (Screenshot by Michael Lee/ZDNet)

Apple's password requirements specify that passwords must be at least 8 characters in length, contain a minimum of one letter, one capital letter and one number, and contain not more than three consecutive identical characters. Passwords must also not be the same as the account name or have been used in the past year.

Although it doesn't state the maximum length, Apple accepts passwords up to 32 characters in length.

At the moment, the iForgot system provides users with options to recover their AppleID password, but attempting to recover a username still takes the user through the same password recovery process first. The username is eventually emailed when the account password is reset, however.

In the meantime, the incident has at least brought the issue to the foreground, possibly paving the way for other companies to harden their security. Apple appears to be changing its password reset mechanism and/or policies, stating that when the ability to reset passwords over the phone resumes, customers will be required to "provide even stronger identity verification to reset their password".
