Apple toughens up phone password reset system
Summary: Apple is hardening the security around its phone password reset service, but in the meantime it is taking no risks and has taken the service down.
Following the highly publicised breach of former Gizmodo journalist Mat Honan, Apple has suspended the ability to reset AppleID passwords over the phone while it hardens its security.
"We're asking customers who need to reset their password to continue to use our online iForgot system."
According to Apple, the system resets a password either by sending a unique reset link to an alternative email address that was already on record, or by asking the customer to answer security questions, also previously on record.
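The e-mail half of that flow is worth spelling out, because the security of a reset link rests entirely on how the token is generated, stored and consumed. The following is an added example, not Apple's iForgot code and not anything the article describes in detail: it issues a reset token from the OS CSPRNG, stores only a hash of it (so a database leak does not hand out live reset links), gives it a hypothetical 30-minute lifetime, allows a single redemption, and invalidates any earlier token for the same account. The `ResetTokenStore` class, its time-to-live and the link format are all assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed 30-minute lifetime; not a value from the article


class ResetTokenStore:
    """In-memory store of pending reset tokens.

    Only the SHA-256 digest of each token is kept, keyed by that digest, so the
    store never holds anything that could be pasted into a reset link.
    """

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable clock so expiry can be tested offline
        self._pending = {}             # token digest -> (account_id, expires_at)
        self._by_account = {}          # account_id -> token digest of the live token

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account_id):
        """Create a fresh token for account_id, revoking any older one."""
        old = self._by_account.pop(account_id, None)
        if old is not None:
            self._pending.pop(old, None)          # only one live token per account
        token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        digest = self._digest(token)
        self._pending[digest] = (account_id, self._clock() + TOKEN_TTL_SECONDS)
        self._by_account[account_id] = digest
        return token                              # the only plaintext copy; goes into the e-mail

    def redeem(self, presented):
        """Return the account_id if the presented token is live and unused, else None."""
        entry = self._pending.pop(self._digest(presented), None)   # pop: single use
        if entry is None:
            return None                           # unknown, already used, or superseded
        account_id, expires_at = entry
        self._by_account.pop(account_id, None)
        if self._clock() > expires_at:
            return None                           # expired tokens are discarded, not honoured
        return account_id


def build_reset_link(token, base_url="https://iforgot.example.invalid/reset"):
    """Compose the link to e-mail (hypothetical URL; the real endpoint is not given on the page)."""
    return f"{base_url}?token={token}"
```

The two properties that matter here are that `redeem` consumes the token whether or not it has expired, so a link can never be replayed, and that the store holds digests only, so the party who can read the e-mail inbox (the "alternative email address" in Apple's description) is the only party who ever sees the usable secret.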

(Screenshot by Michael Lee/ZDNet)
Apple's password requirements specify that passwords must be at least 8 characters long and contain at least one letter, one capital letter and one number, with no more than three identical characters in a row. Passwords must also not be the same as the account name or have been used in the past year.
Although Apple doesn't state a maximum length, it accepts passwords of up to 32 characters.
At the moment, the iForgot system gives users options to recover their AppleID password, but attempting to recover a username still takes the user through the same password recovery process first. The username is eventually emailed when the account password is reset, however.
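The stated rules translate directly into a policy check, including the two that most sites get wrong: an explicit maximum length, and a reuse window that has to be enforced against salted hashes of previous passwords rather than against the passwords themselves. This is an added example, not Apple's validator; it reads "not more than three consecutive characters" as "no run of four or more identical characters", treats "one letter" as any letter, and the history format and the PBKDF2 parameters are assumptions.

```python
import hashlib
import hmac
import os
import re
import time

MIN_LEN, MAX_LEN = 8, 32              # minimum stated by Apple; maximum observed by the article
MAX_RUN = 3                           # assumed reading: at most three identical characters in a row
HISTORY_WINDOW = 365 * 24 * 3600      # "not used in the past year"
PBKDF2_ITERATIONS = 50_000            # assumed work factor for the stored history digests


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def record_password(password, now=None):
    """Produce the (salt, digest, set_at) tuple kept in an account's password history."""
    salt = os.urandom(16)
    return (salt, _digest(password, salt), time.time() if now is None else now)


def check_policy(password, account_name, history=(), now=None):
    """Return the list of rules the candidate password violates (empty list = accepted).

    history: iterable of (salt, digest, set_at_epoch) tuples from record_password().
    """
    now = time.time() if now is None else now
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        problems.append("longer than 32 characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if re.search(r"(.)\1{%d}" % MAX_RUN, password):      # any character repeated MAX_RUN+1 times
        problems.append("more than three identical characters in a row")
    if password.casefold() == account_name.casefold():
        problems.append("same as account name")
    for salt, digest, set_at in history:
        # Only passwords set within the window count; compare digests in constant time.
        if now - set_at <= HISTORY_WINDOW and hmac.compare_digest(_digest(password, salt), digest):
            problems.append("used within the past year")
            break
    return problems
```

Returning every violated rule at once, rather than the first one, is a usability choice that costs nothing in security: the rules are public anyway, and a user who sees all of them fixes the password in one attempt instead of three.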
In the meantime, the incident has at least brought the issue to the foreground, possibly paving the way for other companies to harden their security. Apple appears to be changing its password reset mechanism and/or policies, stating that when the ability to reset passwords over the phone resumes, customers will be required to "provide even stronger identity verification to reset their password".
Talkback
password to enter Amazon and/or Apple
Centrelink in Australia does this
When you ring up to use the service, you need to repeat some random numbers, and then answer a random selection of the questions. It works quite well, but if you have a cold, you may need to speak more clearly to have your voice recognised.
Maximum password length
This is something that annoys me to no end. Why don't sites state the maximum length of passwords in the password requirements? Since I use LastPass and don't have to remember the password, I would prefer to make the password as long as possible. But very few sites actually state the maximum password length.
Agreed
But we were promised that Apple was blameless
PS The spotlight burns brighter when you are at the top. This is something for the Apple fanbois to keep in mind. Not that they are at the top. They aren't. Apple is at the top. Apple makes many billions of dollars which takes a lot of the sting off. Apple fanbois? They suffer the most.
Don't know how I suffer
It just works. Same with my Linux desktop.
I tell the OS when to do the updates. If I don't do the update this month, I don't feel insecure. I know some people may get hit with a Java exploit or, funny yet, an MS Word exploit, but it hasn't happened to me.
What suffering are you referring to?
You don't really know Windows do you?
Windows does give you that choice. We run Windows Vista Pro for our POS software server and it doesn't reboot once a month. I have it set up to download but only install when I want it to.
All this childish point scoring MS V Apple V Linux is rubbish and takes away from the genuine posts.
There's plenty of room for all to share.
If you don't run the updates
I would agree, but I wish to counter the normal MS employee trolls.
*yawn*
Same here. Big whoop...so that put you in the 5% pool of alleged intelligent users. (I use the word "alleged" VERY loosely, given the ineptitude of your post)
"It just works.. same with my linux desktop." Funny. My desktop "just works" since it was built 4-5 years ago.
"I tell the OS when to do the updates, if i don't do the update this month.. I don't feel insecure.."
Wow. You are truly the master of your digital domain. I bow before your supposed leetsawce awesomeness in putting said O/S in its place by telling it when to do updates. I'm sure no one else knows how to do that. Oh... wait.
Who said that?
Crap spouts more crap!
It's kind of interesting...
And, it's certainly not like Amazon isn't at the top in their own right. Where's the spotlight on them? In most of the stories I've read on this, Apple's name has been in the headline and Amazon's been a sidebar.
I said it before, but it's worth repeating. This hack is valuable in user education. This wasn't somebody's grandma that got hacked; it's a supposed tech guy who is more aware of the risks than most. Users may not have control or even insight into the security practices of the companies they deal with, but they can keep their own house in order to limit the scope if they do fall victim to hackers because of a shortcoming by Apple, Google, Amazon, Twitter, etc. Back up devices, use the best security measures that these companies give you (e.g. 2-factor authentication), don't daisy-chain all accounts (or use the same password for all accounts, a kind of analog daisy-chaining), etc.
@toddbottom3
It just works. I don't know what magic it uses, but I never have any problems.
troll
They were at fault for having really nice customer service that tried to help him out. It was that editor's fault for being a moron, tying ALL his emails together, NOT having dual authentication, and when in the hell should ANY company provide a credit card number without some real bio information on the people who are calling? It's Amazon's fault as much as Apple's. Both screwed up in a minor way that allowed his accounts to be jacked. HE screwed up the most. He didn't even back up the files on his laptop. Really??? And didn't use dual-auth? Again, not totally surprised. You shouldn't tie all your emails together and use the same credit card with all your accounts. Basic security.
I am a terrified Apple owner
my first thought...
The real problem I think most of us have is too many passwords. I've come up with a personal system that works for me, but still I have problems remembering sometimes. Keychain in Mac OS is a godsend, but sometimes you can't use it with certain websites that won't let you save a password.
I know Apple just bought the company with fingerprint recognition that can be incorporated into either a computer or a hardware device. Perhaps that would be the best solution.
Companies don't try hard enough to ID callers
This worries me, because several companies that I've rung only ask for address and date of birth as proof of ID. So, someone now has enough to impersonate me at my electricity company, one of the banks that I've used, and one of my telecommunications providers [2].
My point is that ALL companies who provide ANY over-the-phone service need to be much more strict in determining the ID of the person that they are talking to. Typical "proof" of ID such as name, address, phone number, (parts of) credit card, mother's maiden name, etc., is just not secure, as that information is much too easy for others to harvest.
I think that having user-selectable security questions (not mother's maiden name, brand of car or favourite colour) may be a good choice, especially if voice-print compared (see my previous post re Centrelink).
[1] I have no idea where the spammer got this info. I don't have a Facebook account, or any other online presence where I've published my date of birth. I'm presuming that some service that I've used has sold my details (or has been hacked).
[2] The other provider also asks for a 6-digit PIN