Apple toughens up phone password reset system

Summary: Apple is hardening the security around its phone password reset service, but in the meantime it is taking no risks and has taken the service down.

TOPICS: Apple, Security

Following the highly publicised breach of former Gizmodo journalist Mat Honan, Apple has suspended the ability for AppleID passwords to be reset over the phone, while it hardens up its security.

"We're asking customers who need to reset their password to continue to use our online iForgot system."

According to Apple, the system resets passwords either by sending a unique reset link to an alternative email address already on record, or by asking the customer to answer security questions that were also previously put on record.

Apple's password reset form.
(Screenshot by Michael Lee/ZDNet)

Apple's password requirements specify that passwords must be at least 8 characters in length and contain a minimum of one letter, one capital letter and one number, with not more than three consecutive characters. Passwords must also not be the same as the account name or have been used in the past year.

Although Apple does not state a maximum length, it accepts passwords of up to 32 characters.
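The rules above amount to a small, checkable policy. The following is an added example (not Apple's code and not from the article) of a validator that enforces each stated rule and reports every violation at once. Where the article is ambiguous, the code makes a labelled assumption: "three consecutive characters" is read as three identical characters in a row, "one letter" is read as a lowercase letter (since a capital already counts as a letter), and the account-name comparison is case-insensitive. The `history` list, the `fingerprint` helper and the `days_ago` helper are constructed for the example; a real service would compare against its stored salted password hashes. Note that over-length input is rejected with a clear message rather than silently truncated, which is the behaviour the comment thread complains about.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Policy values taken from the article's description of Apple's requirements.
MIN_LENGTH = 8
MAX_LENGTH = 32                # the limit the article reports Apple accepting
MAX_IDENTICAL_RUN = 3          # assumption: "three consecutive characters" read as identical ones
REUSE_WINDOW = timedelta(days=365)


def days_ago(n, now=None):
    """Helper for building constructed password-history records."""
    return (now or datetime.now()) - timedelta(days=n)


def fingerprint(password):
    """Illustrative fingerprint for the reuse check (assumption, example only).

    A real service would compare against its stored, salted password hashes;
    a bare SHA-256 is used here solely to keep the example self-contained.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def longest_identical_run(s):
    """Length of the longest run of one repeated character in s (0 for empty input)."""
    longest = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def check_password(password, account_name, history, now=None):
    """Return the list of policy violations; an empty list means the password is accepted.

    history is a list of (fingerprint, set_at) tuples for the account's earlier passwords.
    Over-length input is rejected outright rather than silently clipped, so the user
    learns the real limit instead of guessing where the stored password ends.
    """
    now = now or datetime.now()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters (rejected, not truncated)" % MAX_LENGTH)
    # "one letter" is read as a lowercase letter (assumption): a capital already is a letter.
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no capital letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if longest_identical_run(password) > MAX_IDENTICAL_RUN:
        problems.append("more than %d identical consecutive characters" % MAX_IDENTICAL_RUN)
    if password.lower() == account_name.lower():   # case-insensitive comparison (assumption)
        problems.append("same as the account name")
    fp = fingerprint(password)
    if any(h == fp and now - set_at <= REUSE_WINDOW for h, set_at in history):
        problems.append("used within the past year")
    return problems


if __name__ == "__main__":
    # Constructed sample account with one previous password set 100 days ago.
    history = [(fingerprint("Winter2012"), days_ago(100))]
    for candidate in ["Tr0ub4dor&3x", "Winter2012", "Aaaaa123", "Abcdefgh1" * 4]:
        print(repr(candidate), check_password(candidate, "alice", history) or "accepted")
```

Returning the full list of violations, rather than stopping at the first, lets the form tell the user everything that needs changing in one round trip; the explicit maximum-length message is what makes the limit discoverable to someone using a password manager.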

At the moment, the iForgot system lets users recover their AppleID password, but a user attempting to recover a username is still taken through the same password recovery process first; the username is then emailed once the account password has been reset.

In the meantime, the incident has at least brought the issue to the foreground, possibly paving the way for other companies to harden their security. Apple appears to be changing its password reset mechanism and/or policies, stating that when the ability to reset passwords over the phone resumes, customers will be required to "provide even stronger identity verification to reset their password".

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Apple toughens up phone password reset system

    Kudos Apple.
  • password to enter Amazon and/or Apple

    Why don't they add a voice strip to the file of a user - in this way nobody, but nobody, can hack the account. When a user approaches the service dept., they should ask for his voice and compare.
    • Centrelink in Australia does this

      When you register over the phone, you need to repeat some numbers, and provide voice answers to a number of questions (which you can choose).

      When you ring up to use the service, you need to repeat some random numbers, and then answer a random selection of the questions. It works quite well, but if you have a cold, you may need to speak more clearly to have your voice recognised.
  • Maximum password length

    "Although it doesn't state the maximum length, Apple accepts passwords up to 32 characters in length."

    This is something that annoys me to no end. Why don't sites state the maximum length of passwords in the password requirements? Since I use LastPass and don't have to remember the password, I would prefer to make the password as long as possible. But very few sites actually state the maximum password length.
    Pyrrho of Elis
    • Agreed

      I'm not defending Apple here, but it is worth noting it could be worse. I've personally been frustrated by many other sites that silently clip passwords to the first x characters. It's a terrible user experience trying to guess where your password really ends (especially if there's a limit to how many times you are allowed to attempt a log in).
      Michael Lee (Mukimu)
  • But we were promised that Apple was blameless

    Huh. I guess the Apple fanbois lied to us.

    PS The spotlight burns brighter when you are at the top. This is something for the Apple fanbois to keep in mind. Not that they are at the top. They aren't. Apple is at the top. Apple makes many billions of dollars which takes a lot of the sting off. Apple fanbois? They suffer the most.
    • Don't know how I suffer

      Never got hit with a trojan..
      It just works.. same with my linux desktop.
      I tell the OS when to do the updates, if I don't do the update this month.. I don't feel insecure.. I know some people may get hit with a java exploit or funny yet MS word exploit.. But it hasn't happened to me.
      What suffering are you referring to?
      Anthony E
      • You don't really know Windows do you?

        "I tell the OS when to do the updates, if i don't do the update this month."

        Windows does give you that choice, we run a Windows Vista Pro for our POS software server and it doesn't reboot once a month. I have it set up to download but only install when I want it to.
        All this childish point scoring MS V Apple V Linux is rubbish and takes away from the genuine posts.
        There's plenty of room for all to share.
        • If you don't run the updates

          You leave yourself vulnerable. But as for a POS that doesn't go online much, I understand..
          I would agree. But I wish to counter the normal MS employee trolls..
          Anthony E
      • *yawn*

        "Never got hit with a trojan"

        Same here. Big that put you in the 5% pool of alleged intelligent users. (I use the word "alleged" VERY loosely, given the ineptitude of your post)

        "It just works.. same with my linux desktop." Funny. My desktop "just works" since it was built 4-5 years ago.

        "I tell the OS when to do the updates, if i don't do the update this month.. I don't feel insecure.."

        Wow. You are truly the master of your digital domain. I bow before your supposed leetsawce awesomeness on putting said O/S in its place by telling it when to do updates. I'm sure no one else knows how to do that. Oh... wait.
    • Who said that?

      After reading article after article no one said Apple didn't drop the ball on their end... nice try with the FUD. Apple certainly had their part to play as did Amazon and Honan - you seem to have gotten your knickers in a wad over the fact that Apple is not wholly to blame here.
    • Crap spouts more crap!

      Yea, I said it!
    • It's kind of interesting...

      That Apple is getting 99% of the blame for this, when it all started with some pretty weak customer service practices at Amazon. I don't say that to deflect all blame from Apple, as they certainly contributed, but it was the domino effect, and Amazon was the first one to get pushed.

      And, it's certainly not like Amazon isn't at the top in their own right. Where's the spotlight on them? In most of the stories I've read on this, Apple's name has been in the headline and Amazon's been a sidebar.

      I said it before, but it's worth repeating. This hack is valuable in user education. This wasn't somebody's grandma that got hacked, it's a supposed tech guy who is more aware of the risks than most. Users may not have control or even insight into the security practices of the companies they deal with, but they can keep their own house in order to limit the scope if they do fall victim to hackers because of a shortcoming by Apple, Google, Amazon, Twitter, etc. Backup devices, use the best security measures that these companies give you (e.g. 2 factor authentication), don't daisy chain all accounts (or use the same password for all accounts, kind of analog daisy chaining), etc.
    • @toddbottom3

      I AM at the top.
      It just works. I don't know what magic it uses, but I never have any problems.
  • troll

    Toddbottom is simply an Android troll anyways. Kind of funny how he comments on every Apple story when he "hates" Apple products so much as his rants show. Maybe you have epeen envy of Apple stuff and can't afford to buy what you really want??

    They were at fault for having really nice customer service that tried to help him out. It was that editor's fault for being a moron, tying ALL his emails together, NOT having dual-authentication and when in the hell should ANY company provide a credit card number without some real bio information on the people who are calling. It's Amazon's fault as much as Apple's. Both screwed up in a minor way that allowed his accounts to be jacked. HE screwed up the most. He didn't even back up his files on his laptop. Really??? And didn't use dual-auth? Again, not totally surprised. You shouldn't tie all your emails together and use the same credit card with all your accounts. Basic security.
    • I am a terrified Apple owner

      I own both an iPad and an iPhone. Apple's weak security terrifies me. Thankfully I wasn't stupid enough to settle with OS X. I do enough Real Work (tm) that I need Windows.
  • my first thought...

    was who would 'call' for a password reset, but I guess I may have done it in the past with the bank because they won't do it online. They usually reset it with a temporary password that I had to immediately change. I suppose that may be what the hacker did with Honan's account.

    The real problem I think most of us have is too many passwords. I've come up with a personal system that works for me, but still I have problems remembering sometimes. Keychain in Mac OS is a godsend but sometimes you can't use it with certain websites that won't let you save a password.

    I know Apple just bought the company who has fingerprint recognition that can be incorporated into either a computer or as a hardware device. Perhaps that would be the best solution.
    J Michael Ireland
  • Companies don't try hard enough to ID callers

    I just received a spam email which is addressed to me personally (first name and surname), and quotes my date of birth and suburb [1]. From that, a phone book lookup could get my actual address.

    This worries me, because several companies that I've rung only ask for address and date of birth as proof of ID. So, someone now has enough to impersonate me at; my electricity company, one of the banks that I've used, and one of my telecommunications providers [2].

    My point is that ALL companies who provide ANY over-the-phone service need to be much more strict in determining the ID of the person that they are talking to. Typical "proof" of ID such as name, address, phone number, (parts of) credit card, mother's maiden name, etc., are just not secure, as that information is much too easy for others to harvest.

    I think that having user-selectable security questions (not mother's maiden name, brand of car or favourite colour) may be a good choice, especially if voice-print compared (see my previous post re Centrelink).

    [1] I have no idea where the spammer got this info. I don't have a Facebook account, or any other online presence where I've published my date of birth. I'm presuming that some service that I've used has sold my details (or has been hacked).

    [2] The other provider also asks for a 6-digit PIN