
aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
Hello All,

I honestly have to raise this question I have raised already in the past. It's not a rant, it's making the statement: "this is not security"; it's forcing people to do exactly what they should not - write passwords down.

It is unreal for humans to remember complex passwords and to continuously have to "improve" them at Apple's whim.

I fully understand that there are hackers out there, but the purpose here is to outline that I'm not yet senile and yet I still have to write them down because:

- I am asked too often to change them
- The rules imposed are too obtuse
- I have at least 10 I have to remember

Frankly, I love touch-id and this silliness of emails saying "someone connected to your account" sent to my email, when I connected to that email, is absolutely nonsense.

I am sure Apple's endless "license agreement" says I am bla bla, but honestly who reads them?

So rather than putting forward these absurdities, let's please have something humane.

Migrating to Yosemite has only re-raised this issue.
 

bmac89

macrumors 65816
Aug 3, 2014
1,388
468
I'm not quite sure what this directly has to do with Yosemite or Apple? Sorry if I'm missing something, but isn't this an issue with passwords in general?

No doubt touch/fingerprint or eye detection will become an alternative to passwords in the future, when this technology becomes more readily available.

I always thought using the trackpad to draw a pattern could be an optional alternative to passwords for users to log into the Mac - a bit like smart phones. Obviously not as secure as a password but would meet the requirements of many home Mac users. I actually posted a thread on the forum recently regarding this.

I notice the Windows 10 Preview has an option to click/draw on a picture or use a PIN instead of a password.

However none of these features actually resolve the issue of multiple passwords.
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
I posted this on Yosemite because I was "innocently" hoping that upgrading would not require re-entry of passwords already set in Mavericks.

This was not the case, all passwords had to be re-entered, and some for mail, calendar, address book, iMessage and FT.

So it's all well and fine having a modern OS, but if half the features don't work because this "modern" OS cannot use the existing keychain I think there is a problem.

Presently, family is locked out of 2 iCloud accounts for 8 hours as - of course - the "question/answers" were not good. But again here, Apple forces Questions that make no sense to us. First car? I don't have one. Or school friend? Well, not everyone went to school here (but thankfully we make enough $ to pay for a Mac). At least let us humans "pick" questions that are realistic.

So Yosemite with its mega-galactic features is shutting people out on basics that have been thought out by blind-sided un-human individuals.

Anyway, the idea of a picture has some value worth digging further.
 

Fzang

macrumors 65816
Jun 15, 2013
1,315
1,081
At least the developers of 1Password and the likes thrive :rolleyes:
 

petsounds

macrumors 65816
Jun 30, 2007
1,493
519
I posted this on Yosemite because I was "innocently" hoping that upgrading would not require re-entry of passwords already set in Mavericks.

This was not the case, all passwords had to be re-entered, and some for mail, calendar, address book, iMessage and FT.

I don't understand. There is one password for all iCloud services such as iMessage, FaceTime, etc. and that is the password for your Apple ID.

For other passwords, what I do is store them in the Keychain Access app that comes with OS X. This keychain is tied to your OS X account and you use your login password to access other passwords. So I have different passwords for everything, yet I only need to know my login password to access all of them. It's not as slick as 1Password, but it's free and works well enough for me.
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
I don't understand. There is one password for all iCloud services such as iMessage, FaceTime, etc. and that is the password for your Apple ID.

For other passwords, what I do is store them in the Keychain Access app that comes with OS X.

Fully agree with both statements. And I don't understand either why Yosemite asked for the iCloud password before logging into any account. And once logged on, it actually asked for the iCloud password again, once for every app (calendar, address, mail) as I opened each one.

Hence my thread.

:(
 

bankshot

macrumors 65816
Jan 23, 2003
1,368
425
Southern California
The one that annoys me the most is having to re-enter the password just to download a free app on iOS or OS X. I DO want the password as a gate to purchasing content (to avoid accidental purchase clicks), but give me a preference to turn this off for free stuff!

Related, I have family sharing set up; prior to this, my wife and I used a shared Apple ID to purchase apps. Now the old shared account is part of the family setup. In theory, we should be able to download/update all previously purchased content using only our own personal Apple IDs. But in practice, OS X and iOS devices always want the password for whichever account originally purchased the content! Kind of defeats the purpose, huh? :rolleyes:

On the security questions, common advice is don't bother answering the actual question; they don't care if your answer is truthful. Instead, use a common, unrelated answer that you'll always remember.

  • First car? Darth Vader
  • City you were born in? Darth Vader
  • Favorite sports team? Darth Vader
  • Mother's maiden name? Darth Vader
 

DeltaMac

macrumors G5
Jul 30, 2003
13,753
4,579
Delaware
...
On the security questions, common advice is don't bother answering the actual question; they don't care if your answer is truthful. Instead, use a common, unrelated answer that you'll always remember.
...

I have done the same for years. You don't have to provide a "correct", or "truthful" answer. The security questions can be hints for answers that may not be related to the question at all. The important idea is to have a response that you can remember, and one that no one except you will know.
 

F1Mac

macrumors 65816
Feb 26, 2014
1,283
1,604
  • First car? Darth Vader
  • City you were born in? Darth Vader
  • Favorite sports team? Darth Vader
  • Mother's maiden name? Darth Vader

And as a bonus you can even feel like you're Luke Skywalker when the question is "what is your father's name?" ;)
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
  • First car? Darth Vader
  • City you were born in? Darth Vader
  • Favorite sports team? Darth Vader
  • Mother's maiden name? Darth Vader

Actually this does not work, they have to be different.

But why can't I enter the question myself? Technically this is not black-magic and other sites do it.

I really think Apple has no idea how silly their security setup is. It does not respond to their credo of making things simple for me, their user.

So, indeed, I can invent walk-arounds, and commit to remember them, or I can enter my questions that trigger answers from my memory. I prefer the latter as it is more human.
 

mpfuchs

macrumors 6502a
Sep 19, 2014
519
1,379
VA
I don't understand. There is one password for all iCloud services such as iMessage, FaceTime, etc. and that is the password for your Apple ID.

For other passwords, what I do is store them in the Keychain Access app that comes with OS X. This keychain is tied to your OS X account and you use your login password to access other passwords. So I have different passwords for everything, yet I only need to know my login password to access all of them. It's not as slick as 1Password, but it's free and works well enough for me.

And it works in iOS as well!
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
For AppleID yes, they do - I found this when enabling two-factor authentication - and a benefit of doing that is no more security questions :)

Hi simonsi, the wording of your post is ambiguous, so not clear whether yes/no.

When I tried entering the same answer, an alert said that the answers had to be different.
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
Hi simonsi, the wording of your post is ambiguous, so not clear whether yes/no.

When I tried entering the same answer, an alert said that the answers had to be different.

Sorry, yes they do have to be different answers for AppleID (unlike many other sites/services who don't cross-check). As I said, I enabled 2-factor auth and now don't have to worry about those answers at all....

Just put 2-factor on Dropbox as well....
 

mpfuchs

macrumors 6502a
Sep 19, 2014
519
1,379
VA
That is what I understand it should. But when I see OS X asking me for the password of the CALDAV calendar of iCloud, I can only conclude that it did not work.

It's because it only works in Safari seamlessly.
For everything else, you'd have to go in, find your password and add it in manually.
Same in iOS, when you try to use the login inside of an app, it won't work. It will only work in Safari.
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
....as I said I enabled 2-factor auth and now don't have to worry about those answers at all....

I don't want to enter the discussion of what is secure, and what is not, and why/when it's needed. 2-factor seems excessive for my needs.

However, I do strongly think that when security is imposed (and the questions are) then they must adjust to the fact that "humans" are going to use them.

Presently, what Apple "imposes" is not human, it's having me play monkey, and in reality they can be circumvented: the questions can be reset via Apple support and this "only" requires access to the password.

This is not security, and it is not implemented to adapt to "human" behaviour. And I return to the fundamental, the extra $$ spent for Apple products is also to have someone care that I am a "human" (not a monkey, not a robot who both can memorise absurd things at Apple's whim).
 

simonsi

Contributor
Jan 3, 2014
4,851
735
Auckland
But you could access all of that with your password.

So your password is the single point of entry required, the rest just requiring time and patience

No, not really, you have to log in and request a PIN code, then give that to the rep over the phone; that enables them to verify (to some degree) that you are physically located close to any address on file. Pretty sure they asked for DoB too - which isn't listed as far as I can see once you have logged in. They can also no doubt see a history of changes on the account, so it would raise suspicions if, for instance, you changed address, email addresses and then requested security questions were reset in a short space of time, as you would need to do to covertly hijack an AppleID by this method.

Of course it isn't perfect (neither is two-factor). Glad to have two-factor in place though...
 

aicul

macrumors 6502a
Original poster
Jun 20, 2007
809
7
no cars, only boats
No, not really, you have to log in and request a PIN code, then give that to the rep over the phone; that enables them to verify (to some degree) that you are physically located close to any address on file. Pretty sure they asked for DoB too - which isn't listed as far as I can see once you have logged in. They can also no doubt see a history of changes on the account, so it would raise suspicions if, for instance, you changed address, email addresses and then requested security questions were reset in a short space of time, as you would need to do to covertly hijack an AppleID by this method.

Of course it isn't perfect (neither is two-factor). Glad to have two-factor in place though...

I'm afraid that's a negative.

I did log in, I entered on the Apple website my own tel number.

On the call I was just asked for the PIN.

All I needed was the PASSWORD.
 