Managing a Secure iTunes Password on iOS

This article first appeared in the December issue of ScreenCastsOnline Monthly Magazine. ScreenCastsOnline Monthly Magazine is packed with hints, tips, articles and links to streamable versions of ScreenCastsOnline tutorials and delivered monthly via Newsstand on the iPad. You can find out more at

If you're reading this article, chances are you're already very aware of the importance of creating and maintaining good passwords. We all know the rules: we're supposed to generate passwords that have a combination of letters, numbers and symbols; no password should be repeated between sites; passwords should be a certain length to foil "brute force" attacks; and we should rotate our passwords regularly. Okay, now how many of us actually practice what we preach all the time?

Several years ago I became a devotee of 1Password (full disclosure: 1Password is a sponsor of Mac Power Users). This was a major step forward from the Excel spreadsheet I was using (yes, it was named “Passwords.xls” but I did have it stored in a secure disk image - give me some credit!). But to start, I was still just allowing the password manager to store the lousy passwords I created. It wasn't until a few years ago that I gave in and replaced almost all my poor passwords with randomly generated passwords created by the application. Today, almost all of my passwords are unique and randomly generated, and I rotate my most sensitive passwords at least twice a year. I thought I was in pretty good shape; then this summer we all got a wake-up call with the Mat Honan hacking incident.

For those unaware of what happened to Mat, his article for Wired is required reading. Mat's Apple ID was compromised by hackers, and although the incident had nothing to do with a cracked password, his story illustrates how quickly bad things can happen when someone gains access to this single account. For Apple geeks, the Apple ID is the keys to our kingdom, meaning a hacker could gain access to iCloud data and possibly restore it to their own devices, locate and remotely wipe iOS devices and computers, gain access to contacts and calendars, access stored credit card information and make purchases, and gain access to email and then use it as a gateway to other services. What's worse is that because our Apple ID is used for so many things and is commonly entered on iOS devices with miniature keyboards, the desire to use a simple, easy-to-enter password is strong.

I admit, until recently, my Apple ID was the one password I kept outside of 1Password, and I used my own memorable password out of laziness and convenience. However, with some of the changes in iOS 6, which no longer prompts for a password for everyday activities like app updates, I decided it was finally time to close this potential vulnerability. Changing an Apple ID password is fairly straightforward, but you need to be prepared and make sure you get all of your devices and settings updated to keep your iLife behaving properly.

Changing your Apple ID password isn't complicated; Apple has a Knowledge Base article on the topic. If you haven't already, you'll want to set up a recovery email address in the event you get locked out of your account. I suggest the recovery email address be well secured and something that is not in any way connected with your Apple ID. Some suggest setting up a unique email account, possibly one using two-factor authentication, specifically for use as a recovery email address for this and other services. The idea is that if your primary email account is compromised, it can't be used to reset other services. You'll also need to set up or update your security questions. You'll want to be careful with these, as they're prone to social engineering hacks. If you have any kind of online presence, it’s not hard for someone to discover your mother's maiden name or your elementary school. One option is to enter random gibberish and use your password manager to store these answers as well, but this could be awkward if you ever had to repeat them over the phone.

As soon as you change your Apple ID password, things will start to go haywire. Mail will prompt you for your password, iCloud will throw up errors, the light on your AirPort will blink orange and your iPhone will freak out. It's okay. But now you have to start the process of going around to each of your devices and entering your new credentials, sometimes in multiple places. This password is used in more places than you'd think; here's a preliminary list of places you need to make the change:

  • iCloud System Preferences on each of your Macs
  • iCloud Settings on each iOS device
  • Messages on Mac and iOS
  • iTunes and Mac App Stores
  • Apple TVs
  • AirPort routers
  • Third-party apps that connect to iCloud

Now that your password is changed and all your devices are updated, you'll have to live with the day-to-day inconvenience of having a randomly generated Apple ID password. If you need to enter your password on a Web site, password managers with browser extensions are great. Unfortunately, your Apple ID has to be entered in many places where that won't work, such as iOS devices or the App Stores. For those cases you just have to open up your password manager and copy and paste the password in as needed. It's a little extra hassle from time to time, but given the dire consequences of a compromised Apple ID, I'm sleeping a little bit better at night knowing things are locked down, and I wish I had made this change a long time ago.