Hey Apple, That’s Not Security – That’s Insanity
I’m an IT professional. That means I don’t ever back up my own data files, but I keep my systems secure. I know not to click on links in unsolicited emails. I know that there’s no way to find out who has been viewing my Facebook profile. I realize that I’m not the 1,000,000th visitor today and I did not win an XBox.
I do many practical things to safeguard my online security. I have strong passwords that are more than six characters long and include a mix of upper and lowercase letters with numbers and special characters. I have two-step authentication enabled for my social media and email accounts, meaning that even if you knew the password for my Facebook account, when you tried to hack into it, you would also have to gain access to my phone so that you could read the one-time security code that Microsoft texts me each time I log in.
I protect my hardware as well. If you were to steal my phone, you would need a passcode to turn it on. Try guessing too many times and the phone will wipe its memory. (Something I’m very aware of after the second fat-fingered mistyping of my passcode.) My laptop has the hard drive encrypted with BitLocker. When I boot it up, I have to type in a code.
I’m also aware of how much I just compromised my security by telling you all the ways I stay secure. My point is that I get it. I understand why security is important, and I understand how to keep my systems and devices secure. That’s why the message I got on my iPad this morning was so annoying.
THE PASSCODE ON YOUR iPAD HAS EXPIRED. PLEASE RESET YOUR PASSCODE
This is one of the worst abuses in the name of “security” I’ve seen in a long, long time. Apple is not making me more secure. They are making me less secure. The fact that they are telling me it’s for my own good is maddening.
Resetting your password is a good idea. My work account resets on a pretty short schedule. (No, I’m not going to tell you what the schedule is. Because, you know. . .security!) I have a plan in place for how to ensure my work password is secure and also so that I can remember it as I change it on a regular basis.
My bank makes me change my passcode on a regular basis. Most of my social media accounts and email accounts do too. And I’m fine with that. It’s a security best practice. I might grumble at the extra 2 minutes it takes me to update my devices with a new email password, but I understand its value. Changing the passwords on a regular basis makes the system more secure.
Changing my passcode is different.
Changing my passcode doesn’t make me more secure. It makes me less secure. Let’s talk about how it weakens security. I have committed my passcode to memory, of course. When I open my iPad, I enter it almost without consciously thinking about it. Changing it means that I now have to think about it. I have to try to remember it. I might even be tempted to write it down. Logging in goes from being a natural act to an unnatural one. It breaks the routine.
Think about when you were in Junior High School. The first week of class, everyone carried around little slips of paper with their locker combination on it. You had to pull that out of your pocket every time you stopped between classes and carefully go through the sequence. . .twice, because you forgot that you have to go all the way around on the second number. But, eventually you memorized it. You could get your locker opened, switch books and still have enough time to run to the hall where the cute girl would be walking by.
You were never asked halfway through the school year to change your locker combination. Should you have been? Wouldn’t it make it more secure if we changed up everyone’s combination on a regular basis? Of course not. In fact, it would weaken security. You’d have everyone walking around with those little slips of paper again.
The passcode on the iPad is like that. Passwords need to be changed on a regular basis because they are vulnerable to hacking. If someone can compromise a system that you have an account on, they can get access to your password, and therefore to your account. And since hackers do not always announce when they have compromised a system, it’s a good idea to regularly force users to change their passwords.
However, your Junior High locker combination wasn’t stored in a vulnerable location. You had a copy and somewhere the office had some master list with serial numbers matched to combinations. But, unless you shared it with someone, it was secure. Now think about your iPad. That passcode is stored locally. It’s not sent to Apple. It’s not in some master database somewhere online that is susceptible to hacking.
No one can hack their way into finding out your passcode. It’s like your locker combination. It exists in one place. It’s not a password. Changing it no more secures your iPad than switching combination locks would make your locker more secure. I wish the Apple engineers would figure that out.
Of course, being a professional IT person, I realized that I can change my passcode back. Not immediately. Apple keeps track of your last passcode and won’t let you reset the passcode to the one you used previously. However, if you change it enough times, you can eventually get back to the point where you can reset your locker to the original combination. How many previous passcodes does it save? I’m not going to say. Because, you know. . .security.
Rodney M Bliss is an author, columnist and IT Consultant. His blog updates every weekday at 7:00 AM Mountain Time. He lives in Pleasant Grove, UT with his lovely wife, thirteen children and grandchildren.
(c) 2016 Rodney M Bliss, all rights reserved