iCloud security and personal responsibility

iCloud may not have been hacked but iCloud accounts are hackable. So are other online accounts. Why? Security is at constant war with convenience. Absolute security makes our data inaccessible to everyone, including us. Absolute convenience makes our data easily available to everyone, including those who would use it to harm us. The key to a workable system is balance, where a range of options are afforded and we choose and use them in a way that's best for us. That includes Apple giving us the options we need and making them as understandable as possible, and it includes us taking the time to understand them and implement them as best as we can. So what can we all do better?

Following celebrity photo data theft, Apple's CEO, Tim Cook, has outlined several steps they will be taking to bolster security for iCloud. These include more notifications when backups are restored and devices are first added, broader implementation of 2-step verification, and an increased effort to educate customers about the security and privacy tools that are available to them.

Those are good steps. Necessary steps. Apple needs to do them and do more of them.

But we need to take responsibility for our own security as well.

This isn't about blaming victims. Perpetrators are the only ones who get blamed. This is about empowering people. This is about planning smart and fighting back hard. This is about making it so that even if you are one day victimized, you are never a victim.

Use strong passwords

Apple has minimal requirements for passwords. You need to have at least one uppercase letter, one lowercase letter, and one number, and it has to be at least 8 characters long, for example.

You want something way, way stronger than that. Length is important. The longer a password is the longer it takes to crack it. However, lack of predictability is also important. The length doesn't matter as much if it's predictable (if it's composed of common dictionary words, for example).

So, ideally, you'd want to use 32 pseudo-random characters for your iCloud password and store it in a password manager. Unfortunately, you'll likely have to type it in, especially on mobile devices, more often than would make that practical.

So, treat it like a master password. Make it as long and as unpredictable as you can, but keep it so that you can enter it on an iPhone or iPad when you have to. (The iOS 8 Touch ID API will mitigate this, but there will still be times you'll have to type it.)

The best advice I've some across on choosing a strong master password is from AgileBits, makers of 1Password:

This is the single most important thing you can do for your security. It's the lock on your car or your house. Make it as good as it can possibly be.

Use a password manager

In a perfect world security would be impregnable and effortless to use. Sadly, this world isn't perfect. Passwords are too complex for the mainstream and while technologies like Touch ID can help, biometrics isn't a complete solution yet, nor is anything else.

You need passwords. You need strong, unique passwords. That means you need a password manager. You have several really good options on the iPhone, iPad, and Mac. Choose one and use it.

Avoid security questions when you can, fill them with passwords when you can't

Security questions are designed to make it easier for people to recover forgotten passwords. Sadly they also make it easier for criminals to hack passwords. More often than not, they replace the security of a strong password with the guess-ability of several weak ones.

I avoid providing security questions whenever I can. When I can't, I fill them with strings of pseudo-random gunk and store them in my password manager.

If I use my first pet's name, someone can find that out. If I lie about the pet's name, I could forget the lie I used. No one can find out about kc+y7^QD66tCmuqfQG/wQ43QF>d=d#2W, by way of example, and if it's in my password manager, I can't forget it when and if I ever need it.

Sign out of websites when you're done

Some websites, including iCloud.com, store a security token to make it easier for you to access them repeatedly during the same session. It's a convenience so you don't have to re-enter your password every time. It's also security hole if someone gains access to your computer.

Sure, someone gaining access to your computer is terrible in so very many ways. Your computer has your photo library, your email account, and many, many other things. If your family members or workmates are out to get you, the threat level is significantly higher and you'll need to take many more precautions (and likely have other issues urgently in need of addressing.)

However, logging out still prevents someone whose sole and only purpose is to get that token so they can steal your online data later. It closes one more hole, especially if you've logged into someone else's computer or a public terminal.

Don't click on links in emails

The easiest way to get something from someone is often just to ask them. If your password is too long and unpredictable to easily crack, if your security questions are nonsensical blobs, another way for criminals to try and get your login is just to ask you for it — via a fake email.

They'll send you something that looks like it comes from Apple, Google, etc. along with an urgent message designed to scare you into clicking on a malicious link they provide and getting you to log in to their server so they can record what you type and use it to break into your account.

It's called phishing and it's been going on for years.

To avoid it, never click on a link in an email. Instead, if you get something that says it's from Apple or Google or Dropbox or anyone else, open a browser window yourself, type in iCloud.com or Gmail.com or Dropbox.com yourself, log in to your account, and then see if there are any real situations that require your attention.

Play safe

These are just a few of the most common ways criminals try to hack iCloud accounts. There are and no doubt will be others. If you're a high value target, you'll need to treat online security as seriously as you treat real-world security. If not, while you should take reasonable precautions, there's no need to panic.

Play safe and play smart. Be conscientious of your data and where and how you store it.

Apple doesn't let Touch ID fingerprint data out of the secure enclave on the iPhone, and it sounds like they won't be letting mobile payment data out of there either. That means it never gets anywhere near the cloud. Likewise Apple has said they'll reject any app that tries to store health and fitness data from HealthKit on the cloud, and has put in strict privacy guards to keep even local apps from getting anything more than you want to share.

This won't be the last time we hear about data theft, sadly. But if you never thought about online security before, you can start thinking about it now.

Apple absolutely has to improve the security and the awareness of the security around iCloud. And just as absolutely we have to take responsibility for our own security. After all, we're in this together.