How to minimize the chance of your iTunes account being hacked

Given the iTunes account hacks last week, and again yesterday, we figured it was a good time to go over the basic ways you can reduce the chances of having your own iTunes -- or any other -- account hacked.

Sure, many of you regular readers already know all this, but take it as an opportunity to forward the link on to friends, family, and co-workers who might not.

Note, we're not security experts, these are just the tips and tricks we use to make our own accounts more secure, and some of the things we've learned -- sometimes the hard ware -- to avoid.

Weak passwords

A weak password is one that's easy to guess, never mind actually spend time and effort hacking. Avoid them at all costs.


  1. Don't use the word password as your password
  2. Don't use your username as your password or your email address or name. You want your username and password to be as different from each other as possible
  3. Don't use words as you password. Simple, short, really easy to remember also means really easy to guess.
  4. Don't use the same password for every site. If they guess it for one, they guess it for all your logins.


  1. Use a mix of lower case and upper case, numbers, letters, and symbols
  2. Make it as long as you can. 10 characters should be enough if you're not guarding James Bond-level secrets.
  3. Make it a phrase so it's easy to remember but still hard to guess. Here are some examples: TheiPh0neBl0g!, iP@d-L1ve-?
  4. Add some variation for each major site. If you're worried about remembering it, keep it relative. For example, you could add the first 2 characters of the domain name to the beginning or or end of your password. (TiMyP@ssw0rd, MyL0g1n_Am, etc.)

Using a short phrase gives you a good length of characters but is easier to remember than a random string. Capitalizing the words lets you vary the case, putting dashes or underscores between words and/or replacing some letters with similar looking numbers or symbols gives it a lot of strength without making it much harder to remember. Adding a little variation means if they somehow still get one, they don't get them all.

Phishing/Social engineering (i.e. the con)

The easiest way to get anyone's password is to ask them for it. Get in the habit of never, ever, answering. No reputable company will ever ask you for your password, even for their site. Apple will never, ever ask you for your iTunes password.

They won't ask you to tell them your password. They won't send you an email with a link telling you to click it and login to your account, verify your account, or change your password. (And if they do, they shouldn't -- ignore it anyway). And iTunes accounts are managed in the iTunes application, not on webpages. Don't ever enter your iTunes password on a web page (it's most likely fake).


  1. Give anyone your password, ever. If you wouldn't give them the keys to your house or your wallet, don't give them the password connected to your credit card and personal information.
  2. Click a link in an email that takes you to a web page that wants you to put in your password. Even if it says it's about an order or purchase you made, even it looks 100% legitimate, it could easily be a fake.
  3. Tell anyone your password if they call you on the phone, even if they say they work for iTunes or an internet site you use.


  1. Go to websites directly in your browser by typing in the name yourself. Google is probably fine, actually typing in is even better.
  2. If you get an email telling you to verify your account or order, close the email, launch your browser, type in the name of the website yourself, then go to your account or order status and see if it's true.
  3. If you get a phone call about an internet site you use, hang up, go to the internet site, find their contact information, and call them back. It's a hassle but at least you'll know who you're talking to.

Malware (Viruses, Spyware, etc.)

The above is all good, general purpose advise that will prevent most of the common ways your iTunes -- or any other account -- could be hacked. The nastier stuff involves viruses that infect your computer and spyware that tries to steal your information.

If you're running Windows, make sure you're also running Windows Update religiously, have a good anti-virus and anti-malware program installed (Microsoft's free internet security suite is great), and keep following the advice above (especially the advice about not clicking links in emails).

Here's where we apologize for scaring you slightly -- there's all sorts of nasty stuff out on the internet. If you visit sketchy websites, get your music, movies, and software from less than legitimate online sources, etc. you probably know the dangers already, but bad guys can infect even good sites so it pays to always be careful. DNS cache poisoning, keystroke loggers, man-in-the-middle attacks, and similar dangers are out there just waiting to try to separate you from your credit card information.


  1. Fall behind in your Windows updates. They'll patch exploits and remove malicious software.
  2. Go to sketchy websites. Nothing is truly for free in this world. If they're offering you free music, movies, software, products, and yes, even porn, chances are they want something in return -- and that something could be to infect your PC.
  3. There has even been malware inserted into cracked Mac software -- don't assume an Apple logo on your PC makes you bullet proof.


  1. Set Windows Update to run automatically.
  2. Make sure your firewall is up, you're running anti-virus and anti-spyware (again, Microsoft's free stuff is great), and you're behind a router (like your Wi-Fi router).
  3. Know where you download your files and software from. If you don't explicitly trust the source, don't download it.

If you think you've been infected, if you haven't been doing your updates or you have been visiting sketchy websites, if you system is running slower than it ought to be, if things popup randomly or start and stop working all the time without explanation, do yourself a favor -- find the smartest, tech savvy-est family member, friend, or co-worker you can and have them take a look at your PC.

Worst case scenario, if you're infected, they can help you back up your data, re-format clean, and re-install your system. Then lock it down with automatic updates and that anti-virus and anti-malware software we mentioned above, and help you reset your passwords.

Use your iPhone and/or iPad

Hey, since we're an iPhone and iPad site, we'll just mention that -- so far -- you're safer doing your internet browsing and shopping on an iPhone or iPad than you are a Windows PC.

It absolutely won't protect you from weak passwords or phishing scams but as of this writing there isn't the malware -- virus and spyware -- problem on iOS that there is on Windows. And while iPhone and iPad can't do everything a computer can do, they can do a good portion of the most common things.

There are also a lot of dedicated apps you can use instead of the internet, including the iTunes and App Store apps. Those are currently harder to fake.


This is our best advice, to the best of our current knowledge. We can be wrong and things can change fast. Luckily a lot of smart people read TiPb and there's a good chance they'll correct, expand, and update what's written here in the comments below. We'll agree to weed out anything off-topic if you'll agree to give them a quick glance for important new information, deal?

Rene Ritchie

Editor-in-Chief of iMore, co-host of Iterate, Debug, ZEN and TECH, MacBreak Weekly. Cook, grappler, photon wrangler. Follow him on Twitter,, Google+.

More Posts



← Previously

Tweetings for iPhone - App Review and Giveaway!

Next up →

Blogshelf for iPad - app review

There are 18 comments. Add yours.

mv rob says:

Thanks for all the info! Although I am really good about my online activities, my girlfriends mother is a whole different story. She is really clueless when it comes to being online and phishing scams. She is constantly filling wverythin out and asking me about these emails she gets. I forwarded her a link to her just to be helpful. Anyone know a good website that has info on all this stuff so I can direct her to it?

ronr says:

One other tip; don't load a credit card number in iTunes. I was hacked and am now either entering a number every time I want to purchase something it only using iTunes cards to purchase. It's a hassle, but it's secure.

zero credibility says:

I've found lastpass has completely revolutionised my Internet passwords and avoids all phishing attacks by not logging you in if the website is fake. Take a look. Just sharing the love.

CJ says:

And this is why I have 1 Linux machine in my house. It's used to pay bills online and for anything else that requires a "sensitive" login.

Trevor says:

@ Ronr, good advice though most people aren't that patient cause you could run out and NEED to get that killer app on a one-day sale. Ie, stock up. Along those lines, here's something everyone who reads tipb can use - buy iTunes cards at Costco. It's about $5 off $50 & if you're a tipb reader, chances are you'll go through that much eventually. It's the only way I've come across so far to get a discount on iTunes. Further, you can often get multipacks of $15 which make great small gifts, but it works out to $12 for a $15 card. Last, it can keep your app-splurging down if you watch your account money draining down, unlike with credit card. ;-)
There is one catch. You have to have a Costco near you and pony up $100 for a year membership, which is worth it if you shop there. 2

Webvex says:

Using leet numbers (1 for I, 3 for E, @ for A, etc.) doesn't buy you much. Everyone, especially the bad guys, knows them. Ditto for capitalization. The most important aspect of a strong password is randomization. Either use a truly random password or a long phrase--which is a pain and makes typos more frequent. At any rate, strong passwords only help with dictionary attacks and any reputable site already prevents those.
One huge tip you forgot is to not use those "forgot my password" questions. If it's required, either just enter garbage or enter a secondary (strong, random) password. Those back-doors and social engineering are the worst attack vectors today.

iPheuria says:

Great info just want to add a link to a post of mine that goes a little more in-depth about making secure passwords

ghostface147 says:

This boils down to common sense. My password is in an extinct native american language. Good luck.

Webvex says:

Basically, your passwords just have to be unguessable. Random and short (eight chars) is fine. You don't need some ridiculous twenty character GUID-like thing with symbols and everything. You'll just end up locking yourself out with typos.
Again, the biggest problem isn't someone guessing your password--although you certainly want to avoid that. Brute force dictionary attacks arent very common or possible anymore. It's the social engineering, malware, hacked servers, etc. that you need to watch for.
You should have a strategy that minimizes damage if your account is compromised, which is increasingly outside our control. Different passwords for every account is the best approach, but it isn't practical for most people. BTW, password managers can be hacked too, or get corrupted/lost, and then you have all your eggs in one basket.

CJ says:

You can have the most complicated password in the world but if your machine happens to get infect with some kind of key logger, your password is as good as Mudd.

fastlane says:

I'll continue using my short, easy-to-remember passwords that I've been able to quickly enter for the past 14 years... thanks anyway.

Glenn#IM says:

I have said this before, but any mobile device may not get directly infected, but could be a carrier to your pc the next time you sync via USB. Safe site searching is always best. Always clear you catch, and history. No mater what spyware software you use, if you do not at least once a week update definations, you will have problems. Before downloading some super virus software your buddy told you about, research it first. You will be amazed the bad junk out there that claims to be the best. One big DO NOT MESS WITH is your registry. If you do not know what you are doing, never mess with it. Leave it to the experts. If you have dsl, cable, or wifi. Do not leave it on 24/7 turn that modem off. Disconnect the cable, or phone line. It may be a pain to hook up every time you turn on, but hard to attack you if you are logged out, and disconnected.

Havok says:

I simply removed all my payment information from my iTunes account. I can simply get free apps but not the ones that costs money. I don't buy apps anymore anyways.

Darren says:

The iTunes password suggestion is BRILLIANT!! Except for the small problem of, have you ever tried to type those passwords on the pathetic excuse for a keyboard that comes with the iPhone? Sure I can type words all day long easily, but typing a random mixture of mixed case letters/symbols/numbers isn't just aggravating, but for many including me, it comes down to the fact that when you get to the next letter you've forgotten where you are in the password key. And remember that whenever you get an App even for FREE, you have to type in your iTunes password on your iPhone. Reference the Dilbert cartoon for Mordac where the login procedure has been modified to include staring directly at the sun. I suppose if the iPhone had some useful feature where it required some smaller simpler security pin to use a cached iTunes password rather than having to put in the full password that you need for acceptable internet security that would be more acceptable, but until then, you are simply suggesting that people make the device unusable as that is thereby the most secure system.

OrionAntares#CB says:

You forgot a VERY important tip especially when using your iDevices. NEVER submit passwords, CC info, or other sensitive info over unsecured or weakly secured WiFi connections.

robot multifonction says:

Worthless for the brobdingnagian review, but I'm truly lovesome the new Zune, and this, as intimately as the superior reviews any opposite change holographic, give ameliorate you adjudicate if it's the deciding for you.

orlando engagement ring says:

Hi, Neat post. There's an issue along with your site in web explorer, may test this? IE still is the market chief and a big component of people will leave out your wonderful writing due to this problem.