iCloud security and personal responsibility

iCloud may not have been hacked but iCloud accounts are hackable. So are other online accounts. Why? Security is at constant war with convenience. Absolute security makes our data inaccessible to everyone, including us. Absolute convenience makes our data easily available to everyone, including those who would use it to harm us. The key to a workable system is balance, where a range of options are afforded and we choose and use them in a way that's best for us. That includes Apple giving us the options we need and making them as understandable as possible, and it includes us taking the time to understand them and implement them as best as we can. So what can we all do better?

Following celebrity photo data theft, Apple's CEO, Tim Cook, has outlined several steps they will be taking to bolster security for iCloud. These include more notifications when backups are restored and devices are first added, broader implementation of 2-step verification, and an increased effort to educate customers about the security and privacy tools that are available to them.

Those are good steps. Necessary steps. Apple needs to do them and do more of them.

But we need to take responsibility for our own security as well.

This isn't about blaming victims. Perpetrators are the only ones who get blamed. This is about empowering people. This is about planning smart and fighting back hard. This is about making it so that even if you are one day victimized, you are never a victim.

Use strong passwords

Apple has minimal requirements for passwords. For example, a password needs at least one uppercase letter, one lowercase letter, and one number, and it has to be at least 8 characters long.

You want something way, way stronger than that. Length is important. The longer a password is the longer it takes to crack it. However, lack of predictability is also important. The length doesn't matter as much if it's predictable (if it's composed of common dictionary words, for example).

So, ideally, you'd want to use 32 pseudo-random characters for your iCloud password and store it in a password manager. Unfortunately, you'll likely have to type it in, especially on mobile devices, more often than would make that practical.

So, treat it like a master password. Make it as long and as unpredictable as you can, but keep it so that you can enter it on an iPhone or iPad when you have to. (The iOS 8 Touch ID API will mitigate this, but there will still be times you'll have to type it.)

The best advice I've come across on choosing a strong master password is from AgileBits, makers of 1Password:

This is the single most important thing you can do for your security. It's the lock on your car or your house. Make it as good as it can possibly be.

Use a password manager

In a perfect world security would be impregnable and effortless to use. Sadly, this world isn't perfect. Passwords are too complex for the mainstream and while technologies like Touch ID can help, biometrics isn't a complete solution yet, nor is anything else.

You need passwords. You need strong, unique passwords. That means you need a password manager. You have several really good options on the iPhone, iPad, and Mac. Choose one and use it.

Avoid security questions when you can, fill them with passwords when you can't

Security questions are designed to make it easier for people to recover forgotten passwords. Sadly they also make it easier for criminals to hack passwords. More often than not, they replace the security of a strong password with the guess-ability of several weak ones.

I avoid providing security questions whenever I can. When I can't, I fill them with strings of pseudo-random gunk and store them in my password manager.

If I use my first pet's name, someone can find that out. If I lie about the pet's name, I could forget the lie I used. No one can find out about kc+y7^QD66tCmuqfQG/wQ43QF>d=d#2W, by way of example, and if it's in my password manager, I can't forget it when and if I ever need it.
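To put numbers on the length-versus-predictability point and on the random security answers described above, here is an added example (not from the original article). The short word list, the 20,000-word attacker dictionary and the 7,776-word passphrase list size are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# 52 letters + 10 digits + 32 punctuation marks = 94 printable symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list so the code runs offline. A real passphrase
# generator should draw from a list of thousands of words.
SAMPLE_WORDS = ["anchor", "bottle", "cactus", "dragon", "ember", "falcon",
                "garden", "harbor", "island", "jungle", "kettle", "lantern",
                "marble", "nickel", "orchid", "pepper"]


def meets_minimum_policy(pw):
    """The minimum rule quoted in the article: 8+ chars, upper, lower, digit."""
    return bool(len(pw) >= 8
                and re.search(r"[A-Z]", pw)
                and re.search(r"[a-z]", pw)
                and re.search(r"[0-9]", pw))


def random_string(length=32, alphabet=PRINTABLE):
    """Pseudo-random string for a password manager entry or security answer."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=SAMPLE_WORDS, sep="-"):
    """Typeable master password: n words chosen independently at random."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices, draws=1):
    """Entropy of `draws` independent uniform picks from `choices` options."""
    return draws * math.log2(choices)


def compare():
    """Strength comes from how a secret is generated, not how it looks."""
    return {
        # "Password1" style: one dictionary word, capitalised, plus one digit.
        # It passes the minimum policy, yet the attacker only has to search
        # (assumed) 20,000 words x 10 digits.
        "word_plus_digit": round(entropy_bits(20000 * 10), 1),
        # Six random words from an assumed 7,776-word list.
        "six_word_passphrase": round(entropy_bits(7776, 6), 1),
        # 32 random printable characters, as the article suggests.
        "random_32_chars": round(entropy_bits(len(PRINTABLE), 32), 1),
    }


if __name__ == "__main__":
    print("Password1 passes minimum policy:", meets_minimum_policy("Password1"))
    print("security answer:", random_string())
    print("master passphrase:", random_passphrase(6))
    for name, bits in compare().items():
        print(f"{name:22s} {bits:6.1f} bits")
```

Each additional bit doubles the guessing work, so the gap between the policy-compliant pattern and the randomly generated secrets is far larger than the raw numbers suggest.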

Sign out of websites when you're done

Some websites, including iCloud.com, store a security token to make it easier for you to access them repeatedly during the same session. It's a convenience so you don't have to re-enter your password every time. It's also a security hole if someone gains access to your computer.

Sure, someone gaining access to your computer is terrible in so very many ways. Your computer has your photo library, your email account, and many, many other things. If your family members or workmates are out to get you, the threat level is significantly higher and you'll need to take many more precautions (and likely have other issues urgently in need of addressing.)

However, logging out still stops someone whose sole purpose is to get that token so they can steal your online data later. It closes one more hole, especially if you've logged into someone else's computer or a public terminal.

The easiest way to get something from someone is often just to ask them. If your password is too long and unpredictable to easily crack, if your security questions are nonsensical blobs, another way for criminals to try and get your login is just to ask you for it — via a fake email.

They'll send you something that looks like it comes from Apple, Google, etc. along with an urgent message designed to scare you into clicking on a malicious link they provide and getting you to log in to their server so they can record what you type and use it to break into your account.

It's called phishing and it's been going on for years.

To avoid it, never click on a link in an email. Instead, if you get something that says it's from Apple or Google or Dropbox or anyone else, open a browser window yourself, type in iCloud.com or Gmail.com or Dropbox.com yourself, log in to your account, and then see if there are any real situations that require your attention.

Play safe

These are just a few of the most common ways criminals try to hack iCloud accounts. There are and no doubt will be others. If you're a high value target, you'll need to treat online security as seriously as you treat real-world security. If not, while you should take reasonable precautions, there's no need to panic.

Play safe and play smart. Be conscientious of your data and where and how you store it.

Apple doesn't let Touch ID fingerprint data out of the secure enclave on the iPhone, and it sounds like they won't be letting mobile payment data out of there either. That means it never gets anywhere near the cloud. Likewise Apple has said they'll reject any app that tries to store health and fitness data from HealthKit on the cloud, and has put in strict privacy guards to keep even local apps from getting anything more than you want to share.

This won't be the last time we hear about data theft, sadly. But if you never thought about online security before, you can start thinking about it now.

Apple absolutely has to improve the security and the awareness of the security around iCloud. And just as absolutely we have to take responsibility for our own security. After all, we're in this together.

Rene Ritchie

20 Comments
  • "Personal RESPONSIBILITY!?"
    Really?
    This country is a NANNY state of people any longer.
    Nobody is RESPONSIBLE for anything.
    "It's not my fault!?"
    "I didn't know!?"
    "What do you mean, I was...!?" Kind of like that South Park episode where Kyle didn't read the "Apple Terms" when updating his software. People assume that "The software, or the Company" will take care of them. Sheeple are sheeple and they do as little as they can... Yet, they are the first to BITCH, MOAN, WHINE, AND CRY!!!!
  • Ritalin is your friend.
  • You spend $500+ on a device. Comes with 1000s of features, cool. Default state of the features that make the device cool, are at risk, especially to those who don't understand how they are secured. Not cool. Apple is not liable because the terms of conditions which have more wording than the constitution has warned you adequately - and conveniently the only time you can review these terms is when you are setting up your phone in a quick and easy setup wizard. Less cool Apple disregards this as an issue. Much less cool Celebrities who supported your product (free advertising) completely left out in the cold because they are "average users" are blamed for their lack of understanding how to secure the default state of the features they liked.... Fail
  • are you for real? This is the attitude that frustrates me as someone who works in IT. Users don't have the time or effort to learn about the technology or services they use. Then it's this attitude of ignorance is bliss that makes them come crying to me in a panic because their email or Apple account was hacked. It's called responsibility. I don't leave my keys in the front door of my house and then blame the lock manufacturer when I'm robbed. Sent from the iMore App
  • It's called corporate responsibility. I'll show you a quick example: "iCloud lets you access your music, photos, documents and more from whatever device you’re on. It’s easy to set up and use. And with features that give you peace of mind and make sharing simple, iCloud is also great with just one Apple device." Apple as a company lets you "easily" implement iCloud wherever it is offered under the guise that it's super secure - without explanation on how it leaves your keys in the door, there is only "click here to turn it on" and no warning, or information regarding, simply that it is "secure". And now the public is learning that "iCloud" being secure is a load of crap because there is no proper password policy, no explanation of potential insecure communication points and no safety precautions on key files stored locally. As well, I work in IT too, and my clients don't frustrate me because I care to inform them on best practice when it comes to security and use of any of the software I provide, because, that is responsible. Apple, was not - and because of their one click giant agreements, they are legally clear of any wrongdoing.
  • Guns don't kill people, people do!
  • I cannot blame Apple for the lax security a percentage of its user base has adopted and employed. I can and will blame a percentage of its user base that feels more secure than it ought to when it comes to what is and is not accessible through the cloud. People should honestly take an hour this weekend and perform an audit of their online accounts. From there, weed out the weak passwords and recovery questions and replace them with more secure data. Your first dog's name shouldn't be your first dog's name in some cases. In some cases, it should be a mother's maiden name or the name of your favorite movie. Mix it up a bit. Don't be afraid of long passwords. Don't be afraid of making passwords too short. Just remember that your password's level of security will depreciate over time and you should look at changing it on a regular basis. Every 30-45 days is feasible, but maybe 90 days is more forgiving but still affords you a higher sense of security. (Provided the passwords are strong and difficult to crack) Two-factor authentication is a must. Why are we leaving things to chance anymore? If someone is determined to get your password and has the time, tools, and know-how they will do it. If you have two-factor, it won't matter if they have your password, you still have the missing piece of the puzzle. Just don't go around authorizing devices to bypass this layer of security out of the sake of convenience. That's the biggie. Folks, you can download and install every security tool known to man but if you do not use them wisely and follow directions it's going to be an exercise in fail.
  • Perfectly stated.
  • You must not have read Christina Warren's article. Maybe this will change your mind. http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/ Mind blown!
  • I'd like to see notification that a cloud restore is about to begin, not that one has already occurred. Also, the need to confirm that restore is legitimate via additional PIN/password or linked device. What good does it do me to be told immediately after the fact if the offending party already has the loot? Also, maybe iCloud should not be a default on option. Let people turn it on if they wish to make use of the feature instead of the other way around. Posted via iMore App
  • Used to be security was an afterthought. Something you did later and you had to lock things up because the default was wide open. In most cases, people thought; “what do I have to worry about”… More and more electronics today come with the security turned on but at a basic level, but you still have to check and lock things up. People still think that someone is looking after them and they want to have things be easy and convenient. What does the future hold? Maybe more devices should arrive at our doors with everything locked and “full shields up”. Then we can open one window a little and lock it when we finish (maybe even remind us that we left it open?) or have it automatically lock itself after a specific time limit. Or we can open up what we choose, but we get the warning (and reminder) that this is open for certain people to see. Other considerations (in addition to Rene’s suggestions):
    • Failed attempts – 5 tries and you are locked out for an hour, 5 more tries and you are locked out for 3 hours and 5 more tries later you need to go to the company's “password recovery” site or call to restore your account.
    • Think about what you are storing online! If it is confidential then don’t have it sync to the “Cloud” or if it has to be stored outside of your physical control, password protect the file (yes there is an app for that). I always suggest that people think about what would happen if this picture or document was stolen and posted to a website for all to see? If it scares me, then why am I saving it but if I have to save it, then I will be more careful to lock it!
    • Password protect your phone and have it automatically lock after inactivity. I know people who still do not lock the front door to their life (even after they lose the phone and luckily get it back????).
    • Expire your passwords. Change the passwords every 30 or 60 or 90 days. The more important the information the more often you should change it and don’t use the same password at different sites (hence the password manager).
    • Maybe one other consideration is to make it non-profitable for people to hack into these kinds of pictures. Don’t support websites that post “trash” or glorify people who do this dirty work. If you can identify these thieves, report them to the appropriate authorities. Any other suggestions….
  • I wouldn't be surprised if every celebrity that was hacked used "password" as their password. I always use 2-step authentication whenever possible and all my passwords are a minimum of 30 characters unless a specific website has a lower limit.
  • The problem with finite passwords is you cannot fix stupid. People will still use the workaround of taking the same base password and adding two digits at the end that increase at a set interval. Passw0rd1, Passw0rd2, Passw0rd3, etc... I think a system should be smart enough to recognize you have taken a base portion of a previous password (think the last 4 passwords used if you are forced to change quarterly) and inform the user that this combination cannot be used. Old passwords, or rehashes of old passwords, are just as dangerous as simple passwords that are based on easily obtainable information about a person. So to be clear, 60-90 day mandatory password changes are good. However, the system should be set to prevent like passwords from being generated. Convenience will take a hit, but in the name of security it is a must. Without it you have people using 12345, 123456, 1234567, etc. Apple should also utilize two-factor authentication for everything - not just purchasing information. Basically any use of your Apple ID should require authentication, both in password and a time-based token. Convenience will take a hit, users should be given the kitchen sink when it comes to security. And to that point, why don't we have a graduated set of security options that we can choose from, either a la carte or from a preassigned group. Low/Medium/High/Custom
    Low - not the default, used by the most lax of users. Apple warns of the potential threat and asks for acceptance from users twice prior to proceeding. There are no checks and balances, other than in-app purchases which require reentry of the password or Touch ID. Multiple in-app purchases (three or more within a short time frame) require a password. In general, though, because your security is set lower, you have a longer window of time where you are authorized so more can be done with the phone.
    Medium - the default option on iPhones. Apple forces you to at least use a password / pin combination to unlock and access your phone. There are checks for making changes to your account on your iDevice such as two-factor authentication (optional) and reentering your password. Your authorization window for multiple purchases is 15 minutes.
    High - 4-digit pins are not allowed on the lock screen and you are required to use a complex password, two factor authentication, and verify changes and purchases every time. The authorization window for additional purchases is gone. You can only purchase one app, game, song, album, etc. at a time. Each item must be approved. With iOS 8 this will mean your fingerprint will be required in addition to your password every third purchase done in succession.
    Custom - You can enforce mandatory security options for a child or employee, but remove annoyances like reentering passwords or thumbprints for every activity if it is being done within a predefined period of time. Apple would include a graphic on their site and in a user manual explaining the pros and cons of each setup. Users on the Custom setting will be warned if there are incompatible security settings or if a combination of options inadvertently lowers or increases the intended level.
  • It might help if Apple properly secured iCloud backups, worked with security researchers (instead of ignoring them) and didn't use PR to issue security statements. Basically treat security with the same respect as they treat profit margins.
  • It is amazing the number of people that will still click on links in emails. If you do not know the person sending the email, do not click, and even if you know the person, use extreme caution. You can never tell where they got it. I have friends that will forward anything. I usually never open up links.
  • I don't really need the iCloud for anything that much. I have my phone and put things on it, but I don't really use iCloud that much, and I don't really see the need for it. Well I guess it would be nice to store things in the iCloud, as a backup, but I have my computer for it and I am the only one who uses my computer. I think people should be very cautious of what they put in the iCloud. I don't know what stuff the celebrities put in their iClouds and how the hackers got into it. It is just common sense I guess. Being a celebrity, I would be very careful of what things I put on my phone too, not just on my iCloud, because you can lose your phone or people can break into it. So for me it is just a common sense thing, if you don't mind people seeing it, then you can put it in, but if it is private, then be careful if you want to put it in iCloud or such.
  • Oh and hi to everyone and all, and was wondering if people are thinking of getting the iPhone 6, I am still thinking about it and will wait to see how it looks and what other people think about it.
  • I have been telling these to my users forever I just wish they would listen. Yesterday I got a call from "Microsoft's emergency service" lol. I was like "Oh Yeah" and as they talked I just hung up the phone. The sad thing is many people fall for these tricks. The real problem is how do you teach people? They don't have the "time" to read the countless posts out there that just require their time and nothing else. If Apple offered free classes about security I honestly believe only a handful of people would ever go. They need to just buy a company like AgileBits and have iPassword natively installed on iOS devices. Sent from the iMore App
  • The biggest problem is that thanks to the term "The Cloud" people regard what is really a centralized storage of data on the internet as some magical and mystical thing that is secure in itself while back in the day before "The Cloud" became a reality rather than the twinkle in the eyes of some engineers at Compaq. When centralized computing and storage was called 'on the web' people thought of it as being less secure and people worried about their pictures stored on that internet space. They stopped and thought twice about what they put in that space. These days they presume that nobody else can see it and that nobody else will be able to see it! This theft of their images is no different though than the infrequent publication of risque or blatantly pornographic images of some Movie Star or Starlet that had been found after someone had raked through the trash outside the home. Equally as much as the 'celebrity' throws their hands up in the air and points the finger elsewhere they still have to accept a share of the blame for them failing to 'shred' that image so that it is not available before they leave it in a place, no matter how secure they think that place is, where it could get into the hands of the public or more importantly that sneaky person that is digging through the trash looking for a tit-bit that he can sell to the media!
  • I'm not a celebrity, I don't click on random links, I don't open emails from those I don't know, I don't download crap from the internet, I don't visit questionable sites, and I'm not an idiot when it comes to keeping my information secure. Yet just last night my iCloud account was hacked. They reset my password, which has letters, numbers, not my dog or my mother's maiden name, includes symbols, doesn't consist of 1234 or 4321, they then changed the email address. It's completely frustrating that it's so simple for someone to hack/access/reset my iCloud account. Let's be honest Apple does make us feel that our info/iCloud is safe and secure. Mind you I'm smart enough to not keep vital information in the iCloud for just this reason, but it doesn't make it ok! Apple/iCloud needs to find a solution to the ease at which someone can so easily lock someone out of their own account. I can't even reset passwords because there's no access to my email accounts, nor can I change any of my settings. This has been going on with ease.. http://mashable.com/2014/09/04/i-hacked-my-own-icloud-account/ Time for a change in encryption and security Apple.