Given the iTunes account hacks last week, and again yesterday, we figured it was a good time to go over the basic ways you can reduce the chances of having your own iTunes -- or any other -- account hacked.

Sure, many of you regular readers already know all this, but take it as an opportunity to forward the link on to friends, family, and co-workers who might not.

Note, we're not security experts, these are just the tips and tricks we use to make our own accounts more secure, and some of the things we've learned -- sometimes the hard ware -- to avoid.

Weak passwords

A weak password is one that's easy to guess, never mind actually spend time and effort hacking. Avoid them at all costs.


  1. Don't use the word password as your password
  2. Don't use your username as your password or your email address or name. You want your username and password to be as different from each other as possible
  3. Don't use words as you password. Simple, short, really easy to remember also means really easy to guess.
  4. Don't use the same password for every site. If they guess it for one, they guess it for all your logins.


  1. Use a mix of lower case and upper case, numbers, letters, and symbols
  2. Make it as long as you can. 10 characters should be enough if you're not guarding James Bond-level secrets.
  3. Make it a phrase so it's easy to remember but still hard to guess. Here are some examples: TheiPh0neBl0g!, iP@d-L1ve-?
  4. Add some variation for each major site. If you're worried about remembering it, keep it relative. For example, you could add the first 2 characters of the domain name to the beginning or or end of your password. (TiMyP@ssw0rd, MyL0g1n_Am, etc.)

Using a short phrase gives you a good length of characters but is easier to remember than a random string. Capitalizing the words lets you vary the case, putting dashes or underscores between words and/or replacing some letters with similar looking numbers or symbols gives it a lot of strength without making it much harder to remember. Adding a little variation means if they somehow still get one, they don't get them all.

Phishing/Social engineering (i.e. the con)

The easiest way to get anyone's password is to ask them for it. Get in the habit of never, ever, answering. No reputable company will ever ask you for your password, even for their site. Apple will never, ever ask you for your iTunes password.

They won't ask you to tell them your password. They won't send you an email with a link telling you to click it and login to your account, verify your account, or change your password. (And if they do, they shouldn't -- ignore it anyway). And iTunes accounts are managed in the iTunes application, not on webpages. Don't ever enter your iTunes password on a web page (it's most likely fake).


  1. Give anyone your password, ever. If you wouldn't give them the keys to your house or your wallet, don't give them the password connected to your credit card and personal information.
  2. Click a link in an email that takes you to a web page that wants you to put in your password. Even if it says it's about an order or purchase you made, even it looks 100% legitimate, it could easily be a fake.
  3. Tell anyone your password if they call you on the phone, even if they say they work for iTunes or an internet site you use.


  1. Go to websites directly in your browser by typing in the name yourself. Google is probably fine, actually typing in is even better.
  2. If you get an email telling you to verify your account or order, close the email, launch your browser, type in the name of the website yourself, then go to your account or order status and see if it's true.
  3. If you get a phone call about an internet site you use, hang up, go to the internet site, find their contact information, and call them back. It's a hassle but at least you'll know who you're talking to.

Malware (Viruses, Spyware, etc.)

The above is all good, general purpose advise that will prevent most of the common ways your iTunes -- or any other account -- could be hacked. The nastier stuff involves viruses that infect your computer and spyware that tries to steal your information.

If you're running Windows, make sure you're also running Windows Update religiously, have a good anti-virus and anti-malware program installed (Microsoft's free internet security suite is great), and keep following the advice above (especially the advice about not clicking links in emails).

Here's where we apologize for scaring you slightly -- there's all sorts of nasty stuff out on the internet. If you visit sketchy websites, get your music, movies, and software from less than legitimate online sources, etc. you probably know the dangers already, but bad guys can infect even good sites so it pays to always be careful. DNS cache poisoning, keystroke loggers, man-in-the-middle attacks, and similar dangers are out there just waiting to try to separate you from your credit card information.


  1. Fall behind in your Windows updates. They'll patch exploits and remove malicious software.
  2. Go to sketchy websites. Nothing is truly for free in this world. If they're offering you free music, movies, software, products, and yes, even porn, chances are they want something in return -- and that something could be to infect your PC.
  3. There has even been malware inserted into cracked Mac software -- don't assume an Apple logo on your PC makes you bullet proof.


  1. Set Windows Update to run automatically.
  2. Make sure your firewall is up, you're running anti-virus and anti-spyware (again, Microsoft's free stuff is great), and you're behind a router (like your Wi-Fi router).
  3. Know where you download your files and software from. If you don't explicitly trust the source, don't download it.

If you think you've been infected, if you haven't been doing your updates or you have been visiting sketchy websites, if you system is running slower than it ought to be, if things popup randomly or start and stop working all the time without explanation, do yourself a favor -- find the smartest, tech savvy-est family member, friend, or co-worker you can and have them take a look at your PC.

Worst case scenario, if you're infected, they can help you back up your data, re-format clean, and re-install your system. Then lock it down with automatic updates and that anti-virus and anti-malware software we mentioned above, and help you reset your passwords.

Use your iPhone and/or iPad

Hey, since we're an iPhone and iPad site, we'll just mention that -- so far -- you're safer doing your internet browsing and shopping on an iPhone or iPad than you are a Windows PC.

It absolutely won't protect you from weak passwords or phishing scams but as of this writing there isn't the malware -- virus and spyware -- problem on iOS that there is on Windows. And while iPhone and iPad can't do everything a computer can do, they can do a good portion of the most common things.

There are also a lot of dedicated apps you can use instead of the internet, including the iTunes and App Store apps. Those are currently harder to fake.


This is our best advice, to the best of our current knowledge. We can be wrong and things can change fast. Luckily a lot of smart people read TiPb and there's a good chance they'll correct, expand, and update what's written here in the comments below. We'll agree to weed out anything off-topic if you'll agree to give them a quick glance for important new information, deal?