Glog

Security

Security

Apple’s Weak Passcode Protection for Apple ID

I’ve often written the following sentiment: “The Apple ID is the pivot point around which Apple’s services and systems rotate.” Apple created a single, unified ID—with an unfortunate amount of legacy baggage from previous systems—to identify you uniquely across your devices and services, provide authentication, and manage delivery of data, including via iCloud.

Apple offers layers of protection for your ID. At one point, you could protect it with a password. For several years, however, Apple has more or less required all accounts to use two-factor authentication (2FA), where a code is sent to a device registered to the same Apple ID account or a phone number verified for that account to ensure that a login is really you. In January, Apple upgraded Apple ID security to allow the use of hardware security keys, another significant improvement. (You can read about how to use these keys

Books

Three Major Ebook Updates

I’ve been a very busy bee, writing two new books and updating five more just since early August. The latest three are out today from Take Control Books, a trio that relate to the iOS 14/iPadOS 14 update several days ago and the upcoming macOS 11 Big Sur release that Apple hasn’t yet scheduled.

Upgrades are available to all buyers of any previous edition. If you’re a new purchaser, you can add all three to your shopping cart and get 30% off—Take Control’s standard discount for 3 or more books!

Take Control of iOS & iPadOS Privacy and Security (254 pages, $14.99). I’ve been revising and expanding this book across a decade now (and across six names!). For the last five editions, I published it myself, and now it’s back at the Take Control mothership.

The book covers all the ins

Security

Secure Yourself in iOS 12

Update, Sept. 17: iOS 12 is out today!

Apple hasn’t released iOS 12, the latest update for the iPhone and iPad, but I’m ready—and you can be, too! I’ve updated my book A Practical Guide to Networking, Privacy, & Security to cover iOS 12 based on the latest public beta releases, which are close to the final version. You’ll receive free updates to this edition if anything changes after release or for any future changes to iOS 12.

The book offers background information, explanations, and illustrated, step-by-step instructions across a wide range of topics, from connecting securely to Wi-Fi networks to setting privacy preferences for Siri and Safari to blocking unwanted calls and Web trackers to finding your phone or tablet when it’s lost.

The 186-page book is long, but not daunting. I wrote it so that you can easily find a topic you want,

Bookselling

Protect, Secure, and Network Yourself with My New Book

I’ve just released A Practical Guide to Networking, Privacy, and Security in iOS 11, the latest version of a book about those three topics that I’ve been updating for about seven years in a couple of different versions.

My intent is to give you everything you need to manage networking—Wi-Fi, Bluetooth, cellular, Personal Hotspot, AirPlay, AirDrop, and more—as well as all the ins and outs of what Apple does with your private data and how it controls and restricts access by third-party apps and Web sites to you while you use an iPhone or iPad. I also explain how to pick good passwords, turn on two-factor authentication, use passcodes and Touch ID, and find your missing iPhone or iPad.

It's a reference work—you probably won't want to read it end to end! But whenever you have a question about any of these topics, it’s

Security

Sites Lie To You about What Makes a Good Password

Bad password advice from the 1990s continues to be repeated ad nauseam, even though it has been widely disproven and groups ranging from security firms to academic researchers to the National Institute of Standards and Technology (NIST) specifically advise against most of those principles. Below, I take this apart and offer you actual good advice. (My friend Joe Kissell covers this topic in depth in his excellent "Take Control of Your Passwords.")

You might also wonder why encrypted passwords stolen from breached sites can still be cracked and used against you. I can explain that, too.

Everything you’ve been told is wrong

P@ssw0rd1 could be cracked in a billionth the time it takes for you to recognize that the first P in this sentence is a letter.

You know the drill. You’re often told, when setting up an account or changing a password, that a good password

Security

What I’d Like to Hear Tim Cook Start with

At the start of the keynote tomorrow, I'd like to hear Tim Cook say this:

You've seen all the coverage about hacked accounts and stolen private images and data. We at Apple are appalled about this and as soon as we were alerted, began days of auditing, and immediately fixed problems that abetted the password cracking related to iCloud that led to some of these breaches.
You trust us with your most personal details, and we take this seriously. The possession and disclosure of private data is a crime. Make no mistake: This isn't funny and the victims should not be blamed for trusting us and others. No one should be sniggering, shaming, or pointing fingers. Criminals stole people's information and then released it. We will do everything in our power to assist law enforcement to track them down for prosecution.
We have already taken some steps, and in the

Security

Certifying Certificates in the Post-Snowden Age

The news that the NSA used various methods to weaken cryptographic algorithms and protocols has caused more of a shock than I would have thought. It's been widely believed that the NSA had already broken some methods of encryption (whether a specific kind or in the right circumstances) through discovering flaws, new math, or computation power. But I suppose the intentional insertion of weakness as well as working with some companies to install backdoors or flaws is what stuns. By making supposedly secure methods weaker, the NSA endangers us all, including America's personal, corporate, and government interests. But there's one thing you can do about secure Web connections.

Bruce Schneier, who has seen the Snowden-provided documents on which the ProPublica/Guardian/New York Times report was based, has a set of recommendations for what security methods to employ. He skips one nascent effort, though, that's easy for non-technical users to