Do you keep your Apple ID secret?

As if erasing my operating system this weekend weren't enough. Late last week, Apple also managed to burn two of my passwords for my Apple ID account. Here's the feedback I sent to Apple:

First a brief introduction. I'm a software engineer and director of DevOps at my company. I have a masters degree in computer science with emphasis on secure networks and cryptography.

I recently encountered a fundamental problem with the password policy of Apple IDs. My password was "disabled for security reasons", allegedly due to to many incorrect password attempts, even though I assure you I did not enter the incorrect password even once on any of my devices.

So it seems that someone or something else has triggered the disabling of my account. As a result, I was forced to change my password.

In other words, because someone failed to guess my secure password, you force me to change it to something else. And furthermore, Apple refuses to tell me anything about when or where (physically or virtually) the failed attempts originated.

Do you see the problem with this scenario? Something completely out of my control causes me to have to reset my password (and never use that password again). Every time this happens, as a user, I'm going to be more inclined to choose a less secure password than before, because obviously the security of the password is irrelevant, but if it's going to be changed arbitrarily, I don't want it to choose something hard to remember or mutate.

To make matters worse, I changed my password on Thursday night, but by Friday night, my *new* Apple ID password was no longer recognized.

According to the support representative I talked to today, this issue was my fault because I failed to sign out and sign back in with the new password on each application that uses my AppleID. Let me just briefly list all of the places I've discovered (so far) where I'm supposed to change my password every time my password is arbitrarily disabled and reset:

- App Store (iPhone)
- App Store (iPad)
- iMessage (iPhone)
- iMessage (iPad)
- FaceTime (iPhone)
- FaceTime (iPad)
- iCloud (iPhone)
- iCloud (iPad)
- Game Center (iPhone)
- Game Center (iPad)
- Web Browser (Windows Desktop)
- Web Browser (Windows Laptop)
- Web Browser (Mac Laptop)
- iTunes (Windows Desktop)
- iTunes (Windows Laptop)
- iTunes (Mac Laptop)
- iCloud Control Panel (Windows Desktop) [and it loses the settings when I sign out and sign in]

And there are probably other places I haven't yet remembered. But you see, according to the rep, it's my responsibility to change it in all of the places it exists, or else Apple will disable my account again, and I will be forced to change my password again, and the process starts anew (plus one more burned password).

What makes matters worse is I tried to resolve this situation using online resources, and then e-mail support, and then genius bar, and then phone support, but none of these avenues was able to answer my questions (why did this happen?) or allow me to resolve the situation to my satisfaction (restore my account with the secure password I've used for some time or my new secure password and prevent this situation from happening in the future). In fact, I was told I can expect this to happen again unless I change my Apple ID (and that's the same answer they'd give to Tim Cook). What a terrible experience.

I'm really regretting buying into the whole Apple ID. Please route this message to the appropriate department so these issues can be considered for improvements to the Apple ID password policy.

In the meantime, I'll try to forget the hours of grief Apple has cost me this weekend.

I didn't mention in the letter that I asked what would happen if someone had my Apple ID and was causing my password to get disabled. The representative indicated I would have to get a new Apple ID. That's right folks. Keep your Apple ID secret (the username). Hide your screen when you're prompted to enter your Apple ID password. Because if the wrong people get a hold of that Apple ID, and (ab)use Apple's site to burn your password, you'll be forced to go through the whole mess outlined above.

Which begs the question - does Tim Cook have to deal with this problem if someone gets his Apple ID? I'm not suggesting that anyone should track down Tim Cook's Apple ID and try bogus passwords until his account is locked out, but I suspect if that happened often enough, Apple would probably devise a better solution than what they have now (which is bullsh**).
Written on May 21, 2012