APR 16

I recently changed my password on apple.com using their "My Apple ID" web site. The site allows you to change your password, which is great. But there are two major issues.

First, Apple's URL naming system is horrible. This is the URL for logging in to My Apple ID: https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/

More seriously, Apple has a feature where the perceived strength of your proposed password is shown to you as you type it. Unfortunately, their algorithm is busted. I tried a password "welcome-wildlife-fuji-ski" and was told that it was considered a "weak" password. I can guarantee you that "welcome-wildlife-fuji-ski" is completely unhackable by brute force attempts.

Meanwhile, "Aaa123!!" was given the password score of "strong" even though it is a substantially weaker password than "welcome-wildlife-fuji-ski".

Apple should fix these two issues by adopting a user-friendly URL, such as https://apple.com/appleid, and updating their password strength recommendation engine beyond the simplistic one-letter-one-symbol-one-number algorithm that is all too prevalent these days.
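To make the mismatch concrete, here is an added example (not from the original post, and not Apple's code) that runs both passwords through a checklist-style meter and through a naive brute-force search-space estimate. The `compositionMeter` rule, the 8-character minimum, and the 33-symbol pool are assumptions chosen for illustration.

```javascript
// Added illustration. compositionMeter is a hypothetical stand-in for a
// "one letter, one symbol, one number" checklist; it is not Apple's algorithm.
const SYMBOL_POOL = 33; // printable ASCII punctuation plus space (assumption)

// Checklist meter: "strong" only when a letter, a digit and a symbol all appear.
function compositionMeter(pw) {
  const hasLetter = /[A-Za-z]/.test(pw);
  const hasDigit = /[0-9]/.test(pw);
  const hasSymbol = /[^A-Za-z0-9]/.test(pw);
  return pw.length >= 8 && hasLetter && hasDigit && hasSymbol ? "strong" : "weak";
}

// Size of the alphabet an exhaustive character-by-character search must cover,
// based on which character classes the password actually uses.
function poolSize(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/[0-9]/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += SYMBOL_POOL;
  return pool;
}

// log2 of the brute-force search space: length * log2(alphabet size).
// This models blind enumeration only; it says nothing about dictionary
// or pattern-based guessing.
function bruteForceBits(pw) {
  const pool = poolSize(pw);
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Put the checklist verdict next to the search-space estimate.
function compare(passwords) {
  return passwords.map((pw) => ({
    password: pw,
    meter: compositionMeter(pw),
    bits: Math.round(bruteForceBits(pw)),
  }));
}

console.table(compare(["welcome-wildlife-fuji-ski", "Aaa123!!"]));
```

The checklist rates the 25-character passphrase "weak" only because it has no digit, while the search-space estimate for it is far larger than for the 8-character password the checklist rates "strong".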
