My Email to Developer Programs regarding mandatory Apple ID password change

Every three months I’m forced to change my Apple ID password. This means remembering to update every single iCloud-capable device I own (currently six and growing); if I don’t, my shared info like calendars gets out of sync and I, being the forgetful person I am, miss events and information.

On top of that, the Dev Programs login forms all have a ridiculous onpaste attribute set so you can’t paste the passwords into the form. This means that on iOS I have to swap between 1Password and Safari to enter my password to log in.

I’m fed up with this stupidity. I just sent Dev Programs this nice little email:

When attempting to log in to the Developer Forums this morning, I was greeted with the all-to-common demand that I change my Apple ID password yet again. I find this demand infuriating, because I use a piece of software called 1Password to generate truly pseudorandom passwords. Every time I am forced to update my password, I have to then go around to every Apple device I own and update that password in all my iCloud account settings. If I forget a device, my calendars silently fail to synchronize and I miss important events. This is unacceptable.

But one of the other things 1Password does is allow me to copy and paste my cryptographically-secure passwords from the 1Password app into form fields. This makes generating and applying new passwords less painful. Alas, someone has made the decision that Apple’s developer login pages should prohibit pasting into the password field. This decision is not only the antithesis of Apple’s product ethos of setting up something correctly once and not having to modify it again, but actually decreases the security of the system. It discourages me from generating truly random passwords–instead, I must generate shorter, pronounceable passwords so I can remember them as I retype them. On the desktop, the 1Password Safari extension can modify the contents of the password field directly, but on iOS I have no recourse except to memorize and retype the password into the form.

This scheme is beyond user-hostile. It betrays extreme incompetence in that it actively encourages users to decrease the security of the system by encouraging the use of less cryptographically-secure passwords.

Again, so my message is crystal clear: forcing users to change passwords DECREASES the security of the system. Prohibiting users from pasting passwords into the login form DECREASES the security of the system.

Somehow, nobody else at my company is required to change their password on a regular basis. I am only aware of a few other developers that suffer the same counterproductive requirement to actively participate in harming the security of the ADC program. Not only do I want this ludicrous restriction lifted from my Apple ID, I want it lifted for EVERY other member of the Developer program.

UPDATE: Apple replied pretty darned quickly:

Thank you for contacting Apple Developer Support regarding Password requirements and restrictions. I am unable to change the password requirements and restrictions for your Developer Account.

We appreciate that you have taken the time to send us your feedback. Please be assured that all of your comments have been forwarded to the appropriate Apple team.