My Email to Developer Programs regarding mandatory Apple ID password change

Every three months I’m forced to change my Apple ID password. This means remembering to update every single iCloud-capable device I own (currently six and growing); if I don’t, my shared info like calendars gets out of sync and I, being the forgetful person I am, miss events and information.

On top of that, the Dev Programs login forms all have a ridiculous onpaste attribute set so you can’t paste the passwords into the form. This means that on iOS I have to swap between 1Password and Safari to enter my password to log in.

I’m fed up with this stupidity. I just sent Dev Programs this nice little email:

When attempting to log in to the Developer Forums this morning, I was greeted with the all-too-common demand that I change my Apple ID password yet again. I find this demand infuriating, because I use a piece of software called 1Password to generate truly pseudorandom passwords. Every time I am forced to update my password, I have to then go around to every Apple device I own and update that password in all my iCloud account settings. If I forget a device, my calendars silently fail to synchronize and I miss important events. This is unacceptable.

But one of the other things 1Password does is allow me to copy and paste my cryptographically-secure passwords from the 1Password app into form fields. This makes generating and applying new passwords less painful. Alas, someone has made the decision that Apple’s developer login pages should prohibit pasting into the password field. This decision is not only the antithesis of Apple’s product ethos of setting up something correctly once and not having to modify it again, but actually decreases the security of the system. It discourages me from generating truly random passwords–instead, I must generate shorter, pronounceable passwords so I can remember them as I retype them. On the desktop, the 1Password Safari extension can modify the contents of the password field directly, but on iOS I have no recourse except to memorize and retype the password into the form.

This scheme is beyond user-hostile. It betrays extreme incompetence in that it actively encourages users to decrease the security of the system by encouraging the use of less cryptographically-secure passwords.

Again, so my message is crystal clear: forcing users to change passwords DECREASES the security of the system. Prohibiting users from pasting passwords into the login form DECREASES the security of the system.

Somehow, nobody else at my company is required to change their password on a regular basis. I am only aware of a few other developers that suffer the same counterproductive requirement to actively participate in harming the security of the ADC program. Not only do I want this ludicrous restriction lifted from my Apple ID, I want it lifted for EVERY other member of the Developer program.


UPDATE: Apple replied pretty darned quickly:

Thank you for contacting Apple Developer Support regarding Password requirements and restrictions. I am unable to change the password requirements and restrictions for your Developer Account.

We appreciate that you have taken the time to send us your feedback. Please be assured that all of your comments have been forwarded to the appropriate Apple team.

4 Comments

  1. Ryan

    Thanks for bringing this up. I too am fed up with this mess, and having to change my password every 3 months (with increasingly ridiculous password security questions and restrictions).

    Also, it’s ridiculous that there’s a single place in iOS 5 to put your Twitter credentials, but every app that uses your Apple ID (iMessage, FaceTime, App Store, iCloud, Find My Friends, many other Apple apps) requires the password put in manually. I’m hoping iOS 6 centralises the Apple ID.

    Also, my AirPort Extreme has my Apple ID credentials in the firmware to allow Back to My Mac to function, and that is the thing I’m most likely to forget to update and will just silently fail.

  2. Scott

    This has been driving me crazy as well, which led me here from a search to find out whatever I can – my current password generated within 1Password is just hard enough that I can’t remember it when having to put it in for things like app updates within iOS, so I have to go to 1Password and copy/paste it.

    Is everyone having to do this password change every X number of months? Seems like it isn’t the case. At one point I was under the impression that it was because of a password policy on an old Apple program I was part of such as the old Apple Sales Web or certifications.

  3. Joe B

    I have had the same problem with Apple ID except more extreme. Example: When selecting an App for my iPhone I am naturally prompted for my Apple ID. It says not recognized. Then I have to create a new one at which time I enter it and receive my new App. Within one week I can repeat this process. I am a SME for IT. I have a password saver on my PDA for a whole host of passwords and related data. I am sick of this event!! It just happened to me this morning so I googled this phenomenon and found this post.

  4. Dan

    Worse – no one, really NO ONE believes me when I tell them I have to change my password every three months. They make fun of me and tell me they are still using the original one they put in 5 years ago (or more)!
