I think the key weakness is allowing the AppleID password to be reset just using the device PIN, which is fairly easily discoverable via shoulder surfing. When you can lock someone out of their Apple ID in less than a minute, pretty much all other security measures become useless. You’ll be locked out of find my iPhone etc.

Nope, you can still reset the AppleID and the AppleID password is the fallback to reset the screen time password.

There’s nothing you can really do about this as far as I know, apart from making it harder to learn your passcode (although there’s no way to make it impossible, or even overly difficult).

You can at least set double blind passwords on things like your email accounts so they can’t lock you out of those. And I don’t keep main savings account on my phone at all. You can create a double blind password for Starling or other banks too, but sadly not Monzo.


I just tested it and I can't access my AppleID at the top of the settings page to change the password?
Is there another way to do it?
I mean you can also lock out passcode changes as well in there to stop them changing the PIN and Face ID.

I know the AppleID password can reset the forgotten restriction PIN, but I thought you didn't have to enable that, you can skip it. Although I think you may be able to reset the password if you turn on that option, as I see it has a reset AppleID password, but I am not sure if it works.

There will be a vector through the website if you're dense enough to save your iCloud password in Passwords, which to be honest should be blocked if it's not already.

I don’t believe Apple has publicly commented on making any changes, only that iOS is a secure platform and it is important to protect your passcode from snooping.

John Gruber suggested on his podcast this week that this is a known vulnerability within Apple, and has been for some time, but that it is somewhat intentional. People forgetting their iCloud passwords and needing a way to reset them with a second factor is more common than this type of crime. That is, until it was published everywhere, and now your amateur iPhone thief is going to attempt to snoop the passcode.

That said, iOS could surely be strengthened so it doesn’t default back to passcode when biometrics fail.

You need a fallback… masks, or just weird lighting… can cause failures. Loads of people locked out of their phone to prevent a comparatively rare surfing attack is a support nightmare.

It should try touch before dropping to pin though (although wet fingers, etc. can fail that… it’d catch more cases).


Surely, though, you could require two factor on that with backup codes like google does?

Device passcode as a fallback for failed Face / Touch ID is fine. But allowing reset of the Apple account password with only the device passcode is the issue. Could do with more protection here. Perhaps there needs to be some kind of time delay on the change if you are trying to reset a ‘forgotten’ password without approval on a second device.

This is certainly not the default on Android. I ran through this flow with a friend on Monday, the only difference to the iOS flow was that Google required the old account password, which was stored in the passwords app.

I don’t have the answers, but making people’s security setup more complicated is only going to lock more people out of their phones and accounts.


I don’t follow. What if you're not using the passwords app? How would someone then reset a forgotten Google password?

I thought Android had exactly the same issue as iOS (i.e. only device passcode needed).

Fun fact, if anyone’s interested: the whole device passcode reset thing came about because far too many people were winding up at Genius Bars locked out of their account, needing help to get back in.

I am curious, what are double blind passwords? Thank you :smiling_face:


Turns out I’ve been using double blind passwords and never knew it :upside_down_face:

Each to their own but my takeaway from reading that is an actual WTF. The same as logging into bank accounts with a selfie and pic of your passport.

What a faff.

Maybe it will all go wrong, but I’m fine using my long unique password and secret key to log in to 1Password and leave the actual password to their random generator.

All security is only a deterrent and it’s always a risk / reward trade off.

The article maybe over-complicates it. I just add a single special character to some of my saved passwords that I want to keep particularly secure (as in, if someone had my phone and the passcode). Same character for every password that uses it (which isn’t many). It’s not particularly onerous, and it serves a purpose, but it could definitely be said to be over-cautious anyway.

It’s a good idea (never considered it), but at least with iOS stored passwords it also “Enters” when you use the password, so it would be a pain to get an “incorrect password” each time I use it.

I can see use cases, but I don’t worry as much as some about being hacked, it seems.


I’ve had a scroll through this thread, and although the article in question isn’t posted in here, it has been discussed and I’m sure shared in another thread elsewhere.

So, to pre-empt the inevitable @revels treatment: I’m sure there’s a more appropriate thread where the Apple ID stuff was discussed in more detail, but as much as I’ve tried, I can’t find it.

The article in question is this:

And whilst some folks were hopeful it’s a vulnerability they’d see patched in one of the iOS 16 betas, it never was. I was dubious we’d even see anything by iOS 17, and indeed it wasn’t addressed there either.

And I’ve just found the actual thread, so I will copy/paste this to a new reply over there and link it here in Banking and Security. Just saved you a job, Revels!

Craig Federighi has now publicly addressed this issue for the first time. The TL;DR is it was designed this way on purpose, but they’re aware of the problem and are actively working to address it.

The relevant section starts at 1:51:40.

The Shortcuts community have been up to something recently as well that some folks might be interested in. It doesn’t prevent this sort of attack, but it’s still a pretty cool automation nonetheless for keeping your device secure.

The Twitter thread starts here:

So is there an email program which will send and receive from my Gmail account (with my personalised domain) and which is locked with a separate code/biometrics?

So this shortcut is an interesting solution, and presumably would act as a booby trap for anyone who takes your phone and tries to put it into airplane mode. But what if they know the passcode?

I’m hoping Apple come up with something before iOS 17 releases; until then I’m using Screen Time.