By now, you’ve likely heard about how a hacker leaked revealing photos of celebrities onto the Internet, supposedly though Apple’s iCloud service. Apple now says that the leak did not result from a security vulnerability in iCloud, as was widely reported, but that the accounts “were compromised by a very targeted attack on user names, passwords and security questions.”
Many companies now offer two-factor authentication, which adds an extra layer of protection to your online accounts: After you enter your password, you’ll receive a verification code, usually via text message to your smartphone. Enter this code when prompted, and you’ll be able to log on. It’s a relatively easy way to bolster the security of your online accounts. While Apple offers two-factor authentication protection for Apple ID accounts, its system has some notable limitations.
According to a support document on Apple’s website, Apple offers two-factor authentication—which it calls “two-step verification”—to help keep others from changing your Apple ID password or account details, or from making purchases through the iTunes, iBooks, and App Stores from new devices. It can also help Apple verify your identity if you request Apple ID-related support from the company.
The threat of someone resetting your Apple ID password and gaining access to your data is very real. In fact, Wired’s Mat Honan—who was the victim of a password-reset hack—speculated on Twitter that this might be how someone got into the compromised accounts. Sometimes, all it can take is one weak security question for someone to ultimately find their way in. Apple’s two-step verification system is intended to help prevent this exact sort of scenario, so if you have an Apple ID, you should be using two-step verification.
Two-step verification does not, however, apply to your iCloud data, so even if you use Apple’s two-step verification feature, a stranger equipped only with your password can still log on to iCloud.com and get at your iCloud email, view your Photo Stream, look at any documents you have stored in iCloud, and so on.
With that in mind, you need to use two-step verification and have a strong password.
To start, visit appleid.apple.com and press the button labelled “Manage your Apple ID,” then log in with your username and password.
Once you log in, select Password and Security from the lest along the left-hand side. Apple will ask you a couple security questions: Provide your answers, then press Continue. Once on the Password and Security settings page, look for the Two-Step Verification section, and select “Get started…” link.
On the next screen, Apple will give you an overview of how two-step verification words. Read it, then press Continue: Apple will then guide you through the steps required to set up two-step verification.
You’ll need to provide Apple with at least one cell phone number that can receive SMS messages; once you do, you’ll receive a test code, which you’ll then enter when prompted to make sure everything is working properly. You will also be able to “verify” any of your other iOS devices: Once you do, you’ll be able to receive login verification codes on those devices as well.
Apple will also supply you with a recovery key—an alphanumeric code that you can use to access your account should you forget your password or lose your phone or verified iOS devices. Print or write this down, and keep it in a safe place.
The next time you try to change your Apple ID account settings or buy something from the iTunes, iBooks, or iTunes Stores from a new device, you’ll need to enter a four-digit code provided to you before you can access your account.
There’s no getting around it: You need to use a strong, unique password for your iCloud/Apple ID account—or any online account, really. Don’t rely solely on words from the dictionary—include other characters such as numbers and symbols (and no, replacing the letter E with a 3 doesn’t count). Use a mix of lower-case and capital letters. Don’t use the same password for multiple online accounts. And never, ever share your password with anyone.
For more ideas, check out this story on building stronger passwords that my former colleague Alex Wawro and I put together for PCWorld a few years back: The idea here is that you’re looking to build not just a password, but a passphrase that you can use as a basis for countless unique passwords.
And realize that while nothing can keep your data completely safe, taking these steps can save you a lot of trouble later on.