How (and why) to use app-specific passwords with iCloud

how-to
Oct 10, 2014 | 4 mins
Apple, Cloud Security, iCloud

Security is a conversation; you need to stay vigilant

Apple’s security systems stole another advantage against rivals today when the company finally enabled app-specific passwords to help improve the level of protection its customers enjoy.

Switched on

Apple yesterday shared this email with iCloud users:

“Thank you for using two-step verification to protect your Apple ID and the data you store with iCloud.

This is a reminder that starting tomorrow, app-specific passwords will be required to access your iCloud data using third party apps such as Microsoft Outlook, Mozilla Thunderbird, or other mail, contacts and calendar apps.

If you are currently signed in to a third party app using your primary Apple ID password, you will be signed out automatically when this change takes effect. You will need to generate an app-specific password and sign in again.”

How it works

“To use iCloud with any third party apps (such as Microsoft Outlook, Mozilla Thunderbird, or BusyCal) you must sign in using an app-specific password,” Apple explains.

This improves the security of your third-party apps and ensures those apps only have access to the data they really need, rather than gaining access to all your iCloud files. Up to 25 app-specific passwords can be used at any given time.

To generate passwords

Go to My Apple ID.

  • Select Manage your Apple ID and sign in.
  • Select Password and Security.
  • Click Generate an App-Specific Password and follow the steps on your screen.

The system does take a little time to implement, but the protection it provides significantly boosts your online security, assuming you use strong passwords to protect your iCloud account/Apple ID. If you don’t, and you do care about your privacy/bank account/personal identity, then please, please follow these simple security tips. And enable two-step verification for your iCloud account.

Problem for everyone

As for you people sniggering at the back of the room muttering asshat opinion about iCloud and nude celebrity hacks in a desperate attempt to claim Apple’s platforms aren’t secure, please shut up. The iCloud brute force attack was a password problem, not an Apple problem.

“There’s no good reason to have weak passwords, but they’re like cockroaches: neither security professionals’ admonishments nor nuclear winter has much chance of stamping them out of existence,” writes Sophos security blogger, Lisa Vaas this morning.

Mote in the eye

The Apple hate masses would be making far better use of their energy if they protested the broken security model offered by competing platforms (online and in person). It would be useful to me, too — I need other platforms to be secure so I am not rendered slightly more vulnerable as a by-product of their complacent insecurity.

Apple isn’t complacent (not entirely), and has introduced several additional protections since its nude celebrity special event, including sending alerts via email and push notifications when someone tries to change account passwords, restore iCloud data to a new device, or when a device logs into an account for the first time.

Ultimately, security is a conversation; like water, it flows back and forth. The bad guys find a vulnerability and the good guys fix it. What’s critical is that platforms engage with vulnerabilities as swiftly as they are identified. Doing so sends a message of vigilance that drives criminals elsewhere, such as to almost every device currently available within the Internet of Things.

Stay safe out there.


jonny_evans

Hello, and thanks for dropping in. I'm pleased to meet you. I'm Jonny Evans, and I've been writing (mainly about Apple) since 1999. These days I write my daily AppleHolic blog at Computerworld.com, where I explore Apple's growing identity in the enterprise. You can also keep up with my work at AppleMust, and follow me on Mastodon, LinkedIn and (maybe) Twitter.