> Even when I forgot my Apple ID (as it had been so long) it took over a week before Apple deemed it okay for me to recover my password.
I do not see what is wrong with this added security. For something that unlocks basically everything about me, it seems reasonable to not let it be unlocked at a moment’s notice.
From my point of view I believe I can be trusted to reset my Apple ID quickly. I'm very security conscious which is why unlocking my Apple ID does not unlock 'everything about me'. As I mentioned in a previous reply, I get it now... if you did trust Apple with everything about yourself, you would see the delay as reasonable security.
However, I just don't trust Apple that much because they are at the end of the day a huge corporation that couldn't give a monkey's if my data was compromised. I'm a little guy and Apple isn't going to apologise or make it right if something catastrophic happened. The Fappening is a case in point. These celebrities trusted Apple and completely outsourced their security only to find their privacy violated in shocking horror.
So, I understand where you're coming from, but it's a step too far for me.
> The Fappening is a case in point. These celebrities trusted Apple and completely outsourced their security only to find their privacy violated in shocking horror.
The Fappening happened because people got spearphished into sending others their account passwords. That jump-started the 2FA push, but there is not much a company can do if you willingly give your authentication details to someone else. If anything, the fact that Apple does not allow passwords to be reset haphazardly and makes you wait 7 days means they go out of their way to prevent regular people from being victims, possibly a result of the Fappening.
> From my point of view I believe I can be trusted to reset my Apple ID quickly.
A different, devil’s advocate perspective might be that if you forgot your Apple ID credentials, you should not be trusted to reset your Apple ID. I have passwords from 15+ years ago in my password safe. I have never needed to reset my Apple ID.
The other thing to consider is whether you’d be happy for an attacker to reset your Apple ID quickly. Apple lost a lot of credibility when iCloud started raining celebrity nudes onto 4chan. They care less about you specifically as a user than they do about whole classes of users who’re much more likely to be phished and social engineered than you believe yourself to be…
As mentioned previously, the last Apple product I purchased was the iPad Gen 1 (2010). However, my security consciousness changed post Snowden (2013) and I devoted time and effort to study and implement strong infosec.
This was about when I stopped using my Apple ID (so I'd estimate it's been about 8 years).
That said, bragging that you haven't changed your passwords from 15+ years ago, even if they are securely stored, makes me question how seriously you take your security.
I change my passwords regularly, and it's accepted that this is best practice.
As to your comment about an attacker being able to reset my password quickly, I think I should be given the option to if I wanted, or be allowed to provide KYC like passport or driving licence to fast track it.
If I was a celebrity I might want to opt in to 'slow track' plus KYC verification.
My point is about not having the option because it's Apple's way or the highway.
It is absolutely not, and hasn't been for several years (source: I'm on the industry panel for many security standards). Every serious security standard (NIST, DoD, GCHQ, etc.) says that choosing a strong password is important, but that periodically changing it brings at best no benefit.
The overwhelming consensus in security is that using strong cryptographic secrets is the only really secure way to authenticate. Buy some kind of tamper-evident secret store and get on with your life.
If you allow people to opt-out of security, they will do so and then scream when there's a breach that they made inevitable. Look at the discussion around HSTS for as many examples of this as you please; users cannot be trusted with their own security, they will at best leverage outdated and badly wrong guidance from years ago. More often, they will choose Summer2021 as a password and 000000 as a pin.
A few years ago when we started implementing the revision of NIST 800-63B we started checking user passwords against breach lists by hash.
In a company of just a few hundred people, two unrelated employees had chosen exactly the same compromised password. After forcing a change, we asked them what their old password was.
Summer2018! was chosen independently by two people in a smallish company who had never met.
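The breach-list check described in the comment above (hash the candidate password, compare it against a list of known-compromised hashes, and notice when two unrelated accounts land on the same hash) is easy to reproduce offline. The following is an added illustration, not code from the comment author or from NIST; the breach list, the usernames and the hashes are constructed sample data, and the prefix lookup merely imitates the range-query shape that k-anonymity services such as HIBP's Pwned Passwords use, served from the local set instead of a network call.

```python
import hashlib

# Constructed sample breach list. A real deployment ingests an existing
# hash dump; plaintext is used here only so the example is self-contained.
CONSTRUCTED_BREACH_LIST = [
    "Summer2018!",
    "Password123!",
    "123456",
    "qwerty",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the encoding breach-hash lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the breach list by hash once, so checks never touch plaintext again.
BREACHED_HASHES = frozenset(sha1_hex(p) for p in CONSTRUCTED_BREACH_LIST)


def is_breached(password: str) -> bool:
    """Direct lookup: is the password's hash in the compromised set?"""
    return sha1_hex(password) in BREACHED_HASHES


def range_lookup(prefix: str) -> list[str]:
    """Emulates a k-anonymity range query: given the first 5 hex chars of a
    SHA-1, return the suffixes of every breached hash sharing that prefix.
    Served from the constructed local set; a client never reveals the full hash."""
    prefix = prefix.upper()
    return sorted(h[5:] for h in BREACHED_HASHES if h.startswith(prefix))


def is_breached_k_anon(password: str) -> bool:
    """Same answer as is_breached, but only the 5-char prefix leaves the client."""
    full = sha1_hex(password)
    return full[5:] in range_lookup(full[:5])


def find_shared_passwords(user_passwords: dict[str, str]) -> dict[str, list[str]]:
    """Group usernames by password hash. Any group with more than one member
    means unrelated users independently chose the same password; the
    returned mapping is hash -> sorted usernames, plaintext never kept."""
    groups: dict[str, list[str]] = {}
    for user, password in user_passwords.items():
        groups.setdefault(sha1_hex(password), []).append(user)
    return {h: sorted(users) for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed directory of a few users; two of them picked Summer2018!.
    directory = {
        "alice": "Summer2018!",
        "bob": "correct horse battery staple",
        "carol": "Summer2018!",
    }
    for user, pw in directory.items():
        print(user, "breached" if is_breached_k_anon(pw) else "ok")
    print(find_shared_passwords(directory))
```

Running the check at password-set time, when the plaintext is available, is what lets the server refuse a compromised choice before it is ever stored; the duplicate-hash grouping is the part that surfaced the two-employee coincidence the comment describes.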
I did an audit once where security confidently told us that there were no weak passwords given out by the helpdesk. When we actually tested hashes, we determined that there were a ton of the usual suspects. When we chatted up some helpdesk people over lunch, it turned out the problem was that they gave good passwords whenever someone from security asked because otherwise those jerks would scream at you. Everyone else in the company got easy passwords because it lowered call volumes.
They literally were checking group membership as part of their reset script and giving the user the type of password which was most likely to get them to go away.
Your case has a significant difference: trained IT staff choosing weak passwords for convenience is much worse than “normal” users independently choosing weak credentials despite yearly training.
That said, the root cause is the same: humans cannot remember computationally-secure credentials. We need something else. Pushing for “stronger passwords” is folly.
My experience with not regularly changing passwords is that the security of your login credentials decays over time. If you keep track of when you changed your passwords you will know what time period you were compromised if you check a website like https://haveibeenpwned.com.
If not, you might have to trust whatever PR says about when the breach occurred.
I agree that strong passwords and cryptographic storage is the way to go, but I think you go too far when you say "users cannot be trusted with their own security" because some can. I think it really depends on who your users are.
Why does the time period matter when each credential should have a unique password anyways? Is knowing the time of a breach important when the only way you’ll know is through a website like the one you linked or when your credential is used unauthorized?
Also I personally think users absolutely cannot be trusted. At all. There should be a minimum viable security model for all users regardless of what their threat models should be (i.e. not allowing easily guessable passwords, enforcing a password over X length, forcing capitalized characters and symbols).
One other thing to keep in mind, a lot of the time users (including me) couldn't give a fuck about the security of your website/webapp/mobileapp.
If you force me to register an account to do what I need to do, and I'm never planning on returning anyway - you'll get my "default shit site password" and if you demand a deliverable email with confirmation, you'll get a throwaway-able email. I have a "spare" gmail account which I'll use with the "plus addressing" thing, so you'll likely get random-looking-string+sitename@gmail.com and the equivalent of Password123! - and I don't use that email for anything else. I'll filter mail with that +sitename to spam if/when it starts getting spam, since spammers know that trick and remove it - eventually I just throw away that gmail account and start a new one.
Occasionally that bites me in the ass. Back when this stupid new "text messaging on the web" site started, you know, the one with the best and the fail whale, I was curious and set up an account (at least as much to squat my username as anything else). A few years later and I'm actually using and socialising there, late one night my account starts sending açai berry spam. Because my shit password was shit. (Luckily, they just sent half a dozen spam tweets, and didn't p0wn the account by changing the password/email on me...)
One nice thing about password managers, at least you can search and find all the services you used a shitpassword on, and do an audit of whether you care enough to upgrade the password or delete that service's account.
That infamous case was the result of poor password use followed by an unguarded login page with no retry limit. This isn’t meant to victim blame, but it’s also to point out that Apple too was a victim in this; they have a far stronger commitment to privacy compared to other companies.
Sure, but these celebrities completely outsourced their security to Apple because they trusted Apple.
"Apple knows best"... but clearly not because Apple should have had rate limiting for password login attempts to stop password brute-forcing attacks.
As for the far stronger commitment to privacy, I'm not so sure. Apple seems reluctant at times to patch zero-days which has been covered on the front page of HN.
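Both comments above turn on the same control: an authentication endpoint with no retry limit lets an attacker try passwords indefinitely, so per-account throttling with an escalating lockout is the standard mitigation. The following is an added illustration, not code from either commenter or from Apple; the thresholds, the `LoginThrottle` class and the constructed user record are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AttemptState:
    failures: int = 0        # consecutive failures since last success
    locked_until: float = 0.0  # monotonic timestamp; 0 means not locked


@dataclass
class LoginThrottle:
    """Per-account throttle: after max_failures, each further failure locks
    the account for base_lockout * 2**n seconds, capped at max_lockout."""
    max_failures: int = 5
    base_lockout: float = 60.0
    max_lockout: float = 3600.0
    clock: Callable[[], float] = time.monotonic
    _state: dict = field(default_factory=dict)

    def _get(self, account: str) -> AttemptState:
        return self._state.setdefault(account, AttemptState())

    def seconds_locked(self, account: str) -> float:
        """Remaining lockout for the account, 0.0 if it may attempt a login."""
        return max(0.0, self._get(account).locked_until - self.clock())

    def record_failure(self, account: str) -> float:
        """Count a failed attempt; return the lockout applied (0.0 if none yet)."""
        st = self._get(account)
        st.failures += 1
        if st.failures < self.max_failures:
            return 0.0
        escalation = st.failures - self.max_failures  # 0 on the first lockout
        duration = min(self.base_lockout * (2 ** escalation), self.max_lockout)
        st.locked_until = self.clock() + duration
        return duration

    def record_success(self, account: str) -> None:
        """A correct password clears the failure history."""
        self._state[account] = AttemptState()


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 for the stored verifier (constructed parameters)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def attempt_login(throttle: LoginThrottle, account: str, supplied: str,
                  salt: bytes, stored_hash: bytes) -> tuple[bool, float]:
    """Returns (authenticated, seconds_until_next_allowed_attempt).
    A locked account is rejected before the password is even compared, so the
    throttle bounds the guess rate regardless of how fast the hash is."""
    remaining = throttle.seconds_locked(account)
    if remaining > 0:
        return False, remaining
    # compare_digest keeps the comparison time independent of where hashes differ
    if hmac.compare_digest(hash_password(supplied, salt), stored_hash):
        throttle.record_success(account)
        return True, 0.0
    return False, throttle.record_failure(account)


if __name__ == "__main__":
    # Constructed user record and a fake clock to drive the demo deterministically.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    salt = b"constructed-salt"
    stored = hash_password("correct horse battery staple", salt)
    for guess in ["123456", "qwerty", "Password123!", "letmein", "Summer2018!", "admin"]:
        print(guess, attempt_login(throttle, "alice", guess, salt, stored))
    now[0] = 61.0  # first lockout has expired
    print("real password", attempt_login(throttle, "alice", "correct horse battery staple", salt, stored))
```

The important design point is that the lockout check happens before any password comparison, and that a success resets the counter only for that account: an attacker cannot clear the throttle for a victim by logging into their own account.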
Good news then I suppose. They did, that's not what happened. People abused password reset, with the canonical example being Paris Hilton using her dog's name as a security question.