SOLVED: Resetting your Apple ID with cut-and-paste enabled



Tuesday, January 24th, 2012 at 12:38 pm | 4,919 views | trackback url

If you’re like me, you have lots of passwords. More than you can keep in your head. So, you use an app like KeePassX to hold and secure them all.

I keep all of my passwords securely stored in Dropbox so they are accessible via my computers and my BlackBerry device (via the FileScout Dropbox plugin), and it works well. I also sync that data into SpiderOak as an additional, very secure backup of my backup.

My passwords tend to be very complex and lengthy, on purpose. Here are some example passwords that are similar to those I use every day (no, these are not my actual passwords, but these are real, valid passwords I would use, generated by KeePassX’s generator):

1.) {>"L-).df_7jGWGeK9fy,agF
2.) UY}\.YX_zG#mP2KSo%nHM-t!
3.) axA-O=Af6nAMW_Og%H2WkC/
4.) -A&Xh0ag^6(uMNlt+WyF_K"S
5.) =C\;NPk4Cz5Hyte-a,_nUhpx
6.) Dn-99kMeNF]jr_#7"<3]#dBY

These are 158-bit (24-character) passwords that KeePassX generated for me for this article. It may look like random keyboard hammering noise, but those are real passwords. And there's no way I'm going to remember those.

My Apple ID contains a similarly complex password, and I recently had to reset it because Apple "forgot" my password, but Apple's site refuses to let me paste those complex passwords into their web form entry dialog because of the heavy-handed JavaScript on the page.

What this does, is encourage people to pick "simpler", less secure passwords. Shame on you Apple, shame on you!

Here's how I figured out how to fix it:

I went to https://iforgot.apple.com/ and was asked for my Apple ID and clicked "Next".

I entered my ID, and was presented with two options:

I initially chose the "Answer Security Quesitons" option, thinking it would be faster (it wasn't). It asked for my birth date as one of the questions (and failed to validate it as correct on at least 2 attempts), and then asked one of my other security questions:

I answered that, and was presented with a dialog that looked like the one below. Here's where the problem starts.

The issue here is that Apple, in their infinite wisdom, decided that permitting cut-and-paste on this page, is not allowed. They deny it, so you have to manually enter the password into this dialog.

As you enter it, a popup shows you whether your password is secure, insecure, or meets the criteria for what they deem to be appropriate, based on these rules:

But you can't paste a password into this dialog, such as one cut from your KeePassX screen or another document or page or your clipboard.

You also can't see what you're typing to make sure you're getting it correct. Was that a SHIFT+A, or just an 'a' typed on the keyboard? I don't know.

And you have to repeat this twice to get it right. No thank you. If I typo it wrong twice (hitting SHIFT+A both times when I meant to just type 'a'), you're screwed, and will set a password that you can't use.

Since they're just validating this with JavaScript, you would normally just have to disable JavaScript, cut and paste into the text fields, re-enable JavaScript and click "Reset Password", but no, not here, that won't work.

They tried to be keen, but failed.

Enter Firefox + PrefBar from Manuel Reimer to the rescue.

What you have to do is this:

  1. When you get to the password reset entry form, put your cursor in the top dialog. It will go from showing the grey words, to blanking out with lighter grey words and your cursor blinking in the left side, as a vertical black bar, like the image below:

  2. Now uncheck "JavaScript" from the PrefBar options bar in your browser:

  3. With JavaScript unchecked, paste your password into the dialog. What is important here is that you do not click anything else after you uncheck the "JavaScript" checkbox in PrefBar.

    If you attempt to put your cursor back into the top entry dialog, it will blank it out, removing the cursor and you won't be able to paste into the box. Just uncheck JavaScript and immediately paste the password you have in your clipboard into the page. It will fill out the top dialog, and look like this:

  4. Now go back up and re-check the "JavaScript" box on PrefBar (enabling JavaScript)

  5. Put your cursor into the second password entry box..

  6. Immediately go back up and disable "JavaScript" again, but do not click anywhere else!

  7. Now immediately paste the same password again into the second entry box. It will look like this when you're done with this step:

  8. At this point, go back up to PrefBar and re-enable JavaScript, then click on "Reset Password". Apple's form will correctly validate your changed password and save it for you.

Problem solved!

Now the bigger problem is trying to teach these companies and industry that encouraging users to lower their security is not the solution. They need to support and encourage stronger encryption, lengthier passwords and more responsible behavior with their private data and user identification.

Apple, what are you doing to address this? Anything at all?

Last Modified: Tuesday, January 24th, 2012 @ 22:52

Leave a Reply

You must be logged in to post a comment.

Bad Behavior has blocked 22339 access attempts in the last 7 days.