Four and a Half Apple Passwords

Apple Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).

The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:

  • Screen lock password (this is your iPhone passcode)
  • iCloud password (this is your Apple Account password)
  • iTunes backup password (protects backups made on your computer)
  • Screen Time password (secures your device and account, can protect changes to above passwords)
  • One-time codes (the “half-password” if your account uses Two-Factor Authentication)

In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.

Screen Lock Passcode

This is the most important and most profound password (or, rather, a passcode). This is the password most (if not all) users set when they set up their new iPhone. By default, the length of the screen lock passcode is 6 digits. If you try hard, you can still opt to use the “old style” 4-digit PIN, or select a custom alphanumeric password if you believe you have something to hide. While you can technically set up your device without a password, making this choice will limit your ability to access some of the iPhone features such as Apple Pay. Without a screen lock password, you won’t be able to sync your Web site passwords, messages and Health data to iCloud.

Apple Passwords

We had a comprehensive review of iPhone passwords in Protecting Your Data and Apple Account If They Know Your iPhone Passcode, and a follow-up (which also includes some info on biometric usage) in Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12.

If you forget your screen lock passcode

If you are an ordinary user, you won’t be able to unlock your iPhone, period. You can, however, reset the iPhone, thus getting rid of the passcode and all of your data. (Make sure you have backups in iCloud and/or on your computer.) Once you have successfully reset your iPhone, your iCloud password will be absolutely required to set it up. (See? There you are, the first relationship.)

  • You can wipe the device to reset the screen lock passcode. However, you will require your iCloud password to re-activate the device afterwards.
  • You may be able to attack the screen lock password if you work for the law enforcement, have access to some very restricted software or services and the device is compatible. Even then, there could be multiple issues, and many, if not most devices may not be unlocked in reasonable time.

If you know the screen lock passcode

If you know the screen lock passcode, you can do all of the following:

  • Unlock the device even after cold boot
  • Connect to USB accessories (unlocking the device disables USB restrictions)
  • Pair the device with the new computer and make a new local backup
  • Change the iCloud password and trusted phone number (only on 2FA accounts; one-time 2FA password not required)
  • Reset (remove) the iTunes backup password (if Screen Time password is not set)
  • iOS 13: Change or set new iTunes backup password
  • Update iOS
  • Reset the device to factory settings
  • View passwords saved in the keychain
  • Access certain types of data from iCloud (iCloud password and one-time 2FA password required). This includes iCloud keychain, Health data, synced messages, Screen Time data
  • Perform physical analysis. If the device screen lock passcode is known and there are no Screen Time restrictions on installing apps, you may be able to jailbreak the device, extract the file system and decrypt the keychain with iOS Forensic Toolkit. The keychain obtained as a result of physical extraction will contain the Screen Lock password and the iCloud password among other things.

The ifs and buts

  • iCloud password can only be changed if the user did not set a Screen Time restriction on Apple Account changes (this can be turned off if you know the Screen Time password; there, another relationship)
  • If the user has a Screen Time password, you will need it (in addition to the screen lock passcode) in order to reset the iTunes backup password
  • Once you set or change your passcode, the device will attempt to connect to iCloud (Confirm iPhone Passcode). This is required to add the device to the Trusted circle. Failure to do so will disable iCloud Keychain and break sync of protected data categories (Health, Messages, Screen Time).

More- Blogs- Microsoft Teams era takes flight inside Microsoft

iCloud password

If you are using iCloud, this password is always set. If you ever downloaded an app from the App Store, you also have this password as your Apple ID password. It is hard to imagine a person who has an iPhone and does not have an Apple ID/iCloud password.

Apple enforces certain minimum requirements on password complexity; all other types of passwords described in this article are usually simpler. In addition to password complexity, users are not allowed to set Apple ID/iCloud passwords matching Apple ID/iCloud passwords they previously used.

The purpose of the Apple ID/iCloud password is protecting access to the user’s online account such as their iCloud data (including iCloud photos and backups), as well as protecting the iPhone against theft. The iCloud password serves as part of an extremely reliable Factory Reset Protection system that makes iPhone theft far less attractive.

This password (and the second authentication factor for 2FA accounts) limits the ability to access iCloud data. Even if you know the Apple ID/iCloud password, this may not be enough to access some types of data. For example, accessing the iCloud Keychain, iCloud Messages, Health and Screen Time data, you will need the device screen lock passcode as well.

Is it possible to access the iCloud without a password? Yes, at least for some data; read Accessing iCloud With and Without a Password in 2019 for more information.

If you forget your iCloud password

What if you forget your iCloud password? Apple has a comprehensive writeup on the subject: If you forgot your Apple ID password. You may be able to reset the iCloud password right from your device (if you know the device screen lock passcode and the account uses two-factor authentication). In addition, you can extract the iCloud password from several sources such as Web browsers with Internet Password Breaker (Windows), macOS keychain with Password Digger, or encrypted device backups (if, in turn, you know the iTunes backup password) with Phone Breaker.

Apple Password1

If you forgot your iCloud password, your options are:

  • Reset from your Apple device (screen lock passcode required, two-factor authentication must be on, but no 2FA code asked)
  • Reset from somebody else’s Apple device (screen lock passcode required, two-factor authentication must be on, one-time 2FA code will be required)
  • Reset via Web browser (different procedures for accounts with or without 2FA; for 2FA accounts, you will be required to enter the one-time 2FA code delivered as a text message to your trusted phone number).

If you know the iCloud password

If you know the iCloud password, you can do all of the following:

  • Regain access to your own device if you forgot its screen lock passcode: reset device via Recovery mode, then enter your iCloud password when prompted during setup
  • Authorize App Store purchases (if biometric identification is not enabled for purchases)
  • Authorize app updates (if prompted, which is seemingly random)
  • Sign in to App Store (for accounts with two-factor authentication accounts, one-time 2FA code required)
  • Extract some types of data from iCloud (accounts without two-factor authentication)
  • Extract some more data from iCloud (two-factor authentication accounts, one-time 2FA code required)
  • Extract even more data from iCloud (such as iCloud Keychain, iCloud Messages, Health and Screen Time) (two-factor authentication accounts, one-time 2FA code required, device screen lock passcode required)
  • Disable iCloud lock, turn off Find my iPhone, perform factory reset
  • Sign in to your Apple Account (for accounts with two-factor authentication accounts, one-time 2FA code required)
  • Remotely locate, lock or erase your devices via Find My (even for 2FA accounts, one-time 2FA codes are NOT required)
  • Change your Apple ID/iCloud password
  • Sign in on Apple devices to make them trusted (for accounts with two-factor authentication accounts, one-time 2FA code required)

The ifs and buts

    • iCloud password can only be changed if the user did not set a Screen Time restriction on Apple Account changes (this can be turned off if you know the Screen Time password)
    • If your Apple account uses two-factor authentication, the iCloud password is almost completely pointless. If you have access to your second authentication factor (trusted iPhone, trusted phone number/SIM card), you can easily change your iCloud password. If, however, you still know your iCloud password but lost access to your second authentication factor, you will be unable to access to your account. There is an extremely lengthy and complex procedure for reinstating your Apple ID, but the result is never guaranteed. In the tests we performed, we had close to a 50-50 chance of success when recovering 2FA accounts without access to the second factor. Maybe this, and not the second factor, should become the one-half Apple password?