(PSA == Public Service Announcement)
Came across this WSJ article in my news feed the other day. It's behind a paywall, so best to check out this YouTube video by the authors.
The long and short of it is that your iPhone passcode is the most important thing when it comes to Apple stuff. With your passcode anyone can reset your iCloud password, and worse they can set a recovery key on your Apple account such that you can’t even get back into your own account. Essentially you are screwed.
The implications of something like that for a heavy Apple user like me are enormous: if my Apple ID is reset and I am locked out of my account, I lose access to all my photos (most of them are in the cloud, and the copies I have on my iPhone or Macs are usually the lower-resolution ones). Most of my stuff is in iCloud, with again only some copies present offline, so I lose my data. I won’t get locked out or anything – I think – but I suppose the attacker could just wipe my other phones and devices if they want?
It’s much worse than say an Instagram hack, at least for a person like me. I knew my iPhone passcode was important, and yes I have it set to a different set of numbers than my other PINs or passcodes, but I didn’t realize it can be used to reset my account and lock me out. That’s HUGE, especially for a device that’s in my pocket and can easily be stolen or lost.
So here are a few things you’ve got to do (and which I did).
- Watch that video obviously. :) I don’t want to take credit away from that.
- Change your passcode to an alphanumeric one – no more 4- or 6-digit numbers only; make it a password, basically.
- Of course, don’t reuse the same password as any other services. And don’t choose something simple like your name. You know, make sure it has special characters and numbers and all that jazz.
- If you are ever entering that password in public, take care. Face ID or Touch ID works almost everywhere, but there are some instances (and especially recently for me, at least, where the device just wants the passcode anyway) where you have to enter the password into the device.
- Use Screen Time (who’d have thought!) to block changes to the passcode and account settings on your iPhone. Since Screen Time has its own separate passcode, which you’d never usually need to enter anyway, this is basically an added layer of protection.
- On your Mac set it to download all your photos in the original format.
- On your Mac, set iCloud to download everything too. (Of course these two steps assume you have a Mac with enough storage – which isn’t usually the case. At least with the photos, I think you can move the photo library to a different drive. But be careful, it is very easy to wipe your existing photos.)
- Set up Time Machine on this Mac so you have backups of these downloaded files. Because what’s the point of an offline download if an attacker deletes files or photos and your Mac deletes them too? So keep a backup.
I suppose the last 3 points are kind of common sense, and I am embarrassed at not already doing that. I used to in the past, but somewhere along the line I stopped doing it. Idiot me.
Update (25th April 2023): A post from TidBITS.