43 Folders

Back to Work

Merlin’s weekly podcast with Dan Benjamin. We talk about creativity, independence, and making things you love.

Join us via RSS, iTunes, or at 5by5.tv.

”What’s 43 Folders?”
43Folders.com is Merlin Mann’s website about finding the time and attention to do your best creative work.

Apple Device Security: Big Temptation to Dumb-Down

Chairman Gruber recently discovered (via his sharp-eyed reader, Earl Misquitta), that the aforementioned iPhone Remote application can also be used as a virtual keyboard for entering search text, login information, and what have you on your AppleTV. Seeing the typed characters appear on the TV screen as you type them is simply magical. So, if, like me, you’re in the amazingly tiny sliver of the Venn diagram for people who own both these products, this is hugely convenient, and what a welcome trick it is.

As I’ve alluded to before, the AppleTV’s torturous keyboard entry (via the hardware Apple Remote’s 4-way joystick) is abysmal. In 21 uninterrupted years of using Apple products, it’s probably the most consistently frustrating and poorly-designed interface I’ve encountered. I literally hate using it.

The ability to enter text via the superior (but far from perfect) iPhone keyboard is wonderful but it doesn’t and can’t address a deeper problem with the keyboard-challenged devices Apple are focused on vending right now: assy and annoying text entry encourages the use of crap passwords. This is bad, and here’s why.

Sliding backward

We’ve all heard the lectures about not using your ferret’s name as The Single Password™ for everything you do, and my sense is that, over the years, a lot of us have tried to get better about password hygiene — especially as more of our stuff moves into an online cloud.

But my entirely anecdotal opinion is that the iPhone, the iPod Touch, and the AppleTV each tempts their users to slide back to dumbing-down their passwords in exchange for better ease-of-use. The most annoying device in your chain ends up driving the passwords you use for everything. Right now, it’s such a pain to enter a secure password on a device like the iPhone or the AppleTV, that I’m betting a few of you have already fallen back on your ferret. Or “pencil.” Or your ATM PIN.

This is an unbelievably bad idea, but what are the options if this is a device you need to use a lot?

A real-world problem

I’m a fervent 1Password user and (unpaid) evangelist, so I don’t suffer from this conundrum quite as badly when using Safari on the iPhone. 1Password generates and remembers secure passwords for me, then lets me enter them on my phone in a few seconds via a password-protected bookmarklet. Imperfect, but a big step up over nothing.

Of course, I’m still SOL when the iTunes App Store wants me to (again again again) manually re-enter my password in order to download apps on my iPhone. I’m not made of stone. This sucks. I’ll even be the first to admit — solely on the basis of how vexing the AppleTV (and non-Safari on iPhone) password entry is — that I’ve been sorely tempted to move to a more trivial password. But I’ve held out.

If you’re using MobileMe, or Google’s apps like Gmail, or any of the other myriad cloud functionalities that store a lot of personal information, it’s just not worth assuming the risk in return for a bit of convenience.

”Four digits? What a pain.”

To make this nuttiness even more frustrating, every day I watch friends entering 4 or 5 character passwords over an iPhone that they don’t even bother to auto-lock (“Meh, I use it too much. It’d be a pain.”). Understand: this is a portable device on which all their email, contact information, and logged-in web accounts live. They’re one drunken taxi ride away from a potentially significant privacy crisis.

While leaving a phone unlocked in public does blow my mind, I think I understand how we got here. For 30 years now, banking customers have tolerated four-digit ATM PINs because a) they’re convenient, and b) our bank assumes some of the risk associated with replenishing a generic pile of money whenever anything goes wrong. After all, it’s not your money that gets stolen; it’s the bank’s electronic representation of your money. And that’s easy enough to replenish.

But is four digits (or a trivial password) enough to protect your irreplaceable private data? Are you willing to assume that risk? It’s unbelievable that the question even needs to be asked. But, I’m going to say, no. But, that’s where we are right now. In a place where ease-of-use is trumping the good sense we’ve developed to take this shit seriously.

Help a brother out, Apple

I think it’s time for Apple and its users to start treating a device such as the iPhone like the powerful little computer that it really is. That means having to risk introducing some inconvenience and complexity by looking at things like:

  • Default automatic iPhone locking - make the default an auto-lock of 15 minutes
  • Make iPhone unlocking easier - consider adding a complex gesture or other “secret knock”
  • Integrated password management - 1Password is great (I’d say it’s even essential), but Apple should step up to help with the heavy lifting from the moment a device is activated. They made the Keychain; they can make it easier to use on an iPhone
  • Look into novel text entry - Is QWERTY keyboard entry the only option people will understand? Are those alphabetical monstrosities on the AppleTV really the best they can come up with? Can the boffins in R&D not scare up some less soul-crushing options?
  • Empowering power users - Even if Apple’s devices ship with the current features exposed in the current default state, I’d love to see Advanced options that can be flipped on by nuts like me. I have to imagine that UNIX nerds, security gurus, and enterprise paranoiacs would welcome the introduction of tougher security. The best and easiest start would be the ability to allow an entirely user-configurable passcode for unlocking. Quick win.

How to Auto-Lock your iPhone

If you’re out and about right now consider doing this on your iPhone:

  • Go Home, then hit Settings > General
  • Hit Password Lock and Enter a memorable 4-digit code (then re-enter)
  • On the Passcode Lock screen set Require Password to After 5 Minutes (or whatever suits you)
  • Back in General hit Auto-Lock and set it to 5 Minutes (or, again, whatever you prefer)
  • You’re done; your phone will now lock itself automatically

At least now your screen door is latched. Go, moblog, and prosper with at least a bit more security in your life.

The Question to You

Has iPhone or AppleTV changed your practices around passwords? Any features you’d like to see to make your Apple device more secure?

About Merlin

Merlin's picture


Merlin Mann is an independent writer, speaker, and broadcaster. He’s best known for being the guy who created the website you’re reading right now. He lives in San Francisco, does lots of public speaking, and helps make cool things like You Look Nice Today, Back to Work, and Kung Fu Grippe. Also? He’s writing this book, he lives with this face, he suffers from this hair, he answers these questions, and he’s had this life. So far.

Merlin’s favorite thing he’s written in the past few years is an essay entitled, “Cranking.”




An Oblique Strategy:
Honor thy error as a hidden intention


Subscribe with Google Reader

Subscribe on Netvibes

Add to Technorati Favorites

Subscribe on Pageflakes

Add RSS feed

The Podcast Feed


Merlin used to crank. He’s not cranking any more.

This is an essay about family, priorities, and Shakey’s Pizza, and it’s probably the best thing he’s written. »

Scared Shitless

Merlin’s scared. You’re scared. Everybody is scared.

This is the video of Merlin’s keynote at Webstock 2011. The one where he cried. You should watch it. »