Security THREAT? Why does setup ask for previous device password?

Marcin Dabrowsky

Active member
Apr 14, 2016
I sold my previous iPhone and went with a Windows Phone for a while. After I sold my iPhone (well, actually before the sale) I made sure to erase all content and remove the device from my iCloud account.

Today I bought a brand new iPhone 7 Plus and started setting it up... I tried to restore from backup, only to find out I didn't have any backups saved. Anyway, I set it up as a new phone. Somehow during the initial setup I entered an alphanumeric code wrong twice and proceeded with setup. When I went in to add a fingerprint, it asked me for the password and I could not put in the correct one. I tried until the phone locked me out. I had to erase remotely using iCloud and restart the setup process from a fresh start again.

I managed to get it to reset through the iCloud find phone feature and, upon turning it on, it asked me for my credentials since it was erased remotely. I entered my iCloud information and password, then proceeded to set up "as new iPhone"...

Here is my problem and question...

At this point, the setup process asked me to enter one of my previous passwords from a list of devices that should have been long gone (removed from icloud account, sold, given away, etc).

I thought Apple does NOT store any phone passwords on any outside servers. Luckily I remembered a password (which was like 14 characters) from a previous device, and upon putting that in, the setup allowed me to continue.

Obviously that old password was stored somewhere online and checked against what I put in when it asked me to.

What's the deal here? Does or doesn't Apple store the phone master password (the main one that encrypts the phone) somewhere online? If that's the case, the entire argument for never storing passwords online and "not being able to reveal to anyone for any reason" is false.

Any light shed on this would be great,
Thanks!
 

doogald

Trusted Member
Oct 23, 2012
Was it a device password or an iCloud account password? Those are two different things. An iOS device with "Find my iPhone" turned on - which it is by default on setup, I believe - will not allow you to activate the phone without the previous iCloud password.
 

Marcin Dabrowsky

Active member
Apr 14, 2016
Device password. Not iCloud password. My iCloud password is not that long. I do not store anything on iCloud. My previous device password was almost 20 characters long. That is the one I had to put in to continue.
 

Just_Me_D

Ambassador Team Leader, Senior Moderator
Moderator
Jan 8, 2012
I sold my previous iPhone and went with a Windows Phone for a while. After I sold my iPhone (well, actually before the sale) I made sure to erase all content and remove the device from my iCloud account.

Today I bought a brand new iPhone 7 Plus and started setting it up... I tried to restore from backup, only to find out I didn't have any backups saved. Anyway, I set it up as a new phone. Somehow during the initial setup I entered an alphanumeric code wrong twice and proceeded with setup. When I went in to add a fingerprint, it asked me for the password and I could not put in the correct one. I tried until the phone locked me out. I had to erase remotely using iCloud and restart the setup process from a fresh start again.

I managed to get it to reset through the iCloud find phone feature and, upon turning it on, it asked me for my credentials since it was erased remotely. I entered my iCloud information and password, then proceeded to set up "as new iPhone"...

Here is my problem and question...

At this point, the setup process asked me to enter one of my previous passwords from a list of devices that should have been long gone (removed from icloud account, sold, given away, etc).

I thought Apple does NOT store any phone passwords on any outside servers. Luckily I remembered a password (which was like 14 characters) from a previous device, and upon putting that in, the setup allowed me to continue.

Obviously that old password was stored somewhere online and checked against what I put in when it asked me to.

What's the deal here? Does or doesn't Apple store the phone master password (the main one that encrypts the phone) somewhere online? If that's the case, the entire argument for never storing passwords online and "not being able to reveal to anyone for any reason" is false.

Any light shed on this would be great,
Thanks!

Unless I misread your post, your initial mistake, at least from what I gather, is that when you set up Touch ID, you mistook the lock screen passcode for something else.

As for Apple storing your iCloud passcode, it has to in order to assist people who may have forgotten it. It is also needed to prevent thieves or people who knowingly or unknowingly purchase iPhones from thieves, etc., from being able to use the phone, unless they can provide the correct passcode.
 

Marcin Dabrowsky

Active member
Apr 14, 2016
Unless I misread your post, your initial mistake, at least from what I gather, is that when you set up Touch ID, you mistook the lock screen passcode for something else.

As for Apple storing your iCloud passcode, it has to in order to assist people who may have forgotten it. It is also needed to prevent thieves or people who knowingly or unknowingly purchase iPhones from thieves, etc., from being able to use the phone, unless they can provide the correct passcode.

I understand what you're saying. It was NOT the iCloud password.

1. I reset the phone using find my phone.
2. I entered my iCloud passcode information to access the initial setup screen (since the phone was erased remotely).
3. I proceeded with new setup.
4. Entered iCloud password
5. Asked to create a new alphanumeric password for the physical phone.
6. ASKED TO CHOOSE 1 OF 5 DEVICES LONG GONE FROM MY ACCOUNT AND ENTER THEIR PHYSICAL PASSWORD.
7. Entered a password for a device sold months ago (thank god for my memory).
8. Proceeded with setup.

I am guessing this was part of the 2 factor authorization.

My issue is the fact that the long password from that particular physical device which I sold was still stored on Apple's servers.

Now, it was a very strong password, and I assume that it would take thousands of years to brute-force, but it effectively bypasses the 10-try limit. Someone could take that file and throw a couple of supercomputers at it and go to town. Not that I really care about something like that happening, but it just surprised me that it was able to use the password of an old device that has been sold off for the 2F security authorization.
 

Ledsteplin

Ambassador
Oct 2, 2013
I understand what you're saying. It was NOT the iCloud password.

1. I reset the phone using find my phone.
2. I entered my iCloud passcode information to access the initial setup screen (since the phone was erased remotely).
3. I proceeded with new setup.
4. Entered iCloud password
5. Asked to create a new alphanumeric password for the physical phone.
6. ASKED TO CHOOSE 1 OF 5 DEVICES LONG GONE FROM MY ACCOUNT AND ENTER THEIR PHYSICAL PASSWORD.
7. Entered a password for a device sold months ago (thank god for my memory).
8. Proceeded with setup.

I am guessing this was part of the 2 factor authorization.

My issue is the fact that the long password from that particular physical device which I sold was still stored on Apple's servers.

Now, it was a very strong password, and I assume that it would take thousands of years to brute-force, but it effectively bypasses the 10-try limit. Someone could take that file and throw a couple of supercomputers at it and go to town. Not that I really care about something like that happening, but it just surprised me that it was able to use the password of an old device that has been sold off for the 2F security authorization.

Are you talking about the passcode used to open the phone? Any time I get a new phone, I'm asked if I want to use the old one or set up a new one. Your passcode is safe. Did you enable 2F?
 

Marcin Dabrowsky

Active member
Apr 14, 2016
Yes, 2F was enabled. Yes, it asked me for an old device password BEFORE I could proceed with setup, even though all my old devices were sold. Where does Apple store those old device passwords? I thought they were only stored on the device itself.
 

Ledsteplin

Ambassador
Oct 2, 2013
Yes, 2F was enabled. Yes, it asked me for an old device password BEFORE I could proceed with setup, even though all my old devices were sold. Where does Apple store those old device passwords? I thought they were only stored on the device itself.

If they were only stored on the device, how would you get it with a new phone? No one can access it but you, just like your Apple ID.
 

Marcin Dabrowsky

Active member
Apr 14, 2016
If they were only stored on the device, how would you get it with a new phone? No one can access it but you, just like your Apple ID.

I guess I assumed it is the same as it is on my Mac. Once I encrypt the machine, it asks me, in case I forget the pw, whether I want to store the password on iCloud or not (giving me an option to write down the ?hash? recovery password it displays after encryption has completed).
 

Ledsteplin

Ambassador
Oct 2, 2013
I guess I assumed it is the same as it is on my Mac. Once I encrypt the machine, it asks me, in case I forget the pw, whether I want to store the password on iCloud or not (giving me an option to write down the ?hash? recovery password it displays after encryption has completed).

That's probably iCloud Keychain. It asked if you wanted the password or passcode stored there. Here's info on Keychain.

https://support.apple.com/en-us/HT204085

https://www.google.com/amp/s/www.imore.com/icloud-keychain?amp
 

BreakingKayfabe

Well-known member
Sep 12, 2008
Yes, 2F was enabled. Yes, it asked me for an old device password BEFORE I could proceed with setup, even though all my old devices were sold. Where does Apple store those old device passwords? I thought they were only stored on the device itself.

This is a great question. I was recently helping my stepmom set up her iCloud to be more secure. While doing some stuff on her 7 Plus after I updated iCloud, I kept getting asked this question for a really old 5S that she owned, which is now long gone.
 

doogald

Trusted Member
Oct 23, 2012
Yes, 2F was enabled. Yes, it asked me for an old device password BEFORE I could proceed with setup, even though all my old devices were sold. Where does Apple store those old device passwords? I thought they were only stored on the device itself.

Apple would not store old device passwords. They use a one-way cryptographic hash function, probably with a "salt". When you enter the passphrase, they apply the same hash function and compare the hash results.

Cryptographic hashes cannot be reversed, so Apple (or anybody who can get access to it) cannot reveal the actual passphrase.

If you go into the iCloud settings on your phone, iPad, or on a web browser, it will list the devices associated with your account, and you can remove devices that you no longer own.
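To make the salted-hash check described in the post above concrete, here is an added illustrative example; it is not Apple's code, and Apple's actual mechanism is not described in this thread. The record format, the PBKDF2 work factor and the sample passcode are all assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for PBKDF2-HMAC-SHA256; a slow, iterated hash is what
# makes offline guessing of a stolen record expensive. (Illustrative value.)
ITERATIONS = 200_000


def enroll_passcode(passcode: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a server could keep for a device passcode.

    The record holds a random salt and the salted, iterated hash; the
    passcode itself is never written anywhere. A fresh salt per record
    means two devices with the same passcode still get different hashes.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_passcode(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    This is the check the post describes: the server never recovers the
    passcode, it only learns whether the candidate hashes to the same value.
    """
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def record_leaks_passcode(record: dict, passcode: str) -> bool:
    """True if the plaintext passcode appears anywhere in the stored record."""
    return any(passcode in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample: the passcode of a device sold long ago.
    old_device_passcode = "Old-iPhone-Passcode-2016!"
    record = enroll_passcode(old_device_passcode)
    print("stored record:", record)
    print("correct passcode accepted:", verify_passcode(record, old_device_passcode))
    print("wrong passcode rejected:", not verify_passcode(record, "Old-iPhone-Passcode-2016"))
    print("plaintext present in record:", record_leaks_passcode(record, old_device_passcode))
```

The record can still be used to verify a passcode for a device that is no longer on the account, which is why the prompt described in the thread is possible without the passcode itself ever being stored.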
 

BreakingKayfabe

Well-known member
Sep 12, 2008
Apple would not store old device passwords. They use a one-way cryptographic hash function, probably with a "salt". When you enter the passphrase, they apply the same hash function and compare the hash results.

Cryptographic hashes cannot be reversed, so Apple (or anybody who can get access to it) cannot reveal the actual passphrase.

If you go into the iCloud settings on your phone, iPad, or on a web browser, it will list the devices associated with your account, and you can remove devices that you no longer own.

I see what you're saying about how the password is actually protected through the method you're explaining, but why would I still be asked for that password for a device that she got rid of a long time ago and that wasn't on her device list in iCloud when I was setting up 2-factor for her? I'm not doubting you at all. I just want to know what the reasoning behind that is. I still can't set it up for her because it's asking for that password which, by the way, she has tried to remember, and we have tried multiple, but they don't work.
 

doogald

Trusted Member
Oct 23, 2012
I see what you're saying about how the password is actually protected through the method you're explaining, but why would I still be asked for that password for a device that she got rid of a long time ago and that wasn't on her device list in iCloud when I was setting up 2-factor for her? I'm not doubting you at all. I just want to know what the reasoning behind that is. I still can't set it up for her because it's asking for that password which, by the way, she has tried to remember, and we have tried multiple, but they don't work.

You'll have to call Apple Support to get an answer to this question. (I'd be interested to know what they say in response.)
 

klimbo13

Member
Aug 8, 2018
An iPhone 6 Plus' Touch ID stopped working and the user couldn't remember the passcode and, after many failed attempts, was forced to choose between setting up as a new iPhone or restoring from backup.