Apple Devices all requesting passwords

Yes, but if you want to reuse them, do so with caution. The reason for an app-specific password is so that if one gets leaked (buggy/malicious software or server), the attacker can’t use it on your other accounts, and so you can revoke/change it without breaking other apps.

I see no problem reusing an ASP across multiple installations of a single app, but I would think long and hard before reusing it for apps from different vendors.

Yes, it is reusing passwords, which is a big no-no. Like all security measures, it is a balance between security and inconvenience. I have only ever had three apps using the same ASP, and two were from the same company (BusyMac), and I judged that the risk was acceptable to me. If I had had many more I might have decided differently. In fact, since then I have stopped using one of the apps, and now that the ASP has been revoked I am only using the same ASP across the two BusyMac apps.

I use BusyCal on multiple devices. After setting a new app-specific password for my main iMac running Ventura, I was unable to use the same password on my old iMac running High Sierra, forcing me to create a new one.

Perhaps a little insight into the password reset issue. My wife’s phone, which uses only an iCloud.com email, didn’t have the reset issue. Only my devices, with an Apple email going all the way back to the beginnings of dot Mac.

So what is to stop a malicious person guessing, or discovering, an Apple ID email and attempting to log into iCloud with it numerous times so that a lock-out by Apple is triggered? Not to break into the account - just to be nasty.

It would seem the only way to avoid this is to use a “secret” email as your Apple ID. Not much help if you already have an Apple ID and want to retain all your iCloud and account data.


I’m not sure if I can sign in using a Mac.com or me.com address. I actually don’t know when I created my account, but maybe it’s like yours after all. I’ve had it for at least 10 years, possibly even since the iTools days.

(I actually don’t use the iCloud.com email address to sign into my account. I use my own, non-Apple email address. The iCloud email is part of my Apple ID and can’t be deleted from it. But fwiw, the iCloud address is listed under the email addresses in my Apple ID, whereas there are no Mac or me.com addresses there. Dunno if these still exist as hidden aliases.)

Mine is also from iTools days, but the email & phone numbers list in my Settings > Apple ID > Sign in and Security shows mac.com, me.com and iCloud.com… so not the same as you. However, since yours is also old, that is maybe why it affected you.

And it will be hard to maintain secrecy as your Apple ID can appear in a lot of places, not just “sign in with Apple”, but also “Pay with Apple Pay”, iMessage, etc.

It is sounding like either someone ran a dictionary attack on iCloud.com, me.com, etc. or there was a targeted run of leaked emails against Apple IDs timed for a weekend when they hoped it wouldn’t be spotted so quickly.


Same here - longtime user of mac.com and me.com emails and yesterday got locked out. Reset password and have spent the next day filling in passwords on different devices, from Smart TVs to iOS devices. Now found my App Specific Password for Outlook does not work - GRRRR


This also happened to me, a big PITA!

Mine is a mac.com address as well…


Like most everyone else, I found out (Fri eve, 4/26) that I was locked out of my iCloud account. I was at a restaurant and got multiple notifications on my watch, but ignored them. Assumed it was a malicious attack attempt, as I hadn’t requested anything. The next morning I went through the ritual of re-verifying my identity through Apple and resetting my password. (My hypothesis was that someone had triggered all this by making multiple login attempts on my iCloud account.)

Within minutes I received an email, “You Have Been Hacked”, trying to extort me. It began with “Hello pervert, I’ve sent this message from your iCloud mail.I want to inform you about a very bad situation for you.” Blah blah blah. Pay the ransom and you’re good… Etc. The sender spoofed the “From” address as my iCloud email address. My hypothesis, it seemed, was gaining some credibility.

As I was not fully awake at that point, this email was, at first, rather worrying. With the help of some caffeine, I soon recognized it as a well-known phishing attack. (Google some of the words in the preceding paragraph.)

At this point it morphed into being more amusing than worrying… I’m still struck, though, by the apparent coincidence.
