[MlMt] iCloud accounts require an app specific password starting June 15th

[Philip Paeps]

On 2017-06-15 00:46:17 (+0200), Bob Stern <bobs.lists at icloud.com> wrote:
> FYI, a counter-intuitive aspect of app-specific passwords is that they 
> need not be specific to a single application.  Although Apple can 
> issue up to 25 different app-specific passwords for a given iCloud 
> account, the account owner can elect to use a single app-specific 
> password for multiple applications.
>
> As Benny states in his blog post, an application is not restricted to 
> a specific subset of iCloud data, which seems to defeat the purpose of 
> app-specific passwords.  The only advantage I can think of for 
> creating different passwords for different applications is it enables 
> you to revoke one application's access to iCloud if, for example, you 
> stop using the application or the application is acquired by a company 
> with notorious privacy practices.

You could also read this as "device specific password" so you can revoke 
access for a device (and all the applications on it) when it gets stolen 
or lost.

There is zero added value to having different passwords for contacts, 
calendar and mail on your laptop.  Being able to kill access for the 
laptop without having to change the password on your phone makes sense.

The main benefit of x-specific passwords -- if implemented correctly -- 
is that they only give access to (possibly a subset of) your data and 
not to your account itself.  In other words: if implemented correctly, a 
compromised x-specific password cannot be used to change your account 
password, create new x-specific passwords or revoke access from other 
x-specific passwords.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Ministry of Information