Why is Apple telling me to change the password after receiving a password reset email

Tags: apple-id, email, password, security

I received an email telling me that someone requested a password reset for my Apple ID.

Dear ___,

You recently made a request to reset your password or unlock your Apple ID. Please click the link below to continue.

Reset Password or Unlock Apple ID >

If you did not make this change or you believe an unauthorised person has accessed your account, go to iforgot.apple.com to reset your password without delay. Following this, sign into your Apple ID account page at https://appleid.apple.com/gb to review and update your security settings.

Sincerely,

Apple Support

The part highlighted in bold seems to be saying that I should reset my password. Why?

Here is my general understanding of password reset procedures:

  1. Someone requests a password reset (any person can do this for any account)

  2. An email containing next steps is sent to the account holder's email

  3. The email from step 2 is required to actually perform the password reset

Therefore, unless my email is compromised (which I have no reason to believe), there is no reason to think my Apple ID is at risk, based on the information provided so far. Right?

I also asked @AppleSupport about it on Twitter:

And so they said:

If you did not request this change, for security reasons, update your password.

Given that anyone on the internet can request a password reset for any account, and given that doing so is futile without access to the account holder's email, what security reasons could Apple possibly be talking about?

As an example of why I think this could be a silly suggestion, let us suppose somebody wanted to annoy somebody else: all he would need to do is send repeated password reset requests. Should the recipient then feel obligated to change his password each time, "for security reasons"?

So, why is Apple saying that I should change my password? And if the answer is "security reasons", what are some examples?

Best Answer

I'm not sure this question is actually on-topic here because you're effectively asking why Apple does something? That said, I offer this answer in the event it is kept open, and because I have worked in the IT Security field.

At the outset, I'm assuming that the email you received was a genuine email from Apple and not a phishing attempt.

The reality is that if someone other than you has requested a password reset, then you should assume they are up to no good. And, if that is the case, how many of your other online services are they also trying to access/reset?

Unfortunately, many online users use the same password for many accounts. And this vulnerability is the number one way that hackers (etc) breach accounts. For example, you would have heard of the iCloud leaks of celebrity photos (known as The Fappening) that occurred in August 2014. While at first it appeared that the fault was somehow related to Apple's iCloud services, after an investigation Apple stated:

The leaked images were the result of compromised accounts, using "a very targeted attack on user names, passwords and security questions, a practice that has become all too common on the Internet". None of the cases we have investigated has resulted from any breach in any of Apple’s systems including iCloud® or Find my iPhone.

Source: Apple Media Advisory

This highlights why Apple would want you to change your password. Say you were being targeted by someone, by obtaining your password from one site they know there's a good chance you've used the same password on another. And if someone has deliberately tried to reset your Apple ID password, then from a risk management perspective you have to assume they've also tried accessing some of your other online services.

So, by Apple telling you to reset your password on their service, they are trying to help you manage that risk.

Unfortunately, it's often not just the same password people use on their accounts, but the same security questions, the same recovery emails, etc. So, resetting your password is an excellent precautionary measure to take.

Finally, by Apple stating in their email to reset your password without delay, they are exercising their duty of care and this would be very important in the event of a breach and/or subsequent legal action.