Tuesday, July 29, 2008

iPhone unable to log in to iTunes Store

I ran into an unexpected problem this morning after my iPhone 3G informed me that updates were available for my current favourite time-waster, Aurora Feint. While I downloaded the game through iTunes on my PC and synced it over to the iPhone, the updates are downloaded over the air, so to get them I had to log into my iTunes account on the iPhone for the first time.

First attempt failed. Now, I'm still not quite up to speed on typing on the iPhone keyboard, so I figured I'd got it wrong and tried again. Still wrong password, even though I made sure I got it right. I even double-checked that I had the right password by logging into my account from my PC.

Then I had an idea - being Norwegian, my password contains "funny" characters. Could the iPhone be messing up the input of special characters, even though it properly displays them and makes them available for input?

I changed my iTunes password to "safe" characters only, and tried logging in from the iPhone again. Success first time - my hypothesis was strengthened.

To confirm my findings, I went back to my account page in iTunes and tried changing the password back to my original one.

Password contains an invalid character. Only letters, without accents, numbers, and simple punctuation may be used. Your password contained unacceptable characters.

Hmmm. But this is my OLD password that was perfectly fine all along? (Except not being able to log in from my iPhone, obviously ...)

So - a couple of problems with this approach, Apple:
  • Limiting passwords to 7-bit ASCII characters is a Bad Thing.
  • Not realising that TWOTUS(*) has more than 26 "letters, without accents" is a Bad Thing.
  • Changing the set of allowable characters in the passwords after making your service 'live' is a Bad Thing.
  • Not detecting existing passwords with newly outlawed characters and informing your users is a Bad Thing. (**)
  • Reducing your server security to accommodate "inferior" clients is a Bad Thing. (Assuming this is iPhone/iPod-touch related, that is. I can't think why else you'd do it, though.)

Not impressed. Must do better.

(*) TWOTUS: The World Outside The United States.

(**) Note on password security:
You should NOT be able to scan your database of existing accounts to find the offending passwords, but it should be trivial to hook into the validation process at log-in to discover accounts with newly-invalidated passwords.
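An added example (not the post's or Apple's code) of the approach note (**) describes: keep only salted hashes, and run the new character policy against the submitted plaintext only after a login has verified, queueing a notice for the account if it fails. The allowed-character set is an assumed reading of the error message quoted above.

```python
import hashlib
import hmac
import os
import string
import unicodedata

# Assumed policy, modelled on the error text quoted in the post:
# unaccented letters, digits and a constructed "simple punctuation" set.
SIMPLE_PUNCTUATION = set("!@#$%^&*()-_=+.,;:?")
ALLOWED = set(string.ascii_letters + string.digits) | SIMPLE_PUNCTUATION


def disallowed_chars(password):
    """Characters in the submitted password that the new policy rejects."""
    return {c for c in password if c not in ALLOWED}


def hash_password(password, salt):
    # Normalise to NFC and encode as UTF-8 before hashing, so a client that
    # sends the same characters in a different Unicode form still verifies.
    data = unicodedata.normalize("NFC", password).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, 100_000)


class AccountStore:
    """Constructed in-memory store: salted hashes plus a 'needs notice' set."""

    def __init__(self):
        self.accounts = {}         # username -> (salt, hash)
        self.needs_notice = set()  # accounts to tell about the new rules

    def create(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = (salt, hash_password(password, salt))

    def login(self, username, password):
        """Return (authenticated, flagged).

        The policy check runs only after the hash verifies, so a wrong guess
        learns nothing, and only the submitted plaintext is ever inspected.
        """
        rec = self.accounts.get(username)
        if rec is None:
            return False, False
        salt, stored = rec
        if not hmac.compare_digest(hash_password(password, salt), stored):
            return False, False
        flagged = bool(disallowed_chars(password))
        if flagged:
            self.needs_notice.add(username)
        return True, flagged
```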

2 comments:

Anvil said...

You are right about (stevejobsgreedinfestedRotten) Apple. The iPhone is a hi-tech money sponge designed to funnel our hard-earned funds into Steve & Pals' bank accounts via iTunes, etc... No (effective) security does not bother Apple. As long as they get their .99 (why not just call it a f**king dollar?). All on-board passcodes are 4 digits. Need I say more? Anvil

Rob said...

Hey, what's up... I found your blog spot looking for someone who might have encountered a password problem with Subversion for the same reason. I have a user who is TWOTUS and I am assuming that he had an invalid char in his password. Apache and Windows passed it along just fine, but when it ended up at the Subversion repository it would get rejected. User changed his password and is working fine now.