Password review and sanity check in iOS

My Spotify account got hacked the other day. I was using a really insecure password that was identical to that of another login I used from a site that had been compromised.

So either someone guessed it or “acquired” it.

Either way, I know it got hacked because at 5:15AM yesterday morning I was listening to a Mozart concerto and then all of a sudden my HomePod started playing some crazy noises that I would have never queued up.

I was expecting the adagio movement of Mozart’s clarinet concerto and got this masterpiece instead!

Groggily looking at my play history in the early morning hours, it was clear that someone else was simultaneously logged into my account. I didn’t jump to action on it but figure I’d deal with it later.

Then, later in the evening all the family accounts associated with my membership stopped working. The natives grew restless and I needed to deal with the situation.

So I changed the password and thought things would be fine.

But this other party was still logged in!

Simply changing your Spotify password doesn’t log out all the other instances of the app. So this time I changed the password and found the button on the Spotify page for “logout All devices.” Additional help here on dealing with compromised Spotify accounts.

This seemed to do the trick. But got me thinking, man, what other accounts have I used that password for?

My MacBook is out of order for a bit so I’m exclusively on iOS 13 and had no idea how to edit the keychain data on my iPad.

Turns out, not only is it pretty easy but Apple does a really decent job of alerting you to:

  • When you’ve stored an insecure/short/easily guesable password
  • When you’ve used the same password on multiple sites

Simply go to:

Settings->Passwords & Accounts->Websites & App Passwords

There you’ll see all of your saved passwords.

If you look for entries that contain a little warning sign like this with the little triangle:

You can click through to those entries and iOS will tell you that the password is either insecure (too easy) or used in multiple locations (a bad practice).

I still have some warnings on mine, but I’ve changed all the passwords that matched the one of the account that was compromised, so that’s a step in the right direction.

Anyway, hope this helps.