That's according to a new patent, received by Apple last week, which proposes embedding password recovery secrets--or even encrypted passwords--in a microchip that's placed inside a power adapter, then paired with a specific smartphone or laptop.
Power adapters, however, aren't the only candidates for storing backup passwords. In its patent application, first filed on July 1, 2010 by Apple's VP of software technology, Guy Tribble, Apple said that passwords or recovery secrets could be stored on any "peripheral or companion device"--including a wireless router, backup drive, external monitor, or even flash drive--together with a fingerprint that ties the password to a specific device. Then, whenever the laptop or smartphone and the peripheral device were connected, an automatic handshake could automatically unlock any stored password or password recovery secret. Or if the devices hadn't yet been paired, the operating system might suggest that users store a backup password on the peripheral device.
According to Apple, the benefits of this password-backup approach would be two-fold. First, people would have an easy way to log into their device in the event that they forget a password. Second, people would be more likely to use unique passwords--which are much tougher for attackers to crack--if they knew that those passwords could be easily recovered if forgotten. This, in turn, would help stop more opportunistic thieves--who steal devices from people when they're out and about--from recovering any information off of a stolen device.
Notably, any stored password--or password hint--would be encrypted using a large, unique number to make recovering it via a brute-force attack difficult. The same password, or completely different passwords, could also be distributed to different peripherals. Then, if a user needed to recover a given password, they could initiate a password-recovery process, at which point they would be prompted to plug in a specified peripheral which contained the required password. Alternately, users could store only password hints and plug in the correct peripheral to retrieve those.
Apple said the impetus for its new password-recovery approach was to protect mobile devices. "Although it can be difficult to provide both convenient password recovery and security in all use scenarios, one increasingly important scenario involves protecting a portable computing device when a user carries the device separately from a commonly associated peripheral device," according to Apple's patent filing.
In other words, Apple's security approach has a caveat: it's predicated on users not carrying a paired power adapter--or other peripheral with password-recovery information--with the device. Of course, given the pesky battery life (or lack thereof) that many types of mobile devices sport, in fact users will often be carrying power adapters with them. Accordingly, what happens if attackers manage to steal both a laptop or smartphone, as well as a power adapter containing password data for the device? To help mitigate those types of scenarios, Apple's patent also proposes using a server to add a third layer of security.
Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)