If Your iCloud Password Is On This List, Change It Before You Get Hacked

Somebody just uploaded a password-hacking tool called iDict to GitHub that promises to use good old-fashioned brute-force guessing to crack iCloud passwords. The tool also claims to evade the rate limiting and two-factor authentication that are supposed to stop brute-force attacks against Apple's login. But it's not quite as bad as it sounds.

iDict's reach is limited by the size of the dictionary it guesses from. So you're only in danger from this particular tool if your password is on the 500-word list bundled with it. Every entry on that list fulfils Apple's complexity requirements for an iCloud password, which is exactly the point: meeting the rules is not the same as being hard to guess. If you're using one of these rather obvious passwords, change it anyway. Here are some examples:

  • Password1
  • Passw0rd
  • Pa55word
  • Password123
  • ABCabc123
  • Devil666
  • Fuckyou2
  • ILoveYou2
  • Blink182

These are the same kinds of passwords that turn up almost every year on the most-used password lists, making it stupid simple for attackers to wreak havoc. They also follow many of the bad password practices we've pointed out before: a dictionary word, capitalised first letter, a digit or two tacked on the end. So for God's sake, change your password if you use one like this! And if you haven't already, enable two-factor authentication on all your accounts, just for good measure.

All that said, iDict isn't really a plug-and-play hacking device. The developer behind the tool isn't a friend to script kiddies; he's trying to prove a point: despite the security updates Apple shipped after the brute-force attack that gave hackers access to countless celebrities' nude photos, iCloud still isn't completely secure. Apple needs to fix the "painfully obvious" bug before it's "privately used for malicious or nefarious activities," he explains on GitHub. We've reached out to Apple to find out what they're doing about the vulnerability.

It seems like it wouldn't be that hard to swap the 500-word list for a longer, better one. Then a tool like iDict could do real damage. Not to mention that ne'er-do-wells are probably going to use this tool as-is until the flaw gets fixed. So double-check your iCloud password against this list now, and pick something better even if your bad password isn't listed. Protect yourself while Apple is still shoring up that security. [GitHub via 9to5Mac]


Comments

    There's an ancient utility called "Crack" that does a decent job of exploring the password space.
    - Start with a list of every known word in English or any other language, a book of baby names, all very well-known book titles, and all characters in those books. Add strings of characters from the keyboard. The resulting list will be large, but not more than a few million words.
    - Vary capitalisation on those words.
    - Make common substitutions: 4 for A, 5 or $ for S, 1 for "l", ! for "i", and so on.
    - Add a couple of random letters, digits or punctuation marks to the beginning or end of these.

    There are several billion combinations from this; a computer can't test all of them online, but attackers may be able to observe your encrypted password and check it against a database of similarly encrypted passwords. Remember, a hacker may have effectively unlimited CPU (from botnets) to work with.

    In essence, if your password can be derived from the above rules, it isn't particularly secure. This is why vendors warn when encrypted passwords are stolen. If your password can be derived from the above rules, you need to change it.

    Also, if it follows certain common patterns, such as the one Microsoft use for their Office365 passwords (upper-case letter, 3x lower case letters, then 4 digits) it also isn't secure.

    Watching Crack work its way through an encrypted password database is scarily impressive. When I tried it, many years ago, it managed about a 30% hit rate on the password database.
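Editor's note: the following is an added example written for this page. It is not iDict, Crack, Apple code, or the commenter's own code. It puts the article's advice ("check your password against the list") and the commenter's mangling rules (vary capitalisation, substitute digits and symbols for letters, add a couple of characters at either end) into one runnable check. Rather than generating the whole forward space of candidates, it works backwards: strip every possible prefix and suffix, undo the substitutions, and look the core up in a base-word list. The base-word list, the `0`→`o` and `3`→`e` substitutions, the affix length of 3 and the "8+ characters, upper, lower, digit" policy are all assumptions made here for illustration, not facts stated on the page.

```python
# Added example for this page (not iDict, Crack or Apple code): decide whether a
# password is (a) on the article's sample list, (b) derivable from a dictionary
# word by the mangling rules described in the comment above, and (c) nonetheless
# compliant with an assumed iCloud-style complexity policy.
from typing import Optional

# Constructed sample data: the passwords quoted in the article.
SAMPLE_LIST = {"Password1", "Passw0rd", "Pa55word", "Password123",
               "ABCabc123", "Devil666", "Fuckyou2", "ILoveYou2", "Blink182"}

# Constructed stand-in for "every known word in English"; a real run would
# load a multi-million-entry wordlist here.
BASE_WORDS = {"password", "devil", "blink", "iloveyou"}

# Reverse of the "common substitutions" rule: 4->a, 5/$->s, 1->l, !->i come
# from the comment; 0->o and 3->e are assumed here (the comment says "and so on").
UNLEET = str.maketrans({"4": "a", "5": "s", "$": "s", "1": "l",
                        "!": "i", "0": "o", "3": "e"})

# Assumed policy (not quoted from Apple): 8+ chars with upper, lower and a digit.
MIN_LEN = 8


def meets_assumed_policy(pw: str) -> bool:
    """True if `pw` satisfies the assumed complexity rules."""
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))


def derived_from(pw: str, base_words=BASE_WORDS,
                 max_affix: int = 3) -> Optional[str]:
    """Return the base word `pw` can be built from by varying case, making
    leet substitutions and adding up to `max_affix` characters at the start
    and/or end; None if no base word fits.

    The comment says "a couple" of added characters; 3 is assumed here so
    that three-digit suffixes such as 123 are also caught.  Undoing the
    rules on the candidate is far cheaper than enumerating the forward space
    (case variants x substitutions x affixes) that Crack would walk."""
    for pre in range(max_affix + 1):
        for suf in range(max_affix + 1):
            core = pw[pre:len(pw) - suf]
            if len(core) < 3:          # too short to be a meaningful word
                continue
            normalised = core.lower().translate(UNLEET)
            if normalised in base_words:
                return normalised
    return None


def assess(pw: str) -> dict:
    """Summarise why a policy-compliant password can still be trivially guessed."""
    return {
        "on_list": pw in SAMPLE_LIST,
        "derived_from": derived_from(pw),
        "meets_policy": meets_assumed_policy(pw),
    }


if __name__ == "__main__":
    for candidate in ["Password1", "Pa55word", "Blink182", "ABCabc123",
                      "d3V!l66", "Tr0ub4dor&3"]:
        print(f"{candidate:12} {assess(candidate)}")
```

Every password on the article's list that is built from a word passes the assumed policy and is flagged as derivable; `ABCabc123` shows why both checks are needed (it is a keyboard pattern, not a word, so only the list lookup catches it), and `d3V!l66` shows a mangled word that the policy would reject for length but the rules still reconstruct.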

    I love that blink 182 was always on these lists because it's a capital and numbers
