iCloud Password Hacking Brute Force Tool iDict
On New Year's Day, a password hacking tool going by the name of iDict was posted online to Github by someone identifying themselves as “Pr0x13” (Proxie). iDict apparently uses a brute force attack to obtain access to iCloud accounts easily, even managing to get through Apple's rate-limiting and two-factor authentication, the very controls that are supposed to prevent this type of brute force attack. In Pr0x13’s own words (found on Github):
“This bug is painfully obvious and was only a matter of time before it was privately used for malicious or nefarious activities, I publicly disclosed it so apple will patch it.”
However, thankfully, it’s not all bad: within just 24 hours, on the 2nd of January, Apple had already responded by patching their systems, and Pr0x13 put out the following tweet (https://twitter.com/pr0x13/status/551119230070833153) indicating the tool would no longer be effective:
As with most brute force attacks, the capabilities of this tool are limited by the dictionary used with it, so as long as your password isn’t incredibly simple, you should be safe. The tool comes with a dictionary of roughly 500 of the most commonly used passwords; here are a few examples:
So clearly, if you are using one of these passwords then, well… don’t. Sadly, all of the passwords on this list meet the minimum criteria for an iCloud password.
As well as the clear dictionary restrictions, another major hindrance to the effectiveness of this tool is the level of skill required to use it. The developer behind the tool isn't a friend to script-kiddies; he's trying to prove a point: despite the security updates made since the brute force attack that gave hackers access to countless celebrities' nude photos, iCloud still isn't completely secure. However, the silver lining of this iCloud incident is that Apple's security may just be a bit better than it was before the tool was made publicly available.
How Do You Create a STRONG Password?
By taking some simple precautions, you can protect yourself from these types of attack, and we wanted to take the time to detail what you should look for:
- As Long As Possible - The longer your password, the less likely someone is to ‘guess it’, and the more combinations a machine will need to try before it hits the correct one. We recommend a bare minimum of 8 letters, though ideally as many as possible.
- Use Letters, Numbers & Extended Chars - don’t just stick to letters; be sure to include numbers and also extended characters such as !, % or @. Less directed brute force attacks will try every possible character combination: there are 26 letters in the alphabet, but once you start using the other characters the set is nearer 128, massively increasing the space an attacker needs to brute force in order to find the right combination.
- Do Not Repeat - Many dictionary-based attacks will also try repetitions of known words, so do not repeat a simple word twice and expect it to be as secure as a genuinely longer password.
- Avoid Names, Use Non-Words - Most brute force attacks are highly inefficient, and to combat this many will use dictionary and keyword lists, as this one did. If you use common words or phrases, or even names, it is much more likely that your chosen words will appear in such a list, which puts you at much greater risk from dictionary-based tools like this one.
- Do Not Re-Use Passwords - The risk here may not be so apparent, but each time you re-use a password you increase the chances of it being compromised, as there are more copies of the same password out there. What’s worse, many websites and services use different hashing algorithms (some use none at all!), increasing the likelihood that eventually it will become known.
Fun With Randomness!
If you have trouble thinking up a good password, there are some good tools which can generate one for you. However, be careful! Computers cannot generate truly random numbers by themselves, since they run code, and machine code instructions will always execute the same way when given exactly the same input; how would you write a function that returns a random number? To get around this, several techniques are usually employed (often involving a large-ish random seed as input and some clever maths before a number is produced), but even this is not totally random, and it would be possible to reverse engineer any technique used in code if an attacker knew everything about the system.
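As an added example (not code from the original article or from the iDict tool), the checker below applies the five rules from the password list above, and the generator draws from the operating system's cryptographic random source via Python's `secrets` module rather than a deterministic seed-and-maths generator, which is the concern raised in this section. The `COMMON_PASSWORDS` set is a constructed stand-in for the roughly 500-entry dictionary shipped with the tool, and the character-class sizes are assumptions (printable ASCII, 94 characters).

```python
import math
import re
import secrets
import string

# Constructed stand-in for the tool's common-password dictionary (not its real contents).
COMMON_PASSWORDS = {"Password1", "Qwerty123", "Abc12345", "Iloveyou1", "Welcome1"}

# Character classes the article recommends mixing; sizes 26 + 26 + 10 + 32 = 94.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "extended": set(string.punctuation),
}


def keyspace_bits(password: str) -> float:
    """log2 of the candidates a blind brute force must cover, assuming the
    attacker knows which character classes are in use (e.g. 8 lowercase
    letters: 26**8, about 37.6 bits)."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, common=COMMON_PASSWORDS) -> list:
    """Return the article's rules the password fails (empty list means it passes)."""
    problems = []
    if len(password) < 8:
        problems.append("too short (minimum 8)")
    used = [name for name, chars in CLASSES.items() if any(c in chars for c in password)]
    if len(used) < 3:
        problems.append("mixes too few character classes")
    # "Do Not Repeat": a chunk of 3+ characters repeated back to back, e.g. 'dogdog'.
    if re.fullmatch(r"(.{3,})\1+", password):
        problems.append("is a short word repeated")
    if password.lower() in {p.lower() for p in common}:
        problems.append("appears in the common-password list")
    return problems


def generate_password(length: int = 16) -> str:
    """Build a password from the OS CSPRNG and keep drawing until it passes every rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate
```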