Russian ElComSoft says it can crack iWork passwords

updated 08:15 pm EST, Fri February 10, 2012

Relies on brute force, forensic specialists

A somewhat sensationalist press release from Russian forensic-cryptology company ElComSoft claims that it can "crack" passwords users put on documents created in Apple's iWork software (which comprises Pages, Numbers and Keynote). However, the company admits that the attack is just a variation on a brute-force cracking method that attempts to guess the password.

ElComSoft's update to its Distributed Password Recovery tool can defeat the AES 128-bit key of Apple's iWork password scheme by presuming that users will likely use easy-to-guess passwords, and by committing multiple attacking CPUs and sufficient time to eventually try enough combinations to guess the password. The company also admits that the process, which can guess a few hundred passwords per second for each CPU included in the attack, is still "painfully slow," reports CNet, but that the strength of the encryption scheme makes it the "only feasible solution."

The fact that forensic specialists using expensive custom software (ElComSoft's tool costs $600 per seat) and brute-force attacks might crack an iWork password would not be surprising to most users, few of whom routinely password-protect individual documents anyway. Apple could (and might in a future version) increase the complexity of the encryption to a 256-bit AES key instead of 128-bit, but brute-force attacks could still (given additional resources and time) conceivably guess the password.

The press release is not dissimilar to Passware's recent claim of being able to forensically recover FileVault 2 encryption keys (if they still reside in active RAM) through the FireWire port of a Mac; in both cases, physical access to the machine is required, and the hacks do not actually break the encryption method. CNet notes that both companies are inadvertently admitting that Apple's choices for encryption are sufficiently strong for typical use and require very advanced, coordinated and expensive methods to circumvent. It also points out that Apple includes a strong-password generator built into Keychain Access and various applications that allow document passwords, so that users can quickly create independent, high-security passwords using a combination of letters, caps and numbers, making those passwords extremely resistant to all manner of attempts to recover or circumvent them. [via CNet]

by MacNN Staff



  1. jpellino

    Joined: Dec 1969


    Um, ok...

    "by presuming that users will likely use easy-to-guess passwords"

    Good luck with that.

    $600 per seat? Tell you what. For $500 I'll just email you copies of my iCloud lecture notes, the presentation on chindogu and I'll even throw in the movie night poster. You save a lot of time and $100.

  2. facebook_Pete

    Via Facebook

    Joined: Feb 2012


    Are these..

    guys new to brute force password cracking? Really, this has been a method of cracking passwords for years; this is nothing new. They're just adding a few CPUs to speed up the process.

    Nothing to see here, get back to what you were doing.
