
Printed from http://www.macnn.com

Russian ElComSoft says it can crack iWork passwords

updated 08:15 pm EST, Fri February 10, 2012

Relies on brute force, forensic specialists

A somewhat sensationalist press release from Russian forensic-cryptology company ElComSoft claims that it can "crack" passwords users put on documents created in Apple's iWork software (which comprises Pages, Numbers and Keynote). However, the company admits that the attack is just a variation on a brute-force cracking method that attempts to guess the password.

ElComSoft's update to its Distributed Password Recovery tool can defeat the AES 128-bit key of Apple's iWork password scheme by presuming that users will likely use easy-to-guess passwords, and by committing multiple attacking CPUs and sufficient time to eventually try enough combinations to guess the password. The company also admits that the process, which can guess a few hundred passwords per second for each CPU included in the attack, is still "painfully slow," reports CNet, but that the strength of the encryption scheme makes it the "only feasible solution."

The fact that forensic specialists using expensive custom software (ElComSoft's tool costs $600 per seat) and brute-force attacks might crack an iWork password would not be surprising to most users, few of whom routinely password-protect individual documents anyway. Apple could (and might in a future version) increase the complexity of the encryption to a 256-bit AES key instead of 128-bit, but brute-force attacks could still (given additional resources and time) conceivably guess the password.

The press release is not dissimilar to Passware's recent claim of being able to forensically recover FileVault 2 encryption keys (if they still reside in active RAM) through the FireWire port of a Mac; in both cases, physical access to the machine is required, and the hacks do not actually break the encryption method. CNet notes that both companies are inadvertently admitting that Apple's choices for encryption are sufficiently strong for typical use and require very advanced, coordinated and expensive methods to circumvent. It also points out that Apple includes a strong-password generator built into Keychain Access and various applications that allow document passwords, so that users can quickly create independent, high-security passwords using a combination of letters, caps and numbers, making passwords extremely resistant to all manner of attempts to recover or circumvent them. [via CNet]








by MacNN Staff
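
The arithmetic behind the article's point that password strength, not AES key length, sets the cost of a guessing attack, as an added example (not from MacNN, CNet or ElComSoft). The rate of 300 guesses per second per CPU stands in for the article's "a few hundred", and the 100-CPU cluster and the password policies are assumed values.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
RATE_PER_CPU = 300   # assumed value for the article's "a few hundred" guesses/s
CPUS = 100           # assumed cluster size, not a figure from the article


def search_space(alphabet_size, length, key_bits):
    """Candidates an attacker must cover: the smaller of passwords or raw keys."""
    return min(alphabet_size ** length, 2 ** key_bits)


def years_to_exhaust(alphabet_size, length, key_bits,
                     rate_per_cpu=RATE_PER_CPU, cpus=CPUS):
    """Worst-case years to try every candidate at the given guess rate."""
    guesses = search_space(alphabet_size, length, key_bits)
    return guesses / (rate_per_cpu * cpus) / SECONDS_PER_YEAR


def wordlist_seconds(words, rate_per_cpu=RATE_PER_CPU, cpus=CPUS):
    """Seconds to try every entry of a guess list of the given size."""
    return words / (rate_per_cpu * cpus)


# Constructed password policies: (label, alphabet size, length).
POLICIES = [
    ("8 lowercase letters", 26, 8),
    ("8 letters/caps/digits", 62, 8),
    ("12 letters/caps/digits", 62, 12),
]

if __name__ == "__main__":
    print(f"1,000,000-entry guess list: {wordlist_seconds(1_000_000):.0f} s")
    for label, alphabet, length in POLICIES:
        for key_bits in (128, 256):
            years = years_to_exhaust(alphabet, length, key_bits)
            print(f"{label:24} AES-{key_bits}: {years:.3g} years")
```

Moving from a 128-bit to a 256-bit key changes none of these rows, because each password space is far smaller than either key space; only a longer password or a larger alphabet raises the cost.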


Comments

  1. jpellino

    Joined: Dec 1969

    +4

    Um, ok...

    "by presuming that users will likely use easy-to-guess passwords"

    Good luck with that.

    $600 per seat? Tell you what. For $500 I'll just email you copies of my iCloud lecture notes, the presentation on chindogu and I'll even throw in the movie night poster. You save a lot of time and $100.

  2. facebook_Pete

    Via Facebook

    Joined: Feb 2012

    +5

    Are these..

    guys new to brute force password cracking? Really, this has been a method of cracking passwords for years; this is nothing new. They're just adding a few CPUs to speed up the process.

    Nothing to see here, get back to what you were doing.
