
Printed from http://www.macnn.com

Russian ElComSoft says it can crack iWork passwords

updated 08:15 pm EST, Fri February 10, 2012

Relies on brute force, forensic specialists

A somewhat sensationalist press release from Russian forensic-cryptology company ElComSoft claims that it can "crack" passwords users put on documents created in Apple's iWork software (which comprises Pages, Numbers and Keynote). However, the company admits that the attack is just a variation on a brute-force cracking method that attempts to guess the password.

ElComSoft's update to its Distributed Password Recovery tool can defeat the AES 128-bit key of Apple's iWork password scheme by presuming that users will likely use easy-to-guess passwords, and by committing multiple attacking CPUs and sufficient time to eventually try enough combinations to guess the password. The company also admits that the process, which can guess a few hundred passwords per second for each CPU included in the attack, is still "painfully slow," reports CNet, but that the strength of the encryption scheme makes it the "only feasible solution."

The fact that forensic specialists using expensive custom software (ElComSoft's tool costs $600 per seat) and brute-force attacks might crack an iWork password would not be surprising to most users, few of whom routinely password-protect individual documents anyway. Apple could (and might in a future version) increase the complexity of the encryption to a 256-bit AES key instead of 128-bit, but brute-force attacks could still (given additional resources and time) conceivably guess the password.

The press release is not dissimilar to Passware's recent claim of being able to forensically recover FileVault 2 encryption keys (if they still reside in active RAM) through the FireWire port of a Mac; in both cases, physical access to the machine is required, and the hacks do not actually break the encryption method. CNet notes that both companies are inadvertently admitting that Apple's choices for encryption are sufficiently strong for typical use and require very advanced, coordinated and expensive methods to circumvent. It also points out that Apple includes a strong-password generator built into Keychain Access and various applications that allow document passwords, so users can quickly create independent, high-security passwords using a combination of letters, caps and numbers to make passwords extremely resistant to all manner of attempts to recover or circumvent them. [via CNet]
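As an added illustration (not part of the original article, and not ElComSoft's or Apple's code), the Python sketch below puts numbers on the article's two points: how fast a guessing rate of a few hundred passwords per second per CPU exhausts short passwords, and why a randomly generated password of letters, caps and numbers resists it regardless of AES key size. The rate of 300 guesses per second, the 1,000-CPU cluster and all function names are assumptions.

```python
import math
import secrets
import string

# Assumptions (not from the article): "a few hundred" guesses/sec/CPU is taken
# as 300, and the attacker is given 1,000 CPUs.
GUESSES_PER_SEC_PER_CPU = 300
ALPHABET = string.ascii_lowercase + string.ascii_uppercase + string.digits  # 62 symbols

def generate_password(length=16):
    """Random letters/caps/numbers password with at least one of each class."""
    if length < 3:
        raise ValueError("length must be at least 3")
    while True:  # rejection sampling keeps the accepted passwords uniform
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly this length."""
    return alphabet_size ** length

def years_to_exhaust(alphabet_size, length, cpus=1000):
    """Worst-case time to try every candidate at the assumed guessing rate."""
    seconds = keyspace(alphabet_size, length) / (GUESSES_PER_SEC_PER_CPU * cpus)
    return seconds / (365.25 * 24 * 3600)

def min_length_to_match_key(key_bits, alphabet_size=len(ALPHABET)):
    """Shortest random password whose search space is at least 2**key_bits."""
    return math.ceil(key_bits / math.log2(alphabet_size))

def report(cpus=1000):
    """(description, entropy bits, years to exhaust) for sample policies."""
    policies = [("6 lowercase letters", 26, 6),
                ("8 lowercase letters", 26, 8),
                ("12 letters, caps and numbers", 62, 12),
                ("16 letters, caps and numbers", 62, 16)]
    return [(name, round(length * math.log2(size), 1),
             years_to_exhaust(size, length, cpus))
            for name, size, length in policies]

if __name__ == "__main__":
    for name, bits, years in report():
        print(f"{name:30s} {bits:6.1f} bits  {years:.3g} years")
    # The password, not the AES key size, bounds the attack: a random password
    # needs this many characters before guessing it is as hard as guessing the key.
    print("AES-128:", min_length_to_match_key(128), "chars;",
          "AES-256:", min_length_to_match_key(256), "chars")
    print("example:", generate_password())
```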








by MacNN Staff


Comments

  1. jpellino

    Joined: Dec 1969

    +4

    Um, ok...

    "by presuming that users will likely use easy-to-guess passwords"

    Good luck with that.

    $600 per seat? Tell you what. For $500 I'll just email you copies of my iCloud lecture notes, the presentation on chindogu and I'll even throw in the movie night poster. You save a lot of time and $100.

  2. facebook_Pete

    Via Facebook

    Joined: Feb 2012

    +5

    Are these..

    guys new to brute force password cracking? Really, this has been a method of cracking passwords for years; this is nothing new. They're just adding a few CPUs to speed up the process.

    Nothing to see here, get back to what you were doing.
