Somebody just uploaded a password-hacking tool called iDict to GitHub that promises to use good old fashioned brute force techniques to crack iCloud passwords. The tool also claims to be able to evade Apple’s rate-limiting and two-factor authentication security that’s supposed to prevent brute force attacks. But it’s not quite as bad as it sounds.
iDict’s capabilities are limited by the size of the dictionary it uses to guess your password. So you’re really only in danger if your password is on the 500-word-long list included with the hacker tool. All of the passwords fulfill the requirements for an iCloud password, but if you’re using one of these rather obvious passwords, you should change your password anyways. Here are some examples:
These are the same kinds of passwords that appear almost every year on the most popular password list, making it stupid simple for hackers to wreak havoc. They also follow a lot of the bad password practices we’ve pointed out before. So for God’s sake, change your password if you use a bad password! And if you haven’t already, you should also enable two-factor authentication on all your accounts, just for good measure.
All that said, iDict isn’t really a plug-and-play hacking device. The developer behind the tool isn’t a friend to script-kiddies, he’s trying to prove a point: Despite security updates since the brute force attack that gave hackers access to countless celebrities’ nude photos, iCloud still isn’t completely secure. Apple needs to fix the “painfully obvious” bug before it’s “privately used for malicious or nefarious activities,” he explains on GitHub. We’ve reached out to Apple to find out what they’re doing about the vulnerability.
It seems like it wouldn’t be that hard to swap out the 500-word-long list with an even longer, better list. Then, a tool like iDict could do real damage. Not to mention that ne’er-do-wells are probably gonna be using this tool as-is until the flaw gets fixed. So double-check your iCloud password against this list now, and pick something better even if your bad password isn’t listed. Protect yourself while Apple’s still working on shoring up that security.