I miss the days when the daily mistakes happened under Steve Jobs Apple.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iTunes Backup Passwords 'Much Easier' to Crack in iOS 10, Apple Working on Fix
- Thread starter MacRumors
- Start date
- Sort by reaction score
That doesn't really matter. Of all security concerns it's the very last one. I'm mean it's sad to read that keychain isn't encrypted on its own within the backup but rather stored plaintext hoping the encryption of the backup container takes care of the security. This is bad practice in first place. I'm not sure if backup over wifi is still unencrypted as well. That's what I'd be more concerned of if you are using a shared WiFi. If you want to secure the data on your computer (including your backup) use either File-Vault or Windows EFS for advanced security. If you'r paranoid use a 3rd party software that you trust (e.g. the audited version of TrueCrypt).
That only and exclusively applies to U.S. citizens, if you are anywhere else in the world nothing like that is needed.
The majority of Apple users are outside of the U.S.
FOR REFERENCE
independent.co.uk said:
http://www.idownloadblog.com/2013/01/30/us-authorities-icloud-access/
ALSO SEE
vocativ.com said:
http://www.vocativ.com/310616/apple-transparency/
But what if there is something wrong and you do need to type that password when restoring from backup?
30 would be a good length.
Why?
Of course not. The backup data never leaves the device unencrypted, regardless whether you use USB or Wifi.
WOW ... the Apple PR department has descended in force to put a lid on this.
But what if something is going wrong and you do need to enter that lengthy password? My practice: take a note, keep it safe. Don't just trust keychain and FileVault. I had problems with keychain access and I was forced to create a new keychain database. God knows if some iTunes backup password was removed in the process.
>> Apple has switched from using a PBKDF2 hashing algorithm with 10,000 iterations to using a SHA256 algorithm with a single iteration, allowing for a significant speed increase when brute forcing a password. <<
1st off, thank god this was publicly outed - so it has to get fixed. Guess I'll stay on 9 till the "fix" happens and is verified, just cause.
From a security standpoint, this is a WTF was Apple management thinking when the they authorized this - moment. The govt has gotten all quiet for the last 3 months. Maybe Apple management caved? If they did, we'd never know, cause they'd keep it quiet (just like this was happening).
Personally I wasn't thinking Tim would (his replacement, whomever that may be in the future, is another matter) - but this is a big No No when your company is placing itself as the only firm who cares about their users privacy in the world (at this point). Apple needs to carefully explain what happened here (not their normal procedure) or risk looking like they've chosen to work with the 3 letter agencies.
That's the thing that's gnawing at me - this isn't an accident - going all the way to production. Every government in the world would want this. Might want someone on the inside doing this. Its crazy we're depending on one company to be the protectors of their customers privacy...that can only be a doomed condition.
1st off, thank god this was publicly outed - so it has to get fixed. Guess I'll stay on 9 till the "fix" happens and is verified, just cause.
From a security standpoint, this is a WTF was Apple management thinking when the they authorized this - moment. The govt has gotten all quiet for the last 3 months. Maybe Apple management caved? If they did, we'd never know, cause they'd keep it quiet (just like this was happening).
Personally I wasn't thinking Tim would (his replacement, whomever that may be in the future, is another matter) - but this is a big No No when your company is placing itself as the only firm who cares about their users privacy in the world (at this point). Apple needs to carefully explain what happened here (not their normal procedure) or risk looking like they've chosen to work with the 3 letter agencies.
That's the thing that's gnawing at me - this isn't an accident - going all the way to production. Every government in the world would want this. Might want someone on the inside doing this. Its crazy we're depending on one company to be the protectors of their customers privacy...that can only be a doomed condition.
thats the new FBI feature gone live. Remember how the FBI wanted to be able to crack the passwords faster?
I never made any reference to an "Evil Plan."
[doublepost=1474766547][/doublepost]
Sure have. Interesting, eh?
good thing those days never happened...
so you have zero to miss
We already rely on TLS encryption securing tons of Internet traffic that's sent over easily hackable wires.
Simple. This is why the US isn't giving Apple a hard time on the tax avoidance issue.
The same as 9 I believe. This was a huge step backwards making their users local backups 2500 times easier to brute force (nation states, especially our current Administration (and both choices for the next one), would want this). Remember iCloud backups get handed over to those nation states when they ask, these local copies prior to iOS 10 were very hard to break.
It reminds me of Microsoft taking the Elephant Diffusor out of BitLocker (their windows disk encryption program) starting with Windows 8 - there was no reason to do it, except the governments would like it because it would make brute forcing possible / easier.
Apple needs to be totally transparent about this or their whole "we care about our users privacy" stance (the only major tech company on earth doing that) will blow up in their faces...
This will be easily fixed:
Apple to buy Elcomsoft and shut it down.
They didn't get the memo that iOS 10 is an FBI version.
Apple to buy Elcomsoft and shut it down.
They didn't get the memo that iOS 10 is an FBI version.
Last edited:
What's going on at Apple? This kind of thing is so basic and usually Apple gets the basics down quite well. BIG OVERSIGHT.
Oh come on, you're not going to show us how many iOS 10 cracks per second you got on the 1080??
Then what about wireless?
I believe wireless signal interpretation is a lot easier than cutting through wire and tapping something nasty.
Bull***t, the majority of friends and family I've helped or asked about this over the years do a local iTunes backup either because they either "don't trust the cloud" or prefer to have control over their data (iCloud backups are not necessarily daily even if on external power, on Wi-Fi, and locked, i.e. criteria for iCloud backups to auto-initiate). I do a local backup since I re-sync daily. So this is a bigger deal than you portray (though I'm not worried about it).
D'oh, I guess Timmy doubled down on the wrong type of security.
Don't worry folks, Apple will give you 5% off your next Apple Watch TM band purchase if your account is hacked.
Don't worry folks, Apple will give you 5% off your next Apple Watch TM band purchase if your account is hacked.
This is like saying if you use the spare tire you're a hypocrite for complaining that the car has bad brakes and poor acceleration. iOS backup has nothing to do with music and other media mishandling.