Whose is going to wander around with a cluster of four AMD Radeon HD 7970s, looking for personal hotspots to crack? Silly.
Yeah, it really is that simple. For the amount of effort, there is little to gain.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Researchers Crack iOS-Generated Hotspot Passwords in 50 Seconds
- Thread starter MacRumors
- Start date
- Sort by reaction score
Yeah, it really is that simple. For the amount of effort, there is little to gain.
The math in that comic is wrong.
The first password would take much longer to crack than the comic suggests unless some mitigating circumstance is a factor such as the attacker having some preexisting knowledge about the format of the password.
I don't know if the final assumption of the comic is correct or not.
Here is the source of that info:
http://www.lockdown.co.uk/?pg=combi
Attachments
Last edited:
Hardly seems a problem. It's only a temporary number, and what are the chances that somebody will be running a cracker on your hotspot just so they can get a bit of free bandwidth.
How is this research "attacking" Apple? What evidence do you have of these researchers having some sort of malicious agenda against Apple as you claim?
And...if the current way iOS generates these passwords is perfectly fine, then why did it change to be more randomised in iOS 7?
As far as I see the best and most common purpose of hacking a wireless connection is for free wireless, which I don't think anyone would go to the extent of trouble for when the connection is only so temporary. So a simpler password is much more convenient to remember and wouldn't have the opportunity of being exploited so much as it's only very temporary.
Considering they may be trying to steal your information, this could be a concern. However how many people honestly type credit card details over a not HTTPS SSL connection? The only time I've ever seen sites without HTTPS requesting credit cards is scam sites, where if you use them you're screwed anyway.
Perhaps they could steal your password from a login request to macrumors, or steal some cookies, but to what great end? Most people are really quite boring. So remember not to use banking or email passwords for normal sites on the web and you're pretty much good.
Probably a better solution would be having a very limited number of attempted connections to the device over a period of time. Once a corrected password is entered within the limited period of attempts a much more secure encryption password will be shared between the 2 devices for actual use.
So...
1) Connection Password with limited attempts.
2) Complex very random encryption key shared between the devices via public/private key encryption.
This way you could have both a simple password for connection and a complex password for actual encryption that would be very much more secure. 1 password you need to remember that can't be brute forced, and another for encryption that is too impractical to be memorized or brute forced.
You could still argue there's social engineering weaknesses and man-in-the-middle attacks, but when can't you get those?
Oh and a lovely little button on the device to reset connection attempt limits just incase you do typo a few times or forget it. I'll see someone reaching over to my devices anyway.
----
So while their system is semi-reasonable for their purposes and can be defended, there are other simple ways to get a much much better result. I have no idea why we don't have any better solutions available at the moment and why we rely on our login key for our data encryption also. I see no good reason for it.
Considering they may be trying to steal your information, this could be a concern. However how many people honestly type credit card details over a not HTTPS SSL connection? The only time I've ever seen sites without HTTPS requesting credit cards is scam sites, where if you use them you're screwed anyway.
Perhaps they could steal your password from a login request to macrumors, or steal some cookies, but to what great end? Most people are really quite boring. So remember not to use banking or email passwords for normal sites on the web and you're pretty much good.
Probably a better solution would be having a very limited number of attempted connections to the device over a period of time. Once a corrected password is entered within the limited period of attempts a much more secure encryption password will be shared between the 2 devices for actual use.
So...
1) Connection Password with limited attempts.
2) Complex very random encryption key shared between the devices via public/private key encryption.
This way you could have both a simple password for connection and a complex password for actual encryption that would be very much more secure. 1 password you need to remember that can't be brute forced, and another for encryption that is too impractical to be memorized or brute forced.
You could still argue there's social engineering weaknesses and man-in-the-middle attacks, but when can't you get those?
Oh and a lovely little button on the device to reset connection attempt limits just incase you do typo a few times or forget it. I'll see someone reaching over to my devices anyway.
----
So while their system is semi-reasonable for their purposes and can be defended, there are other simple ways to get a much much better result. I have no idea why we don't have any better solutions available at the moment and why we rely on our login key for our data encryption also. I see no good reason for it.
You should at least add your initials to your birthdate. Someone who does not know anything about you would have trouble guessing your birthdate, but that is still a less-than-arbitrary sequence of numbers.
----------
I hope you don't use that for bank or credit card passwords. You could end up broke or seriously in debt if that's the case.
While it is nice of you to help educate people about bad passwords, it would be good to pick up certain cultural references...
That's kind of the point of the XKCD comic, it is describing a very common format. According to your source, "B33r&Mug" is a very secure password, but it would succumb to basic real-life attacks in a heartbeat.
Brute-forcing is not really done for anything but short passwords in these cases. Dictionaries of words (and known passwords), common substitutions and combinations thereof are more likely.
In other words, a random password is more or less like your source stated and will be secure against the attack mentioned above, but if you base the password on a real word with some slight additions and substitutions, it is more like the XKCD case and will likely not withstand an attack.
Since many passwords are of the second type, that's where the attacks are focused unless the encryption has an exploitable flaw of course...
Or he presses summit on his android or jailbreaked iphone and lets his rented cloud computer do it in 5 seconds.... Or lets his gaming rig at home do in 3 minutes.
----------
You know the machine cracking the password can be anywhere in the world? We do live in a world with internet, you can submit the wifi packets with your phone to a cloud computer and have that do it in seconds.
The comic refers to entropy which is a factor in brute forcing.
The issue with the math is that it doesn't take into account all the permutations that can occur due to password length and other factors, such as the order in which the different variables occur.
The source that I provided earlier shows how permutations apply to cracking passwords.
In relation to dictionary attacks, words list are limited to single commonly used words with common substitutions, such as p@$$w0rd, and commonly used words with common additions, such as love4$.
Passwords that include uncommonly used words with common substitutions and/or additions, multiple common words with common substitutions and/or additions, or any uncommon substitution and/or additions are only going to be found in word lists so large that the time to run the word list wouldn't be any quicker than a brute forcing.
I would argue that the word used in that comic is uncommon and, therefore, it would be secure except for the fact that it was used as an example in that comic strip.
My issue with the comic is that the example chosen over emphasizes the scope of passwords that seem secure but shouldn't be used.
Yeah, I know, I'm late to this party...
My father was born in 1937 in a rural area of a country I won't name (I don't feel it's necessary to do so). Record keeping was kind of haphazard there at the time and at some point his year of birth became 1939. When his 65th/63rd birthday was approaching, he went through the process of correcting his date of birth with Social Security so he could start receiving S.S. benefits and be covered by Medicare two years sooner. He didn't get his D.O.B. changed on his passport or his driver's license because there was no need to.
a little perspective maybe ?
(note: late arrival to this thread - have not read every post)
1/ Congrats on the crack
2/ boo to Apple for not using a readily available algorithm here
3/ we are talking about iPhone hotspots, honestly these should be short term connections, so the risk is much reduced by the hacked having to be "close" and "at the same time". So speed is not the only factor to consider
(note: late arrival to this thread - have not read every post)
1/ Congrats on the crack
2/ boo to Apple for not using a readily available algorithm here
3/ we are talking about iPhone hotspots, honestly these should be short term connections, so the risk is much reduced by the hacked having to be "close" and "at the same time". So speed is not the only factor to consider
windows 8 is the safest OS right now but still i love my iphone more.
Windows 8 was hacked at the last pwn20wn. Mac OS X Lion and Mountain Lion haven't been hacked the last 2 years at pwn2own.
So, do you have any evidence to back your statement up. I have a lot readily available to refute the claim that Windows 8 is more secure than any recent Apple made OS.
I posted this a long time ago and the mods acted like it wasn't news worthy.
https://forums.macrumors.com/showthread.php?p=17453534
https://forums.macrumors.com/showthread.php?p=17453534
Yeah, it was a potential issue for a little while, but I don't think many folks actually got their iPhone hotspots cracked and had Gigabytes worth of free data used up from their internet accounts. It's an iPhone hotspot, it's temporary and short-term, as was mentioned in previous posts in this thread.
Passphrase passwords, such as "correct horse battery staple", are becoming no longer secure.
http://www.intego.com/mac-security-blog/the-end-of-passphrase-passwords/
http://www.intego.com/mac-security-blog/the-end-of-passphrase-passwords/