If you pick a weak password, brute force techniques allow captured, encrypted passwords to be tested with home-computer equipment against billions of passwords per second — yes, per second. In those weakest cases, finding one password match also allows the attacker to find all accounts that use the same password. (What's a strong password? Either make it very long — 15 to 20 characters — or it should be a gibberish mix of letters, numbers, and punctuation.)
In the iDict exploit, however, there's no way to get the encrypted form of the password. Instead, the software tests passwords one at a time and, despite no apparent throttle on queries previous to Apple patching the flaw, the code has to wait for Apple's authentication server to reply to each attempt before testing the next.
iDict came with a list of a few hundred default passwords that meet Apple's minimum requirements for an Apple ID (see the image above). These could be added to (or modified by) anyone using the code. Making these short lists even more dangerous, it's possible for hackers to chain attacks. Plus, using passwords extracted from people's accounts on other services, they can attempt to break an Apple ID with an iDict-like exploit using passwords that might have been used by the same person. (Because Apple IDs are email addresses — except for those legacy accounts set up years ago — they allow for easy matching.)
If you're using any password on that list, or anything similar, change it immediately. Better still, if you haven't already, also enable two-step verification (and make sure you know how to find your Recovery Key in the future).
The other two elements required for an iDict attack to work are under the control of Apple, and it concerns me that, after years of running online authentication servers, the company still has these vulnerabilities. Every publicly reachable URL that deals with authentication, password recovery, and the like should have been tested by Apple long ago — and should be routinely tested as updates are rolled out to ensure throttling, monitoring, and notification are still functioning. If all the detals around iDict are accurate, Apple needs to step up its game.
Real world, real problems
I tweeted about iDict after it was released, and shortly thereafter my Apple ID account was locked down for security concerns. This is likely because someone used the iDict software and my Apple ID to see if they could crack my account. Fortunately, I have both a strong password and two-step verification enabled. And, having just written about issues of finding a Recovery Key, I knew just where it was, restored my account access, and reset the key.
Sign up for Computerworld eNewsletters.