You may have seen in the press over the last couple of days that a large collection of explicit celebrity photos were released. It’s looking like the vast majority came from hacked iCloud accounts, specifically via Find My iPhone service.
From reports, the hackers used a brute force password tool. The tool would target an iCloud account ID and would run through a list of 500 of the most commonly used passwords that complied with Apples’ password policies. At the time, Apple did not throttle or lock out the attempts after a certain number of guesses within a given time. So the hackers would target each account, try each of the passwords, and then move on to the next account. It’s surprising how may accounts you can get through using automated tools.
Since the breach, Apple has now changed things and will now lock out the account after 5 attempts.
However even though this exploit has been closed, it’s always best to incorporate best practices for your passwords. Even though this document is targeted towards iCloud, a lot of this information you can re-use for other type of accounts.
Best Practices
- First, although it’s tempting to use the same password across different services such as iCloud or Facebook. Don’t do this. Use separate, unique passwords for each service. That way if one account gets compromised, the other accounts are safe.
- Use strong passwords. So don’t have passwords that include guessable items such as words found in a dictionary, proper nouns, etc. Don’t create a password based on personal information, such as a birthday. The longer the password, the better.Always use a mixture of characters including upper case and lower case letters. Also include special characters such as £, ? or %. Creating passwords can be a pain. In OS X, you can use the Keychain Access password assistant to create a secure password for you.
- Once you start using more complex passwords they can become a pain to re-enter each time. I use a tool called 1Password that I use to manage all my passwords. They have OS X and iOS versions and is well worth the investment.
- Quite often a service, such as iCloud, will add an additional security measure, and prompt you to select a number of security questions for which you provide the answers. In the event of you being locked out of the account, they will use these questions to verify who you are.Some of the questions relate to information that is easily found such as your mother’s maiden name.I tend to use random answers for these questions, to make them unguessable by other people. So for my mother’s maiden name I could use ‘London”. Again I use 1Password to record these answers.
- Also, Apple offers two-factor authentication. By enabling two-step verification, whenever you attempt to log in on a new device with your Apple ID, you will be asked to enter a 4-digit verification code.This code will be sent to a device that you have registered as a trusted device, such as your iPhone, via the Find My iPhone notification or SMS.Apple has some great instructions on how to set this up which can found here.
I hope this is useful and if you have any concerns feel free to contact us at support@amsys.co.uk