If Your iCloud Password is on This List, Change it Before You Get Hacked

By Adam Clark Estes

Somebody just uploaded a password-hacking tool called iDict to GitHub that promises to use good old-fashioned brute force techniques to crack iCloud passwords. The tool also claims to be able to evade Apple's rate-limiting and secondary authentication security that's supposed to prevent brute force attacks. But it's not quite as bad as it sounds.

iDict's capabilities are limited by the size of the dictionary it uses to guess your password. So you're really only in danger if your password is on the 500-word-long list included with the hacker tool. All of the passwords fulfil the requirements for an iCloud password, but if you're using one of these rather obvious passwords, you should change your password anyway. Here are some examples:

  • Password1
  • P@ssw0rd
  • Passw0rd
  • Pa55word
  • Password123
  • ABCabc123
  • Devil666
  • Fuckyou2
  • ILoveYou2
  • Blink182

These are the same kinds of passwords that appear almost every year on the most popular password list, making it stupid simple for hackers to wreak havoc. They also follow a lot of the bad password practices we've pointed out before. So for God's sake, change your password if you use a bad password!
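To show why passwords like these pass a composition rule and still deserve rejection, here is an added example (not code from the article or from iDict) of a set-password check that undoes common character swaps and trailing padding before a deny-list lookup. The composition rule is an assumed stand-in for iCloud's requirements, which the article does not spell out, and `BASE_WORDS` is a small constructed deny-list.

```python
import re

# The ten sample passwords quoted in the article above.
ARTICLE_SAMPLES = ["Password1", "P@ssw0rd", "Passw0rd", "Pa55word", "Password123",
                   "ABCabc123", "Devil666", "Fuckyou2", "ILoveYou2", "Blink182"]

# Constructed deny-list of base words; a real deployment would load a far larger one.
BASE_WORDS = {"password", "abcabc", "devil", "fuckyou", "iloveyou", "blink"}

# Common character substitutions, reversed before the deny-list lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "5": "s",
                      "$": "s", "1": "l", "3": "e", "7": "t"})


def meets_composition(pw):
    """Assumed rule: 8+ characters with an uppercase letter, a lowercase letter and a digit."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def base_forms(pw):
    """Reduce a password to the base words it may have been built from."""
    lowered = pw.lower()
    # Drop trailing padding such as "1", "123" or "!" that only exists to satisfy the rule.
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    # Keep both forms so a swap in the last position (e.g. "hell0") is still caught.
    return {lowered.translate(LEET), stripped.translate(LEET)}


def check_password(pw):
    """Return (accepted, reason) for a proposed new password."""
    if not meets_composition(pw):
        return False, "fails composition rule"
    if base_forms(pw) & BASE_WORDS:
        return False, "matches deny-listed base word"
    return True, "ok"


if __name__ == "__main__":
    for sample in ARTICLE_SAMPLES + ["Gravel-Otter-91-Lantern"]:
        print(f"{sample:26} composition={meets_composition(sample)!s:5} "
              f"verdict={check_password(sample)}")
```

Every sample from the article satisfies the composition rule and is still rejected by the deny-list step, which is the gap a dictionary-based guesser relies on.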

All that said, iDict isn't really a plug-and-play hacking device. The developer behind the tool isn't a friend to script-kiddies; he's trying to prove a point: Despite security updates since the brute force attack that gave hackers access to countless celebrities' nude photos, iCloud still isn't completely secure. Apple needs to fix the "painfully obvious" bug before it's "privately used for malicious or nefarious activities," he explains on GitHub.

It seems like it wouldn't be that hard to swap out the 500-word-long list with an even longer, better list. Then, a tool like iDict could do real damage. So double-check your iCloud password against this list now, and pick something better even if your bad password isn't listed. Protect yourself while Apple's still working on shoring up that security. [GitHub via 9to5Mac]