Encrypting your iPhone backups? Time to choose a better password

If you’re using the backup encryption method introduced in iPhone OS 3.0 and your password is something like “cat”, “sex”, or “tetherball”, you should probably change it to something a bit more complicated. There be hackers wantin’ your goods!

Password recovery software company ElcomSoft has just released an iPhone backup cracking tool called iPhone Password Breaker.

Now, now – don’t panic. Unlike yesterday’s exploit, this isn’t some new security hole to worry about. In fact, it’s a tale as old as hacking itself: good ol’ fashioned brute force.

The iPhone Password Breaker application is dictionary-based, meaning it tries passwords from a massive dictionary of words and common passwords (like the aforementioned “cat”, “sex”, and “tetherball”) and their variations (such as “c4t”, “s3x”, and “t3th3rb4ll”) against the encrypted backup until it finds the one that unlocks it.

As I mentioned, this method is by no means anything new – dictionary attacks are the oldest and most rudimentary form of hacking. Ever try to guess your friend’s password by typing in random things you’d associate with them? That’s a dictionary attack – just with a much smaller dictionary.

However, this is the first time to our knowledge that someone has built a dictionary application specifically targeting the iPhone’s backup manifest file. As long as you play it safe (use good passwords, keep your backups secure), you should be fine – just know that such tools exist now.
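To show why the “c4t”-style variations above buy you nothing, here is an added Python checker (not ElcomSoft’s code and not from the original post) that flags a backup password a dictionary tool would reach quickly: it undoes the leet substitutions and bolted-on digits such tools enumerate and looks the result up in a word list. The word list, substitution table and sample passwords are constructed for the example; a real deployment would load a large word list.

```python
import itertools
import string

# Constructed stand-in for the "massive dictionary" a cracking tool cycles through.
COMMON_WORDS = {"cat", "sex", "tetherball", "password", "iphone", "letmein"}

# Substitutions such tools try as "variations" (c4t, s3x, t3th3rb4ll), mapped
# back to the letters they stand for; '1' is ambiguous, so it expands to both.
LEET_MAP = {"4": "a", "@": "a", "3": "e", "1": "il", "!": "i",
            "0": "o", "5": "s", "$": "s", "7": "t"}

# Characters people bolt onto the ends of a word ("Cat123!") to "strengthen" it.
DECORATION = string.digits + string.punctuation


def readings(candidate: str):
    """Yield every plain-text reading of a candidate: 'c4t' -> 'cat',
    'p1n' -> 'pin' and 'pln'. Case is ignored."""
    choices = [LEET_MAP.get(ch, ch) for ch in candidate.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def is_dictionary_variant(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a dictionary word or one of the variants a
    dictionary attack enumerates: leet substitutions, case changes, and
    digits or punctuation added at either end."""
    for form in (password, password.strip(DECORATION)):
        if any(reading in words for reading in readings(form)):
            return True
    return False


def backup_password_problems(password: str) -> list:
    """Reasons a backup password would fall quickly to a dictionary tool;
    an empty list means none of these checks fired."""
    problems = []
    if len(password) < 12:
        problems.append("too short (under 12 characters)")
    if is_dictionary_variant(password):
        problems.append("dictionary word or a leet/decorated variant of one")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the post's examples.
    for pw in ["cat", "s3x", "T3th3rb4ll", "Cat123!", "correct horse battery staple"]:
        verdict = backup_password_problems(pw) or ["no dictionary-style weakness found"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Passing the length check alone is not enough; a long passphrase only helps if it is not itself assembled from one dictionary word plus decoration.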