Compromising photos leaked: What it means for your users


An alarming gap in security seems to be to blame for private photos of celebrities leaking online. Apple’s claiming the problem has been fixed, but many remain skeptical and are wondering how it was allowed to happen in the first place. 

There are still plenty of unknowns in the attack that revealed sensitive information thought to be secure on iCloud. And no one has as of yet taken credit for the hack which revealed naked pictures of celebrities.

The information that is available so far:

  • The attack seems to be the result of a security oversight in Find My iPhone, a service that locates lost phones and allows them to be wiped remotely. While many services lock users out after a certain number of failed password attempts, it appears Find My iPhone didn’t – which allowed hackers to make perhaps millions of guesses without being detected.
  • Apple has reportedly patched the security flaw since the revelation of the photos. That’s not to say the patched flaw and the leak are necessarily connected – but it raises a lot of eyebrows.

Password complexity can help

There are at least two ways to look at this attack: One is that Apple’s security flaws were a serious breach of users’ trust, and one that will make the company the target of ire and distrust. Another is that if a hacker is determined enough, no security method is going to discourage attacks.

Both may be accurate.

These attacks were certainly targeted against individuals, not iCloud as a whole. Apple has been very quick to point this out, and hopefully limit some of its negative exposure as a result. So unless your users are celebrities or are targeted for other reasons, chances are this attack didn’t affect them personally.

But it serves as an important reminder of the importance of solid password protection.

Consider this experiment using a very non-scientific random password this author made up:

  • an 8-character password with no capitalization or numbers can be cracked in about 35 minutes on a standard CPU
  • an 8-character password of lowercase letters and numbers would take about 8 hours
  • adding two upper-case characters increases the time to four years, and
  • adding symbols such as $ or % can up that to 2,000 years.

The bad news: Those are just for standard desktop PCs. Botnets or advanced equipment cut down the time-to-crack considerably.
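As an added example (not from the article or from Apple), here is the arithmetic behind the two points above: the search space for each of the four password shapes, and how a failed-attempt lockout of the kind Find My iPhone reportedly lacked changes the effective guess rate an attacker gets. The 1,000 guesses per second and the 10-attempts-per-15-minutes policy are assumed figures, not the article's.

```python
import string

# Alphabet sizes for the four password shapes the article compares
# (lowercase only; lowercase+digits; +uppercase; +symbols).
ALPHABETS = {
    "lowercase": len(string.ascii_lowercase),                          # 26
    "lowercase+digits": len(string.ascii_lowercase + string.digits),   # 36
    "mixed case+digits": len(string.ascii_letters + string.digits),    # 62
    "all printable": len(string.ascii_letters + string.digits
                         + string.punctuation),                        # 94
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def keyspace(length, alphabet_size):
    """Number of distinct passwords of this length over the alphabet."""
    return alphabet_size ** length

def seconds_to_crack(space, guesses_per_second):
    """Average exhaustive-search time: the password is found halfway, on average."""
    return (space / 2) / guesses_per_second

def throttled_rate(attempts_per_window, window_seconds):
    """Guess rate left to an attacker once a lockout or rate limit is enforced,
    e.g. 10 failed logins per 15-minute window before the account locks."""
    return attempts_per_window / window_seconds

def compare(length, alphabet_size, online_rate, attempts, window_seconds):
    """Years to brute-force one account, with and without a lockout policy.
    online_rate is an ASSUMED unthrottled guess rate against the service."""
    space = keyspace(length, alphabet_size)
    return {
        "keyspace": space,
        "years_no_lockout": seconds_to_crack(space, online_rate) / SECONDS_PER_YEAR,
        "years_with_lockout": seconds_to_crack(
            space, throttled_rate(attempts, window_seconds)) / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    # Assumed figures (not from the article): 1,000 online guesses/second with
    # no lockout versus a policy of 10 failed attempts per 15 minutes.
    for name, size in ALPHABETS.items():
        r = compare(8, size, online_rate=1_000, attempts=10, window_seconds=900)
        print(f"{name:18s} keyspace={r['keyspace']:.2e}  "
              f"no lockout={r['years_no_lockout']:.2e} y  "
              f"lockout={r['years_with_lockout']:.2e} y")
```

The lockout column is the point for defenders: the same 8-character lowercase password that falls in a few years at an unthrottled rate takes tens of thousands of years once attempts are capped, and every lockout is an event you can alert on.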

Password rules

So what can we take away from this lesson?

  • Complex passwords are always better, but still aren’t perfect. That’s why it’s important that users always guard their passwords carefully and avoid using anything that can be found in a dictionary.
  • Once a password is leaked for one site, be sure to change it anywhere it may be repeated. The strongest password becomes useless once it’s compromised.
  • Remind users that nothing is truly deleted if it’s still backed up in the cloud.
  • Use two-factor authentication whenever possible. This measure can help prevent some attacks, and at the very least should notify you if there’s any suspicious activity on an account.

Check out our password policy template for advice to pass along to users.
