In the article, it mentions that the passwords are hashed using SHA-512. As has been mentioned before, using such a fast hashing scheme for passwords is a terrible idea. Any idea as to why they do it this way? (instead of using bcrypt)
Apple uses a key strengthening algorithm on their passwords, similar in concept to Bcrypt - I think they've increased the number of rounds past the 1000 mentioned since this paper came out: http://people.cis.ksu.edu/~sakthi/src/data/filevault_sakthi....
If you've already compromised an account and have access as that user, it's likely that what you're going after isn't going to be their password...
... although, if you were to nab the password file and their keychain file (which contains passwords to other accounts that they access) which is generally encrypted with the same password (the system nags you if it's not the same), you could potentially do some real damage.
It's bad, but it's not that bad. SHA is widely supported, and not that bad, yet.
Also this is protecting desktop computers, where cracking hashes is not a common security problem. Getting the machine stolen in Starbucks is probably much more common for this type of machine.
Most everybody uses some form of slow hashing. Bcrypt is a particularly secure and convenient form of slow hashing, which is why people recommend it so much, but there are other schemes possible. For example, you can take a cryptographic hash function and iterate it a few thousand times.
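An added illustration of the "iterate a cryptographic hash a few thousand times" scheme described in the comment above. It is not code from this thread or from Apple; it uses the PBKDF2-HMAC-SHA512 construction with a constructed sample password and salt, and checks the hand-rolled loop against hashlib's implementation.

```python
import hashlib
import hmac
import time

# Constructed sample inputs; a real system stores a random per-user salt.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("0123456789abcdef0123456789abcdef")


def fast_hash(password: bytes, salt: bytes) -> bytes:
    """Single salted SHA-512: one hash call per guess for an attacker."""
    return hashlib.sha512(salt + password).digest()


def iterated_hash(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Iterate HMAC-SHA512 `rounds` times, PBKDF2 style (one 64-byte block).

    U_1 = HMAC(password, salt || INT(1)), U_i = HMAC(password, U_{i-1}),
    result = U_1 xor U_2 xor ... xor U_rounds.  Every guess now costs
    `rounds` HMAC evaluations instead of one hash.
    """
    u = hmac.new(password, salt + (1).to_bytes(4, "big"), hashlib.sha512).digest()
    out = bytearray(u)
    for _ in range(rounds - 1):
        u = hmac.new(password, u, hashlib.sha512).digest()
        out = bytearray(a ^ b for a, b in zip(out, u))
    return bytes(out)


def verify(stored: bytes, password: bytes, salt: bytes, rounds: int) -> bool:
    """Constant-time comparison of a stored value against a candidate password."""
    return hmac.compare_digest(stored, iterated_hash(password, salt, rounds))


def cost_ratio(rounds: int, trials: int = 50) -> float:
    """Rough wall-clock slowdown of the iterated scheme over a single SHA-512."""
    t0 = time.perf_counter()
    for _ in range(trials):
        fast_hash(SAMPLE_PASSWORD, SAMPLE_SALT)
    t_fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        iterated_hash(SAMPLE_PASSWORD, SAMPLE_SALT, rounds)
    t_slow = time.perf_counter() - t0
    return t_slow / t_fast


if __name__ == "__main__":
    stored = iterated_hash(SAMPLE_PASSWORD, SAMPLE_SALT, 1000)
    print("verify ok:", verify(stored, SAMPLE_PASSWORD, SAMPLE_SALT, 1000))
    print("slowdown factor at 1000 rounds: %.0fx" % cost_ratio(1000))
```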
You're using an apple product. When did they ever claim to be secure? Your life is easier, more magical, full of glass, and very fast! Security is... a little bit of whipped cream on top. So enjoy your gestures on that magic touchpad, don't worry about being safe.
Apple doesn't ignore security, they advertise security enhancements in their products:
"Address space layout randomization (ASLR) has been improved for all applications. It is now available for 32-bit apps (as are heap memory protections), making 64-bit and 32-bit applications more resistant to attack."
"Application sandboxing protects the system by limiting the kinds of operations an application can perform, such as opening documents or accessing the network. Sandboxing makes it more difficult for a security threat to take advantage of an issue in a specific application to affect the greater system."
Erm... I forgot I was in a place where preemptively apologizing for making a joke isn't enough for people to think you're joking.
I would like to point out though, that the text you just copied is pretty much Apple's only words on the topic.
To further my joke even more:
Google search for "easy" on apple.com [1] returns 3.3 million results.
Google search for "secure" on apple.com [2] returns .5 million results.
On the internet easy returns 3.6 billion results, and secure 1.25 billion. So on the Apple site, you would expect easy to show up 3 times as much as secure. In fact, easy shows up over 6 times as much as secure.
This definitely proves Apple cares about security only half as much as the rest of the internet does!
I downvoted not because you joked, but because you made patently untrue claims and then backed them up with a very poor methodology. So poor that you can't simultaneously be smart enough to read and understand this site and dumb enough to think it's logical to argue this way.
I wasn't talking about the downvotes, that's to be expected. I was talking about the humorless replies :)
If we all acted our IQs, all the time, the world would be a very boring place. It's not responsible to buy myself expensive toys, it's not respectable to be sarcastic. Yet we do it anyway.
Trolling is meant to make people angry, I meant to get a chortle out of at least somebody... but now I know, beyond a shadow of a doubt, that this is not the site for that. Thank you for helping me realize it.
Joking is fine -- as long as you make a point and contribute to the discussion. Throwing out some one-liner about Apple security is not a valuable contribution, and then yes, your jokes weren't funny either.