Specializing in unlocking solutions, Passware has managed to circumvent the protections of the Apple T2 chip. But you have to be patient.
It is well known that no system can be considered inviolable, and Apple is no exception to the rule. With its T2 chip introduced at the end of 2007, the firm offers an additional layer of security to recent Macs and the macOS system. The company Passware, which specializes in password recovery tools, claims to have succeeded in “hacking” this famous chip. It says that a loophole allows it to bypass the protections put in place by Apple and crack Mac passwords.
The T2 chip is not Passware
The Apple T2 Security Chip is a silicon chip that integrates several security functions. In particular, it offers encrypted storage and secure boot, creating an enclave to store the machine’s password. Another advantage: it limits the number of password attempts and thus complicates the lives of hackers.
The technique developed by Passware is also much slower than those of the tools usually used by hackers to crack passwords. The solution can only test fifteen passwords per second; the process can therefore take several thousand years… for complex passwords. However, most users opt for relatively short and more vulnerable passwords. With an average length of six characters, Passware’s software can find a password in 10 hours.
The firm does not provide any technical details on its method, but it specifies that it has developed two dictionaries that users can use after bypassing Mac security. The first contains 550,000 commonly used passwords, while the second contains 10 billion. They come from different data leaks. The firm states that its solution is only accessible to governments and companies that provide “a valid justification”.
In theory, you can always rest easy if you use a sufficiently complex password. Moreover, the tool requires physical access to the Mac.
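To see what a rate of fifteen guesses per second means when choosing a password, the following added example (not from Passware or from this article's author) computes the worst-case time to exhaust each dictionary size quoted above and the shortest random password that outlasts a chosen time budget. The character-set sizes and the 1,000-year target are assumptions made for the example, and the figures only hold for uniformly random passwords; a human-chosen password that appears in a leak list falls within the dictionary times.

```python
# Added example: worst-case search time at the article's 15 guesses per second.
RATE = 15  # guesses per second, the figure quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character-set sizes are assumptions made for this example.
CHARSETS = {"digits": 10, "lowercase": 26,
            "mixed-case + digits": 62, "printable ASCII": 95}


def exhaust_seconds(candidates, rate=RATE):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return candidates / rate


def keyspace(charset_size, length):
    """Number of passwords of exactly `length` over `charset_size` symbols."""
    return charset_size ** length


def min_length(charset_size, target_years, rate=RATE):
    """Shortest random password whose full keyspace takes >= target_years."""
    needed = target_years * SECONDS_PER_YEAR * rate
    length = 1
    while keyspace(charset_size, length) < needed:
        length += 1
    return length


def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.0f} seconds"


if __name__ == "__main__":
    # Dictionary sizes are the two quoted in the article.
    for name, size in (("550,000-entry dictionary", 550_000),
                       ("10-billion-entry dictionary", 10_000_000_000)):
        print(f"{name}: {human(exhaust_seconds(size))}")
    for name, size in CHARSETS.items():
        six = human(exhaust_seconds(keyspace(size, 6)))
        print(f"{name}: 6 random chars exhausted in {six}; "
              f"length to outlast 1,000 years: {min_length(size, 1000)}")
```

Exhausting the full keyspace is the worst case; on average a random password is found in half that time.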
The basic advice: choose a good password
Nevertheless, this case reminds us that it is important to choose a good password. Make sure it is long enough and contains characters of different types (lowercase, uppercase, numbers and special characters). Words taken from a dictionary should also be avoided. And if you have trouble with a long password, it can be (a little) shorter if your account is equipped with additional security.