TransWikia.com

Does Apple save a (hashed) version of my device passwords?

Ask Different Asked on November 8, 2021

As earlier described in this question, I was asked today by my iPad to enter the user account password of my MacBook, and my MacBook later asked me to provide the passcode of my iPad. I’m specifically not talking about my iCloud password, the actual device passwords were requested and this behaviour is kind of known.

Now my question is: What happens to these passwords? Are they sent over to Apple? Are they used locally to decrypt something that has been encryted with that passcode?

So is Apple in possession of data that can be used to run brute-force attacks agains my device passwords? This would be totally against the idea of the T2-chip limiting brute-force attacks and I never agreed that such information is sent over to Apple and at no point was I informed about that. I’m not sharing my KeyChain with iCloud and do not wish to.

I couldn’t find any exact information on that matter, anybody shedding some light on it is highly welcomed.

One Answer

I haven't reverse engineered if it's a hashed / salted version of the password or if it's just key exchange and entangled secrets that are cryptographically difficult to alter. However, my best estimate is no - it's not simply a hashed version of your password.

Apple states that they don't retain the secret or shared key, so I expect if that's the case, it is unintentional or a weakness in their algorithm / implementation and not they are lying to us about their design intent and execution.

There are very high visibility cases where FBI and U.S. Government frequently complain bitterly, publicly and in the courts arguing that Apple should change their design to make it easier for government to get into people's data and devices, so I tend to think Apple is largely doing precisely what they say to protect the integrity of your data / keys and passwords against surveillance, and unlocking.

Apple clearly designs things to have much data encrypted before your device sends: IP addresses and device identifiers. When they don’t retain that data indefinitely, that limits the potential for lost or stolen data, as well as limits what could even be delivered to the government by legal or procedural discovery. What I can tell is Apple works continually to reduce any non-brute-force access avenues by technical design and by making it easy to choose a complicated passphrase. When we choose secure secrets, that makes bypassing encryption more costly in terms of time and effort.

Whether you feel Apple can be honest or just is honest and/or transparent is hard to know ultimately unless you’re there in the room when the government comes knocking for data or concessions.

Answered by bmike on November 8, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP