Thursday, February 24, 2022

Passware Bypasses T2 Rate Limiting

Ben Lovejoy:

Until recently, however, it wasn’t practical to mount brute-force attacks on Macs with a T2 chip. This is because the Mac password is not stored on the SSD, and the chip limits the number of password attempts that can be made, so you’d instead have to brute-force the decryption key, and that is so long it would take millions of years.

However, 9to5Mac has learned that Passware is now offering an add-on module that can defeat Macs with the T2 chip, apparently by bypassing the features designed to prevent multiple guesses.


The process is still slower than usual, at a relatively sedate 15-ish passwords per second. In theory, this could still take thousands of years, but most people use relatively short passwords which are vulnerable to dictionary attacks. The average password length is just six characters, which can be cracked in around 10 hours.

2 Comments RSS · Twitter

I don't know. Maybe it is time to just forbid making this kind of software commercially available. That would not making that kind of research illegal however using it for monetary gain would.

If it weren't available commercially, only companies selling it to the criminal underground and/or authoritarian governments would know that it's possible. That's worse.

Leave a Comment