Dec 18, 2014 · 1 minute

A tool used by law enforcement to gain access to Apple's iCloud service has been updated to bypass the two-factor authentication feature, which requires a randomly-generated code in addition to a user's normal password. Apple introduced this feature after iCloud was hacked in August.

The tool only works if law enforcement -- or a hacker who purchases the software for themselves -- can already gain access to iCloud via some other method. The most common way to gain access is by learning someone's Apple ID and its corresponding password, but digital files stolen from a laptop used to connect to the cloud service can be used, too.

The threat posed by this tool could be mitigated, then, if people used complex passwords. They don't. A study published in 2013 showed that the most popular password is "123456." It was closely followed by "password," "12345678," "qwerty," and other passwords based on sequential numbers, common words, and letter combinations taken right off the keyboard.

All of which proves again that humans are the weakest aspect of their security measures. Sure, Apple's record on security is far from pristine, after it failed to adopt standard industry practices and failed to properly implement basic security protocols. But these problems are fixable. Apple can't fix its customers' own ineptitude.

It also shows that technology won't be able to stay ahead of law enforcement, or dedicated attackers, forever. The two-factor authentication made private information more secure, but now it can be bypassed. In another example, the peace of mind offered by the biometric sensor on the new iPhone and iPads was later undermined by a Circuit Court judge.

As long as there's someone who wants to keep something private and someone else who wants to access whatever that thing is, technology companies are going to be caught in a game of back-and-forth with law enforcement officials who want access to all data and hackers who are in it for the money or a desire to get their rocks off. (Sometimes the two overlap.)

So it's better to assume something can be compromised than to be surprised when it is. Oh, and to have a password that's a little more complicated than "abc123" or just "password." It's easy enough for people to gain access to your information -- don't make it any easier.

[illustration by Brad Jonas]