iOS 10 iTunes backups less secure than iOS 9 and much easier to crack, security experts report
Another security researcher, Per Thorsheim, explained that Apple has downgraded the hashing algorithm for iOS 10 from SHA1 with 10K iterations to plain SHA256 with a single iteration, which potentially allows the password to be brute-forced on a common desktop computer processor. Using an Intel Core i5 CPU, Elcomsoft achieved a cracking rate of 6 million passwords per second. With the weaker security in place, brute-force attacks are up to 40 times faster than GPU-assisted attacks on iOS 9 backups.
Elcomsoft says the brute-force attack is only applicable to iOS 10 backups, which are difficult, if not impossible, for attackers to obtain unless they have direct access to the victim's mobile device, Apple account credentials, and personal computer. Apple has not addressed the report yet.
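To show why the iteration count matters when setting a backup password policy, the added example below (not Elcomsoft's or Apple's code) times one key derivation under each scheme and estimates worst-case exhaustion time at the 6 million guesses per second quoted above. Assumptions: the 10K-iteration scheme is modelled as PBKDF2-HMAC-SHA1 and the single pass as SHA-256 over salt plus password; the password, salt and 62-character alphabet are constructed sample values.

```python
import hashlib
import time

# Constructed sample values; not taken from any real backup.
PASSWORD = b"correct horse battery"
SALT = bytes(range(16))


def derive_single_sha256(password, salt):
    """Model of a single-iteration scheme: one SHA-256 pass (assumed layout)."""
    return hashlib.sha256(salt + password).digest()


def derive_iterated_sha1(password, salt, iterations=10_000):
    """Model of the 10K-iteration scheme, assumed here to be PBKDF2-HMAC-SHA1."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def seconds_per_derivation(fn, rounds):
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(PASSWORD, SALT)
    return (time.perf_counter() - start) / rounds


def work_factor_ratio():
    """How many times more expensive one guess is under the iterated scheme."""
    fast = seconds_per_derivation(derive_single_sha256, 20_000)
    slow = seconds_per_derivation(derive_iterated_sha1, 20)
    return slow / fast


def days_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case days to try every password of exactly `length` characters."""
    return alphabet_size ** length / guesses_per_second / 86_400


if __name__ == "__main__":
    print(f"iterated vs single-pass cost per guess: {work_factor_ratio():,.0f}x")
    for length in (6, 8, 10, 12):
        # 6,000,000 guesses/s is the CPU rate quoted in the article.
        days = days_to_exhaust(62, length, 6_000_000)
        print(f"{length} alphanumeric chars: {days:,.1f} days worst case")
```

With a single-pass hash the only remaining defence is password entropy, so the length table is the figure to check a password policy against.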
source: Elcomsoft, Per Thorsheim