Sophos Cloud Optix
Are you one of the many people who is using a dangerously easy-to-guess passcode on your iPhone?
Maybe you should do something about it – sooner rather than later.
The warning comes after new research suggested that 15% of all iPhone owners use one of just ten passwords on their lock screen:
Apple iPhone app developer Daniel Amitay published the interesting research, looking at the four digit passcodes that users choose to secure their systems with.
Fortunately, he didn’t snoop on the actual passcodes used by iPhone users to lock their devices – but instead anonymously collected the codes chosen by users to secure the “Big Brother Camera Security” app he develops. In all, Amitay collected over 204,000 passcodes.
Amitay postulated that as Big Brother’s password setup and lock screen are nearly identical to the actual iPhone lock screen, the likelihood is that the passcodes used would most likely correlate with the codes used to lock iPhones.
Now, I can think of strong arguments why some people would choose different passcodes for an app than the one they use to lock their smartphone, but my hunch is that many people don’t bother.
Regardless of those quibbles – Amitay’s findings are worthy of exploring.
Some of the passcode choices that Amitay’s research has thrown up are sadly predictable. People who are choosing the likes of “1234”, “0000” and “1111” as their passcode, for instance, are doing the equivalent of locking up their cars with a piece of thin string.
Those who have chosen “0852” and “2580” aren’t doing much better – they’ve just chosen their passcode by sweeping up and down the keypad.
What I couldn’t immediately understand, however, was any rhyme or reason behind “5683” and “1998”.
Fortunately, Amitay has a theory on this. He points out that “5683” spells out “LOVE” on the keypad, and that may be why it’s so widely used.
And “1998”? Well, it turned out that 199* represented the highest frequency of choices that could represent a decade (the 1990s) – so maybe this is an indication of birth years or the year of graduating college.
I hope you’re not using an easy-to-crack passcode on your iPhone.
Maybe you should switch to using a passphrase for your phone’s security instead? At the very least that won’t restrict you to four numeric digits – so you can make things a little more complex.
If you want to turn the simple passcode off on your iPhone, click on the Settings icon, followed by General to reach the Password Lock options.
With the Simple Passcode option disabled, you’ll be able to choose a longer, more complex password which can comprise upper- and lowercase letters, numbers and even special characters.
Of course, you’ll still need to be sure you don’t choose one of the top 50 passwords you should never use.
Oh, and one final thought.. What’s the 4 digit PIN you use at the bank’s ATM cash machine?
I think a lot of people use a pattern as a way to ensure their phone doesn't unlock itself accidentally in their bag or pocket, *not* as a security password.
This may be the case, but NOT applicable to the iphone–it CAN NOT accidentally unlock itself in a bag.
It would be extremely difficult to do in a pocket as it requires an electrical charge (such as from your fingers)–you can't even use it with ordinary gloves. This is also why most styluses do not work with the phone.
My wife's iPhone would beg to differ. I've gotten purse dialed several times.
Of course if she forgets to turn it off before putting it in there then that’s a different story (;
Phew mine isn't there. Scary.
First of all – I looked at that app in the App Store, and even downloaded it. Not sure I am going to install it on my iPhone, because nowhere did it mention that the app was reporting data like *the PIN used to secure it* back to the developer! This sounds like a really dangerous type of app: one which has a lock screen that looks like the one that came with the iPhone, and which "phones home" with the PIN you entered. I'm really surprised the App Store gatekeepers let this one by, to be honest.
That said, the weaknesses of using a 4-digit PIN to secure an iPhone are well known, so good call on suggesting people disable the "simple passcode".
Last, but not least: I don't know about your bank, but mine doesn't require a 4-digit PIN (it either allows, or *requires*, a longer code.)
~EdT.
Your bank allows or requires a longer than four digit PIN at the ATM? Wow! That is really rare!
Your bank requires a longer code? Interesting.
Be careful if you travel abroad, however. A friend of mine traveled to Bangkok with an 8 digit ATM pin code but ATMs there only accept 4 digits. He can use it as a credit card, but not get money from an ATM.
Ethical practice of software engineers is to store passwords in a non human readable manner (e.g. MD5 encryption). I'm afraid the developer is lack in ethics.
As far as the ATM machine is concerned I think 4 digits are enough because it require lot of effort to do a bruit force to an ATM.
I personally really like the pattern lock, one for not unlocking by accident but the security isnt bad so long as you make it complex enough. I know most of my friends all just have a Z pattern so its not hard to guess.
My question is why apple restricted the PIN to 4 digits????
I would gladly have a much longer string of digits (alpha password would is too cumbersome).
Not sure if you read the article because it says you can change it to more digits than 4.
That reminds me of President Skroob:
"1-2-3-4-5? That's amazing. I've got the same combination on my luggage." http://www.imdb.com/title/tt0094012/quotes
That's amazing! I've got the same combination on my luggage!
Must only be an option for 3GS phones and above… I think I am on the latest update for my 3G, and I only have the option to turn the lock on or off. I always thought the 4 digit pass code was a joke. I agree with Ben; why was a 4 digit numeric code ever used as the default…
Apple acts quickly to remove the big brother app for collecting passcodes
http://buzzintechnology.com/2011/06/apple-removes…
Lol, 1998. Do that many 12 year olds really have iphones? I guess it could be the birth date of a child for some people… but usually when it's a date it's their own birth day.
Or HS or college graduation?
As an IT tech, I often sit in front of someone’s computer and when confronted with a password challenge, say “what’s your password? No, wait, let me guess. What’s the name of your favourite pet?” The amount of times I see the colour drain from their face is funny.
4 numbers is small. Pass phrases becomes difficult.
WTF, so this guy was HARVESTING PASSWORDS with his app? Why isn't anyone seeing anything wrong with this? I know I will NEVER buy, use, or install any software made by this guy or anyone he works for in the future. Those passwords should be hashed, preferably before even sending over the wire. Who the EFF harvests and stores passwords? Crackers and criminals – that's who. JEEZ. *stepping off my soapbox*
You overlook the least elegant, but undoubtedly most common way of passcode theft: watching someone else's screen. Picture yourself in the mall, at a coffee shop, even with a group of friends, when you need the phone, so you grab it, but, darn, the screen is locked. Gasp, you have a screen that now seems gigantic that anyone in back of you can see. So you have to let everyone around you know that you don't trust any of them while you try to hide the screen by positioning it in such a way that nobody can see it while you punch in your passcode. I would venture to say that, rather than letting it be known that you don't trust all of those around you, even if you are (reasonably enough) paranoid about the passcode, you enter it without making it appear that you are trying to hide it.
Surprising that for an Apple device, that 1-9-8-4 would not be higher. Maybe I'm of the wrong generation.
Feel kinda proud that my phone isn't a smart phone so it's pretty much worthless.
They missed 5150, which is police code for 'crazy' ,and is used by tons of people!
1998 -> France (3) – Brazil (0)
🙂
You can't fix stupid
I've noticed on my Android devices, the pattern is often clearly marked by the oils on my fingers. Not really noticeable until you start turning it to different angles. Cleaning the screen very often is something else everyone should keep in mind. I've not noticed it as much on my iPhone but it's still relevant. I could see my fingerprints on the numbers that I use for the numeric pass sometimes, that's why I switched to the actual passphrase.
If you're talking about easy-to-guess passwords, the point is well taken. Otherwise, one 4-digit password is as good as another, since the chance of a given sequence being the correct password is still 1 in 10 x 10 x 10 x 10—and it sounds as though users are not given the choice of longer or alphanumeric passwords.
If you disable simple passcodes and setup a longer numeric passcode, then you get the same numeric keypad with an OK button. It's still easy to type, but more secure.
As a parent, I think I can shed some light on this. When you have young children, you don't want them getting into your ever-tempting touchscreen and deleting all your apps because they left their finger lingering on that fascinating Craigslist peace sign. I do have a very simple passcode on my iPhone, and it has nothing to do with security. Its there because my 3 year old doesn't know how to enter a passcode, period.
I have the best solution. No cell phone or bank card. I lived most of my life before they were invented.
Old Timer.
I appeciated those who spending time in express their views, opinion and suggestions about passward/code in using the ipod or ipad. The situatuion, in my humble opininon, it is a long existing prblem not just for those moblie devices…. online and internet banking , and particularly, on shop-counters and, more seriously, on the bank-counters. Why not consider redesigning those keypads and letting the cardholders feeling more confidently or securely to do their key-in ? To redesign the Key-pad is a simple job by simply putting on a cover over the key-pad. The Key-Pad-Cover, says …has a hole on its top and, with a slot underneither that allows a hand to stick in for doing the key-in. From the hole, it enables the cardholder to see his/her finger operation. Is it simply ? and would anyony interest to recomend the thought like this ? JH Feb 22, 2013
5683 spells LOVE
Yep. The article says that. The rest of us can read too.
Virtually any 4 digit number–actually virtually any number of any reasonable length–can be meaningful. Eliminating 'meaningful' numbers as possible PINs cannot improve security. Making the pool of possibilities smaller simply can't!
My bank allows 5 digit PIN codes! Which I, of course, use.
I heard that the guy who came up with the idea of PIN codes wanted 6 digits, but people complained that it was too hard.