Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue.
Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.
Famous people occasionally make security mistakes like this in public, and every time the reaction is the same – ridicule mixed with surprise.
Ridicule because 000000 seems like the sort of passcode anyone could guess, and surprise that West allowed himself to be filmed revealing this naive weakness.
Others are simply bemused that West didn’t use Face ID or Touch ID.
First, let’s get some perspective – 000000 is a bad passcode, but the worst choice available to iPhone users is to use no passcode at all, and at least he’s not doing that.
And while Kanye’s password is almost the worst choice he could have made (that honour goes to 123456) that still doesn’t mean that guessing it is a slam dunk.
That’s because modern smartphones impose limits on the number of incorrect guesses.
Under iOS, an attacker is allowed six failed attempts after which the phone is disabled for a minute. Continue to guess incorrectly and the timeouts increase to 5, 15, and 60 minutes before, after the tenth attempt, the iPhone will either need to be re-initialized via iTunes or (if the option has been enabled) all data will be wiped.
So, while 000000 sounds easy to guess – any brute forcing utility would spot it in fractions of a second if it was used to secure a website account – on a physical device it’s not quite so straightforward.
An attacker with physical access to Kanye West’s iPhone would still have to decide which ten of the million possible passcodes they were going to try.
000000 is one of the most obvious, but there are plenty of other ‘obvious’ combinations of numbers, touch screen pattens or significant numbers (such as birth dates) when you only have ten choices.
So if lesson number one is choose a better passcode, number two is that lock out limits can go a long way to saving users from their own bad choices.
However, there’s an even more important lesson to be learned here…
Even if West had chosen a stronger passcode, it would have made no difference for the simple reason that he entered it in front of others while being filmed.
Before you laugh at Kanye West...— Naked Security (@NakedSecurity) October 11, 2018
...ever wondered how often *your* passwords have been seen/shoulder surfed/recorded by mistake? (This makes a good case for 2FA!) pic.twitter.com/RnkgBkCgTI
Instead of mocking him for naivety, we should thank him for reminding us of this simple security point – complete with a hard-to-miss demonstration of the principle in front of the world’s press and millions of onlookers.