I’ve written here before about the security vulnerabilities introduced by authentication “secrets” that are easy to guess, like the answers to security questions; and by bad passwords and password policies. Now, Daniel Amitay, a student, blogger, and applications developer for Apple iOS devices (such as the iPhone), has posted the results of an experiment he did to examine the four-digit “pass codes” users set to secure their iPhones. It will probably not come as a complete surprise to learn that users’ selection of these codes is just as lousy as their password selection.
The ten most common codes, which account for 15% of all passcodes in the sample, were:
Most of these are obvious patterns on the phone’s keypad. The exceptions are ‘1998’, probably a date, and ‘5683’, which, as Mr. Amitay points out, corresponds to the letters ‘L-O-V-E’. (The phrase “iloveyou” is a very common password in other contexts.) Passcodes of the form ‘199x’ (that is, a year in the 1990s) were also very common.
As Mr. Amitay points out, this means that, just by trying the 10 most common passcodes, a thief has about a 15% chance of unlocking a given iPhone, without triggering any security alarms.
A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock …
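The patterns described above (repeated digits, keypad lines, years, and codes that spell a word, such as ‘5683’ for L-O-V-E) can be rejected at the moment a passcode is set. The following Python check is an added example, not code from Mr. Amitay’s experiment; the rule set, the year range 1900 to 2099, and the short word list are assumptions chosen for illustration.

```python
# Added example: enrollment-time check that rejects guessable 4-digit passcodes.
# The rules and word list are illustrative assumptions, not Mr. Amitay's data.

# (column, row) position of each key on a standard phone keypad.
KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
          "4": (0, 1), "5": (1, 1), "6": (2, 1),
          "7": (0, 2), "8": (1, 2), "9": (2, 2),
          "0": (1, 3)}

# Letters printed on phone keys, used to spot codes that spell a word.
T9 = {ch: d for d, letters in {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}.items() for ch in letters}
COMMON_WORDS = ["love", "baby", "home", "king"]  # constructed sample list
WORD_CODES = {"".join(T9[c] for c in w): w for w in COMMON_WORDS}


def weak_reasons(code: str) -> list[str]:
    """Return the reasons a 4-digit passcode is guessable (empty = none found)."""
    if len(code) != 4 or not code.isdigit():
        raise ValueError("passcode must be exactly four digits")
    reasons = []
    digits = [int(c) for c in code]
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    elif code[:2] == code[2:]:
        reasons.append("repeated pair")
    # Every step +1 or every step -1 (mod 10), e.g. 1234, 7890, 4321.
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {9}):
        reasons.append("counting sequence")
    # The same (dx, dy) move between all adjacent keys = straight keypad line.
    pts = [KEYPAD[c] for c in code]
    moves = {(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(pts, pts[1:])}
    if len(moves) == 1 and moves != {(0, 0)}:
        reasons.append("straight line on keypad")
    if 1900 <= int(code) <= 2099:  # assumed range for birth/anniversary years
        reasons.append("looks like a year")
    if code in WORD_CODES:
        reasons.append(f"spells '{WORD_CODES[code]}' on the keypad")
    return reasons
```

A passcode-setting screen would refuse any code for which `weak_reasons` returns a non-empty list and show the reasons to the user.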