I’ve written here before about the security vulnerabilities introduced by authentication “secrets” that are easy to guess, like the answers to security questions; and by bad passwords and password policies.  Now, Daniel Amitay, a student, blogger, and applications developer for Apple iOS devices (such as the iPhone), has posted the results of an experiment he did to examine the four-digit “pass codes” users set to secure their iPhones.  It will probably not come as a complete surprise to learn that users’ selection of these codes is just as lousy as their password selection.

The ten most common codes, which account for 15% of all passcodes in the sample, were:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998

Most of these are obvious patterns on the phone’s keypad.  The exceptions are ‘1998’, probably a date, and ‘5683’, which, as Mr. Amitay points out, corresponds to the letters ‘L-O-V-E’.   (The phrase “iloveyou” is a very common password in other contexts.)   Passcodes of the form ‘199x’ (that is, a year in the 1990s) were also very common.

As Mr. Amitay points out, this means that, just by trying the 10 most common passcodes, a thief has about a 15% chance of unlocking a given iPhone, without triggering any security alarms.

A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock  …
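As an added example (not code from the post, nor from Mr. Amitay’s app or Apple), here is a passcode policy check in Python that rejects the ten codes listed above and the pattern classes the post describes: repeated digits, keypad swipes like 2580/0852, and year-like codes (generalized here from the ‘199x’ observation to any 19xx/20xx value).  Such a check at passcode-set time is what makes a “wipe after 10 failures” policy meaningful.  The sample list at the bottom is constructed, not data from the experiment.

```python
import re

# The ten most common codes reported in the post (together 15% of the sample).
TOP_TEN = {"1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"}

# Phone keypad layout, used to spot "walks" where each key touches the previous one
# (2580 is the centre column swiped down, 0852 the same column swiped up).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def is_keypad_walk(code):
    """True if every digit sits on a key adjacent (including diagonally) to the previous one."""
    for a, b in zip(code, code[1:]):
        (ra, ca), (rb, cb) = KEYPAD[a], KEYPAD[b]
        if max(abs(ra - rb), abs(ca - cb)) > 1:
            return False
    return True


def weakness(code):
    """Return why a candidate passcode is weak, or None if it passes this policy."""
    if not re.fullmatch(r"[0-9]{4}", code):
        return "not four digits"
    if code in TOP_TEN:
        return "among the ten most common codes"
    if len(set(code)) == 1:
        return "single repeated digit"
    if code[:2] == code[2:]:
        return "repeated pair"
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if len(steps) == 1:          # 1234, 2468, 9753 ... all have one constant step
        return "constant-step sequence"
    if is_keypad_walk(code):
        return "adjacent-key walk on the keypad"
    if re.fullmatch(r"(19|20)[0-9]{2}", code):
        return "looks like a year"
    return None


def audit(codes):
    """Share of a list of passcodes that this policy would have rejected."""
    return sum(weakness(c) is not None for c in codes) / len(codes)


# Constructed sample (hypothetical codes, not data from the post).
SAMPLE = ["1234", "1998", "2468", "1478", "3690", "1995", "7391", "4062"]
```

`audit(SAMPLE)` reports the fraction of the constructed sample that a policy like this would send back to the user for a different choice.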

As Princeton Professor Ed Felten has pointed out, the use of passwords for security persists as a “Worst Practice”, because it is easy for the developers, who do not bear the costs of bad security.

