The Most Common iPhone Passcodes

Orome1 writes "The problem of poor passwords is not confined to computer use, and that fact was illustrated by an app developer who has added code to capture user passcodes to one of its applications. 'Because Big Brother's [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes,' says Daniel Amitay. It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten."

  • Number 0001!

  • No 4242?
  • Here's a question... (Score:4, Interesting)

    by jojoba_oil ( 1071932 ) on Tuesday June 14, 2011 @07:03PM (#36444252)

    ...how did an app like "Big Brother" make it onto the App(le) store?

    I thought they paid people to test each app before approval; you know, as a first defense against apps that look to imitate the lock screen and steal passcodes...

    • by CharlyFoxtrot ( 1607527 ) on Tuesday June 14, 2011 @07:34PM (#36444538)

      App in question in action [youtube.com]. Description from the video:

      "This is not a prank application! It really works, and takes pictures of anyone trying to access your iPhone. Big Brother is the only iPhone app which sets off an alarm AND takes a photo if the user presses the home button!

      Want to know if someone has been sneaking a peek at your iPhone 4?
      Turn on Big Brother, LOCK it, turn off your iPhone, and you're set!
      Whenever a person enters an incorrect password, the device will take two photos!"

      Not duplicating functionality in the iPhone, not actually stealing your passcode (just its own user settable one is sent back).

      • by qubezz ( 520511 )
        It really works, up to the point that this fake phone lock software actually leaves your phone unlocked, all you have to do is quit the app.
        • Yeah because the iPhone was never locked in the first place, just running the app. That's why it sounds an alarm when you quit the app.

      • by Macrat ( 638047 )

        Want to know if someone has been sneaking a peek at your iPhone 4?

        Or don't leave your phone out lying around where anyone can grab it.

      • Hidden functionality in otherwise acceptable apps has made it in occasionally. I was able to pick up a copy of HandyLight about a year back. On the surface, it's a simple flashlight app, which allowed you to choose differently colored lights. In fact, however, it was an app that allowed the user to tether their iPhone with their computer if the proper color combination was input and the correct network settings were used. Apple pulled it down within a few hours of its initial release, but not before the new

        • Thankfully, Apple has never pulled the trigger and removed apps like that which users have purchased, so I've actually been able to use it on a few occasions since then, though I try not to abuse it (especially since AT&T is apparently cracking down on illicit tethering of this sort, forcing the people doing it to either buy a tethering data plan or else cease doing it), and haven't used it in a few months.

          Hah, I remember that app. I don't remember where I read this (probably somewhere linked from Daringfireball) but developers that have the iCloud pre-release that allows you to download already purchased apps directly to your device reported the option to download apps even if they have been removed from the appstore since they have been paid for. So that's good news if it extends to the final version.

      • by AmiMoJo ( 196126 )

        So they don't check what data is being sent out by the app? That would seem to be a fairly basic security check, and I'd expect to see it mentioned in the EULA.

        This highlights a common problem with permission systems on mobiles (it affects Android too). You give permission for an app to know your location, but can't then control if it sends that information anywhere.

        • On Android: Internet permission flag, and if rooted, Droidwall (iptables frontend, can filter on a per-app basis)

          Note: Root is not the same as jailbreak; root just enables the "su" binary, and can be done with the standard SDK on phones with unlocked bootloaders (and it is usually easy to flash a new, unlocked bootloader / kernel on a phone - often with the phone's own flash tools)

          • by AmiMoJo ( 196126 )

            Problem is most apps need the internet permission to do anything useful with your location. For example a mapping app will need to download map tiles for display, but there is no distinction between that and it sending your location to someone else.

            I used to have my Galaxy S rooted but since 2.3 you have only been able to do it via a custom kernel, which I don't want to mess about with. Shame as it was handy.

        • I'm under the impression that the App Store reviewers don't actually have access to the source code of your app, just the binary. This, combined with the use of HTTPS, makes it impossible for them to tell what data is being sent. All they know is that data is being sent, and what URL it's being sent to.

  • by tehniobium ( 1042240 ) <lukas&imf,au,dk> on Tuesday June 14, 2011 @07:03PM (#36444254)

    This just in: 15% of developers steal the passwords of 80% of all (stupid) users!

    Seriously...isn't this just a tad "evil" behavior? Even if it's done to prove a point, surely this guy shouldn't be stealing his users' passwords?

    • by syousef ( 465911 )

      This just in: 15% of developers steal the passwords of 80% of all (stupid) users!

      Seriously...isn't this just a tad "evil" behavior? Even if it's done to prove a point, surely this guy shouldn't be stealing his users' passwords?

      'A tad' evil like smoking 3 packs of cigarettes is 'a tad' bad for you or coke has 'a tad' of sugar. This is spyware plain and simple.

      I would not do this myself, but if the data's already out there I have no ethical qualms discussing and analysing it. I find it interesting that 2580 popped up. I would not have guessed that. Lots of users into kittens and ponies I guess?

      • by reason ( 39714 )

        2580 is the only set of 4 digits in a straight line on the keypad (straight down the middle).

      • by mirix ( 1649853 )

        2580 is equivalent to 'asdf' on a normal keyboard.

      • 3 packs of cigarettes is a tad bad for you. If you only smoke 3 packs during your entire life the adverse effects are going to be minimal to the point of being hard to identify.

    • From the developer's web site:

      Yesterday I posted an analysis of the Most Common iPhone Passcodes, with passcode data taken from my Big Brother Camera Security app. As of today at 4:58pm EST, Big Brother has been removed from the App Store. I’m certainly not happy about it, but considering the concerns a few people have expressed regarding the transfer of data from app to my server, it is understandable.

      I think I should clarify exactly what data I was referring to, and how I was obtaining it. First, these passcodes are those that are input into Big Brother, not the actual iPhone lockscreen passcodes. Second, when the app sends this data to my server, it is literally sending only that number (e.g. “1234”) and nothing else. I have no way of identifying any user or device whatsoever.

      • by Rennt ( 582550 )

        "I haven't actually compromised your iPhone, all I've done is publish the results data-mining your passwords... trust me!"

        About as far as I can throw you, Jackass.

  • 1-2-3-4-5? (Score:5, Funny)

    by TheRedDuke ( 1734262 ) on Tuesday June 14, 2011 @07:07PM (#36444300)
    That's amazing! I've got the same combination on my luggage!
  • 1998, lol (Score:4, Interesting)

    by AlienIntelligence ( 1184493 ) on Tuesday June 14, 2011 @07:08PM (#36444306)

    So, the most common age of the user is 13?

    Or the most common age of their offspring?

    -AI

    • by ceoyoyo ( 59147 )

      Or they graduated in 1998 and they're around 30.

    • So, the most common age of the user is 13?

      Or the most common age of their offspring?

      -AI

      Or the last year we remember that didn't royally suck. Y2K, 9/11, and the decade of hypercapitalist deception that ensued... yeah, I miss the 90's. The music was better too.

      • Yes to everything else, but the music did suck. Remember Backstreet Boys, Boyzone, NSYNC, Michael Jackson etc? :P

        If I had a choice between 2000s and 1990s I would choose the latter though. IMHO, it was the decade of greatest technological progress since the 60s.

        • As a matter of fact I don't remember those bands, aside from recognizing the names. I couldn't name a single song by any of them (with the obvious exception of Jackson, who transcends the 1990s). That's because I had stopped listening to whatever's-in-fashion music by the 90s, and since then I've just followed my own interests and that of people around me (e.g. on community radio). Complaining about crappy pop music is like complaining about crappy fast food: no one's forcing you to eat it.

      • And the kids stayed offa my lawn!

  • by Anonymous Coward on Tuesday June 14, 2011 @07:09PM (#36444320)

    Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

    • by syousef ( 465911 )

      Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

      Because it's more likely that the kind of person who'll pick up a phone that doesn't belong to them will run up a huge bill calling a foreign country and buy lots of apps if you don't have that locked down?

      • I'll give you the international calls, but purchasing apps or music requires an iTunes password, every time (well it keeps you logged in for like 10 minutes after you enter it).
      • it's more likely that the kind of person who'll pick up a phone...

        Will be the average guy/gal in your area. I don't know where you're from, but in my area I'd say 80% would return it if it was easy and a small fraction of the remaining 20% would be criminal enough to do anything more than attempt to e-bay it.

        You're confusing people who will find a dropped phone with people who would steal a phone.

        • by syousef ( 465911 )

          it's more likely that the kind of person who'll pick up a phone...

          Will be the average guy/gal in your area. I don't know where you're from, but in my area I'd say 80% would return it if it was easy and a small fraction of the remaining 20% would be criminal enough to do anything more than attempt to e-bay it.

          You're confusing people who will find a dropped phone with people who would steal a phone.

          Nope. Where I live, if you lose your phone you better make tracks and report it ASAP. Many horror stories about lost phones.

          • by N1AK ( 864906 )

            Nope. Where I live, if you lose your phone you better make tracks and report it ASAP. Many horror stories about lost phones.

            Generally stories about, I left my phone at a bar and went back later to collect it don't spread as well as the horror stories.

            I've left a wallet in a bar and dropped it outside of a shop. I've left a phone on a train, another in a cinema and yet another at a club. Every single one was handed in, with nothing taken. I've also found wallets and phones, and either phoned the owner or

      • I've found and returned at least two phones in the past few years. I've never stolen one (but I've had at least three attempts at stealing mine).

    • by mjwx ( 966435 )

      Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

      Because most people aren't trying to protect themselves from strangers, they are trying to keep their indiscretions secret from people they know. An iPhone user not wanting his boyfriend knowing he's been seeing other men is more important in their mind than keeping their confidential and compromising data secure.

    • Yes, there are some really SICK people out there.

    • My Blackberry has my name and contact info on the screen when the phone is locked for just that reason. Doesn't the iPhone do that, or does the Great Jobs think the background is sufficient to display when the phone is locked?
  • by Sir_Sri ( 199544 ) on Tuesday June 14, 2011 @07:12PM (#36444352)

    In general the iPhone keyboard makes using #$_*! etc and CaPitaLiz3d passwords harder than it should, which tends to lead to bad security. I'd be interested to know how many people use the same iPhone 4 digit code as their PIN for their debit. Though it looks like the phone lock is more of a 'get me past this lock quickly', which says a lot about how people want to use their phones.

    • My passcode is set to get me past the lock screen quickly - entering a complex code every time I wanted to do/check something on my phone would be absurd. But I've also got it set to wipe after 10 tries, so anyone who finds it is very unlikely to guess the code before getting in and seeing my stuff. Even if they did, Find My iPhone lets me do a remote lock/wipe. No big deal.

    • by mlts ( 1038732 ) *

      Actually, iPhone passwords are easy. If you use an all numeric passcode, instead of pulling up a full keyboard, it pops up a PINpad with the enter button, just like the pad used for entering a SIM pin.

      So, entering an 8-12 digit PIN can be done quite quickly.

      • Wow ... so it does! Thank you good sir.

        This was what was stopping me moving away from the default 4-number simple PIN. I thought that soon as I enabled complex passwords it'd give me the whole keyboard (hard to type on quickly with one hand). But yep if you keep it all-numeric it keeps the standard keypad. That's awesome, and allows me to increase my PIN to 8+ digits without making it harder to type.

    • by PNutts ( 199112 )

      in general the iPhone keyboard makes using #$_*! etc and CaPitaLiz3d passwords harder than it should...

      No it doesn't and if you think so why? You press Shift for caps, .?123 for numbers and common special characters, and #+= for less common special characters? What magic keyboard do you have that allows access to all of those at once? Sheesh.

      • by Sir_Sri ( 199544 )

        right now there are 4 keyboard screens, which would work just as well with 2 that take up the entire screen, rather than half it takes up now.

    • by yuhong ( 1378501 )

      In particular, iOS 4 and later supports data protection, and how secure do you think it is with only 10000 values possible for a passcode?

  • The guy steals people's passwords, then posts about it?

    • The passcode to his app, which is a gimmick app to imitate the real lockscreen and take a picture when the wrong code is entered. Doesn't actually expose any data or anything.

  • by slinches ( 1540051 ) on Tuesday June 14, 2011 @07:18PM (#36444400)

    What I find most amazing is that the iPhone only allows 4 digit 0-9 passcodes. That's only 5040 unique codes if I remember the math correctly.

    • by drb226 ( 1938360 ) on Tuesday June 14, 2011 @07:25PM (#36444460)
      10^4 = 10000
    • by ceoyoyo ( 59147 )

      You can use any alphanumeric + symbols code you want. Most people just use the simple numerical code because it's quick, easy, and does the job. If you guess wrong too many times the phone will enforce a timeout between guesses and you can set it to wipe if too many wrong guesses are entered.

      And you remembered the math incorrectly. It's 10,000 unique codes. Your value is for the number of codes with no repeated numbers.

    • The iPhone has had the choice of 4-digit PIN-style codes or longer alpha-numeric codes for quite a while now.

    • Re: (Score:2, Redundant)

      by slinches ( 1540051 )

      Correction, it's only 5040 if it disallowed repeat numbers. I was over-thinking it a bit. It's 10,000 possible numbers 0000-9999.

    • by CAIMLAS ( 41445 )

      It's almost a non-point.

      The only time you'd need it is if it's lost - in which case it's somewhat a moot point, due to lack of storage encryption. Otherwise, the device is in your pocket, on your person, or otherwise in your 'immediate' control (such as on a bedside next to your girlfriend, who would otherwise be tempted to see if you're still sleeping around).

      Personally, I prefer the 'swipe' functionality available on Android. Less secure, mathematically, but quite a bit more functional.

  • I have a trivial code on my iPhone, just there to provide a speedbump. If my phone were to be lost I'd change my personal & work email passwords. So what? Is anyone supposed to assume that the iPhone passcode provides any real security? If the phone auto-locks after 3 minutes, who wants to put in a 20-character passphrase? BTW, the iPhone passcode is not limited to 4 digits, you can use the entire alphanumeric keyboard, up to at least 10 chars.

  • If the application used a "swipe to unlock" type of mechanism to emulate the iPhone's unlocking mechanism, then this violates an Apple patent.

  • I did a study on mobile passwords, be they numeric or graphical. The conclusion was the same for each and every password method: people usually choose graphical configurations like crosses, spirals and diagonal lines. They rarely choose the numbers or focal points of the images that were on the background.

    • Sounds about right. My girlfriend has the ability to instantly memorize anyone's pincode for years (people don't believe it and so they're dumb enough to tell her), she doesn't actually remember the numbers but seems to remember the pattern on a grid. She could have a great career as a shoulder-surfer.

      • I thought this was the normal way of memorising typed numbers. It's certainly the way I've always done it.

        If you ask me to quote my bank card PIN, or the code on the security system at the office etc. or ask me to type them on a randomly ordered keypad (or the number keys across the top of a QWERTY keyboard), I will not be able to do it very easily. I would have to visualise a normal keypad, move my hand across it in my mind, then figure out which numbers I pressed.

        That is to say, I know my various PINs onl

  • I'm surprised 1998 is a common passcode, is this a birthdate? It's in amongst obvious 1234, 2222, 0000. But it corresponds to an age of approximately 13. Many 13 year olds with an iPhone? Or this age group least security aware?

    Top ten PIN codes:

    1234
    0000
    2580
    1111
    5555
    5683
    0852
    2222
    1212
    1998


    This is interesting. 5683, 2580, 0852 don't seem to have any special significance, they aren't even a particular pattern on the keypad, nor especially natural to punch in, ie right handed, using your thumb.

    Is th
    • FAIL. I was looking at the numpad on a keyboard. Different when looking at actual phone and considering alphanumeric. There's the cognitive bias I was talking about.
    • 2580 is a straight line down.
      0852 is a straight line up
      I dunno about 5683, I find that one a little bit weird

      • RTFA.

        5683, with letter substitutions, spells LOVE.

        I'm pleased to see that none of the 4 number codes I use in daily life made the top 10 list. If someone wants to steal my bike, they'll have to work at it a bit longer.

        • by metlin ( 258108 )

          I like using combinations of interesting numbers and math/physics constants. If you use the more esoteric ones (think Ramanujan's number or the first 3 Fermat numbers), then you also learn new and interesting numbers.

    • "1234". Shit. Excuse me while I change my root password. And my luggage. Thank God the combination to the air shield is more complex.
  • All this says is that 15% were one of the top 10 FOR HIS APP. This makes the very large assumption that people who were paranoid enough to buy his app are going to be fooled and use the same password that they do to lock the phone. They very well might, but his app doesn't prove that.

  • 2046 didn't make the top 10.

  • "Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...god. So, would your holiness care to change her password?" -Fisher Stevens; Hackers [imdb.com] (1995)
  • by NotSoHeavyD3 ( 1400425 ) on Tuesday June 14, 2011 @10:38PM (#36445798) Journal
    I'm going to have to call Jenny about this
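
Added example, not part of the original thread or the developer's code: a Python check that flags 4-digit passcodes matching the patterns commenters pick out of the top-ten list above (repeated digits, sequences, the 2580/0852 keypad column, years, and keypad words such as 5683 for LOVE), plus the 10,000 versus 5,040 keyspace arithmetic from the thread. The year range 1900-2099, the one-word list and every function name are assumptions made for the example.

```python
from itertools import product
from math import perm

# Phone keypad as (row, column) per digit; 0 sits below 8.
KEYPAD = {d: divmod(i, 3) for i, d in enumerate("123456789")}
KEYPAD["0"] = (3, 1)
KEY_LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
               "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}
WORDS = ("LOVE",)          # constructed one-word sample list (assumption)
YEARS = range(1900, 2100)  # assumed range of plausible years
# Top ten passcodes as listed on the page.
TOP_TEN = ["1234", "0000", "2580", "1111", "5555",
           "5683", "0852", "2222", "1212", "1998"]


def keyspace(length=4, repeats=True):
    """Count numeric codes: 10**n with repeated digits, 10Pn without."""
    return 10 ** length if repeats else perm(10, length)


def word_to_digits(word):
    """Translate a word into the keypad digits that carry its letters."""
    return "".join(d for ch in word.upper()
                   for d, letters in KEY_LETTERS.items() if ch in letters)


def is_keypad_line(code):
    """True if the keys lie on one straight line with a constant step."""
    pts = [KEYPAD[d] for d in code]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def weaknesses(code):
    """Return the pattern labels a 4-digit code matches (empty if none)."""
    found = []
    diffs = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if len(set(code)) == 1:
        found.append("repeated digit")
    elif code[:2] == code[2:]:
        found.append("repeated pair")
    if diffs in ({1}, {-1}):
        found.append("sequence")
    if is_keypad_line(code):
        found.append("keypad line")
    if int(code) in YEARS:
        found.append("year")
    if code in {word_to_digits(w) for w in WORDS}:
        found.append("keypad word")
    return found


def flagged_codes():
    """Every 4-digit code that matches at least one pattern."""
    all_codes = ("".join(p) for p in product("0123456789", repeat=4))
    return [c for c in all_codes if weaknesses(c)]


if __name__ == "__main__":
    for pin in TOP_TEN:
        print(pin, weaknesses(pin))
    print(len(flagged_codes()), "of", keyspace(), "codes flagged")
```

Every entry in the top-ten list matches at least one pattern, so a denylist built this way rejects all ten while excluding only a small share of the 10,000 possible codes.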
