Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Iphone Security Apple News

Passcodes Prove Predictable 167

mikejuk writes "Research reveals something we all suspected but couldn't prove — in a four digit pin the most popular first digit is one, the most popular second digit is two. Entropy only really kicks in on the third and fourth digits. What is more looking at the frequencies of four digit groups just 10 different passcodes would be enough to unlock one in seven iPhones!"
This discussion has been archived. No new comments can be posted.

Passcodes Prove Predictable

Comments Filter:
  • by Daetrin ( 576516 ) on Tuesday June 28, 2011 @12:04PM (#36599626)
    This is simple to fix! Everyone, make sure to start all your passcodes with "4" instead of "1" and this attack will be easily foiled!
  • Repost (Score:5, Informative)

    by swb ( 14022 ) on Tuesday June 28, 2011 @12:04PM (#36599634)

    Isn't this a repost of the iPhone app developer who made the photo-graphing lock screen and kept anonymous stats of the "passcodes" people entered into his lock-screen-like lock screen?

  • by Anonymous Coward

    Benford's law. If the data isn't truly random (and in the case of something someone chooses, it isn't), it probably applies.

    • by Hatta ( 162192 )

      If the data is truly random on a logarithmic scale, Benford's law applies.

      • Man, Slashdot is really down the drain. I expected Benford's law to be mentioned in the summary. If not there, one of the *first* comments. I also expected the first mention to be accurate!

        Now almost any article is like... "Wait what, they didn't mention [relevant science/math detail]!" Search for a mention in the comments... and the first one is halfway down *and* requires correction.
        • I expected Benford's law to be mentioned in the summary. If not there, one of the *first* comments.

          There's one three hours before yours. I guess each Slashdot story also needs somebody browsing at +5 and then complaining that there are no good comments.

  • Almost everyone picks 7. When picking a 4 digit passcode, it's inevitable people will pick the same code.

    • Almost everyone picks 7.

      I always pick pi until they explicitly tell me they wanted an integer.

      • by Z00L00K ( 682162 )

        You must get a lot of pies then.

      • I always pick Avagadro's number, unless I'm told they want a number less than 10^23.
        • I always pick Avagadro's number, unless I'm told they want a number less than 10^23.

          Well, he did explicitly say "a number between 1 and 10", so Avogadros' number would be right out.

          Even among geeks, the pedantry of selecting non-integers will get you an eye roll, and maybe a friendly offer of a poke in the eye with a sharp stick. ;-)

    • It's called the pigeonhole principle. If there are more pigeons than pigeonholes, at least one pigeonhole will have more than one pigeon.

      If 11 people are asked to pick a number between one and 10, then at least two will pick the same number. If there are 10,001 users of a product with a 4-digit pin, at least two will pick the same number. There are sure to be two people with the same number of hairs on their head in any sufficiently large city.

      This isn't about two people picking the same number, it's about

      • by bberens ( 965711 )
        That's not true. If 10 people are asked to select a number from 1-10 then the chances of a duplicate are quite high even if the numbers are chosen completely randomly. Since people are really bad at being random there will be an increased likelihood of duplication. The pigeon and hole example only works because there's already a pigeon in the first hole when the second arrives. In the "pick a number" example the numbers don't disappear for the next user.
        • Even with fewer than 10 people, there's a high chance of duplication. 5 people indpendently picking digits from 1 to 10 have a nearly 70% chance of duplication;

        • That's not true.

          What isn't true? The statement that if 11 people select a digit between 0 and 9, at least two people will share a digit? Or if 10001 people select a four-digit sequence, at least two will share a sequence? Because both of those statements are fucking obviously true.

      • by IICV ( 652597 )

        Part of the problem is that people seem to think that a PIN must be four digits long. Most people's ATM PINs are that length, for instance, even though almost all banks support longer ones.

        For the iPhone I suppose it makes sense - doesn't the iPhone require a four digit PIN? - but pretty much everywhere else in life it doesn't.

      • That's incorrect. Chances are, the second picker has 0.9 of not choosing a chosen number. The third has 0.9 * 0.8 = 0.72 (28% that there would be a collision) . With a fourth, 0.9 * 0.8 * 0.7 = 0.504 of not picking a chosen number, so almost 50% of the times there'll be a collision. This is the mathematical substrate behind birthday attacks.
    • I think it depends on how you look at passcodes and whatnot. I tend to regard PIN numbers, passcodes and passwords as "something that has meaning to me" rather than "something that's generally easy to remember".
      A good few years back I was testing some applications that embedded within Microsoft Office 2000 and I had to perform MULTIPLE reinstallations of MS Office 2000 (up to 10 a day on various machines), up to the point the Serial Number was memorized. So i used that as password for some of my accounts.
  • Not much in my phone is worth having. The only reason to lock it is to make butt-dialing harder.

    If you're keeping sensitive info in your iPhone, and not protecting it with anything more than the phone's unlock code, you're a dope.

    Here's a clue: don't let anyone mess with your phone when you're not there to stop them.

    • by cbiltcliffe ( 186293 ) on Tuesday June 28, 2011 @12:18PM (#36600044) Homepage Journal

      Here's a clue: don't let anyone mess with your phone when you're not there to stop them.

      Really? Do you hear what you're saying?

      • Yes you're right. Claymore mines are immoral [wikipedia.org]. He really should be more careful.
      • Well, the obvious way to interpret his sentence is, "Be sure to stop anyone from messing with your phone when you aren't there to protect your phone" which is, of course, a trifle difficult to do. However, it could also be interpreted as "Don't leave your phone unattended in an unsafe location" which is quite a bit more reasonable, and is, I suspect, what O.P. meant by what he said.
        • See, I thought that too. But then I got wondering:

          Who the hell is going to take a common as dirt phrase like "Don't leave your item unattended" and turn it into something bizarre like "don't let anyone mess with your item when you're not there to stop them." It's just so out there that I can't imagine they actually meant the first one....

    • there's one thing very much worth having in your phone: an easy way to dial toll numbers.

  • My iphone pin was required to be 6 digits, so I guess I'm safe :P Interestingly both of my 4-digit PINs that I use for other purposes do start with "1".
    • My BlackBerry requires 7 characters/numbers or greater, and I even add in special characters to make things a bit more fun. Do you have any idea how hard it is to type Hunter2! into a BlackBerry?!? The upside is that the phone auto-wipes after three failed attempts, so I get put out of my misery pretty quickly.

      *Please excuse typos, posted from any mobile device other than BlackBerry

  • by Anonymous Coward

    That the most common first digit is 1 might just be an application of Benford's law:

    http://en.wikipedia.org/wiki/Benford%27s_law

  • I am sure that most people are aware that the entropy of passcode space is culturally dependent.

    One way of evading the cultural diminution of passspace entropy is through a selection technique known as "shocking nonsense." (Google)

    • selection technique known as "shocking nonsense." (Google)

      Huh? How are you supposed to use Goatse as a passcode?!

      • 1, 2, 3, 6, 9, 8, 7, 4.

        • by elsurexiste ( 1758620 ) on Tuesday June 28, 2011 @04:36PM (#36604682) Journal

          I have said this once or twice in the past, but what the hell. :)

          I did research on this subject and you, sir, nailed it. People don't choose numbers: they choose patterns, all the time. The most common passwords are, unsurprisingly, lines. A few are one or two repeating digits. People also have a fondness of diagonals and spirals, although this is noticeable when there are 16 or more buttons. That being said, I'm surprised that 5683 is so common.

          • by martyb ( 196687 )

            People also have a fondness of diagonals and spirals, although this is noticeable when there are 16 or more buttons. That being said, I'm surprised that 5683 is so common.

            (emphasis added)

            "5683" are the numbers on a phone keypad which correspond to the letters for "LOVE". FWIW, 5683 also spells: jove, lote, and loud..

    • In a few years, if this sticks, we'll see a slashdot article about common words like n**** f** etc that should be avoided.

    • by rmstar ( 114746 )

      One way of evading the cultural diminution of passspace entropy is through a selection technique known as "shocking nonsense." (Google)

      (from here [uni-kl.de]):

      "Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissable because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

      On th

    • From the top google article:

      This technique is permissable because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

      I know the article is written in the context of PGP secret passphrases, but if this technique were applied to normal passwords I can guarantee it will prove embarrassing. Such as when the CTO of your company is showing off his fancy emacs script that allows you to ssh into a server from the editor but fails to realize that the password field is not hidden before he tells you to log in using your outrageously obscene password...that one still makes me wince. Randomly generated p

      • by Plekto ( 1018050 )

        Of course, it doesn't have to be sexual in nature. You could have "rabid frogs" or "brittle soup" or something similar as a perfectly safe-to-view example in case it was ever found out.

    • Reminds me of this pseudo URL shortener [shadyurl.com]. I like it when people double check the link and uneasily open it. :D

  • by Swanktastic ( 109747 ) on Tuesday June 28, 2011 @12:14PM (#36599934)

    The sample set for this data is people who are dumb enough to type their unlock code into a fake login app which has been removed from the app store.

    I wonder if this is representative of the population as a whole.

    • Re: (Score:3, Insightful)

      by Opportunist ( 166417 )

      Well, think about how stupid the average person is and realize that half of the people are even stupider.

      • Fortunately I doubt the average thief is much smarter either .. the article says "the implication is that a thief could safely try 10 different passcodes on your iPhone ... With a 15% success rate, about 1 in 7 iPhones would unlock" .. in reality the average thief would go "whuuu!?!?" about three sentences into reading this article.

  • So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    • by hal2814 ( 725639 )
      1-2-3-4-5? That's the same combination I use on my luggage!
    • As popular as the movie Spaceballs has become, it's still a great mystery why so many people continue to use a simple sequential number sequence like that as their primary password,. . . I guess most people are idiots?
      • Because it is easy to remember, and given a choice between "easy" and "secure" most people will choose "easy" unless forced to do otherwise. Even here on /. you see some pretty lively arguments between good password security and real-world usability. Think about it this way: do you use Enigmail or a VPN to correspond with others, or do you send your SMTP traffic in clear text from the free WiFi hotspot at the coffee shop?
  • How about bank ATMs?

    The last time I went to change my pin at the bank, I spent the better part of the walk there (20-30 minutes) developing the perfect algorithm to calculate my pin. It changed with the date, had variables from my life, my spouse's life, my dog--you name it. At the teller, I anxiously put in my 7-digit number, and it kept refusing it. By the fourth attempt, the teller was visibly irritated that I couldn't type in my pin number the same twice in a row. After discussing it with him, he told
    • Well the other option is password/phrase requirements for secure systems now days. Changed every 60 days. Requiring so many different character combos that all users do is write down their password/phrase. So pick your poison on this. Either it's an easy pass phrase that can be 'guessed' or a pass phrase that is written on a card in your wallet.

  • Last week LulzSec released a list of everybody in the world's PIN [guzer.com]. I found mine in there anyway!

  • Clearly, with the size and complexity of the human neural network, and the amount of gooey analog stuff going on in there, humans should be physically capable of generating reasonably high quality entropy for cryptographic purposes. In the same vein, the occasional appearance of atypical or well-trained subjects demonstrates our theoretical capacity for storing reasonably large keys.

    Unfortunately, the African savanna environments of ~500,000 years ago had a dearth of predators that culled according to we
  • 9 out of 10 iphone users don't know how to lock their phones or have never bothered to setup a passcode.
    • by bkaul01 ( 619795 )

      That's not necessarily an oversight on their part. I don't usually have a passcode enabled on my (non-i)phone, since it's almost always in one of three places: in my pocket, in my hand, or on my headboard. It's just a hassle to type in every single time I unlock the phone, and an unnecessary one as long as I maintain sole access to the device. The slight risk that someone could mug me and steal it is one I'll just live with.

      On the other hand, the passcode I do use when I occasionally enable one (e.g. phone

      • That's not necessarily an oversight on their part. I don't usually have a passcode enabled on my (non-i)phone, since it's almost always in one of three places: in my pocket, in my hand, or on my headboard. It's just a hassle to type in every single time I unlock the phone, and an unnecessary one as long as I maintain sole access to the device. The slight risk that someone could mug me and steal it is one I'll just live with.

        I stopped password-protecting my Android phone the second time it dialed 911 - stupid "Emergency Call" button...

    • I have an android, not an iphone, but assuming security is implemented the same way, it's ridiculous. there's no way to set a timeout, so after every call the phone secures itself. If I want to make multiple calls, I have to enter the damn PIN between each one.

      Dear developers, please leave the phone unlocked for 10 minutes after I enter my PIN, or better yet let me choose how long to set it.
    • You know, I tried it for a while. For me, it's just way too much effort. I don't have teen age friend who like to hijack my Facebook statuses. Or the nuclear launch codes.

  • Benford's Law (Score:5, Interesting)

    by Bobtree ( 105901 ) on Tuesday June 28, 2011 @12:22PM (#36600146)

    Since people are likely to use passcodes based on real-world numbers so they can be remembered, perhaps Benford's law applies.

    http://en.wikipedia.org/wiki/Benford's_law [wikipedia.org]

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Since people are likely to use passcodes based on real-world numbers so they can be remembered

      Rather than using real numbers, people should try complex passcodes. My iPhone is locked with: 0000+9999i

    • The distribution certainly looks like it follows Benford's law (probability of initial digit being n is logarithmic).

      In fact, to within noise, the graph of Benford's law http://mathworld.wolfram.com/BenfordsLaw.html [wolfram.com]
      is nearly indistinguishable from the graph in the article (original source: http://amitay.us/blog/files/most_common_iphone_passcodes.php [amitay.us] )

    • by Kjella ( 173770 )

      Actually both for PIN codes, lottery numbers etc. people are very often using birth dates and such. Since a lot of people are born on 10-19th and 20-29th of a month, well.... it doesn't apply to 0 though because people don't think they're born on the 06th. It might look close to Benford's law but really it's not.

      • I never liked using dates. It limits passcodes too greatly. I have used the last digits of phone numbers or addresses of people that I remembered from my childhood though. Numbers that haven't been valid for 20 years, for example, but that I have a strong personal memory of.

    • I also know that there are over 9000 combinations to any 4 digit passcode, and at least 100 start with 1 and 2. QED!

      I was actually thinking that most easily remembered 4 digit numbers are years, usually birthdays. And for the past 1000 years, they've all started with 1 until very recently. I now suspect that the use of the number 2 as the first digit will rise for the next 1000 years.

    • by selven ( 1556643 )

      Could also be the birthday effect - a birthday that has four digits in it must begin with a one, and the second digit must be 0,1 or 2. Interestingly enough, under Benford's law the second digit is also significantly skewed toward lower numbers when the first digit is a 1, so to find out which effect is predominant we would have to look at the third digit.

      Ok, now I'm curious, want to go and snoop on a few thousand PINs for us?

  • by Control-Z ( 321144 ) on Tuesday June 28, 2011 @12:32PM (#36600344)

    The best code is 9991. If you're going to brute force it, most everyone would start at 0000 and it would take 9991 tries. If you're going to bruteforce descending from 9999 you'd get through 4 or 5 before you decided it was too much trouble. ;)

    • Dear god, the horrible flash back. Old phone, my passcode was originally 99XX, my phone number was 99YY. For some odd reason I bowed down to mocking and changed it to some random thing I forgot, either 5xxx or 8xxxx.

      I brute forced myself from 9999 to 9000, then I started from 0001 on up to the 5000s. In the mean time (around 3000) I went to my phone dealer and they tried tricking past it. What they and I didn't realize was they didn't fail. Their "trick" was deemed insecure and instead reset the passco

    • But if the best code is 9991, then a thief should try it first, which would make it not the best code, which would make something else the best code, which would make some other code the one thieves would try first, which ...

      • Re:9991 (Score:4, Funny)

        by Caerdwyn ( 829058 ) on Tuesday June 28, 2011 @01:22PM (#36601342) Journal

        But if the best code is 9991, then a thief should try it first, which would make it not the best code, which would make something else the best code, which would make some other code the one thieves would try first, which ...

        But I surely cannot choose the wine in front of me.

    • Isn't that Beethoven's code for his luggage? (First 4 notes of the 5th symphony.,.)
  • DH "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage! " ...
    CS: "It worked, sir, we have the combination"
    PS: "that's great, we can now take every last breath of fresh air off Druidia, what was the combination?"
    CS: "12345"
    PS: "12345?"
    CS: "yes"
    PS: "that's amazing, I have the same combination on my luggage"

    Who knew that Mel Brooks was so visionary?

  • I guess 1777 is now just plain out the window as a good passcode.
  • Offer something besides numbers in the code. Look, it's an option of 4 characters from a 10-character set. If you want people to be more secure in their own daily uses, allow them to use a larger character set. Give the option to use letters (26 characters) and even symbols. It won't fix the problem, but it will decrease its prevalence.

    • The iphone offers exactly the level of security the user requests.
      Iphone users can choose between just swiping, a PIN or a pass-phrase. A pass-phrase can be of arbitrary length, include numbers letters and punctuation. A PIN is a 4 digit number.
      I had just swipe until my company started requiring security (government without clearance, everything I send or receive in email is legally a public record anyway). I put a real password at first, then I switched to a one-handed 4-digit pin once I realized that s

  • Interesting that the second digit is frequently 2. I would have really expected it to be a 9 and would have expected it to switch to 2 and 0 for first and second over the next few decades.

  • ... "That's amazing. I've got the same combination on my luggage."

  • As it is the closest button to the "Emergency Call" button, and anyone who has tried to unlock their iPhone with one hand will tell you, that you end up hitting it pretty often which is annoying. Also the name also makes me think it is about to auto dial 911, which always freaks me out.

  • by youn ( 1516637 )

    mine is 3726... oops, there goes my account control :)

  • These are the codes people entered into a lock screen "alarm" app. Most people likely did not enter their real code in it. Maybe some people felt a lock app that you could get around with the home button was a good idea and actually used it...

You know you've landed gear-up when it takes full power to taxi.

Working...