Daniel Amitay has been marketing an app which, apparently, takes photos of anyone who uses your iPhone 4 or iPod Touch 4 without your permission. In a recent update, he added some code to capture the passcodes used for his app – not, so he says, the passcode that locks the device itself, though he did assume for research purposes that there would be a correlation between the two. (Not unlikely: we already know that people re-use passwords across many accounts, and a four-digit passcode is even easier to re-use and harder to make memorable in a fresh form, so the overlap is probably greater.)
So he captured 204,508 passcodes (completely anonymously, he says, and I’ve no reason to disbelieve him) and ran some analysis to see which passcodes people used most. This is similar to lots of research in which known collections of exposed passwords have been analysed to find the most commonly used ones, though you might think it a little ethically suspect to harvest those passcodes from his own app. Well, that depends, I suppose, on what degree of privacy app users were expecting, but as long as there’s no way of tying the passcodes to a specific person or device, it’s hard to see that any real harm was done. But apparently he’s paid for it: the app has been withdrawn from the App Store.
Still, it’s an interesting piece of research, in that it does give some indication of what passcodes people use. And it’s as stereotyped as you’d expect: 15% of all those passcodes were accounted for by just the ten most common codes.
(For the probable logic behind some of the less obvious numbers, see the blog…)
What does this mean in practice if Amitay is correct in his thinking about the correlation with the passcode lock? If you’re using one of those passcodes, an unauthorized person has ten chances to get control of your data before the iPhone or iPod wipes itself – and note that the wipe only happens if the “Erase Data” option is switched on in the Passcode Lock settings; with it off, the device merely locks out for increasing intervals after wrong guesses, so an attacker with time on their hands gets more than ten tries. Either way, if your code is one of the common ones, you might want to change it to something more imaginative. Or, better still, turn off the “Simple Passcode” setting so that you can enter a longer code that uses letters as well as digits.
The really interesting question, of course, as Graham Cluley kind of hinted, is whether it reflects what sequences people use in other contexts. Graham mentioned ATM PINs, but you might also wonder about other mobile devices, digital locks, padlocks, handheld authentication devices and so on. My guess is that some will change according to age group, type of keypad, and so on, but there’ll be significant correlation with the more obvious sequences.
I don’t know of any other research on common PIN/passcode sequences offhand, but there’s a decent article offering advice on how to choose a PIN here. I might come back to that topic.
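To make the “ten chances” arithmetic above and the question of “obvious sequences” concrete, here is an added example (my own illustration for this post, not Amitay’s code or his data). It frequency-ranks a corpus of four-digit passcodes, converts the share held by the top ten into the success probability of an attacker who only gets ten guesses, and flags the obvious patterns a PIN-choosing article would warn against. The corpus is constructed and deliberately skewed; the function names, the keypad-line table and the 1900–2099 “looks like a year” range are my assumptions, not anything from the research.

```python
"""Added example for this post: passcode frequency analysis and weak-pattern check.

Not code from Amitay's app or analysis. SAMPLE_CORPUS below is constructed,
not real data; it is skewed on purpose so a few obvious codes dominate.
"""
from collections import Counter

# Constructed sample corpus (NOT real passcodes): five popular codes plus
# 160 distinct filler codes, 250 entries in total.
SAMPLE_CORPUS = (
    ["1234"] * 40 + ["0000"] * 20 + ["1111"] * 15 + ["2580"] * 10 + ["1998"] * 5
    + [f"{n:04d}" for n in range(3000, 3160)]
)


def top_n(corpus, n=10):
    """Most common passcodes with their counts, most common first."""
    return Counter(corpus).most_common(n)


def top_n_share(corpus, n=10):
    """Fraction of the corpus covered by its n most common codes.

    Read this as the probability that an attacker who simply tries those n
    codes gets in, assuming the target chose a code from the same distribution.
    """
    counts = Counter(corpus)
    covered = sum(count for _, count in counts.most_common(n))
    return covered / len(corpus)


def uniform_guess_probability(attempts=10, length=4):
    """Success probability of `attempts` guesses if codes were chosen uniformly."""
    return attempts / 10 ** length


# Rows and columns of a phone keypad (assumed layout: 123/456/789/0 under the 8).
# Both directions are checked, so 0852 counts as a keypad line like 2580.
KEYPAD_LINES = ("123", "456", "789", "1470", "2580", "3690")
RUN = "0123456789"


def weak_patterns(code):
    """Names of the obvious patterns a four-digit code matches (empty = none)."""
    if not (code.isdigit() and len(code) == 4):
        raise ValueError("expected a four-digit numeric passcode")
    found = []
    if len(set(code)) == 1:
        found.append("repeated digit")
    if code in RUN or code in RUN[::-1]:
        found.append("ascending/descending run")
    if code[:2] * 2 == code and code[0] != code[1]:
        found.append("repeated pair")
    if any(code in line or code in line[::-1] for line in KEYPAD_LINES):
        found.append("keypad line")
    if 1900 <= int(code) <= 2099:          # assumed range for "a birth year"
        found.append("looks like a year")
    return found


def is_weak(code):
    """True if the code matches any of the obvious patterns above."""
    return bool(weak_patterns(code))


if __name__ == "__main__":
    for code, count in top_n(SAMPLE_CORPUS):
        flags = ", ".join(weak_patterns(code)) or "-"
        print(f"{code}: {count:3d}  {flags}")
    print(f"top-10 share:          {top_n_share(SAMPLE_CORPUS):.1%}")
    print(f"uniform 10-guess odds: {uniform_guess_probability():.2%}")
```

With the post’s real figure substituted for the constructed corpus, the same arithmetic says a ten-guess attacker who works down the popular list has roughly a 15% chance of getting in, against 0.1% (10 out of 10,000) if codes were chosen uniformly at random. The pattern checker is deliberately crude; it catches repeats, runs, keypad lines and year-like codes, which are the categories behind most of the “less obvious” entries, but anything it passes is still only as strong as the distribution it was drawn from.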
David Harley CITP FBCS CISSP
Small Blue-Green World