Posted by: David Harley | June 15, 2011

Passcodes and Good Practice

Daniel Amitay has been marketing an app which, apparently, takes photos of anyone using your iPhone 4 or iPod Touch 4 without your permission. In a recent update, he added some code to capture the passcodes used for his app – not, so he says, the passcode for locking the device, though he did assume for research purposes that there would be a correlation between the two. (Not unlikely: we already know that people re-use passwords on many accounts, and passcodes are probably harder to remember and even more liable to re-use.)

So he captured 204,508 passcodes (completely anonymously, he says, and I’ve no reason to disbelieve him) and ran some analysis to see which passcodes people used most. This is similar to lots of research where known collections of exposed passwords have been analysed to see which are the most commonly used, though you might think it a little ethically suspect to harvest those passcodes from his own app. Well, that depends, I suppose, on what degree of privacy app users were expecting, but as long as there’s no way of tying the passcodes to a specific person or device, it’s hard to see that any real harm was done. But apparently he’s paid for it: the app has been withdrawn from the App Store.

Still, it’s an interesting piece of research, in that it does give some indication of what passcodes people use. And it’s as stereotyped as you’d expect in that 15% of all those passcodes were in the top 10:

  1. 1234
  2. 0000
  3. 2580
  4. 1111
  5. 5555
  6. 5683
  7. 0852
  8. 2222
  9. 1212
  10. 1998

(For the probable logic behind some of the less obvious numbers, see the blog…)

What does this mean in practice if Amitay is correct in his thinking about the correlation with the passcode lock? If you’re using one of those passcodes, it gives an unauthorized user ten attempts to get at your data before the iPhone or iPod wipes everything, so you might want to change it to something more imaginative. Or, better still, change the setting so that you can enter a more complex code.
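As an added example (my code, not Amitay’s and not from the post), here is a defensive policy check that encodes the patterns behind the list above: the top-10 set itself, repeated or sequential digits, straight keypad walks such as 2580 and its reverse 0852, ABAB repeats, keypad-letter words such as LOVE for 5683, and plausible years. The short word list and the 1900–2011 year bounds are my assumptions.

```python
# Added example, not code from the post: a policy check for 4-digit passcodes
# built from the patterns behind the top-10 list. Rule names, the word list and
# the year bounds are my own assumptions.
import itertools

# The ten most common passcodes quoted in the post (about 15% of the sample).
TOP10 = {"1234", "0000", "2580", "1111", "5555",
         "5683", "0852", "2222", "1212", "1998"}

# Telephone keypad layout, used to spot straight-line "walks" such as
# 2580 (down the middle column) and its reverse 0852.
KEYPAD = ["123", "456", "789", " 0 "]
KEY_POS = {d: (r, c) for r, row in enumerate(KEYPAD)
           for c, d in enumerate(row) if d != " "}
# Letters printed on the keys (5683 spells LOVE); constructed word list.
KEY_LETTERS = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
               "6": "MNO", "7": "PRS", "8": "TUV", "9": "WXY"}
COMMON_WORDS = {"LOVE", "HATE"}

def is_keypad_walk(pin):
    """Every step between consecutive keys is the same non-zero move."""
    pts = [KEY_POS[d] for d in pin]
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}

def spells_common_word(pin):
    """True if some choice of letters on the pressed keys spells a listed word."""
    # Keys without letters (0 and 1) yield an empty choice, so any() is False.
    return any("".join(w) in COMMON_WORDS
               for w in itertools.product(*(KEY_LETTERS.get(d, "") for d in pin)))

def weaknesses(pin, year_range=(1900, 2011)):
    """Return the names of every rule a 4-digit passcode violates ([] if none)."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        return ["not a 4-digit code"]
    hits = []
    if pin in TOP10:
        hits.append("top-10 list")
    if len(set(pin)) == 1:
        hits.append("repeated digit")
    if {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])} in ({1}, {9}):
        hits.append("ascending/descending run")
    if pin[:2] == pin[2:]:
        hits.append("ABAB pattern")
    if is_keypad_walk(pin):
        hits.append("keypad walk")
    if spells_common_word(pin):
        hits.append("spells a word")
    if year_range[0] <= int(pin) <= year_range[1]:
        hits.append("looks like a year")
    return hits
```

Every entry in the post’s top 10 trips at least one structural rule besides the blacklist itself, which is the point: a blacklist alone only catches the codes you already know about.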

The really interesting question, of course, as Graham Cluley kind of hinted, is whether it reflects what sequences people use in other contexts. Graham mentioned ATM PINs, but you might also wonder about other mobile devices, digital locks, padlocks, handheld authentication devices and so on. My guess is that some will change according to age group, type of keypad, and so on, but there’ll be significant correlation with the more obvious sequences.

I don’t know of any other research on common PIN/passcode sequences offhand, but there’s a decent article offering advice on how to choose a PIN here. I might come back to that topic.

David Harley CITP FBCS CISSP
Small Blue-Green World
