The Most Common iPhone Passcodes

Orome1 writes "The problem of poor passwords is not confined to computer use, and that fact was illustrated by an app developer who has added code to capture user passcodes to one of its applications. 'Because Big Brother's [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes,' says Daniel Amitay. It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten."

First post

[GameboyRMH]

Number 0001!

What?

[sirboxalot]

No 4242?

Re:What?

[syousef]

No 4242?

Or 6969

Re:What?

[TheInternetGuy]

69 is the new 42

Re:What?

[zonky]

Password use is going to be interesting. Bet 99% are the same as their PIN for any cards, and the same as a home alarm.

Re:What?

[PopeRatzo]

No 4242?

I use the last four digits of pi as my code.

Re:What?

[syousef]

69 is the new 42

Maybe if you're Hugh Hefner.

Re:What?

[FatAlb3rt]

My calculator says it's 2654 - I haz ur passcode, you moran!

Re:What?

E spels it different

Re:What?

Password use is going to be interesting. Bet 99% are the same as their PIN for any cards, and the same as a home alarm.

Oooooor codes are used differently for different devices/services.

My ipod and my father's ipod both have 1-2-3-4 as the unlock codes. Why?

1) The only reason for the lock code in our use is to keep from accidentally opening it while carrying it in a pocket.
2) My 1 year old (now 2) preferred kept attempting that code to unlock it. So either let him play on it or have him lock me out too.

Nitpick

[tripleevenfall]

TFA says "But the fact that makes Amitay's revelation extremely crucial is that if someone steals or finds a lost iPhone, he has a 15% chance of unlocking the device and accessing the data within before it gets wiped just by trying out the passwords on the aforementioned top 10 list."

Isn't it true that 10 successful wrong guesses causes the phone to brick?

Re:Nitpick

[calmofthestorm]

Not by default; you can set it up that way.

Re:Nitpick

[pushing-robot]

15% of iPhones are locked using one of ten codes.

You have ten login attempts before the phone wipes itself.

Thus, if you try each of the top ten codes on a random iPhone, you have a 15% chance of entering the right code before it wipes itself.

Also, I think you meant "successive".

Re:Nitpick

[CharlyFoxtrot]

The whole thing is flawed. His is a gimmicky free app. Clearly most users downloaded it, tested it with a stupid passcode, like the 2 most common "1234" and the app default "0000" and then quickly forgot about it. Got to give him props for PR though, who knows how many downloads is he going to get out of this story.

Re:Nitpick

[jesseck]

Also, I think you meant "successive".

No, he was just being optimistic about guessing wrong.

Re:Nitpick

[mysidia]

is that if someone steals or finds a lost iPhone, he has a 15% chance of unlocking the device and accessing the data within before it gets wiped just by trying out the passwords on the aforementioned top 10 list."

I think that might be off -- If someone steals or finds a lost, working iPhone; he probably has a 80 - 90% chance of finding the device not secured with a passcode to begin with.

If he happened to get so unlucky as to find one of the 20% of iPhones with a passcode; he has a 15% chance of unlocking that locked device.

That brings it closer to a 100% chance of gaining access to it; if the found phone works at all -- only an 85% chance of it using an uncommon passcode. Just because it's uncommon doesn't mean unguessable -- it depends on how much the thief knows or can find out about the person. If the thief gets the wallet too, they might try the birthdate on drivers license or do other research about numbers significant to the person (increasing chances of an unlock beyond 15% for fixed common) -- if we include things like phone numbers, anniversary year, 15% might be a real low ball for the amount of passcodes based on such guessable concepts.

Re:Nitpick

[xSauronx]

If someone steals or finds a lost, working iPhone; he probably has a 80 - 90% chance of finding the device not secured with a passcode to begin with.

Jeebus. I lock my android phone, and my nook color which runs android, with the swipe lock. My friends and their ipad? Not so much, and they're nerds who should know better

Re:Nitpick

[blueg3]

It brings it closer to an 83% chance of accessing it, actually. Not 100%. (15% of top passcodes x only 20% of iPhones locked = 3% of total iPhones use one of the top passcodes).

Re:Nitpick

[Toam]

I lock my android phone with a pattern which is fairly pointless as you can see streaks on the screen from where I've swiped it in

Yes, I'm aware that I can change it to a password or pin which would be more secure, but to be honest having any sort of "lock" on my phone is less about security and more about not making calls etc while the phone is in my pocket.

Re:Nitpick

[sootman]

The good news is, with Find My iPhone (free since iOS 4) you can remotely set a lockscreen code AFTER it has been stolen. So if you a) don't have any super-secret stuff on your phone and b) notice it missing soon after it's stolen, the worst that will happen is the thief will make some calls and use some data. Of course, my preference would be for the thief to keep using the phone, and hopefully Find My iPhone would enable me to actually recover the phone.

Re:Nitpick

[Jstlook]

Certainly not me! I don't need to give somebody my passcode for the heck of it!

Re:Nitpick

[DarthBart]

I never locked my iphone until I accidentally left it somewhere. Fortunately, it was there when I got there but I'd have been boned if someone picked it up and did nefarious things with it before I could reset passwords/passcodes.

Now it's set to lock after 5 minutes of non-use and to nuke itself after 10 bad passcodes.

And no, I don't use the same PIN on my ATM card.

Re:Nitpick

[toleraen]

What nefarious things could be done, honestly? On my android based phone they could send email, make phone calls, send some texts...that's about it. Although if they wiped my Hex Defense scores I'd be pretty pissed.

Re:Nitpick

[mysidia]

Of course, my preference would be for the thief to keep using the phone, and hopefully Find My iPhone would enable me to actually recover the phone.

I have mixed thoughts about that. If more people reported their phone stolen immediately, to have the IMEI blocked by all the cell networks, it could be somewhat a deterrant against theft too. If you want to add a pascode remotely, better remove sensitive data too.

The Find My iPhone function may indeed be used by some people in those situations.

There is also a problem, that if you don't have it deactivated immediately, and the thief racks up a few thousand in usage charges, e.g. international calls (your phone used by the thief to fraudulently re-sell toll calls) or overseas data roaming, you could be on the hook for some serious $$ in some cases.

The lost iPhone may be $600 to replace, but at least you can be confident there is such a strict limit to your losses, if you do brick/deactivate the phone's service before the perp can abuse the phone's access to your account.

It should be noted the passcode protection is only good against unsophisticated thieves. There are ways to bypass the passcode and then remove it/view it, or gain access to all data on an iPhone, without requiring any silliness of attempts, or trying to guess the passcode.

That is there are some people who can gain access to 100% of fully working iPhones, with physical access and sufficient motive, common passcode or not.

For this reason.... I don't think there's anything irrational about the decision to use a weak/easy passcode.
Until Apple actually encrypts all data on the phone with the authenticator, that is, and use biometrics, such as face recognition, rather than manual entry of digits.

Re:Nitpick

[rich_hudds]

Isn't it actually more likely that the person who found it was honest.

I know of a few people who've lost their phones and recovered them because the person who found it called some of their friends using the phone.

If you lock it it's probably less likely you'll get it back.

Re:Nitpick

[Laurence0]

Yeah, this. I turned the "draw a pattern to unlock" feature on about a day after I got my Desire, after the second time my pocket called someone.

The vertical swipe to unlock is nice and different to Apple's horizontal swipe to unlock, but it's rather easy for my phone to do in my pocket.

Re:Nitpick

[Keeper+Of+Keys]

If I found a locked phone I would keep it nearby and wait for it to ring.

Re:Nitpick

[Keeper+Of+Keys]

If I found a locked phone I would keep it nearby and wait for it to ring.

(Sorry, I posted this in the wrong thread first time. Now I have to make a pointless change in order to re-submit...)

Re:Nitpick

[MrAngryForNoReason]

The lost iPhone may be $600 to replace, but at least you can be confident there is such a strict limit to your losses, if you do brick/deactivate the phone's service before the perp can abuse the phone's access to your account.

This is why phone insurance is a good idea for anyone who has a handset worth more than a couple of hundred and a contract. Insurance covers you for loss, theft or damage to the handset and also covers any fraudulent calls made on the device.

Block phone, claim on insurance, get replacement.

'Find my iPhone' is all well and good but if it has actually been stolen what are you going to do, go round their house and ask for it back? I guess you could hand the information on to the police but leaving the phone unblocked for days on the off chance you will be able to have the police recover it is a pretty big risk. As well as fraudulent calls and the data you have on the device you also expose anyone who calls your phone to whichever scumbag stole it.

Re:Nitpick

[Coren22]

AT&T does not lock out IMEIs, my brother tried when his wife's iPhone was stolen. AT&T actually sees it as a good thing, because now they have the possibility of adding another subscriber (the thief or whoever he sells to) and you have to pay an absurd amount of money for a new phone (unless you have insurance).

Re:Nitpick

[swb]

What do you recommend for phone insurance? Personally I like the concept, I just worry that any plan that looks financially reasonable ($3-4 per month max) will be ridden with loopholes and filing a claim will be impossible.

Beyond that price point, after two years, you're in the ball park for what you can get a new iPhone for with a new contract discount, making it something of a bad bet, although mid-contract replacement is probably the pricey risk you're actually insuring against.

But while I'm thinking out loud, what about homeowner's insurance? Shouldn't it cover that kind of a loss?

Re:Nitpick

[AvitarX]

How about receive e-mails?

I would think the ability to reset almost any password would be pretty strong (access to SMS + E-mail gets you into a lot).

Re:Nitpick

[MrAngryForNoReason]

Most home insurance has phones excluded from 'our of the home' cover unless you add it specifically. If you do add it then you also get cover from fraudulent calls which is a necessity if you are on a contract.

You invariably get the best deal by just adding phone cover to your house contents insurance. Much cheaper, and you don't need a separate policy. It also has the added benefit that the claims tend to be easier as they care more about keeping you as a customer.

Here's a question...

[jojoba_oil]

...how did an app like "Big Brother" make it onto the App(le) store?

I thought they paid people to test each app before approval; you know, as a first defense against apps that look to imitate the lock screen and steal passcodes...

Re:Here's a question...

[CharlyFoxtrot]

App in question in action. Description from the video :

"This is not a prank application! It really works, and takes pictures of anyone trying to access your iPhone. Big Brother is the only iPhone app which sets off an alarm AND takes a photo if the user presses the home button!

Want to know if someone has been sneaking a peak at your iPhone 4?
Turn on Big Brother, LOCK it, turn off your iPhone, and you're set!
Whenever a person enters an incorrect password, the device will take two photos!"

Not duplicating functionality in the iPhone, not actually stealing your passcode (just its own user settable one is sent back).

Re:Here's a question...

[makubesu]

Indeed, I would've thought they'd block a big brother app for competing with them.

Re:Here's a question...

[qubezz]

It really works, up to the point that this fake phone lock software actually leaves your phone unlocked, all you have to do is quit the app.

Re:Here's a question...

[CharlyFoxtrot]

Yeah because the iPhone was never locked in the first place, just running the app. That's why it sounds an alarm when you quit the app.

Re:Here's a question...

[Macrat]

Want to know if someone has been sneaking a peak at your iPhone 4?

Or don't leave you phone out lying around where anyone can grab it.

Re:Here's a question...

[Anubis+IV]

Hidden functionality in otherwise acceptable apps has made it in occasionally. I was able to pick up a copy of HandyLight about a year back. On the surface, it's a simple flashlight app, which allowed you to choose differently colored lights. In fact, however, it was an app that allowed the user to tether their iPhone with their computer if the proper color combination was input and the correct network settings were used. Apple pulled it down within a few hours of its initial release, but not before the news of it and a YouTube video of the developer explaining how to use it had been thoroughly circulated on the Mac news and rumor sites.

Thankfully, Apple has never pulled the trigger and removed apps like that which users have purchased, so I've actually been able to use it on a few occasions since then, though I try not to abuse it (especially since AT&T is apparently cracking down on illicit tethering of this sort, forcing the people doing it to either buy a tethering data plan or else cease doing it), and haven't used it in a few months.

Re:Here's a question...

[BenJCarter]

In Soviet Russia, we are all Big Brothers...

Re:Here's a question...

[CharlyFoxtrot]

Thankfully, Apple has never pulled the trigger and removed apps like that which users have purchased, so I've actually been able to use it on a few occasions since then, though I try not to abuse it (especially since AT&T is apparently cracking down on illicit tethering of this sort, forcing the people doing it to either buy a tethering data plan or else cease doing it), and haven't used it in a few months.

Hah, I remember that app. I don't remember where I read this (probably somewhere linked from Daringfireball) but developers that have the iCloud pre-release that allows you to download already purchased apps directly to your device reported the option to download apps even if they have been removed from the appstore since they have been paid for. So that's good news if it extends to the final version.

Re:Here's a question...

[AmiMoJo]

So they don't check what data is being sent out by the app? That would seem to be a fairly basic security check, and I'd expect to see it mentioned in the EULA.

This highlights a common problem with permission systems on mobiles (it affects Android too). You give permission for an app to know your location, but can't then control if it sends that information anywhere.

Re:Here's a question...

[Terrasque]

On Android: Internet permission flag, and if rooted, Droidwall (iptables frontend, can filter on a per-app basis)

Note : Root is not the same as jailbreak, root is just enable the "su" binary, and can be done with standard SDK on phones with unlocked bootloaders (and is usually easy to flash a new, unlocked bootloader / kernel on a phone - often with the phone's own flash tools)

Re:Here's a question...

[AmiMoJo]

Problem is most apps need the internet permission to do anything useful with your location. For example a mapping app will need to download map tiles for display, but there is no distinction between that and it sending your location to someone else.

I used to have my Galaxy S rooted but since 2.3 you have only been able to do it via a custom kernel which I don't want to mess about it. Shame as it was handy.

Re:Here's a question...

[teh+kurisu]

I'm under the impression that the App Store reviewers don't actually have access to the source code of your app, just the binary. This, combined with the use of HTTPS, makes it impossible for them to tell what data is being sent. All they know is that data is being sent, and what URL it's being sent to.

Re:Here's a question...

[Anubis+IV]

From what I recall, that feature only works with apps that don't have "legal issues" (hence the prompt developers have been getting recently, asking if any of their apps have legal issues) and apps that were not pulled by Apple itself. So, any apps pulled by the developers for non-legal reasons can still be downloaded, but anything pulled by Apple for violations will not be able to be downloaded. Even so, that doesn't stop you from simply syncing any devices with the app to iTunes.

Re:Here's a question...

[tlhIngan]

Note : Root is not the same as jailbreak, root is just enable the "su" binary, and can be done with standard SDK on phones with unlocked bootloaders (and is usually easy to flash a new, unlocked bootloader / kernel on a phone - often with the phone's own flash tools)

Jailbreaking is also done to enable "su" on the iPhone. It's caleld jailbreaking because apps run sandboxed, and if you want better access, you need to break out of the jail. (Android does this too, but it also isolates apps from each other as each run under a different user account).

It's just on iPhone, besides breaking out and gaining root access, you need to also make changes to the OS so it can accept unsigned binaries and sideloading.

I'd say they're the same, and the differences really are OS-specific. You are, after all, rooting an iPhone, just doing a few extra steps in order to make it more useful in general.

I suppose we call it rooting instead of jailbreaking on Android purely to emphasize that Android's more open. "Jailbreaking" the term refers to breaking security on closed devices, when it really just means breaking out of some sandbox like BSD's jail().

jailbreakme.com ran 2 different exploits - the first was a PDF one to run arbitrary code, that arbitrary code then exploied a hole in the sandbox to get root, then you do the OS mods to keep root and install Cydia.

Evil Developer!

[tehniobium]

This just in: 15% of developers steal the passwords of 80% of all (stupid) users!

Seriously...isn't this just a tad "evil" behavior? Even if its done to prove a point, surely this guy shouldn't be stealing his users passwords?

Re:Evil Developer!

[DMFNR]

I doubt it even matters that the login screen looks like the iPhone's anyway. The type of person who is probably using 1234 as his passcode is probably the same kind of person who uses the same passcode/password for everything. I bet if they did a study like this on peoples debit car PIN numbers the results would be pretty similar.

Re:Evil Developer!

[syousef]

This just in: 15% of developers steal the passwords of 80% of all (stupid) users!

Seriously...isn't this just a tad "evil" behavior? Even if its done to prove a point, surely this guy shouldn't be stealing his users passwords?

'A tad' evil like smoking 3 packs of cigarettes is 'a tad' bad for you or coke has 'a tad' of sugar. This is spyware plain and simple.

I would not do this myself, but if the data's already out there I have no ethical qualms discussing and analysing it. I find it interesting that 2580 popped up. I would not have guessed that. Lots of users into kittens and ponies I guess?

Re:Evil Developer!

Alternatively, the person that uses 1234 to secure this app (whatever it does) may not care about security *for that data* but could have a more secure PIN for the handset.

Admittedly, I'm giving human nature more credit than it has historically earned, but the developer is making quite a stretch with his inference that his results are a fair analogy for what Apple would see if they dropped similarly evil code in the next iOS update. Do I care if you can guess the PIN to my iPhone? Yep. Do I care if you then also guess my "Big Brother" pin? Maybe.... but you've already got my iPhone, so most of the damage is already done, assuming you're evil.

Final point - the developer also assumes that all users of his app also have a lock-screen PIN enabled on their iPhone. As per Anonymous Coward @08:09PM, this isn't always the case.

Re:Evil Developer!

2580 are the numbers in the middle column on a standard phone keypad, like 147* and 369#. I'm surprised 0852 didn't rank in the top 10

Re:Evil Developer!

[urbanheretic]

You'll find that 2580 is just the middle column in the passcode view. It's not really that weird when you look at it that way.

Re:Evil Developer!

[reason]

2580 is the only set of 4 digits in a straight line on the keypad (straight down the middle).

Re:Evil Developer!

[pushing-robot]

From the developer's web site:

Yesterday I posted an analysis of the Most Common iPhone Passcodes, with passcode data taken from my Big Brother Camera Security app. As of today at 4:58pm EST, Big Brother has been removed from the App Store. I’m certainly not happy about it, but considering the concerns a few people have expressed regarding the transfer of data from app to my server, it is understandable.

I think I should clarify exactly what data I was referring to, and how I was obtaining it. First, these passcodes are those that are input into Big Brother, not the actual iPhone lockscreen passcodes. Second, when the app sends this data to my server, it is literally sending only that number (e.g. “1234”) and nothing else. I have no way of identifying any user or device whatsoever.

Re:Evil Developer!

[cgeys]

Alternatively, the person that uses 1234 to secure this app (whatever it does) may not care about security *for that data* but could have a more secure PIN for the handset.

Admittedly, I'm giving human nature more credit than it has historically earned, but the developer is making quite a stretch with his inference that his results are a fair analogy for what Apple would see if they dropped similarly evil code in the next iOS update. Do I care if you can guess the PIN to my iPhone? Yep. Do I care if you then also guess my "Big Brother" pin? Maybe.... but you've already got my iPhone, so most of the damage is already done, assuming you're evil.

Final point - the developer also assumes that all users of his app also have a lock-screen PIN enabled on their iPhone. As per Anonymous Coward @08:09PM, this isn't always the case.

Yeah no shit. For my computer and logins I save everything neatly in KeePass, different passwords to every site I use. But I don't really care about my phone. It's paid upfront, so you can't do damage with it. For the pin code I just use my birthdate. Yes, that's right. It's easy to remember so that I don't lock the phone if I happen to forget the pin number. I also want it to be quickly entered when I start my phone. And this is even more true for something like screen-locked pin code. If I lose my phone, I'm more pissed at the fact that I lost hardware and can't use it. I don't really have anything on the phone, nothing that I consider valuable anyway. So I might aswell make my life easier and use an easy pin.

Re:Evil Developer!

[mrchaotica]

I'm surprised 0852 didn't rank in the top 10

According to the chart in TFA, it did.

Re:Evil Developer!

[mirix]

2580 is equivalent to 'asdf' on a normal keyboard.

Re:Evil Developer!

[hedwards]

3 packs of cigarettes is a tad bad for you. If you only smoke 3 packs during your entire life the adverse effects are going to be minimal to the point of being hard to identify.

Re:Evil Developer!

[Cimexus]

On a smartphone though, the threat isn't that the thief will get your phone and rack up a bill. It's that they can get all your personal data. Contacts, usernames for any sites/services you use on the phone, etc.

Worse: most people have their mail application set to remember password. So they can read all your mail, or send mail pretending to be you. Similarly with apps like Facebook - these are generally left logged in/password remembered. So even if your various passwords are long and difficult to guess, this is moot if they protected only via a 4 digit number on the phone.

Re:Evil Developer!

This is spyware plain and simple

But...but...I thought the Holy Sanctified Apple iObjects were immune to spyware! Lord Jobs told me so himself!

Re:Evil Developer!

[Rennt]

"I haven't actually compromised your iPhone, all I've done is publish the results data-mining your passwords... trust me!"

About as far as I can throw you, Jackass.

1-2-3-4-5?

[TheRedDuke]

That's amazing! I've got the same combination on my luggage!

Re:1-2-3-4-5?

mod parent UP!

"I said across her nose not up it!"

Re:1-2-3-4-5?

[rolfwind]

Please show me where you get 5 combination luggage? I'm still struggling to finding any with more than 3 combos :D

Re:1-2-3-4-5?

[hansamurai]

You're doing the joke wrong.

Re:1-2-3-4-5?

[mrchaotica]

It's a special feature of "Spaceballs: The Suitcase."

Re:1-2-3-4-5?

[tverbeek]

I figured that 5-5-5-5 would be too obvious, so on mine phone I reversed the order.

Re:1-2-3-4-5?

For added security you can ROT13 twice on top of that.

1998, lol

[AlienIntelligence]

So, the most common age of the user is 13?

Or the most common age of their offspring?

-AI

Re:1998, lol

[ceoyoyo]

Or they graduated in 1998 and they're around 30.

Re:1998, lol

[billcopc]

So, the most common age of the user is 13?

Or the most common age of their offspring?

-AI

Or the last year we remember that didn't royally suck. Y2K, 9/11, and the decade of hypercapitalist deception that ensued... yeah, I miss the 90's. The music was better too.

Re:1998, lol

[kvvbassboy]

Yes to everything else, but the music did suck. Remember backstreet boys, boyzone, nsync, michael jackson etc? :P

If I had a choice between 2000s and1990s I would choose the latter though. IMHO, it was the decade of greatest technological progress since the 60s.

Re:1998, lol

[tverbeek]

And the kids stayed offa my lawn!

Re:1998, lol

[nherm]

1997

Re:1998, lol

[tverbeek]

As a matter of fact I don't remember those bands, aside from recognizing the names. I couldn't name a single song by any of them (with the obvious exception of Jackson, who transcends the 1990s). That's because I had stopped listening to whatever's-in-fashion music by the 90s, and since then I've just followed my own interests and that of people around me (e.g. on community radio). Complaining about crappy pop music is like complaining about crappy fast food: no one's forcing you to eat it.

Re:1998, lol

Yes to everything else, but the music did suck.

For every backstreet boys, there's a Portishead. For every boyzone, there's a Massive Attack. nsync? Underworld. michael jackson? Chemical Brothers. As for rock, there was Pixies, My Bloody Valentine, Polvo, Ride, PJ Harvey. And so on, and so forth, etcetera.
Things were not quite as bad as you seem to remember them.

Re:1998, lol

What the 1990s had that is missed:

Radio actually playing music that matters, rather than yet the same 100 songs over and over again because each station is owned by the same conglomerate so the local flavor is confined to what remains in the DJ's facial hair.

Actual innovation. Not "innovation through litigation". People didn't sue; they actually went out and built shit. Cypherpunks coded, companies laid fiber (as opposed to wringing their hands in front of Congress that people are using their infrastructure.)

Actual computer security. This was before PHBs deemed security a cost center, and therefore something to only pay lip service to. Locking down hosts took more thinking than just assuming the Cisco router will guard against everything.

Your career didn't end if you had a night in jail somewhere. These days, I am forced to turn candidates down for a job even if they are qualified if they were arrested for anything, even if they have zero convictions.

Cars didn't suck until the SUV craze hit. Even SUVs tried to look cool, rather than the bloated coffee beans of crossovers and other glorified station wagons.

Crypto was something the government was trying to outlaw. Not something companies were trying to use against users with DRM stacks.

OSS solutions were allowed in companies. Not so after Enron and SOX made it a prison term unless the F/OSS solution had FIPS and Common Criteria stickers.

Viruses destroyed computers. This means that even the moronic computer users actually did basic computer security practices. The worst culprit for compromised machines were Suns.

There was no spam until Canter & Segal showed that one could get away with it scot-free. If an E-mail message wound up in your mailbox, at worst it was some clueless freshman forwarding a chain letter, or some MAKE.MONEY.FAST dufas.

Be a net.asshole, and get your account access pulled. System admins didn't tolerate hackers, exploiters, or people giving a reputation to their domain, and if someone cursed in a forum (other than alt.flame), it was likely the BOFH in charge of the system would take out the garbage. Good luck getting an ISP to pull access, unless you decide to make up some copyright violation charge from your rectum.

You could walk into an airport and eat at restaurants near the gate. Try that now without working there or having a ticket, and its 20-life.

Prisons actually held bad people. Not people who are held because it is profitable to do so, and who couldn't afford a good defense lawyer.

You could cross a border with just your driver's license.

You could take a plane trip without waiting two hours for some guy to finish his "white glove treatment."

You could visit websites without worrying about an infected ad server completely compromising your box.

Mexico was a nice tourist destination.

Movies were not regurgitated, "gritty" reboots.

A police offer would hand you your ticket personally. You didn't find out that some camera somewhere accused you of something which is impossible to fight against.

Your food came from somewhere in the US, not mixed with random adulterants in some backwater nation and imported.

Semis went all through the US, not just to the ports and warehouses.

People actually went out and protested, not just signed a facebook petition.

Oh, did I say the music actually wasn't shit? Godsmack versus the XX, Metallica (before Load) versus Justin Beiber. Nirvana versus Lady Gaga. Can we say the stuff made now (to use a term I saw on a /. post a ways back) is gimper than a quadriplegic in a vacuum bed. It should never be played in the same places that actual musicians like Dimebag Darrell, Slash, Kurt Cobain, or other greats have stood.

Re:1998, lol

Or they moved out of their parents' basement in 1998 and got their own place so they're about 43.

Re:1998, lol

[pandrijeczko]

For every backstreet boys, there's a Portishead.

You do realise you are not making it any better, don't you?

Re:1998, lol

[FunkSoulBrother]

You have the whitest taste in music ever.

Re:1998, lol

Thats pop, and negative talk!! :)

Look at the positives!
Nirvana, No Doubt, Stone Roses, Bluetones, Placebo, Portishead, Pulp, Blur, Radiohead, Oasis, Foo Fighters, Korn, Jurrasic 5 and many, many more.

Back to the article, does this app cope with long passwords? I use long passwords and not the 4 digit codes?

Re:1998, lol

You have the whitest taste in music ever.

Gotta love it from UserID FunkSoulBrother!

Why lock it?

Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

Re:Why lock it?

You're new to this planet, aren't you

Re:Why lock it?

[syousef]

Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

Because it's more likely that the kind of person who'll pick up a phone that doesn't belong to them will run up a huge bill calling a foreign country and buy lots of apps if you don't have that locked down?

Re:Why lock it?

It is also likely someone will find that they can use it to run up huge charges for the phone and wireless, buy a ton of music, sell the contacts to gangbangers as addresses for their next hits, log onto Facebook and start sending out spam, or random death threats, log onto Exchange and snarf business E-mail, etc.

Instead, I rather have return info as a graphic on the lockscreen, and if someone is kind enough to return the phone, they can call that number for a reward. There are too many thieves, criminals, and psychopaths to risk being naiive and not having decent security.

Re:Why lock it?

[Manos_Of_Fate]

I'll give you the international calls, but purchasing apps or music requires an iTunes password, every time (well it keeps you logged in for like 10 minutes after you enter it).

Re:Why lock it?

[psithurism]

it's more likely that the kind of person who'll pick up a phone...

Will be the average guy/gal in your area. I don't know where your from, but in my area I'd say 80% would return it if it was easy and a small fraction of the remaining 20% would be criminal enough to do anything more than attempt to e-bay it.

Your confusing people who will find a dropped phone with people who would steal a phone.

Re:Why lock it?

[mjwx]

Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.

Because most people aren't trying to protect themselves from strangers, they are trying to keep their indiscretions secret from people they know. An Iphone user not wanting his boyfriend knowing he's been seeing other men is more important in their mind then keeping their confidential and compromising data secure.

Re:Why lock it?

[syousef]

it's more likely that the kind of person who'll pick up a phone...

Will be the average guy/gal in your area. I don't know where your from, but in my area I'd say 80% would return it if it was easy and a small fraction of the remaining 20% would be criminal enough to do anything more than attempt to e-bay it.

Your confusing people who will find a dropped phone with people who would steal a phone.

Nope. Where I live, if you lose your phone you better make tracks and report it ASAP. Many horror stories about lost phones.

Re:Why lock it?

[pandrijeczko]

I would actually do my best to return it.

After all, if you're that deluded to buy an iPhone in the first place then you probably need every "help-up" in life that you can get.

Re:Why lock it?

[RivenAleem]

Yes, there are some really SICK people out there.

Re:Why lock it?

Maybe you need to move to a nicer city? :) Of course normal people pick up a phone that seems to be forgotten there -- that's the decent thing to do.

I've lost my phone twice, both times the finder called the number that was last called. I've done the same thing to a phone I found (after recharging, it had apparently been in the snow for 2 months).

Re:Why lock it?

[w_dragon]

My Blackberry has my name and contact info on the screen when the phone is locked for just that reason. Doesn't the iPhone do that, or does the Great Jobs think the background is sufficient to display when the phone is locked?

Re:Why lock it?

[N1AK]

Nope. Where I live, if you lose your phone you better make tracks and report it ASAP. Many horror stories about lost phones.

Generally stories about, I left my phone at a bar and went back later to collect it don't spread as well as the horror stories.

I've left a wallet in a bar and dropped it outside of a shop. I've left a phone on a train, another in a cinema and yet another at a club. Every single one was handed in, with nothing taken. I've also found wallets and phones, and either phoned the owner or taken them to the staff/owner of the place where they were found.

Perhaps us Brits are just honest, perhaps this is a case of exceptional good luck, or perhaps people don't steal everything when given the chance.

Re:Why lock it?

The picture on my lock screen includes contact details on what do do if you find my lost phone.

Re:Why lock it?

[dotancohen]

I've found and returned at least two phones in the past few years. I've never stolen one (but I've had at least three attempts at stealing mine).

Re:Why lock it?

[Duradin]

So clever it's droll.

Re:Why lock it?

[mlts]

Same here. If a phone is lost, remote wipe it ASAP, then call the telco to zap the SIM and put the IMEI of the device on the stolen list.

Where I live, the phone likely would be on eBay within minutes of being found, or within hours as parts (it is likely that the thief will just disassemble it, and sell the parts for as much, if not more than the entire unit, and not have to worry about serial numbers.)

Re:Why lock it?

Or maybe he lives in Japan.

the iphone makes good passwords hard...

[Sir_Sri]

in general the iphone keyboard makes using #$_*! etc and CaPitaLiz3d passwords harder than it should, which tends to lead to bad security. I'd be interested to know how many people use the same iphone 4 digit code as their PIN for their debit. though it looks like the phone lock is more of a 'get me past this lock quickly', which says a lot about how people want to use their phones.

Re:the iphone makes good passwords hard...

[The+Good+Reverend]

My passcode set to get me past the lock screen quickly - entering a complex code every time I wanted to do/check something on my phone would be absurd. But I've also got it set to wipe after 10 tries, so anyone who finds it is very unlikely to guess the code before getting in and seeing my stuff. Even if they did, Find My iPhone lets me do a remote lock/wipe. No big deal.

Re:the iphone makes good passwords hard...

[mlts]

Actually, iPhone passwords are easy. If you use an all numeric passcode, instead of pulling up a full keyboard, it pops up a PINpad with the enter button, just like the pad used for entering a SIM pin.

So, entering an 8-12 digit PIN can be done quite quickly.

Re:the iphone makes good passwords hard...

[PNutts]

in general the iphone keyboard makes using #$_*! etc and CaPitaLiz3d passwords harder than it should...

No it doesn't and if you think so why? You press Shift for caps, .?123 for numbers and common special characters, and #+= for less common special characters? What magic keyboard do you have that allows access to all of those at once? Sheesh.

Re:the iphone makes good passwords hard...

[EvanED]

IIRC, my old "moderately secure" password (used for my two university logins) took over 50% more button/screen presses to enter on my N900 than a normal keyboard.

Re:the iphone makes good passwords hard...

[Sir_Sri]

right now there are 4 keyboard screens, which would work just as well with 2 that take up the entire screen, rather than half it takes up now.

Re:the iphone makes good passwords hard...

[yuhong]

In particular, iOS 4 and later supports data protection, and how secure do you think it is with only 10000 values possible for a passcode?

Re:the iphone makes good passwords hard...

[Cimexus]

Wow ... so it does! Thank you good sir.

This was what was stopping me moving away from the default 4-number simple PIN. I thought that soon as I enabled complex passwords it'd give me the whole keyboard (hard to type on quickly with one hand). But yep if you keep it all-numeric it keeps the standard keypad. That's awesome, and allows me to increase my PIN to 8+ digits without making it harder to type.

Re:the iphone makes good passwords hard...

This is why I like my Desire Z with its excellent keyboard. Punctuation, capitals and series of numbers are very easy to type on this.

Re:the iphone makes good passwords hard...

Because all of that is difficult to do one-handed while while doing 85mph on the highway...

So wait...

[nitehawk214]

The guy steals people's passwords, then posts about it?

Re:So wait...

[CharlyFoxtrot]

The passcode to his app, which is a gimmick app to imitate the real lockscreen and take a picture when the wrong code is entered. Doesn't actually expose any data or anything.

Re:So wait...

Doesn't actually expose any data or anything.

Or that's exactly what he wants you to think. There were enough stats to create a graph of the 10 most common passcodes, was there not?

Re:So wait...

There were enough stats to create a graph of the 10 most common passcodes, was there not?

This is based on the assumption that people are using their real unlock code for the dummy one in the app. Assuming this app is free (has it been pulled? it's not showing up when I search for it,) most people are probably just installing it as a novelty and entering 1234 or 0000 rather than think of a proper pass code. Plus if you follow the story to the demo video, 0000 is the default code, so people just as well might be entering 0000 0000 0000 to blow through that part of setup.

At worst, it's just some clever social engineering. All that's left is to fly around and steal all those iPhones!

What I find most amazing ...

[slinches]

What I find most amazing is that the iphone only allows 4 digit 0-9 passcodes. That's only 5040 unique codes if I remember the math correctly.

Re:What I find most amazing ...

> What I find most amazing is that the iphone only allows 4 digit 0-9 passcodes

?! My passcode is 6 digits. What limits you to 4?

Re:What I find most amazing ...

[drb226]

10^4 = 10000

Re:What I find most amazing ...

[ceoyoyo]

You can use any alphanumeric + symbols code you want. Most people just use the simple numerical code because it's quick, easy, and does the job. If you guess wrong too many times the phone will enforce a timeout between guesses and you can set it to wipe if too many wrong guesses are entered.

And you remembered the math incorrectly. It's 10,000 unique codes. Your value is for the number of codes with no repeated numbers.

Re:What I find most amazing ...

0000 - 9999 I would reckon on 10,000 unique codes.

Re:What I find most amazing ...

[The+Good+Reverend]

The iPhone has had the choice of 4-digit PIN-style codes or longer alpha-numeric codes for quite a while now.

Re:What I find most amazing ...

It's actually 10,000 codes -- 10^4. Your math would be right if you weren't allowed to repeat a digit. Still, your point stands -- there are far less possible codes than iPhones.

Re:What I find most amazing ...

[slinches]

Correction, it's only 5040 if it disallowed repeat numbers. I was over-thinking it a bit. It's 10,000 possible numbers 0000-9999.

Re:What I find most amazing ...

[scromp]

And it'll wipe itself after 10 tries..

Re:What I find most amazing ...

Woosh, that flew right over your head.

Re:What I find most amazing ...

[Anubis+IV]

It's times like this that you don't correct yourself and just let everyone think it was a joke.

Re:What I find most amazing ...

You can pick the same number more than once, so there are 10 possibilities for each one. 10 * 10 * 10 * 10 = 10,000

Re:What I find most amazing ...

[CAIMLAS]

It's almost a non-point.

The only time you'd need it is if it's lost - in which case it's somewhat a moot point, due to lack of storage encyption. Otherwise, the device is in your pocket, on your person, or otherwise in your 'immediate' control (such as on a bedside next to your girlfriend, who would otherwise be tempted to see if you're still sleeping around).

Personally, I prefer the 'swipe' functiononality available on Android. Less secure, mathematically, but quite a bit more functional.

Re:What I find most amazing ...

You are allowed to use the same digit multiple times, you know.

Re:What I find most amazing ...

What i find amazing is that you don't know how many characters can be used for a passcode on an iPhone. Here is a hint: It isn't 4.

Re:What I find most amazing ...

The second most common passcode is 0000, so I don't get why some people thought 5040 was a joke.

Re:What I find most amazing ...

[Smurf]

10^4 = 10000

Woosh, that flew right over your head.

Given that it wasn't a joke, I would love to know what you thought was the joke.

Well, so what?

[Evro]

I have a trivial code on my iPhone, just there to provide a speedbump. If my phone were to be lost I'd change my personal & work email passwords. So what? Is anyone supposed to assume that the iPhone passcode provides any real security? If the phone auto-locks after 3 minutes, who wants to put in a 20-character passphrase? BTW, the iPhone passcode is not limited to 4 digits, you can use the entire alphanumeric keyboard, up to at least 10 chars.

5683?

Most of those are not surprising, but what happened on May 6th 1983 that's so significant?

Re:5683?

[Aladrin]

It spells LOVE on the keypad.

Re:5683?

[JamesP]

Good thing my password spells LOUD on the iPhone

Oh wait...

Re:5683?

[mirix]

pfft, it spells LOUD.

Love as a password, what a silly species... somewhat nauseatingly lame.

Re:5683?

[billcopc]

Says so right in TFA: 5683 lines up with the letters L-O-V-E

You know, because chicks use phones too.

Re:5683?

[Cimexus]

No idea. But something important clearly happened on 5 June 1983. :)

Re:5683?

[N1AK]

Good show old chap.

What do these screens actually look like?

[pclminion]

If the application used a "swipe to unlock" type of mechanism to emulate the iPhone's unlocking mechanism, then this violates an Apple patent.

Appetite for patterns

[elsurexiste]

I did a study on mobile passwords, be them numeric or graphical. The conclusion was the same for each and every password method: people usually choose graphical configurations like crosses, spirals and diagonal lines. They rarely choose the numbers or focal points of the images that were on the background.

Re:Appetite for patterns

[CharlyFoxtrot]

Sounds about right. My girlfriend has the ability to instantly memorize anyone's pincode for years (people don't believe it and so they're dumb enough to tell her), she doesn't actually remember the numbers but seems to remember the pattern on a grid. She could have a great career as a shoulder-surfer.

Re:Appetite for patterns

Of course! How else do you remember strings of digits that you type into a keypad? Phone numbers and PINs are easily memorable by remembering the path on the standard 10-digit keypad.

Re:Appetite for patterns

[Cimexus]

I thought this was the normal way of memorising typed numbers. It's certainly the way I've always done it.

If you ask me to quote my bank card PIN, or the code on the security system at the office etc. or ask me to type them on a randomly ordered keypad (or the number keys across the top of a QWERTY keyboard), I will not be able to do it very easily. I would have to visualise a normal keypad, move my hand across it in my mind, then figure out which numbers I pressed.

That is to say, I know my various PINs only by the pattern of movement I have to make to enter it (e.g. up, down, across 2, diagonally down and left, enter). The actual numbers? No idea off the top of my head.

ed hardy jeans

[edhardyjeans]

everybody should take the health as a big problem! ed hardy cheap ed hardy ed hardy clothes

Interesting trend.

[w0mprat]

I'm suprised 1998 is a common passcode, is this a birthdate? It's in amongst obvious 1234, 2222, 0000. But it correspondes to a age of approximately 13. Many 13 year olds with a iPhone? Or this age group least security aware?

Top ten PIN codes:

1234
0000
2580
1111
5555
5683
0852
2222
1212
1998


This interesting. 5683, 2580, 0852 don't seem to have any special significance, they aren't even a particular pattern on the keypad, nor especially natural to punch in, ie right handed, using your thumb.

Is this some odd human cognitive bias revealing itself?

Re:Interesting trend.

[w0mprat]

FAIL. I was looking at the numpad on a keyboard. Different when looking at actual phone and considering alphanumeric. There's the cognitive bias I was talking about.

Re:Interesting trend.

[AresTheImpaler]

2580 is a straight line down.
0852 is a straight line up
I dunno about 5683, I find that one little bit weird

Re:Interesting trend.

Vertical, horizontal, etc. lines.

The article says that 5683 reads "love". In that same logic, I'd have used 3825. Puzzles me the 1998 as *relevant* year. But here's the list of the top 10000 passwords for iPhone:

for (i=0; i10000; i++) { printf("%04d\n",i); }

Re:Interesting trend.

[NewWorldDan]

RTFA.

5683, with letter substitutions, spells LOVE.

I'm pleased to see that none of the 4 number codes I use in daily life made the top 10 list. If someone wants to steal my bike, they'll have to work at it a bit longer.

Re:Interesting trend.

5683 = love

Re:Interesting trend.

I think 5683 is related to teenage girls spelling out silly words on the keypad.

2, 5, 8, and 0 are the center column, reducing "memorize a sequence of 4 digits" (or locations on-screen, if you memorize it spacially) to "memorize a permutation of the only 4 digits in a straight line" (or a traveling-salesman route) -- reducing both the symbol space and the fundamental difficulty of the problem (since e.g. remembering any 3 digits tells you the 4th). If you have a brain the size of a very small walnut, this could be the breakthrough that spares you writing your passcode down and referring to it for a few days until you can remember it yourself. And if you have the aforementioned very-small-walnut-sized brain, the fact that you just reduced the attacker's search space the same amount won't occur to you.

And it's "Class of 1998" -- the center of the iPhone demographic would be about 30, wouldn't you think? That or their old phone used a 3-digit code, they used 999, and doubled it to fill 4 digits, zero having not yet been invented.

Re:Interesting trend.

[TheDormouse]

I'm suprised 1998 is a common passcode, is this a birthdate?

I think it must be that the age bracket that has the greatest number of iPhone users also had significant life events in 1998. 30-31 year-olds graduated high school in 1998. Lots of 30-40 year-olds got married or had their first kid in 1998.

Re:Interesting trend.

L-O-V-E on a phone keypad

Re:Interesting trend.

5683 = LOVE

Re:Interesting trend.

5683 is LOVE on a phone.

Re:Interesting trend.

2580 is a straight line down.
0852 is a straight line up
I dunno about 5683, I find that one little bit weird

5683 is the numeric represenation of 'LOVE'

Re:Interesting trend.

5863 is a diamond, easy to type with right thumb when holding phone in right hand.

Re:Interesting trend.

5683 is the popular "more complex" pattern. That "smarter" people use. This is just an inference, looking at the above mentioned list.

Re:Interesting trend.

[metlin]

I like using combinations of interesting numbers and math/physics constants. If you use the more esoteric ones (think Ramanujan's number or the first 3 Fermat numbers), then you also learn new and interesting numbers.

Re:Interesting trend.

[UnknowingFool]

"1234". Shit. Excuse me while I change my root password. And my luggage. Thank God the combination to the air shield is more complex.

Re:Interesting trend.

5683 == LOVE.

Maybe that's it?

Re:Interesting trend.

2580 and 0852 are the central numbers running up and down the number pad. Hence obvious. And easy.

If you had RTFA it said that the 5683 combination, while seemingly random, spells LOVE. This is apparently a common password -> iloveyou

Re:Interesting trend.

This interesting. 5683, 2580, 0852 don't seem to have any special significance, they aren't even a particular pattern on the keypad, nor especially natural to punch in, ie right handed, using your thumb.

how is 0852 and 2580 not a pattern? straight up and straight down the middle.

Re:Interesting trend.

[Colde]

This interesting. 5683, 2580, 0852 don't seem to have any special significance, they aren't even a particular pattern on the keypad, nor especially natural to punch in, ie right handed, using your thumb.

Actually 2580 and 0852 is the middle row of keys from top to bottom or vice versa. I agree with the strangeness of 5683 though.

Re:Interesting trend.

2580 and 0852 would be straight up or down the middle of a number pad

Re:Interesting trend.

except that 2580/0852 is a straight line and 5683 is L-O-V-E

Re:Interesting trend.

From TFA:
5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683)

And 2580 and 0852 are the only 4 numbers in one vertical row on the numpad.

Re:Interesting trend.

2580 and 0852 are a straight line (top to bottom or bottom to top) on the keypad. 5683 is interesting though. It spells "LOVE". /me shrugs.

Re:Interesting trend.

2580 and 0852 are just straight Up (or Down) the middle line of keys.

Re:Interesting trend.

5 = L 6 = O 8 = V 3 = E. when writing an SMS message and the dictionary feature is on.

iPhone strong passphrase irrelevant

I had changed my iPhone from a passcode to a strong passphrase but I realized that all it did was bug me. The passcode keeps the casual user out, but even with a strong passphrase, a tool like Cellubrite can dump all data despite your efforts. So you inconvenience yourself and don't increase real security with anything other than a 4-digit code...

Um, no.

[webdog314]

All this says is that 15% were one of the top 10 FOR HIS APP. This makes the very large assumption that people who were paranoid enough to buy his app are going to be fooled and use the same password that they do to lock the phone. They very well might, but his app doesn't prove that.

Not a lot of Catholics with iPhones I guess

[iiioxx]

2046 didn't make the top 10.

The Plague

[MoldySpore]

"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...god. So, would your holiness care to change her password?" -Fisher Stevens; Hackers (1995)

So wait 5309 isn't one of them?

[NotSoHeavyD3]

I'm going to have to call Jenny about this

Re:So wait 5309 isn't one of them?

You're getting old, man!

1... 2... 3... 4

[amnesia_tc]

That's the kind of a combination and idiot would have on their iPhone.

sex, god, and love

I thought the most common passwords would be: sex, god, and love. What is the world coming to?!

App pulled by apple

Apple has pulled the app, which seems a bit harsh as it is pretty much anonymous and improves (?) future security
http://www.reghardware.com/2011/06/15/pin_spy_app_pulled/

Letter G

[Kamiza+Ikioi]

When Google first demo'd android, they used a G pattern. Though it may be many degrees higher of potential security, I wonder how many people just spell a letter.

And this is news why?....

[kwolf22]

Imagine that... An app designed to catch people trying to break into your iPhone collects a bunch of common passwords...

High School Grads

So, the most common age of the user is 13?

Or the most common age of their offspring?

-AI

No, that's when they graduated high school. (For a lot of people, this is a big deal. Apparently, they think of that as the height of their lifetime's achievement or something.) So their average age is 31.

1, 2, 3, 4, 5?

[micahjc]

1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!

On Find My iPhone

[sean.peters]

Knowing where your iPhone is is only half the battle (probably less than half). The rest of the problem is getting the police to actually do something about it. From what I've read, most police departments are not that interested in pursuing something like this even if you can show them where the thief is. And trying to get your phone back yourself, from some guy who stole it from you? Not recommended.