The Most Common iPhone Passcodes
Orome1 writes "The problem of poor passwords is not confined to computer use, and that fact was illustrated by an app developer who has added code to capture user passcodes to one of its applications. 'Because Big Brother's [the app in question] passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes,' says Daniel Amitay. It turns out that of the 204,508 recorded passcodes, 15% were one of the most common ten."
Number 0001!
"When information is power, privacy is freedom" - Jah-Wren Ryel
No 4242?
...how did an app like "Big Brother" make it onto the App(le) store?
I thought they paid people to test each app before approval; you know, as a first defense against apps that look to imitate the lock screen and steal passcodes...
This just in: 15% of developers steal the passwords of 80% of all (stupid) users!
Seriously...isn't this just a tad "evil" behavior? Even if it's done to prove a point, surely this guy shouldn't be stealing his users' passwords?
No kitty, this is my pot pie!
Not by default; you can set it up that way.
93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
That's amazing! I've got the same combination on my luggage!
So, the most common age of the user is 13?
Or the most common age of their offspring?
-AI
For me, it is far better to grasp the Universe as it really is than to persist in delusion
Why lock the iPhone? If you lose it and it is unlocked maybe someone will try to contact someone on your list and return it.
In general the iPhone keyboard makes using #$_*! etc and CaPitaLiz3d passwords harder than it should, which tends to lead to bad security. I'd be interested to know how many people use the same iPhone 4 digit code as their PIN for their debit. Though it looks like the phone lock is more of a 'get me past this lock quickly', which says a lot about how people want to use their phones.
The guy steals people's passwords, then posts about it?
I'm a good cook. I'm a fantastic eater. - Steven Brust
15% of iPhones are locked using one of ten codes.
You have ten login attempts before the phone wipes itself.
Thus, if you try each of the top ten codes on a random iPhone, you have a 15% chance of entering the right code before it wipes itself.
Also, I think you meant "successive".
How can I believe you when you tell me what I don't want to hear?
What I find most amazing is that the iPhone only allows 4 digit 0-9 passcodes. That's only 5040 unique codes if I remember the math correctly.
Knowledge Brings Fear
I have a trivial code on my iPhone, just there to provide a speedbump. If my phone were to be lost I'd change my personal & work email passwords. So what? Is anyone supposed to assume that the iPhone passcode provides any real security? If the phone auto-locks after 3 minutes, who wants to put in a 20-character passphrase? BTW, the iPhone passcode is not limited to 4 digits, you can use the entire alphanumeric keyboard, up to at least 10 chars.
rooooar
Most of those are not surprising, but what happened on May 6th 1983 that's so significant?
If the application used a "swipe to unlock" type of mechanism to emulate the iPhone's unlocking mechanism, then this violates an Apple patent.
The whole thing is flawed. His is a gimmicky free app. Clearly most users downloaded it, tested it with a stupid passcode, like the 2 most common "1234" and the app default "0000" and then quickly forgot about it. Got to give him props for PR though, who knows how many downloads he is going to get out of this story.
If all else fails, immortality can always be assured by spectacular error.
I did a study on mobile passwords, be they numeric or graphical. The conclusion was the same for each and every password method: people usually choose graphical configurations like crosses, spirals and diagonal lines. They rarely choose the numbers or focal points of the images that were on the background.
I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
Also, I think you meant "successive".
No, he was just being optimistic about guessing wrong.
I'm surprised 1998 is a common passcode, is this a birthdate? It's in amongst obvious 1234, 2222, 0000. But it corresponds to an age of approximately 13. Many 13 year olds with an iPhone? Or this age group least security aware?
Top ten PIN codes:
1234
0000
2580
1111
5555
5683
0852
2222
1212
1998
This is interesting. 5683, 2580, 0852 don't seem to have any special significance, they aren't even a particular pattern on the keypad, nor especially natural to punch in, i.e. right handed, using your thumb.
Is this some odd human cognitive bias revealing itself?
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
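A passcode setup screen can screen out codes like the ones in the top-ten list above before accepting them. The following is an added example, not part of the original thread or of the app discussed; the `weakness_reasons` function and its rule names are assumptions made for illustration.

```python
"""Weak-PIN screening for a 4-digit passcode setup screen (constructed example)."""

# Top-ten list exactly as posted in the thread.
TOP_TEN = {"1234", "0000", "2580", "1111", "5555",
           "5683", "0852", "2222", "1212", "1998"}

# Standard phone keypad layout: digit -> (row, column).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def weakness_reasons(pin, blocklist=TOP_TEN):
    """Return the rules a PIN trips; an empty list means no rule fired."""
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected exactly four digits")
    reasons = []
    if pin in blocklist:
        reasons.append("blocklisted")
    if len(set(pin)) == 1:
        reasons.append("single repeated digit")
    elif pin[:2] == pin[2:]:
        reasons.append("repeated pair")
    # Counting up or down by one (1234, 4321, ...).
    digits = [int(c) for c in pin]
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        reasons.append("counting sequence")
    # Same key-to-key movement three times means a straight line on the keypad.
    moves = {(KEYPAD[b][0] - KEYPAD[a][0], KEYPAD[b][1] - KEYPAD[a][1])
             for a, b in zip(pin, pin[1:])}
    if len(moves) == 1 and moves != {(0, 0)}:
        reasons.append("keypad line")
    # Birth years and other dates: assumed range 1900-2099.
    if 1900 <= int(pin) <= 2099:
        reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    for candidate in sorted(TOP_TEN) + ["4321", "2046", "7395"]:
        print(candidate, weakness_reasons(candidate) or "no rule fired")
```

A code that trips no rule is not thereby strong; the rules only catch the structural patterns visible in this one list.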
is that if someone steals or finds a lost iPhone, he has a 15% chance of unlocking the device and accessing the data within before it gets wiped just by trying out the passwords on the aforementioned top 10 list."
I think that might be off -- If someone steals or finds a lost, working iPhone; he probably has an 80 - 90% chance of finding the device not secured with a passcode to begin with.
If he happened to get so unlucky as to find one of the 20% of iPhones with a passcode; he has a 15% chance of unlocking that locked device.
That brings it closer to a 100% chance of gaining access to it; if the found phone works at all -- only an 85% chance of it using an uncommon passcode. Just because it's uncommon doesn't mean unguessable -- it depends on how much the thief knows or can find out about the person. If the thief gets the wallet too, they might try the birthdate on driver's license or do other research about numbers significant to the person (increasing chances of an unlock beyond 15% for fixed common) -- if we include things like phone numbers, anniversary year, 15% might be a real low ball for the amount of passcodes based on such guessable concepts.
If someone steals or finds a lost, working iPhone; he probably has an 80 - 90% chance of finding the device not secured with a passcode to begin with.
Jeebus. I lock my android phone, and my nook color which runs android, with the swipe lock. My friends and their iPad? Not so much, and they're nerds who should know better
By and large, language is a tool for concealing the truth. -- George Carlin
All this says is that 15% were one of the top 10 FOR HIS APP. This makes the very large assumption that people who were paranoid enough to buy his app are going to be fooled and use the same password that they do to lock the phone. They very well might, but his app doesn't prove that.
It brings it closer to an 83% chance of accessing it, actually. Not 100%. (15% of top passcodes x only 20% of iPhones locked = 3% of total iPhones use one of the top passcodes).
I lock my android phone with a pattern which is fairly pointless as you can see streaks on the screen from where I've swiped it in
Yes, I'm aware that I can change it to a password or pin which would be more secure, but to be honest having any sort of "lock" on my phone is less about security and more about not making calls etc while the phone is in my pocket.
2046 didn't make the top 10.
"Someone didn't bother reading my carefully prepared memo on commonly-used passwords. Now, then, as I so meticulously pointed out, the four most-used passwords are: love, sex, secret, and...god. So, would your holiness care to change her password?" -Fisher Stevens; Hackers (1995)
"I hope you know how very lucky you are to know me, because I am so incredibly incredible."
The good news is, with Find My iPhone (free since iOS 4) you can remotely set a lockscreen code AFTER it has been stolen. So if you a) don't have any super-secret stuff on your phone and b) notice it missing soon after it's stolen, the worst that will happen is the thief will make some calls and use some data. Of course, my preference would be for the thief to keep using the phone, and hopefully Find My iPhone would enable me to actually recover the phone.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Certainly not me! I don't need to give somebody my passcode for the heck of it!
---jstlook ---For that is the way of Elves, for they say both yes AND no, and mean every word of it. --- J.R.R.T.
I never locked my iPhone until I accidentally left it somewhere. Fortunately, it was there when I got there but I'd have been boned if someone picked it up and did nefarious things with it before I could reset passwords/passcodes.
Now it's set to lock after 5 minutes of non-use and to nuke itself after 10 bad passcodes.
And no, I don't use the same PIN on my ATM card.
What nefarious things could be done, honestly? On my android based phone they could send email, make phone calls, send some texts...that's about it. Although if they wiped my Hex Defense scores I'd be pretty pissed.
I'm going to have to call Jenny about this
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
Of course, my preference would be for the thief to keep using the phone, and hopefully Find My iPhone would enable me to actually recover the phone.
I have mixed thoughts about that. If more people reported their phone stolen immediately, to have the IMEI blocked by all the cell networks, it could be somewhat a deterrent against theft too. If you want to add a passcode remotely, better remove sensitive data too.
The Find My iPhone function may indeed be used by some people in those situations.
There is also a problem, that if you don't have it deactivated immediately, and the thief racks up a few thousand in usage charges, e.g. international calls (your phone used by the thief to fraudulently re-sell toll calls) or overseas data roaming, you could be on the hook for some serious $$ in some cases.
The lost iPhone may be $600 to replace, but at least you can be confident there is such a strict limit to your losses, if you do brick/deactivate the phone's service before the perp can abuse the phone's access to your account.
It should be noted the passcode protection is only good against unsophisticated thieves. There are ways to bypass the passcode and then remove it/view it, or gain access to all data on an iPhone, without requiring any silliness of attempts, or trying to guess the passcode.
That is there are some people who can gain access to 100% of fully working iPhones, with physical access and sufficient motive, common passcode or not.
For this reason.... I don't think there's anything irrational about the decision to use a weak/easy passcode.
Until Apple actually encrypts all data on the phone with the authenticator, that is, and uses biometrics, such as face recognition, rather than manual entry of digits.
That's the kind of a combination an idiot would have on their iPhone.
Isn't it actually more likely that the person who found it was honest?
I know of a few people who've lost their phones and recovered them because the person who found it called some of their friends using the phone.
If you lock it it's probably less likely you'll get it back.
Yeah, this. I turned the "draw a pattern to unlock" feature on about a day after I got my Desire, after the second time my pocket called someone.
The vertical swipe to unlock is nice and different to Apple's horizontal swipe to unlock, but it's rather easy for my phone to do in my pocket.
If I found a locked phone I would keep it nearby and wait for it to ring.
If I found a locked phone I would keep it nearby and wait for it to ring.
(Sorry, I posted this in the wrong thread first time. Now I have to make a pointless change in order to re-submit...)
This is why phone insurance is a good idea for anyone who has a handset worth more than a couple of hundred and a contract. Insurance covers you for loss, theft or damage to the handset and also covers any fraudulent calls made on the device.
Block phone, claim on insurance, get replacement.
'Find my iPhone' is all well and good but if it has actually been stolen what are you going to do, go round their house and ask for it back? I guess you could hand the information on to the police but leaving the phone unblocked for days on the off chance you will be able to have the police recover it is a pretty big risk. As well as fraudulent calls and the data you have on the device you also expose anyone who calls your phone to whichever scumbag stole it.
When Google first demo'd android, they used a G pattern. Though it may be many degrees higher of potential security, I wonder how many people just spell a letter.
I8-D
Imagine that... An app designed to catch people trying to break into your iPhone collects a bunch of common passwords...
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage!
AT&T does not lock out IMEIs, my brother tried when his wife's iPhone was stolen. AT&T actually sees it as a good thing, because now they have the possibility of adding another subscriber (the thief or whoever he sells to) and you have to pay an absurd amount of money for a new phone (unless you have insurance).
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
Knowing where your iPhone is is only half the battle (probably less than half). The rest of the problem is getting the police to actually do something about it. From what I've read, most police departments are not that interested in pursuing something like this even if you can show them where the thief is. And trying to get your phone back yourself, from some guy who stole it from you? Not recommended.
What do you recommend for phone insurance? Personally I like the concept, I just worry that any plan that looks financially reasonable ($3-4 per month max) will be ridden with loopholes and filing a claim will be impossible.
Beyond that price point, after two years, you're in the ball park for what you can get a new iPhone for with a new contract discount, making it something of a bad bet, although mid-contract replacement is probably the pricey risk you're actually insuring against.
But while I'm thinking out loud, what about homeowner's insurance? Shouldn't it cover that kind of a loss?
How about receive e-mails?
I would think the ability to reset almost any password would be pretty strong (access to SMS + E-mail gets you into a lot).
Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
Most home insurance has phones excluded from 'out of the home' cover unless you add it specifically. If you do add it then you also get cover from fraudulent calls which is a necessity if you are on a contract.
You invariably get the best deal by just adding phone cover to your house contents insurance. Much cheaper, and you don't need a separate policy. It also has the added benefit that the claims tend to be easier as they care more about keeping you as a customer.