Passcodes Prove Predictable
mikejuk writes "Research reveals something we all suspected but couldn't prove — in a four digit pin the most popular first digit is one, the most popular second digit is two. Entropy only really kicks in on the third and fourth digits. What is more, looking at the frequencies of four digit groups, just 10 different passcodes would be enough to unlock one in seven iPhones!"
This is simple to fix! Everyone, make sure to start all your passcodes with "4" instead of "1" and this attack will be easily foiled!
This Space Intentionally Left Blank
Isn't this a repost of the iPhone app developer who made the photographing lock screen and kept anonymous stats of the "passcodes" people entered into his lock-screen-like lock screen?
0000
Benford's law. If the data isn't truly random (and in the case of something someone chooses, it isn't), it probably applies.
The 0000 guys feel much more secure now!
It's the least likely to be used!
Almost everyone picks 7. When picking a 4 digit passcode, it's inevitable people will pick the same code.
Not much in my phone is worth having. The only reason to lock it is to make butt-dialing harder.
If you're keeping sensitive info in your iPhone, and not protecting it with anything more than the phone's unlock code, you're a dope.
Here's a clue: don't let anyone mess with your phone when you're not there to stop them.
My iPhone PIN was required to be 6 digits, so I guess I'm safe :P Interestingly both of my 4-digit PINs that I use for other purposes do start with "1".
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
That the most common first digit is 1 might just be an application of Benford's law:
http://en.wikipedia.org/wiki/Benford%27s_law
I am sure that most people are aware that the entropy of passcode space is culturally dependent.
One way of evading the cultural diminution of passspace entropy is through a selection technique known as "shocking nonsense." (Google)
The sample set for this data is people who are dumb enough to type their unlock code into a fake login app which has been removed from the app store.
I wonder if this is representative of the population as a whole.
So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!
My 4-digit pin is always Earth's space sector. That stupid Green Lantern movie made my pin a mainstream thing instead of a quasi-obscure easy-to-remember number.
Is this an instance of Benford's law?
"According to this law, the first digit is 1 about 30% of the time, and larger digits occur as the leading digit with lower and lower frequency, to the point where 9 as a first digit occurs less than 5% of the time."
How about bank ATMs?
The last time I went to change my pin at the bank, I spent the better part of the walk there (20-30 minutes) developing the perfect algorithm to calculate my pin. It changed with the date, had variables from my life, my spouse's life, my dog--you name it. At the teller, I anxiously put in my 7-digit number, and it kept refusing it. By the fourth attempt, the teller was visibly irritated that I couldn't type in my pin number the same twice in a row. After discussing it with him, he told me that I was capped at four digits--4!!! I had to truncate my number on the spot, and every time I go to the bank now, I keep screwing up the place in which I had truncated my perfect number.
Last week LulzSec released a list of everybody in the world's PIN. I found mine in there anyway!
Done
People don't realize it, but most numbers start with one. It's called Benford's Law. People expect things to be more "random" than they really are.
Clearly, with the size and complexity of the human neural network, and the amount of gooey analog stuff going on in there, humans should be physically capable of generating reasonably high quality entropy for cryptographic purposes. In the same vein, the occasional appearance of atypical or well-trained subjects demonstrates our theoretical capacity for storing reasonably large keys.
Unfortunately, the African savanna environments of ~500,000 years ago had a dearth of predators that culled according to weakness of RNG, rather than weakness of body. To ensure the future of computer security, it seems obvious that we must supply this unfortunate evolutionary deficit.
Damn it, now I'm going to have to change all of my PINs.
Is it just my observation, or are there way too many stupid people in the world?
9 out of 10 iphone users don't know how to lock their phones or have never bothered to setup a passcode.
We have the best government that money can buy.
Since people are likely to use passcodes based on real-world numbers so they can be remembered, perhaps Benford's law applies.
http://en.wikipedia.org/wiki/Benford's_law
I memorize an offset into the digits of pi and use the digits found there as my PIN. Too bad my offset is always zero... (PIN=3141)
The best code is 9991. If you're going to brute force it, most everyone would start at 0000 and it would take 9991 tries. If you're going to bruteforce descending from 9999 you'd get through 4 or 5 before you decided it was too much trouble. ;)
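The analysis the summary describes (per-position digit frequencies, and how much of a population the ten most common codes cover) and the brute-force ordering question raised in the 9991 remark can both be made concrete in a few lines. The following is an added example, not code from the article or from any poster in this thread; the PIN sample is constructed with a deliberate bias toward years and keypad patterns, and the "attacker dictionary" is built from that same sample, which flatters the attacker compared with training on a separate population.

```python
"""Frequency analysis of a 4-digit PIN sample and two brute-force orderings.

Added example; the sample below is constructed, not the study's data.
"""
import math
import random
from collections import Counter


def make_sample(n=2000, seed=7):
    """Constructed PIN population: some keypad/repeat patterns, some birth
    years, the rest uniform. Real data would come from a survey or a leak."""
    rng = random.Random(seed)
    common = ["1234", "0000", "1111", "1212", "7777",
              "2580", "1998", "2011", "1004", "4321"]
    pins = []
    for _ in range(n):
        r = rng.random()
        if r < 0.15:
            pins.append(rng.choice(common))
        elif r < 0.35:
            pins.append(str(rng.randint(1950, 2011)))
        else:
            pins.append(f"{rng.randrange(10000):04d}")
    return pins


def position_frequencies(pins):
    """One Counter of digits per PIN position (0..3)."""
    counters = [Counter() for _ in range(4)]
    for pin in pins:
        for pos, digit in enumerate(pin):
            counters[pos][digit] += 1
    return counters


def most_common_digits(pins):
    """The most frequent digit at each position, concatenated."""
    return "".join(c.most_common(1)[0][0] for c in position_frequencies(pins))


def top_k_coverage(pins, k):
    """Fraction of the population unlocked by guessing the k most common
    PINs; the article's '10 codes unlock 1 in 7' is this with k=10."""
    counts = Counter(pins)
    covered = sum(n for _, n in counts.most_common(k))
    return covered / len(pins)


def sequential_order():
    """Naive brute force: 0000, 0001, ..., 9999."""
    return [f"{i:04d}" for i in range(10000)]


def frequency_order(training_pins):
    """Dictionary attack: most common PINs first, then the rest by number."""
    counts = Counter(training_pins)
    return sorted(sequential_order(), key=lambda p: (-counts[p], p))


def expected_guesses(pins, order):
    """Average number of attempts before the victim's PIN is reached when
    the attacker tries candidates in the given order."""
    rank = {pin: i + 1 for i, pin in enumerate(order)}
    return sum(rank[p] for p in pins) / len(pins)


def benford_first_digit(d):
    """Benford's predicted share for leading digit d, log10(1 + 1/d)."""
    return math.log10(1 + 1 / d)


def main():
    pins = make_sample()
    print("most common digit per position:", most_common_digits(pins))
    print("share unlocked by top 10 codes: %.3f" % top_k_coverage(pins, 10))
    print("mean guesses, sequential: %.0f" %
          expected_guesses(pins, sequential_order()))
    print("mean guesses, by frequency: %.0f" %
          expected_guesses(pins, frequency_order(pins)))
    first = position_frequencies(pins)[0]
    for d in "123456789":
        print("leading %s: observed %.3f  Benford %.3f" %
              (d, first[d] / len(pins), benford_first_digit(int(d))))


if __name__ == "__main__":
    main()
```

Run it and compare the sequential and frequency-ordered means: with any lockout after a handful of wrong attempts, what matters is not the mean but the top-k coverage, which is why a short list of popular codes is the real threat to a 4-digit passcode. The Benford column is only there because the thread keeps invoking it; the sample's leading-digit share is driven by the year-shaped codes, not by the magnitude spread that Benford's law assumes.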
I was thinking about this topic the other day but logically thought 1 would be less used. Talking to people about how they remember passcodes they almost always state they base it off an acronym or phrase so with 1 not typically having any letters assigned to it (think T9 style) it would be used less.
Taking it a bit further one could most likely deduce which numbers were most likely to show up in a passcode as they contain multiple frequently used letters.
Disclaimer: These are entirely non-researched assumptions, completely ignorant of how the real world actually functions. I just find it convenient to see published work on a topic I was pondering recently.
that the office needs posts it to keep track of them.
I don't have an iPhone, so can someone explain this? Why would people pick 4 numeric digits as a password? Is there something about the device that limits you to passwords of that form?
Even on my mobile device, my password is longer than that and uses letters as well as numbers.
No-one can guess my Slashdot password!
I suck.
That's a failure in training.
It's trivially easy to get a strong password. People just don't know how to think about it.
Example:
First Pet, Hobby. Vowels are numbers.
So for me:
T0by_G4m3r
For uniqueness, add an indicator unique to what it is you are logging into.
So:
T0by_G4m3r_a_J0b
No, that isn't the combo I use.
The Dunning-Kruger effect explains most posts on
DH "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage! " ...
CS: "It worked, sir, we have the combination"
PS: "that's great, we can now take every last breath of fresh air off Druidia, what was the combination?"
CS: "12345"
PS: "12345?"
CS: "yes"
PS: "that's amazing, I have the same combination on my luggage"
Who knew that Mel Brooks was so visionary?
Just because you're paranoid doesn't mean they aren't out to get you
While the same may be true for all uses of passcodes, I think an iPhone is a poor place to conduct the research if you want to generalize it. I'm much more random with my ATM codes and house lock code than I am with my iPhone. The reason being I care about the first two, whereas the iPhone code I only need to comply with my corporate security policy and I'm really looking for a code that is easy to unlock so I can use my phone in the shortest amount of time possible. Turns out I'm still better off than most with my codes, but that was just dumb luck as I structured the iPhone code so it would be easy for me to enter with one hand rather than so it would be secure.
4-digit PINS are nearly useless. I use a 16-digit pin-code plus 256-bit AES encryption of all of my sensitive data.
I guess 1777 is now just plain out the window as a good passcode.
Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
It is called Benford's Law, and it has been known for over 100 years. It isn't just pass codes, it is almost all large sets of numbers.
I have an Android, not an iPhone, but assuming security is implemented the same way, it's ridiculous. There's no way to set a timeout, so after every call the phone secures itself. If I want to make multiple calls, I have to enter the damn PIN between each one.
Dear developers, please leave the phone unlocked for 10 minutes after I enter my PIN, or better yet let me choose how long to set it.
Never let a lack of data get in the way of a good rant.
Cool, now I have to think of a new one every 3 months :P
It doesn't mean much now, it's built for the future.
I would bet that most are the last 4 digits of your phone number or social security number. Knowing that, you can probably get into my garage.
Offer something besides numbers in the code. Look, it's an option of 4 characters from a 10-character set. If you want people to be more secure in their own daily uses, allow them to use a larger character set. Give the option to use letters (26 characters) and even symbols. It won't fix the problem, but it will decrease its prevalence.
Yes, and if people only ever needed one password and didn't need to change it that would be fine.
However, the very first rule of strong passwords is to never use the same password on two different systems. So "it's trivially easy to get a strong password" is useless; you need to say "it's trivially easy to get fifty strong passwords and remember which password gets into which system."
(I actually have more than fifty passwords, but let's call it fifty for now.)
But a lot of systems these days also require you to change them every 90 days or so, and not re-use any of your last ten passwords, so what you really really meant to say is "it's trivially easy to get five hundred strong passwords, and remember which password gets into which system, and which one is the current password and which ones were old passwords that aren't used anymore."
And that's not so trivial.
http://www.geoffreylandis.com
Look at garage door openers. How many different combinations of "passcodes" are available to choose from? It would be trivial for me to take my garage door opener and start guessing 'passcodes' until I can open my neighbors garage door.
A lot of things that we take for granted aren't as secure as we think they are.
What about the lock on your front door. It's still not too difficult for a determined criminal to break in.
Interesting that the second digit is frequently 2. I would have really expected it to be a 9 and would have expected it to switch to 2 and 0 for first and second over the next few decades.
AJ Henderson
I'm getting old...
First Pet, Hobby. Vowels are numbers.
True, but then you give everyone else in the company the method for determining everyone else's password. Because, as sure as there are bad password guessers, there are people that will copy your exact method, even if you tell them to create their own. These are usually the people in the most sensitive areas.
Most company data thefts are inside jobs. And given enough time of just socializing, you could get a good idea to salt a password cracking program for very high accuracy.
I8-D
I like the idea of simple geometric transpositions of a common number for forming a pin. Take the year of a major event for example, but form your own number pad pattern that does not correspond with the actual keypad, but can be easily remembered. Makes it really easy to remember my pins without having them be easy to guess since people don't know my transposition and can't easily figure it out unless they compromise multiple of my pins.
The Error dialog from my current job, after I had accidentally tried to re-use an old password: Change Password Your password must be at least 8 characters, cannot repeat any of your previous 7 passwords and must be at least 9 days old. Please type a different password. Type a password which meets these requirements in both text boxes.
Sucks when the last 4 of your SSN is 12xx like mine and everybody in hell gives you a default PIN of the last four of your SSN.
... "That's amazing. I've got the same combination on my luggage."
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
As it is the closest button to the "Emergency Call" button, and anyone who has tried to unlock their iPhone with one hand will tell you, that you end up hitting it pretty often which is annoying. Also the name also makes me think it is about to auto dial 911, which always freaks me out.
I ended up typing my stupid 26 character hex WEP key so many times that I ended up memorizing it. I now end up using this (slightly modified) in many places where long passwords are allowed and the safety of my data is non-trivial. If you have memorized product keys for anything you might consider using that too as a base for your longer passwords.
Granted, it doesn't have a wide range of possible characters, so I capitalize part of the alphabetic characters according to a pattern only I know. This being used as the passphrase for another encryption algo is definitely better than most passwords and since it doesn't use symbols it doesn't have much of a problem being used in web-forms (I'm looking at you Microsoft, and the inability to use the & symbol as the leading character in many of your password fields like Outlook Webmail). (I understand that reduces the possible password complexity and combinations, but if someone really wants to make rainbow tables this large, be my guest... fact is, I can easily remember a password that is freaking huge, is not written down anywhere, and is unique for everything I use it in).
What I have been doing to randomize it is to type the previously mentioned static 26 character string of mixed case gobbledygook appended with the basic name or description of what I'm authenticating to. This makes it one hell of a password which is unique across all of my different services and in effect secures my various web accounts from each other if one of the other parties' systems is breached and password lists compromised. Now I only need to remember the simple name I chose to use for a place or company instead of a specific password. Good luck building a rainbow table for my passwords; you would have better luck compromising either myself, the location where my data is stored, or bypassing the authentication itself.
As for the places which have small limits on their passwords (i.e. 4-8 character max), especially in web forms where you can't really use all of the symbols due to them not being acceptable as input (i.e. "&") or are stored in plain text or without salt on the device being authenticated to; the people who designed those authentication systems should be systematically shot.
In any case, memorizing the 26 character key which no one else knows (and is no longer related to my wireless network since it's WPA-256 now) actually wasn't as hard as I thought... once Windows got a bug in it which would make it forget my key every time I had to connect... (and it used to ask twice for the key each time I had to enter it). It reads in my head as it would if you were reading a really long product key (grouped clumps) out to someone, or how it sounds when you recite the alphabet (recall based on surrounding characters and the pattern (mental song) of the recital itself). abcd-efgh-ijkl-mnop-qrst sort of grouping while I'm recalling it from memory, but it has a song or pitch component too. The only part I have to pay any attention to now is the simple name of what I'm logging into.
On another note, if anyone knows what this pattern/system of memorization is called I would be interested in links, as it's the only way I have been able to memorize large strings of information accurately and without problems during recall.
1 in 7's not bad, but from my experience as an iOS developer in a large company, the current year (or last year) works 2/3 of the time. A 4-digit passcode is not security, it's a minor deterrent to your friends using your phone to post embarrassing things in your accounts.
mine is 3726... oops, there goes my account control :)
Never anthropomorphize computers, they do not like that
These are the codes people entered into a lock screen "alarm" app. Most people likely did not enter their real code in it. Maybe some people felt a lock app that you could get around with the home button was a good idea and actually used it...
This is not surprising because in mathematics there is a law called Benford’s law after one of its main founders, Frank Benford, who discovered it in 1935 as a physicist at General Electric. The law tells how often each number (from 1 to 9) appears as the first significant digit in a very diverse range of data sets.
So in other words there is nothing unusual about this because the four digit pin number is just another data set. This law tends to be more accurate when values are distributed across multiple orders of magnitude. Because the 4 digit pin number spans several orders of magnitude, the 4 digit pin number is therefore following Benford's law.
Warm regards
Slashdotgirl
The more I know, the less I know
These are the first two digits in the PIN for my debit card. To the best I can remember, my first debit card pin was 1121, and somewhere along the lines it switched to 1211.
How many stories a week do we need on the front page that say the exact same thing?
I get it. People are dumb and use bad passwords. People need to be educated about it. I don't need one article per each device/service that uses passwords!!