Slashdot Mirror


Passcodes Prove Predictable

mikejuk writes "Research reveals something we all suspected but couldn't prove — in a four-digit PIN the most popular first digit is one, the most popular second digit is two. Entropy only really kicks in on the third and fourth digits. What is more, looking at the frequencies of four-digit groups, just 10 different passcodes would be enough to unlock one in seven iPhones!"
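The summary makes two measurable claims: the first two digits are skewed, and a short list of codes covers a large share of users. The following is an added Python example, not code from the article or its source, that audits a PIN population for exactly those properties (per-position Shannon entropy and top-k coverage); the sample PINs and function names are constructed for illustration.

```python
from collections import Counter
from math import log2

# Constructed sample, NOT the article's data: a handful of heavily reused PINs
# plus a spread of distinct ones, 100 PINs in total. The reused PINs start with
# 1 or 0 and mostly have 2 as the second digit, mimicking the reported skew.
COMMON = ["1234"] * 20 + ["1111"] * 10 + ["0000"] * 8 + ["1212"] * 6 + ["2580"] * 4
# 50 distinct filler PINs: first digit 0-4, second digit 0-9, last two digits
# derived from the second digit so that they are spread across all ten values.
SPREAD = [f"{d}{j}{(3 * j + 1) % 10}{(7 * j + 2) % 10}" for d in range(5) for j in range(10)]
SAMPLE = COMMON + SPREAD + ["5050", "5678"]


def digit_frequencies(pins, position):
    """Relative frequency of each digit at a 0-based position across the sample."""
    counts = Counter(pin[position] for pin in pins)
    total = len(pins)
    return {digit: count / total for digit, count in counts.items()}


def most_common_digit(pins, position):
    """The single most frequent digit at a position (ties broken arbitrarily)."""
    freqs = digit_frequencies(pins, position)
    return max(freqs, key=freqs.get)


def shannon_entropy_bits(freqs):
    """Shannon entropy in bits of a frequency table; log2(10) ~ 3.32 for uniform digits."""
    return -sum(p * log2(p) for p in freqs.values() if p > 0)


def positional_entropy(pins, length=4):
    """Entropy of each digit position; a low value means that position is predictable."""
    return [shannon_entropy_bits(digit_frequencies(pins, i)) for i in range(length)]


def top_k_coverage(pins, k):
    """Fraction of the sample that is among the k most frequent PINs, i.e. the
    share of users a k-entry blocklist would force to choose something else."""
    counts = Counter(pins)
    return sum(count for _, count in counts.most_common(k)) / len(pins)


def audit_report(pins, k=10):
    """Summarise the skew of a PIN population in the terms the summary uses."""
    return {
        "first_digit": most_common_digit(pins, 0),
        "second_digit": most_common_digit(pins, 1),
        "entropy_bits": [round(h, 2) for h in positional_entropy(pins)],
        f"top_{k}_coverage": top_k_coverage(pins, k),
    }


if __name__ == "__main__":
    for key, value in audit_report(SAMPLE).items():
        print(f"{key}: {value}")
```

On the constructed sample the first two positions carry about 2.1 and 3.0 bits against 3.3 for a uniform digit, and the ten most common codes cover 53% of users; the article's real data reports a far smaller top-10 share (about 15%), but the same measurements apply.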

123 of 167 comments

  1. Easy to fix! by Daetrin · · Score: 4, Funny

    This is simple to fix! Everyone, make sure to start all your passcodes with "4" instead of "1" and this attack will be easily foiled!

    --
    This Space Intentionally Left Blank
    1. Re:Easy to fix! by gnapster · · Score: 1

      I was going to try to make a first post about the entropy of /. first posts, but you disproved my theory.

    2. Re:Easy to fix! by jojoba_oil · · Score: 1

      Incidentally, my voicemail PIN begins with 41...

    3. Re:Easy to fix! by g0bshiTe · · Score: 1, Funny

      My passcode is 1234, which coincidentally is the same code as my luggage.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    4. Re:Easy to fix! by natedeeds · · Score: 1

      Whats your voicemail number?

    5. Re:Easy to fix! by Yvan256 · · Score: 1

      Too bad your password isn't five digits, otherwise it would have made a very smart, fresh and clever Spaceballs reference!

    6. Re:Easy to fix! by AvitarX · · Score: 1

      I'm really glad that mine (2345) is not on the list, I'm safe.

      The best thing is, I still have it on old services that have much stricter requirements (letters, more digits, etc.).

      A lot didn't force retro-active password rules. I actually think having a passcode that doesn't match the policy of a site is an advantage, especially when it's easy to type being only four digits, without any letters or special characters.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    7. Re:Easy to fix! by mcavic · · Score: 1

      I think it was close enough. :)

    8. Re:Easy to fix! by operagost · · Score: 1

      The cool thing is that when you type your PIN on slashdot, it just shows asterisks to everyone else, see? ****

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    9. Re:Easy to fix! by elsurexiste · · Score: 1

      I trolled people for the lulz only once in my life, and it was using this scheme, on Facebook. Boy, did they feel like idiots when they saw their passwords! XD

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    10. Re:Easy to fix! by DamnStupidElf · · Score: 2

      Trolling people on facebook is like shooting dead fish in a barrel with a nuclear weapon.

    11. Re:Easy to fix! by Anonymous Coward · · Score: 1

      One of the door codes at my work is 12345 (takes me a few seconds to remember why 1234 does not work).

      A similar door on the opposite side of the building has a different type of code lock that nobody seems to know the code for. Luckily the door only needs a hard tug before it opens.

  2. Repost by swb · · Score: 4, Informative

    Isn't this a repost of the iPhone app developer who made the photo-graphing lock screen and kept anonymous stats of the "passcodes" people entered into his lock-screen-like lock screen?

    1. Re:Repost by mikejuk · · Score: 1

      Damn it - I did do a search to make sure it hadn't appeared before. Sorry if it is a repeat.

    2. Re:Repost by Anubis+IV · · Score: 1

    3. Re:Repost by mikejuk · · Score: 1

      I can't understand how I missed it. I did a search for "passcode" and a few other things in the body text. Ah well.... try harder next time. mikej

    4. Re:Repost by Anubis+IV · · Score: 1

      Yeah, I did a search for "PIN" and got nothing, but "iPhone" found it pretty quickly.

  3. Otherwise known as... by Anonymous Coward · · Score: 1, Informative

    Benford's law. If the data isn't truly random (and in the case of something someone chooses, it isn't), it probably applies.

    1. Re:Otherwise known as... by Hatta · · Score: 1

      If the data is truly random on a logarithmic scale, Benford's law applies.

      --
      Give me Classic Slashdot or give me death!
    2. Re:Otherwise known as... by nog_lorp · · Score: 1

      Man, Slashdot is really down the drain. I expected Benford's law to be mentioned in the summary. If not there, one of the *first* comments. I also expected the first mention to be accurate!

      Now almost any article is like... "Wait what, they didn't mention [relevant science/math detail]!" Search for a mention in the comments... and the first one is halfway down *and* requires correction.

    3. Re:Otherwise known as... by bill_mcgonigle · · Score: 1

      I expected Benford's law to be mentioned in the summary. If not there, one of the *first* comments.

      There's one three hours before yours. I guess each Slashdot story also needs somebody browsing at +5 and then complaining that there are no good comments.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Pick a number between 1 and 10 by Chrysocolla · · Score: 1

    Almost everyone picks 7. When picking a 4 digit passcode, it's inevitable people will pick the same code.

    1. Re:Pick a number between 1 and 10 by gstoddart · · Score: 1

      Almost everyone picks 7.

      I always pick pi until they explicitly tell me they wanted an integer.

      --
      Lost at C:>. Found at C.
    2. Re:Pick a number between 1 and 10 by Z00L00K · · Score: 1

      You must get a lot of pies then.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    3. Re:Pick a number between 1 and 10 by orgelspieler · · Score: 2

      It's called the pigeonhole principle. If there are more pigeons than pigeonholes, at least one pigeonhole will have more than one pigeon.

      If 11 people are asked to pick a number between one and 10, then at least two will pick the same number. If there are 10,001 users of a product with a 4-digit pin, at least two will pick the same number. There are sure to be two people with the same number of hairs on their head in any sufficiently large city.

      This isn't about two people picking the same number, it's about several people picking from just a few numbers, thereby reducing the entropy of the passcode space.

    4. Re:Pick a number between 1 and 10 by uglyduckling · · Score: 1

      I always pick Avogadro's number, unless I'm told they want a number less than 10^23.

    5. Re:Pick a number between 1 and 10 by gstoddart · · Score: 1

      I always pick Avogadro's number, unless I'm told they want a number less than 10^23.

      Well, he did explicitly say "a number between 1 and 10", so Avogadro's number would be right out.

      Even among geeks, the pedantry of selecting non-integers will get you an eye roll, and maybe a friendly offer of a poke in the eye with a sharp stick. ;-)

      --
      Lost at C:>. Found at C.
    6. Re:Pick a number between 1 and 10 by bberens · · Score: 1

      That's not true. If 10 people are asked to select a number from 1-10 then the chances of a duplicate are quite high even if the numbers are chosen completely randomly. Since people are really bad at being random there will be an increased likelihood of duplication. The pigeon and hole example only works because there's already a pigeon in the first hole when the second arrives. In the "pick a number" example the numbers don't disappear for the next user.

      --
      Check out my lame java blog at www.javachopshop.com
    7. Re:Pick a number between 1 and 10 by IICV · · Score: 1

      Part of the problem is that people seem to think that a PIN must be four digits long. Most people's ATM PINs are that length, for instance, even though almost all banks support longer ones.

      For the iPhone I suppose it makes sense - doesn't the iPhone require a four digit PIN? - but pretty much everywhere else in life it doesn't.

    8. Re:Pick a number between 1 and 10 by Mark+J+Tilford · · Score: 1

      Even with fewer than 10 people, there's a high chance of duplication. 5 people independently picking digits from 1 to 10 have a nearly 70% chance of duplication;

      --
      -----------
      100% pure freak
    9. Re:Pick a number between 1 and 10 by war4peace · · Score: 1

      I think it depends on how you look at passcodes and whatnot. I tend to regard PIN numbers, passcodes and passwords as "something that has meaning to me" rather than "something that's generally easy to remember".
      A good few years back I was testing some applications that embedded within Microsoft Office 2000 and I had to perform MULTIPLE reinstallations of MS Office 2000 (up to 10 a day on various machines), up to the point the Serial Number was memorized. So I used that as password for some of my accounts. 25 letters and numbers is hard to crack, and furthermore I made each even letter an uppercase. It all looked like this: "b3X2sW25pQ7rF213p4Q7nBqY3". It all came naturally for me, though.
      The PIN numbers and passcodes I use follow the same simple mnemonic.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    10. Re:Pick a number between 1 and 10 by elsurexiste · · Score: 1

      That's incorrect. Chances are, the second picker has 0.9 of not choosing a chosen number. The third has 0.9 * 0.8 = 0.72 (28% that there would be a collision). With a fourth, 0.9 * 0.8 * 0.7 = 0.504 of not picking a chosen number, so almost 50% of the times there'll be a collision. This is the mathematical substrate behind birthday attacks.

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
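
The collision arithmetic the two comments above walk through (0.9, 0.72, 0.504 for successive pickers from ten values; nearly 70% for five pickers) as an added Python example that is not from the thread. It also carries the same calculation into the 10,000-code space of a four-digit PIN, which the comments do not do, to show how little of the article's 10-guess hit rate pure chance would explain; the function names are constructed.

```python
from math import prod


def prob_no_collision(pickers, values):
    """Exact probability that `pickers` independent, uniformly random choices
    from `values` possible codes are all different (the birthday calculation)."""
    if pickers > values:
        return 0.0  # pigeonhole principle: more pickers than codes forces a repeat
    return prod((values - i) / values for i in range(pickers))


def prob_collision(pickers, values):
    """Probability that at least two of the pickers chose the same code."""
    return 1.0 - prob_no_collision(pickers, values)


def no_collision_sequence(max_pickers, values):
    """P(all distinct) after 2, 3, ..., max_pickers picks: the step-by-step
    product the thread writes out for ten values, 0.9, 0.72, 0.504, ..."""
    return [prob_no_collision(k, values) for k in range(2, max_pickers + 1)]


def pickers_for_collision_probability(values, target=0.5):
    """Smallest number of pickers at which P(some collision) reaches `target`.
    For 10 values and target 0.5 this is 5 (the thread's "nearly 70%" case is
    the first one past 50%); for the 10,000 four-digit PINs it is about 119
    users, even when every user picks uniformly at random."""
    pickers, p_distinct = 1, 1.0
    while 1.0 - p_distinct < target:
        p_distinct *= (values - pickers) / values  # admit one more picker
        pickers += 1
    return pickers


def uniform_guess_success(guesses, values):
    """Chance that a fixed list of `guesses` codes contains one user's code if
    codes were chosen uniformly: 10 guesses against 10,000 PINs is 0.1%, so the
    article's roughly 15% for 10 guesses reflects skewed choices, not chance."""
    return min(guesses, values) / values


if __name__ == "__main__":
    print("ten values:", [round(p, 3) for p in no_collision_sequence(5, 10)])
    print("five pickers from ten collide with p =", round(prob_collision(5, 10), 4))
    print("4-digit PINs, 50% collision at", pickers_for_collision_probability(10_000), "users")
    print("10 uniform guesses against 4-digit PINs:", uniform_guess_success(10, 10_000))
```

Note that a collision among users (two people sharing a PIN) and a guesser hitting one particular user's PIN are different events; the first is what the comments compute, the second is what the summary's "one in seven" figure describes.
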
    11. Re:Pick a number between 1 and 10 by pclminion · · Score: 1

      That's not true.

      What isn't true? The statement that if 11 people select a digit between 0 and 9, at least two people will share a digit? Or if 10001 people select a four-digit sequence, at least two will share a sequence? Because both of those statements are fucking obviously true.

  5. Physical security by blair1q · · Score: 1

    Not much in my phone is worth having. The only reason to lock it is to make butt-dialing harder.

    If you're keeping sensitive info in your iPhone, and not protecting it with anything more than the phone's unlock code, you're a dope.

    Here's a clue: don't let anyone mess with your phone when you're not there to stop them.

    1. Re:Physical security by cbiltcliffe · · Score: 4, Funny

      Here's a clue: don't let anyone mess with your phone when you're not there to stop them.

      Really? Do you hear what you're saying?

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:Physical security by obarthelemy · · Score: 1

      There's one thing very much worth having in your phone: an easy way to dial toll numbers.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    3. Re:Physical security by rtfa-troll · · Score: 1

      Yes you're right. Claymore mines are immoral. He really should be more careful.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    4. Re:Physical security by element-o.p. · · Score: 1

      Well, the obvious way to interpret his sentence is, "Be sure to stop anyone from messing with your phone when you aren't there to protect your phone" which is, of course, a trifle difficult to do. However, it could also be interpreted as "Don't leave your phone unattended in an unsafe location" which is quite a bit more reasonable, and is, I suspect, what O.P. meant by what he said.

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
    5. Re:Physical security by cbiltcliffe · · Score: 1

      See, I thought that too. But then I got wondering:

      Who the hell is going to take a common as dirt phrase like "Don't leave your item unattended" and turn it into something bizarre like "don't let anyone mess with your item when you're not there to stop them." It's just so out there that I can't imagine they actually meant the first one....

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  6. 4 digits? by jomama717 · · Score: 1

    My iPhone PIN was required to be 6 digits, so I guess I'm safe :P Interestingly, both of my 4-digit PINs that I use for other purposes do start with "1".

    --
    while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    1. Re:4 digits? by hellkyng · · Score: 1

      My BlackBerry requires 7 characters/numbers or greater, and I even add in special characters to make things a bit more fun. Do you have any idea how hard it is to type Hunter2! into a BlackBerry?!? The upside is that the phone auto-wipes after three failed attempts, so I get put out of my misery pretty quickly.

      *Please excuse typos, posted from any mobile device other than BlackBerry

  7. Benford's law by Anonymous Coward · · Score: 1

    That the most common first digit is 1 might just be an application of Benford's law:

    http://en.wikipedia.org/wiki/Benford%27s_law

    1. Re:Benford's Law by Anonymous Coward · · Score: 3, Funny

      Since people are likely to use passcodes based on real-world numbers so they can be remembered

      Rather than using real numbers, people should try complex passcodes. My iPhone is locked with: 0000+9999i

    2. Re:Benford's Law by Geoffrey.landis · · Score: 1

      The distribution certainly looks like it follows Benford's law (probability of initial digit being n is logarithmic).

      In fact, to within noise, the graph of Benford's law http://mathworld.wolfram.com/BenfordsLaw.html
      is nearly indistinguishable from the graph in the article (original source: http://amitay.us/blog/files/most_common_iphone_passcodes.php )

      --
      http://www.geoffreylandis.com
    3. Re:Benford's Law by Kjella · · Score: 1

      Actually both for PIN codes, lottery numbers etc. people are very often using birth dates and such. Since a lot of people are born on 10-19th and 20-29th of a month, well.... it doesn't apply to 0 though because people don't think they're born on the 06th. It might look close to Benford's law but really it's not.

      --
      Live today, because you never know what tomorrow brings
    4. Re:Benford's Law by Kamiza+Ikioi · · Score: 1

      I also know that there are over 9000 combinations to any 4 digit passcode, and at least 100 start with 1 and 2. QED!

      I was actually thinking that most easily remembered 4 digit numbers are years, usually birthdays. And for the past 1000 years, they've all started with 1 until very recently. I now suspect that the use of the number 2 as the first digit will rise for the next 1000 years.

      --
      I8-D
    5. Re:Benford's Law by N0Man74 · · Score: 1

      I never liked using dates. It limits passcodes too greatly. I have used the last digits of phone numbers or addresses of people that I remembered from my childhood though. Numbers that haven't been valid for 20 years, for example, but that I have a strong personal memory of.

    6. Re:Benford's Law by nairatinu · · Score: 1

      I had the same conclusion. But why don't all the digits conform? The rule applies to any set of data derived from a natural phenomenon (even your tax return entries).

    7. Re:Benford's Law by selven · · Score: 1

      Could also be the birthday effect - a birthday that has four digits in it must begin with a one, and the second digit must be 0,1 or 2. Interestingly enough, under Benford's law the second digit is also significantly skewed toward lower numbers when the first digit is a 1, so to find out which effect is predominant we would have to look at the third digit.

      Ok, now I'm curious, want to go and snoop on a few thousand PINs for us?

    8. Re:Benford's Law by KritonK · · Score: 1

      I use a slightly less complex one: 1234+0i.

  8. Entropy of passcode space by h1q · · Score: 1

    I am sure that most people are aware that the entropy of passcode space is culturally dependent.

    One way of evading the cultural diminution of passspace entropy is through a selection technique known as "shocking nonsense." (Google)

    1. Re:Entropy of passcode space by cbiltcliffe · · Score: 1

      selection technique known as "shocking nonsense." (Google)

      Huh? How are you supposed to use Goatse as a passcode?!

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    2. Re:Entropy of passcode space by errandum · · Score: 1

      In a few years, if this sticks, we'll see a slashdot article about common words like n**** f** etc that should be avoided.

    3. Re:Entropy of passcode space by AndrewNeo · · Score: 1

      1, 2, 3, 6, 9, 8, 7, 4.

    4. Re:Entropy of passcode space by rmstar · · Score: 1

      One way of evading the cultural diminution of passspace entropy is through a selection technique known as "shocking nonsense." (Google)

      (from here):

      "Shocking nonsense" means to make up a short phrase or sentence that is both nonsensical and shocking in the culture of the user, that is, it contains grossly obscene, racist, impossible or other extreme juxtaposition of ideas. This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

      On the face of it the idea sounds good. But I would not use it without some additional care, because you never know under which circumstances you will be forced to surrender the passphrase. Then it better not be, for example, something brutal up the police, if you get my meaning.

      Anyway I don't see how this is supposed to help with pins.

    5. Re:Entropy of passcode space by jomama717 · · Score: 1
      From the top google article:

      This technique is permissible because the passphrase, by its nature, is never revealed to anyone with sensibilities to be offended.

      I know the article is written in the context of PGP secret passphrases, but if this technique were applied to normal passwords I can guarantee it will prove embarrassing. Such as when the CTO of your company is showing off his fancy emacs script that allows you to ssh into a server from the editor but fails to realize that the password field is not hidden before he tells you to log in using your outrageously obscene password...that one still makes me wince. Randomly generated passwords for me from that point on.

      --
      while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
    6. Re:Entropy of passcode space by Plekto · · Score: 1

      Of course, it doesn't have to be sexual in nature. You could have "rabid frogs" or "brittle soup" or something similar as a perfectly safe-to-view example in case it was ever found out.

    7. Re:Entropy of passcode space by elsurexiste · · Score: 3, Interesting

      I have said this once or twice in the past, but what the hell. :)

      I did research on this subject and you, sir, nailed it. People don't choose numbers: they choose patterns, all the time. The most common passwords are, unsurprisingly, lines. A few are one or two repeating digits. People also have a fondness of diagonals and spirals, although this is noticeable when there are 16 or more buttons. That being said, I'm surprised that 5683 is so common.

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    8. Re:Entropy of passcode space by elsurexiste · · Score: 1

      Reminds me of this pseudo URL shortener. I like it when people double check the link and uneasily open it. :D

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    9. Re:Entropy of passcode space by martyb · · Score: 1

      People also have a fondness of diagonals and spirals, although this is noticeable when there are 16 or more buttons. That being said, I'm surprised that 5683 is so common.

      (emphasis added)

      "5683" are the numbers on a phone keypad which correspond to the letters for "LOVE". FWIW, 5683 also spells: jove, lote, and loud.

  9. Sample Set by Swanktastic · · Score: 2

    The sample set for this data is people who are dumb enough to type their unlock code into a fake login app which has been removed from the app store.

    I wonder if this is representative of the population as a whole.

    1. Re:Sample Set by Opportunist · · Score: 2, Insightful

      Well, think about how stupid the average person is and realize that half of the people are even stupider.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Sample Set by BeanThere · · Score: 1

      Fortunately I doubt the average thief is much smarter either .. the article says "the implication is that a thief could safely try 10 different passcodes on your iPhone ... With a 15% success rate, about 1 in 7 iPhones would unlock" .. in reality the average thief would go "whuuu!?!?" about three sentences into reading this article.

  10. Dark Helmet by AgentUSA · · Score: 1

    So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

    1. Re:Dark Helmet by hal2814 · · Score: 1

      1-2-3-4-5? That's the same combination I use on my luggage!

    2. Re:Dark Helmet by cashman73 · · Score: 1

      As popular as the movie Spaceballs has become, it's still a great mystery why so many people continue to use a simple sequential number sequence like that as their primary password... I guess most people are idiots?

    3. Re:Dark Helmet by element-o.p. · · Score: 1

      Because it is easy to remember, and given a choice between "easy" and "secure" most people will choose "easy" unless forced to do otherwise. Even here on /. you see some pretty lively arguments between good password security and real-world usability. Think about it this way: do you use Enigmail or a VPN to correspond with others, or do you send your SMTP traffic in clear text from the free WiFi hotspot at the coffee shop?

      --
      MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
  11. iPhones!? by digitalderbs · · Score: 1

    How about bank ATMs?

    The last time I went to change my pin at the bank, I spent the better part of the walk there (20-30 minutes) developing the perfect algorithm to calculate my pin. It changed with the date, had variables from my life, my spouse's life, my dog--you name it. At the teller, I anxiously put in my 7-digit number, and it kept refusing it. By the fourth attempt, the teller was visibly irritated that I couldn't type in my pin number the same twice in a row. After discussing it with him, he told me that I was capped at four digits--4!!! I had to truncate my number on the spot, and every time I go to the bank now, I keep screwing up the place in which I had truncated my perfect number.

    1. Re:iPhones!? by Capt+James+McCarthy · · Score: 1

      Well, the other option is password/phrase requirements for secure systems nowadays. Changed every 60 days. Requiring so many different character combos that all users do is write down their password/phrase. So pick your poison on this. Either it's an easy pass phrase that can be 'guessed' or a pass phrase that is written on a card in your wallet.

      --
      There are no loopholes. It's either legal or it's not.
  12. That's nothing... by dbolger · · Score: 1

    Last week LulzSec released a list of everybody in the world's PIN. I found mine in there anyway!

    1. Re:That's nothing... by NuclearDog · · Score: 1

      Oh, funny. Mine didn't make the list.

      Bank teller will only let me have a 4 digit PIN. Went to an ATM and used the 'change PIN' feature. Could get it up to twelve digits. I settled on 10. Changed banks, did the same thing.

      I've yet to run into a single place where it doesn't work - I do get some really funny looks though when I start typing up a novel on the pin pad.

      --
      This statement is forty-five characters long.
  13. Most Numbers Start with One by Anonymous Coward · · Score: 1

    People don't realize it, but most numbers start with one. It's called Benford's Law. People expect things to be more "random" than they really are.

  14. Eugenics time! by fuzzyfuzzyfungus · · Score: 1

    Clearly, with the size and complexity of the human neural network, and the amount of gooey analog stuff going on in there, humans should be physically capable of generating reasonably high quality entropy for cryptographic purposes. In the same vein, the occasional appearance of atypical or well-trained subjects demonstrates our theoretical capacity for storing reasonably large keys.

    Unfortunately, the African savanna environments of ~500,000 years ago had a dearth of predators that culled according to weakness of RNG, rather than weakness of body. To ensure the future of computer security, it seems obvious that we must supply this unfortunate evolutionary deficit.

  15. Son of a bitch! by Overzeetop · · Score: 1

    Damn it, now I'm going to have to change all of my PINs.

    --
    Is it just my observation, or are there way too many stupid people in the world?
    1. Re:Son of a bitch! by Normal+Dan · · Score: 1

      Just do what I do. Put a * or two in your pin. Most people don't realize those are valid characters too. (note: they aren't)

      --
      A unique way to learn a language: http://languageloom.com
    2. Re:Son of a bitch! by Zocalo · · Score: 1

      Consider yourself lucky! I'm going to need to get some new luggage...

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:Son of a bitch! by Garridan · · Score: 1

      Well, you can use * in some banking systems, but wildcard matching really doesn't add as much security as the developers expected.

    4. Re:Son of a bitch! by ewibble · · Score: 1

      They should make it a requirement to have at least one * in your 4-digit PIN; that would solve the problem 8-).

  16. Re:Stupid Green Lantern movie! by tom17 · · Score: 1

    Me too! But I couldn't get ZZ9 Plural Z Alpha into 4 digits :(

  17. In other News by lupine · · Score: 1

    9 out of 10 iphone users don't know how to lock their phones or have never bothered to setup a passcode.

    1. Re:In other News by bkaul01 · · Score: 1

      That's not necessarily an oversight on their part. I don't usually have a passcode enabled on my (non-i)phone, since it's almost always in one of three places: in my pocket, in my hand, or on my headboard. It's just a hassle to type in every single time I unlock the phone, and an unnecessary one as long as I maintain sole access to the device. The slight risk that someone could mug me and steal it is one I'll just live with.

      On the other hand, the passcode I do use when I occasionally enable one (e.g. phone sitting around on the table where other people could pick it up) certainly doesn't fit the 1-2-x-x pattern in the story.

    2. Re:In other News by 93+Escort+Wagon · · Score: 1

      That's not necessarily an oversight on their part. I don't usually have a passcode enabled on my (non-i)phone, since it's almost always in one of three places: in my pocket, in my hand, or on my headboard. It's just a hassle to type in every single time I unlock the phone, and an unnecessary one as long as I maintain sole access to the device. The slight risk that someone could mug me and steal it is one I'll just live with.

      I stopped password-protecting my Android phone the second time it dialed 911 - stupid "Emergency Call" button...

      --
      #DeleteChrome
    3. Re:In other News by Overzeetop · · Score: 1

      You know, I tried it for a while. For me, it's just way too much effort. I don't have teen age friend who like to hijack my Facebook statuses. Or the nuclear launch codes.

      --
      Is it just my observation, or are there way too many stupid people in the world?
  18. Benford's Law by Bobtree · · Score: 4, Interesting

    Since people are likely to use passcodes based on real-world numbers so they can be remembered, perhaps Benford's law applies.

    http://en.wikipedia.org/wiki/Benford's_law

  19. Re:Stupid Green Lantern movie! by BLToday · · Score: 1

    You're still safe with that pin since the movie is a flop and it's definitely not going mainstream.

  20. 9991 by Control-Z · · Score: 2

    The best code is 9991. If you're going to brute force it, most everyone would start at 0000 and it would take 9991 tries. If you're going to bruteforce descending from 9999 you'd get through 4 or 5 before you decided it was too much trouble. ;)

    1. Re:9991 by Gideon+Wells · · Score: 2

      Dear god, the horrible flashback. Old phone, my passcode was originally 99XX, my phone number was 99YY. For some odd reason I bowed down to mocking and changed it to some random thing I forgot, either 5xxx or 8xxxx.

      I brute forced myself from 9999 to 9000, then I started from 0001 on up to the 5000s. In the meantime (around 3000) I went to my phone dealer and they tried tricking past it. What they and I didn't realize was they didn't fail. Their "trick" was deemed insecure and instead reset the passcode to your phone number instead of letting you right on in.

      Nearing 6000, on a hunch, I tried my phone #. My keypad was destroyed from all the typing. The 3, 6, and 9 keys were near unresponsive after that.

      --
      by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
    2. Re:9991 by Pope · · Score: 1

      Naw, it'll be in the house next to the house with no numbers. And the PIN will be 9992!

      --
      It doesn't mean much now, it's built for the future.
    3. Re:9991 by BeanThere · · Score: 1

      But if the best code is 9991, then a thief should try it first, which would make it not the best code, which would make something else the best code, which would make some other code the one thieves would try first, which ...

    4. Re:9991 by Caerdwyn · · Score: 3, Funny

      But if the best code is 9991, then a thief should try it first, which would make it not the best code, which would make something else the best code, which would make some other code the one thieves would try first, which ...

      But I surely cannot choose the wine in front of me.

      --
      Everybody gets what the majority deserves.
    5. Re:9991 by Kittenman · · Score: 1

      Isn't that Beethoven's code for his luggage? (First 4 notes of the 5th symphony.,.)

      --
      "The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
    6. Re:9991 by Pope · · Score: 1

      Best. Response. Ever.

      --
      It doesn't mean much now, it's built for the future.
  21. Ok let's make the password rules so long and hard by Joe_Dragon · · Score: 1

    that the office needs Post-its to keep track of them.

  22. Re:An explanation by Divide+By+Zero · · Score: 1

    Can we extrapolate and conclude that PINs starting with zero are over half the PINs out there?

    --
    Dare to Hope. Prepare to be Disappointed.
  23. Not me by xkuehn · · Score: 1

    No-one can guess my Slashdot password!

  24. Re:Stupid Green Lantern movie! by Gideon+Wells · · Score: 1

    Z = 26, 2+6 = 8
    P = 16, 2+6 = 7
    Z = 8
    A = 1

    8781 works?

    --
    by Anonymous Coward: I, for one, welcome the shift from car analogies to pizza analogies. um.. overlords?
  25. Disregard that by xkuehn · · Score: 1

    I suck.

  26. Re:My code is always... by Lucky75 · · Score: 1

    Nobody ever suspects the zero

    --
    DNA -- National Dyslexic Association
  27. Re:Ok let's make the password rules so long and ha by geekoid · · Score: 1

    That's a failure in training.

It's trivially easy to get a strong password. People just don't know how to think about it.
Example:
First Pet, Hobby. Vowels are numbers.

So for me:
T0by_G4m3r
For uniqueness, add an indicator unique to what it is you are logging into.
So:
T0by_G4m3r_a_J0b

No, that isn't the combo I use.

    --
The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  28. Spaceballs moment by waddgodd · · Score: 1

DH: "So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!" ...
CS: "It worked, sir, we have the combination."
PS: "That's great, we can now take every last breath of fresh air off Druidia. What was the combination?"
CS: "12345."
PS: "12345?"
CS: "Yes."
PS: "That's amazing, I have the same combination on my luggage."

    Who knew that Mel Brooks was so visionary?

    --
    Just because you're paranoid doesn't mean they aren't out to get you
  29. PINs are next to useless. by Inquisitor911 · · Score: 1

4-digit PINs are nearly useless. I use a 16-digit pin-code plus 256-bit AES encryption of all of my sensitive data.

  30. No more sticky bit passcodes by wintercolby · · Score: 1

    I guess 1777 is now just plain out the window as a good passcode.

    --
    Most ignorance is vincible ignorance. We don't know because we don't want to know. --Aldous Huxley
  31. Benford's Law by EverlastingPhelps · · Score: 1

    It is called Benford's Law, and it has been known for over 100 years. It isn't just pass codes, it is almost all large sets of numbers.

  32. Because it's a PIA perhaps? by Radical+Moderate · · Score: 1

I have an Android, not an iPhone, but assuming security is implemented the same way, it's ridiculous. There's no way to set a timeout, so after every call the phone secures itself. If I want to make multiple calls, I have to enter the damn PIN between each one.

    Dear developers, please leave the phone unlocked for 10 minutes after I enter my PIN, or better yet let me choose how long to set it.

    --
    Never let a lack of data get in the way of a good rant.
  33. Re:Ok let's make the password rules so long and ha by Pope · · Score: 1

    Cool, now I have to think of a new one every 3 months :P

    --
    It doesn't mean much now, it's built for the future.
  34. It's the last 4 of your number by Bardwick · · Score: 1

    I would bet that most are the last 4 digits of your phone number or social security number. Knowing that, you can probably get into my garage.

  35. Simple Way to Increase Security in This Case... by eepok · · Score: 1

    Offer something besides numbers in the code. Look, it's an option of 4 characters from a 10-character set. If you want people to be more secure in their own daily uses, allow them to use a larger character set. Give the option to use letters (26 characters) and even symbols. It won't fix the problem, but it will decrease its prevalence.

    1. Re:Simple Way to Increase Security in This Case... by Changa_MC · · Score: 2

The iPhone offers exactly the level of security the user requests.
iPhone users can choose between just swiping, a PIN or a pass-phrase. A pass-phrase can be of arbitrary length and include numbers, letters and punctuation. A PIN is a 4 digit number.
I had "just swipe" until my company started requiring security (government without clearance; everything I send or receive in email is legally a public record anyway). I put a real password at first, then I switched to a one-handed 4-digit pin once I realized that saved me pushing enter at the end!

      --
      Changa hates change.
  36. Passwords: not so trivial [Re:Ok let's make th...] by Geoffrey.landis · · Score: 1

    Yes, and if people only ever needed one password and didn't need to change it that would be fine.

    However, the very first rule of strong passwords is to never use the same password on two different systems. So "it's trivially easy to get a strong password" is useless; you need to say "it's trivially easy to get fifty strong passwords and remember which password gets into which system."

    (I actually have more than fifty passwords, but let's call it fifty for now.)

    But a lot of systems these days also require you to change them every 90 days or so, and not re-use any of your last ten passwords, so what you really really meant to say is "it's trivially easy to get five hundred strong passwords, and remember which password gets into which system, and which one is the current password and which ones were old passwords that aren't used anymore."

    And that's not so trivial.

    --
    http://www.geoffreylandis.com
  37. Re:Why use 4 digits? by Overzeetop · · Score: 2

    It can go to at least 10 digits on the iPhone. It's a royal pain in the ass, but you can do it.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  38. I would have expected the second digit to be 9 by AJH16 · · Score: 1

    Interesting that the second digit is frequently 2. I would have really expected it to be a 9 and would have expected it to switch to 2 and 0 for first and second over the next few decades.

    --
    AJ Henderson
  39. Re:An explanation by bberens · · Score: 1

    Zero is not the "first" digit available on pinpads. It's generally the last as most readers would view the pin-pad as reading from top-left to bottom-right. I would guess zero is among the least used digits based on Benford's law. It does raise the interesting question of whether or not cultures that read right-to-left would see 3 as being the most common digit... assuming the pin-pad is not updated to have 1 be the top-right key.

    --
    Check out my lame java blog at www.javachopshop.com
  40. Re:Ok let's make the password rules so long and ha by Kamiza+Ikioi · · Score: 1

First Pet, Hobby. Vowels are numbers.

    True, but then you give everyone else in the company the method for determining everyone else's password. Because, as sure as there are bad password guessers, there are people that will copy your exact method, even if you tell them to create their own. These are usually the people in the most sensitive areas.

    Most company data thefts are inside jobs. And given enough time of just socializing, you could get a good idea to salt a password cracking program for very high accuracy.

    --
    I8-D
  41. Re:Passwords: not so trivial [Re:Ok let's make th. by Pope · · Score: 1

The Error dialog from my current job, after I had accidentally tried to re-use an old password: "Change Password. Your password must be at least 8 characters, cannot repeat any of your previous 7 passwords and must be at least 9 days old. Please type a different password. Type a password which meets these requirements in both text boxes."

    --
    It doesn't mean much now, it's built for the future.
  42. 1234? by antdude · · Score: 1

    ... "That's amazing. I've got the same combination on my luggage."

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  43. Least Favorite is Probably 7. by DarthVain · · Score: 1

As it is the closest button to the "Emergency Call" button, and anyone who has tried to unlock their iPhone with one hand will tell you that you end up hitting it pretty often, which is annoying. Also, the name makes me think it is about to auto dial 911, which always freaks me out.

  44. Re:Stupid Green Lantern movie! by tom17 · · Score: 1

    You're doing it wrong...

    First you need to re-arrange the descriptors to allow for galactic drift constants giving you:

    ZZZ9 Plural Alpha

    Expand out to the full non-abbreviated address:

    (Zed Zed Zed) Nine, Plural Alpha

    Finally, you need to use the Veltvogle Six concatetheorems thusly (a quick recap, where Sector is defined as (S1 S2 S3), the normalized sector is (S1/S2/(S1/S3)).):

    (Zed/Zed/(Zed/Zed))*Nine, Plural - Alpha

    To expand into more palatable notation for humankind, it is possible to do the simple character substitution in a similar manner to what you mentioned above by simply adding the character numbers together, thusly arriving at a handy, concise, four digit number which can also be easily represented in 2 digits for common use.

  45. Re:New passcode: 9867 by elsurexiste · · Score: 1

    It's the least likely to be used!

    Don't post my passcode like that!

    --
    I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
  46. Not bad, but... by NotAnIndividual · · Score: 1

1 in 7's not bad, but from my experience as an iOS developer in a large company, the current year (or last year) works 2/3 of the time. A 4-digit passcode is not security, it's a minor deterrent to your friends using your phone to post embarrassing things in your accounts.

  47. Not! by youn · · Score: 1

    mine is 3726... oops, there goes my account control :)

    --
Never anthropomorphize computers, they do not like that :p
  48. Keep In Mind by Wovel · · Score: 1

    These are the codes people entered into a lock screen "alarm" app. Most people likely did not enter their real code in it. Maybe some people felt a lock app that you could get around with the home button was a good idea and actually used it...

49. Benford's Law by Slashdotgirl · · Score: 1

    This is not surprising because in mathematics there is a law called Benford’s law after one of its main founders, Frank Benford, who discovered it in 1935 as a physicist at General Electric. The law tells how often each number (from 1 to 9) appears as the first significant digit in a very diverse range of data sets.

So in other words there is nothing unusual about this because the four digit pin number is just another data set. This law tends to be more accurate when values are distributed across multiple orders of magnitude. Because the 4 digit pin number spans several orders of magnitude, the 4 digit pin number is therefore following Benford's law.

    Warm regards
    Slashdotgirl

    --
    The more I know, the less I know
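A way to check a PIN set's leading-digit frequencies against the shares Benford's law predicts, added here as an example and not part of the thread. The PIN sample is constructed (not real data) and skewed toward a leading 1, as the article describes; note that fixed-width PINs keep leading zeros, which Benford's law has no prediction for, so those are reported separately.

```python
"""Compare a PIN set's leading-digit frequencies with Benford's law.

Added example, not from the thread. SAMPLE_PINS is constructed and
deliberately skewed toward leading '1' (as the article describes)."""
from collections import Counter
from math import log10

# Constructed sample of 4-digit passcodes (not real data): 50 PINs in total.
SAMPLE_PINS = (
    ["1234"] * 12 + ["1111"] * 6 + ["1212"] * 3 + ["1990"] * 4
    + ["2580"] * 5 + ["2000"] * 3 + ["3721"] * 2 + ["4321"] * 3
    + ["5683"] * 2 + ["6969"] * 2 + ["7777"] * 2 + ["8888"] * 1
    + ["9991"] * 1 + ["0000"] * 4
)


def benford_expected(digit: int) -> float:
    """Benford's predicted share for a leading digit 1-9: log10(1 + 1/d)."""
    if not 1 <= digit <= 9:
        raise ValueError("Benford's law covers leading digits 1..9 only")
    return log10(1 + 1 / digit)


def leading_digit_shares(pins):
    """Observed share of each leading character, '0' through '9'.

    Fixed-width PINs keep leading zeros, so '0' can appear here even though
    Benford's law makes no prediction for it."""
    counts = Counter(p[0] for p in pins)
    total = sum(counts.values())
    return {d: counts.get(d, 0) / total for d in "0123456789"}


def benford_deviation(pins):
    """Sum over digits 1-9 of |observed share - Benford share|, computed
    after dropping PINs that start with '0'. 0.0 would be a perfect fit."""
    nonzero = [p for p in pins if p[0] != "0"]
    observed = leading_digit_shares(nonzero)
    return sum(abs(observed[str(d)] - benford_expected(d)) for d in range(1, 10))


if __name__ == "__main__":
    shares = leading_digit_shares(SAMPLE_PINS)
    print("digit  benford  observed")
    for d in range(1, 10):
        print(f"{d}      {benford_expected(d):.3f}    {shares[str(d)]:.3f}")
    print(f"leading zero share: {shares['0']:.3f} (no Benford prediction)")
    print(f"total deviation from Benford: {benford_deviation(SAMPLE_PINS):.3f}")
```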
  50. Re:Stupid Green Lantern movie! by tom17 · · Score: 1

So no-one got it. Damn, it was a waste of my time working that out lol. Oh well :)