Passcodes Prove Predictable
mikejuk writes "Research reveals something we all suspected but couldn't prove — in a four-digit PIN the most popular first digit is one, the most popular second digit is two. Entropy only really kicks in on the third and fourth digits. What is more, looking at the frequencies of four-digit groups, just 10 different passcodes would be enough to unlock one in seven iPhones!"
This is simple to fix! Everyone, make sure to start all your passcodes with "4" instead of "1" and this attack will be easily foiled!
This Space Intentionally Left Blank
Isn't this a repost of the iPhone app developer who made the photographing lock screen and kept anonymous stats of the "passcodes" people entered into his lock-screen-like lock screen?
The sample set for this data is people who are dumb enough to type their unlock code into a fake login app which has been removed from the app store.
I wonder if this is representative of the population as a whole.
Here's a clue: don't let anyone mess with your phone when you're not there to stop them.
Really? Do you hear what you're saying?
"City hall" in German is "Rathaus". Kinda explains a few things...
Since people are likely to use passcodes based on real-world numbers so they can be remembered, perhaps Benford's law applies.
http://en.wikipedia.org/wiki/Benford's_law
The best code is 9991. If you're going to brute force it, most everyone would start at 0000 and it would take 9991 tries. If you're going to bruteforce descending from 9999 you'd get through 4 or 5 before you decided it was too much trouble. ;)
It's called the pigeonhole principle. If there are more pigeons than pigeonholes, at least one pigeonhole will have more than one pigeon.
If 11 people are asked to pick a number between one and 10, then at least two will pick the same number. If there are 10,001 users of a product with a 4-digit pin, at least two will pick the same number. There are sure to be two people with the same number of hairs on their head in any sufficiently large city.
This isn't about two people picking the same number, it's about several people picking from just a few numbers, thereby reducing the entropy of the passcode space.
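The two claims in the summary (little entropy in the leading digits, and a few guesses covering a large share of users) can be measured on any PIN frequency table. The following is an added example, not part of the original thread or the study: it computes per-digit entropy, min-entropy and top-k coverage for a constructed sample and for a uniform baseline. The sample counts and all function names are assumptions.

```python
import math
from collections import Counter

def entropy_bits(counts):
    """Shannon entropy (bits) of a Counter of observed values."""
    total = sum(counts.values())
    return sum(-(n / total) * math.log2(n / total) for n in counts.values())

def position_entropy(pin_counts, pos):
    """Entropy of the digit at index pos, weighted by users per PIN."""
    digits = Counter()
    for pin, n in pin_counts.items():
        digits[pin[pos]] += n
    return entropy_bits(digits)

def top_k_success(pin_counts, k):
    """Fraction of users whose PIN is among the k most frequently chosen."""
    total = sum(pin_counts.values())
    return sum(n for _, n in pin_counts.most_common(k)) / total

def min_entropy_bits(pin_counts):
    """Worst-case measure: -log2 of the most likely PIN's probability."""
    total = sum(pin_counts.values())
    return -math.log2(pin_counts.most_common(1)[0][1] / total)

def constructed_sample():
    """Constructed data, not the study's: a skewed head plus a thin tail."""
    sample = Counter({"1234": 400, "1212": 150, "1111": 150,
                      "0000": 100, "1298": 50})
    # 7919 is coprime to 10000, so these 1500 tail PINs are all distinct.
    for i in range(1500):
        sample[f"{(i * 7919 + 13) % 10000:04d}"] += 1
    return sample

def uniform_baseline():
    """Every 4-digit PIN chosen exactly once (the ideal case)."""
    return Counter({f"{i:04d}": 1 for i in range(10000)})

if __name__ == "__main__":
    for name, data in (("uniform", uniform_baseline()),
                       ("skewed", constructed_sample())):
        per_pos = [round(position_entropy(data, p), 2) for p in range(4)]
        print(name, "per-digit entropy:", per_pos,
              "| top-10 coverage:", round(top_k_success(data, 10), 4),
              "| min-entropy:", round(min_entropy_bits(data), 2))
```

With a uniform choice, ten guesses cover 0.1% of users and every digit carries about 3.32 bits; a skewed table shows how far a real population falls from that, which is the figure a lockout or PIN-length policy should be sized against.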
Since people are likely to use passcodes based on real-world numbers so they can be remembered
Rather than using real numbers, people should try complex passcodes. My iPhone is locked with: 0000+9999i
It can go to at least 10 digits on the iPhone. It's a royal pain in the ass, but you can do it.
Is it just my observation, or are there way too many stupid people in the world?
The iPhone offers exactly the level of security the user requests.
iPhone users can choose between just swiping, a PIN or a pass-phrase. A pass-phrase can be of arbitrary length, include numbers, letters and punctuation. A PIN is a 4-digit number.
I had just swipe until my company started requiring security (government without clearance, everything I send or receive in email is legally a public record anyway). I put a real password at first, then I switched to a one-handed 4-digit pin once I realized that saved me pushing enter at the end!
Changa hates change.
I have said this once or twice in the past, but what the hell. :)
I did research on this subject and you, sir, nailed it. People don't choose numbers: they choose patterns, all the time. The most common passwords are, unsurprisingly, lines. A few are one or two repeating digits. People also have a fondness for diagonals and spirals, although this is noticeable when there are 16 or more buttons. That being said, I'm surprised that 5683 is so common.
I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!