Users are encouraged to set a PIN code to lock mobile devices to secure data in case it is lost or stolen. However, users aren’t picking hard-to-guess combinations, according to a recent analysis of iPhone passcodes.
The 10 most common passcodes used by iPhone users accounted for roughly 15 percent of all the codes analyzed, Daniel Amitay, the developer behind the iPhone app Big Brother Camera Security, said on his Website June 13. The most common values were: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.
Amitay’s Big Brother Camera Security app for the iPhone 4 uses the front-mounted camera to automatically take a picture of anyone who picks up the phone. The idea is to let users see who might be using the smartphone without permission. In the latest update, Amitay added code to collect information about the passcodes users were selecting to protect the camera app.
“Formulaic passwords are never a good idea,” Amitay said, but his analysis found that most users selected easy-to-guess codes.
Out of the 204,508 codes the app sent back anonymously to Amitay, “1234” was the most commonly used, chosen by 4.3 percent of users. The second most common code was “0000,” picked by 2.6 percent of users. Amitay believes that since the passcode setup screen and lock screen in Big Brother Camera Security are “nearly identical” to the actual iPhone passcode screen, there is a high correlation between the codes users pick for the app and the codes they use to lock the phone itself.
“I can think of strong arguments why some people would choose different passcodes for an app than the one they use to lock their smartphone, but my hunch is that many people don’t bother,” wrote Graham Cluley, senior technology consultant at Sophos, on the NakedSecurity blog.
People choosing “1234,” “0000” and “1111” as their passcode “are doing the equivalent of locking up their cars with a piece of thin string,” wrote Cluley. “0852” and “2580” aren’t that much better, as the code is just going up and down the keypad.
All in all, 14.4 percent of passcodes are one of the 10 most common codes, Amitay found. The top four codes represent 10.8 percent of the codes collected.
“With a 15 percent success rate, about 1 in 7 iPhones would easily unlock,” Amitay said.
If a user enables a passcode and the optional “Erase Data” setting, the phone will be wiped clean after 10 wrong attempts. There are 10,000 possible four-digit combinations, so if every code were equally likely a thief would have only a 0.1 percent chance (10 out of 10,000) of guessing the correct one within those 10 tries. If the user picks one of the 10 common codes, or uses a birth year or another easy-to-guess value, the attacker can spend those same 10 tries on the most popular codes and the odds of success rise sharply.
Years between 1990 and 2000 are all in the top 50, and 1980 to 1989 are in the top 100 passcodes. Amitay speculated the years corresponded to either the year of birth or graduation.
The code “5683” spells out the word “love,” Amitay noted.
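The lockout arithmetic and the weak-code patterns described above (common codes, straight lines on the keypad, years, repeated digits, words spelled in keypad letters) can be turned into a simple screening check. The following is an added example, not code from the article or from the Big Brother Camera Security app. The only frequencies it uses are the two the analysis reports (4.3 percent for 1234, 2.6 percent for 0000); the short word list, the 1900-to-current-year range, and the assumption that unlisted codes share the leftover probability evenly are constructed for the demo.

```python
# Added example (not from the article): a weak-PIN screen built from the
# patterns the analysis calls out, plus the 10-attempt lockout arithmetic.
from datetime import date

# The ten most common codes as reported in the analysis.
COMMON_TOP10 = {"1234", "0000", "2580", "1111", "5555", "5683",
                "0852", "2222", "1212", "1998"}

# Row/column of each digit on a phone keypad; 0 sits under the 8.
KEYPAD_POS = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
              "4": (1, 0), "5": (1, 1), "6": (1, 2),
              "7": (2, 0), "8": (2, 1), "9": (2, 2),
              "0": (3, 1)}

# Letters printed on each key, used to spot PINs that spell a word (5683 = love).
T9 = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {c: d for d, letters in T9.items() for c in letters}

# Constructed word list for the demo; a real check would use a much larger one.
WORDS = ["love", "hate", "pass", "open", "code"]
WORD_PINS = {"".join(LETTER_TO_DIGIT[c] for c in w): w for w in WORDS}


def is_repeated(pin):
    """0000, 1111, ..."""
    return len(set(pin)) == 1


def is_sequential(pin):
    """1234, 4321: every step is +1 or every step is -1."""
    diffs = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return diffs in ({1}, {-1})


def is_alternating(pin):
    """1212-style: two different digits repeated in turn."""
    return len(pin) >= 4 and pin[0] != pin[1] and pin == (pin[:2] * len(pin))[:len(pin)]


def is_keypad_line(pin):
    """2580, 0852: every step moves the same direction on the keypad."""
    pos = [KEYPAD_POS[d] for d in pin]
    steps = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pos, pos[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def is_year(pin, today=None):
    """Assumed range: 1900 up to the current year (the analysis saw 1980-2000)."""
    today = today or date.today()
    return 1900 <= int(pin) <= today.year


def weak_pin_reasons(pin):
    """Return the list of reasons a four-digit PIN is easy to guess (empty if none)."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a four-digit PIN")
    checks = [
        (pin in COMMON_TOP10, "in the ten most common codes"),
        (is_repeated(pin), "single repeated digit"),
        (is_sequential(pin), "ascending or descending digit run"),
        (is_alternating(pin), "two digits alternating"),
        (is_keypad_line(pin), "straight line on the keypad"),
        (is_year(pin), "looks like a year"),
        (pin in WORD_PINS, f"spells '{WORD_PINS.get(pin)}' on the keypad"),
    ]
    return [why for hit, why in checks if hit]


def uniform_success(attempts, space=10_000):
    """Chance of guessing a uniformly chosen PIN within `attempts` tries."""
    return attempts / space


def guess_success(frequencies, attempts, space=10_000):
    """Chance of success for an attacker who tries the known-popular codes first
    (most popular first) and spends any remaining attempts on the other codes,
    which are assumed (for the demo) to share the leftover probability evenly."""
    ranked = sorted(frequencies.items(), key=lambda kv: kv[1], reverse=True)
    top = ranked[:attempts]
    p = sum(share for _, share in top)
    leftover_attempts = attempts - len(top)
    leftover_mass = 1.0 - sum(share for _, share in ranked)
    leftover_codes = space - len(ranked)
    return p + leftover_attempts * leftover_mass / leftover_codes


# The two per-code shares the analysis reports; everything else is unknown here.
REPORTED_SHARES = {"1234": 0.043, "0000": 0.026}

if __name__ == "__main__":
    for pin in ["1234", "2580", "1998", "5683", "7391"]:
        print(pin, weak_pin_reasons(pin) or "no obvious pattern")
    print("uniform, 10 tries:", uniform_success(10))
    print("popular-first, 10 tries:", round(guess_success(REPORTED_SHARES, 10), 4))
```

Even with just the two published frequencies, an attacker who tries 1234 and 0000 first has nearly a 7 percent chance of unlocking within the 10-try budget, roughly 70 times the 0.1 percent that a uniformly chosen code would allow; feeding in the full top-ten list would push that toward the 1-in-7 figure Amitay quotes.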
To be really secure, users should turn off the simple four-digit code and use a real password, since it can be longer than four digits, Cluley said. Users need to toggle off “Simple Passcode” under Settings/General/Passcode Lock. With Simple Passcode disabled, users can choose a longer and more complex password, which would do a better job of securing the smartphone, Cluley said.
There’s another reason to switch to a real password. Russian security firm ElcomSoft claims it has figured out a way to crack the simple passcodes to obtain encryption keys to unlock the data stored on the smartphone.
As of June 14, Apple had removed the app from the App Store for privacy concerns because the app was phoning data home. Amitay pointed out that all he was getting was just the numbers, with no identifying information, and the app wasn’t collecting the actual phone’s PIN code.