Users are encouraged to set a PIN code to lock mobile devices to secure data in case it is lost or stolen. However, users aren’t picking hard-to-guess combinations, according to a recent analysis of iPhone passcodes.
The 10 most common passcodes used by iPhone users accounted for 15 percent of all the passcodes analyzed, Daniel Amitay, the developer behind the iPhone app Big Brother Camera Security, said on his website on June 13. The most common values were: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.
Amitay’s Big Brother Camera Security app for the iPhone 4 automatically takes a picture of anyone using the iPhone 4 using the front-mounted camera. The idea is to let users see who might be using the smartphone without permission. In the latest update, Amitay added code to collect information about the passcodes users are selecting to protect the camera app.
“Formulaic passwords are never a good idea,” Amitay said, but his analysis found that most users selected easy-to-guess codes.
Out of the 204,508 codes the app sent back anonymously to Amitay, “1234” was the most commonly used, chosen by 4.3 percent of users. The second most common code was “0000,” picked by 2.6 percent of users. Amitay believes that since the passcode setup and lock screens in Big Brother Camera Security are “nearly identical” to the actual iPhone passcode screen, there is a high correlation between the two.
“I can think of strong arguments why some people would choose different passcodes for an app than the one they use to lock their smartphone, but my hunch is that many people don’t bother,” wrote Graham Cluley, senior technology consultant at Sophos, on the NakedSecurity blog.
People choosing “1234,” “0000” and “1111” as their passcode “are doing the equivalent of locking up their cars with a piece of thin string,” wrote Cluley. “0852” and “2580” aren’t that much better, as the code is just going up and down the keypad.
All in all, 14.4 percent of passcodes are one of the 10 most common codes, Amitay found. The top four codes represent 10.8 percent of the codes collected.
“With a 15 percent success rate, about 1 in 7 iPhones would easily unlock,” Amitay said.
If a user enables the PIN code, the phone will be wiped clean after 10 wrong attempts. Theoretically, there are 10,000 possible four-digit combinations, so a thief normally has a 0.1 percent chance of guessing the correct code in 10 tries. If the user picks one of the 10 common codes, or uses a birth year or another easy-to-guess value, the likelihood of guessing the correct code becomes much higher.
Years between 1990 and 2000 are all in the top 50, and 1980 to 1989 are in the top 100 passcodes. Amitay speculated the years corresponded to either the year of birth or graduation.
The code “5683” spells out the word “love,” Amitay noted.
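The reasoning in the preceding paragraphs (a 10-attempt lockout against 10,000 codes, versus a population that clusters on a handful of patterns) can be turned into a small audit tool. The following is an added example written for this article; it is not code from the Big Brother Camera Security app or from Amitay's analysis. It encodes the weak-PIN classes the article describes (the reported top-10 list, repeated digits, sequential digits, the 2580/0852 keypad column, and plausible birth or graduation years) as a checker an administrator could run over a set of enrolled PINs, and computes the share of a sample each guess budget would cover. The year range 1900 to 2099 and the sample PIN list are assumptions constructed for illustration.

```python
"""Weak four-digit PIN checker and coverage estimate.

Added example for this article, not code from the app or the article's author.
The pattern classes mirror the ones the article reports; the sample PINs at
the bottom are constructed for illustration and are not Amitay's data.
"""
from fractions import Fraction
from typing import Iterable, Optional, Sequence

# The ten most common codes as reported in the article.
TOP_10 = ["1234", "0000", "2580", "1111", "5555", "5683", "0852", "2222", "1212", "1998"]

# Straight keypad lines the article calls out (middle column, read either way).
KEYPAD_LINES = ["2580"]

TOTAL_FOUR_DIGIT = 10_000   # every possible four-digit code
LOCKOUT_ATTEMPTS = 10       # wipe-after-10-attempts policy described in the article

# Assumed range for "plausible year" PINs; the article places 1980-2000 in the top 100.
YEAR_RANGE = range(1900, 2100)


def is_weak_pin(pin: str) -> Optional[str]:
    """Return the reason a four-digit PIN is weak, or None if no rule matches.

    A PIN that passes is not thereby strong; it merely avoids the listed patterns.
    """
    if len(pin) != 4 or not pin.isdigit():
        raise ValueError("expected a four-digit numeric PIN")
    if pin in TOP_10:
        return "top-10 most common"
    if len(set(pin)) == 1:
        return "repeated digit"
    if pin[0] == pin[2] and pin[1] == pin[3]:
        return "alternating pair"
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "sequential digits"
    if pin in KEYPAD_LINES or pin[::-1] in KEYPAD_LINES:
        return "keypad line"
    if int(pin) in YEAR_RANGE:
        return "plausible year"
    return None


def weak_fraction(pins: Sequence[str]) -> Fraction:
    """Share of a PIN sample that matches at least one weak-pattern rule."""
    flagged = sum(1 for p in pins if is_weak_pin(p) is not None)
    return Fraction(flagged, len(pins))


def guess_list_coverage(pins: Sequence[str], guesses: Iterable[str]) -> Fraction:
    """Share of the sample that would be unlocked by trying each guess once.

    With the article's top-10 list this is the statistic Amitay reported
    (about 15 percent of his sample); here it runs over the constructed sample.
    """
    guess_set = set(guesses)
    return Fraction(sum(1 for p in pins if p in guess_set), len(pins))


def uniform_guess_probability(attempts: int = LOCKOUT_ATTEMPTS) -> Fraction:
    """Chance of success within the lockout budget if PINs were chosen uniformly."""
    return Fraction(attempts, TOTAL_FOUR_DIGIT)


# Constructed sample of enrolled PINs for demonstration only.
SAMPLE_PINS = ["1234", "7294", "1985", "0000", "3434", "8163", "4321", "2580", "6051", "9917"]

if __name__ == "__main__":
    for p in SAMPLE_PINS:
        print(p, is_weak_pin(p) or "no rule matched")
    print("weak share:", weak_fraction(SAMPLE_PINS))
    print("top-10 coverage:", guess_list_coverage(SAMPLE_PINS, TOP_10))
    print("uniform baseline:", uniform_guess_probability())
```

The checker is meant for enrolment-time policy (reject a PIN and explain why) or for an audit of existing PINs; the gap between `uniform_guess_probability()` and `guess_list_coverage()` is exactly the risk the article describes, and it disappears only when users stop picking from these pattern classes or, as the next paragraph recommends, move to a longer passcode.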
To be really secure, users should turn off the simple four-digit code and use a real password, since it can be longer than four digits, Cluley said. Users need to toggle off “Simple Passcode” under Settings/General/Passcode Lock. With Simple Passcode disabled, users can choose a longer and more complex password, which would do a better job of securing the smartphone, Cluley said.
There’s another reason to switch to a real password. Russian security firm ElcomSoft claims it has figured out a way to crack the simple passcodes to obtain encryption keys to unlock the data stored on the smartphone.
As of June 14, Apple had removed the app from the App Store over privacy concerns because the app was phoning data home. Amitay pointed out that all he was collecting was the numbers, with no identifying information, and that the app was not collecting the phone’s actual PIN code.