Security starts with the passwords and PIN codes that gate access to your valuable information. An easy-to-guess code such as “1234”, or one that simply runs up or down the number pad, should never be used. If a code is easy for you to remember, odds are it is just as easy for an attacker to guess, so mix it up.
An iOS developer collected the four-digit passcodes used to lock his iPhone app and found that 14.4 percent of users were using one of the 10 most common codes.
Users are encouraged to set a PIN code to lock mobile devices to secure data in case it is lost or stolen. However, users aren’t picking hard-to-guess combinations, according to a recent analysis of iPhone passcodes.
The 10 most common passcodes used by iPhone users accounted for roughly 15 percent of all the passcodes analyzed, Daniel Amitay, the developer behind the iPhone app Big Brother Camera Security, said on his website on June 13. The most common values were: 1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212 and 1998.
Amitay’s Big Brother Camera Security app for the iPhone 4 uses the front-facing camera to automatically photograph anyone who picks up the phone. The idea is to let users see who might be using the smartphone without permission. In the latest update, Amitay added code to collect information about the passcodes users select to protect the camera app.
“Formulaic passwords are never a good idea,” Amitay said, but his analysis found that most users selected easy-to-guess codes.
Of the 204,508 codes the app sent back anonymously to Amitay, “1234” was the most common, chosen by 4.3 percent of users. The second most common code was “0000”, picked by 2.6 percent of users. Amitay believes that because the passcode setup and lock screens in Big Brother Camera Security are “nearly identical” to the actual iPhone passcode screen, there is a high correlation between the two.
“I can think of strong arguments why some people would choose different passcodes for an app than the one they use to lock their smartphone, but my hunch is that many people don’t bother,” wrote Graham Cluley, senior technology consultant at Sophos, on the NakedSecurity blog.
People choosing “1234,” “0000” and “1111” as their passcode “are doing the equivalent of locking up their cars with a piece of thin string,” wrote Cluley. “0852” and “2580” aren’t much better, as the code just runs up or down the keypad.
All in all, 14.4 percent of passcodes are one of the 10 most common codes, Amitay found. The top four codes represent 10.8 percent of the codes collected.
“With a 15 percent success rate, about 1 in 7 iPhones would easily unlock,” Amitay said.
With a passcode lock and the erase-data option enabled, the phone wipes itself after 10 wrong attempts. There are 10,000 possible four-digit combinations, so a thief guessing blindly has only a 0.1 percent chance (10 out of 10,000) of hitting the correct code within those 10 tries. If the user picks one of the 10 most common codes, a birth year or another easy-to-guess value, the thief’s odds rise sharply: trying the 10 most popular codes first succeeds against about 14.4 percent of users.
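The arithmetic above, carried through as an added example (this is not code from the article or from Amitay’s app). It compares a thief who guesses blindly against one who tries the most popular codes first, and shows what a longer code does to the blind-guess odds. The 1234 and 0000 counts, the top-four (10.8 percent) and top-ten (14.4 percent) shares mirror the article’s figures; the remaining per-code counts, the 1,000-user sample size and the filler codes are constructed, and `keyspace`, `uniform_success`, `ranked_success` and `guess_order` are names chosen here.

```python
"""Unlock odds within a 10-attempt budget: uniform PINs versus a skewed distribution.

Added example, not Amitay's or the article's code. Counts for 1234 and 0000 and
the top-4 / top-10 shares follow the article; the other counts are constructed.
"""
from collections import Counter
from typing import Mapping

SAMPLE_SIZE = 1000  # constructed sample size, not the article's 204,508

# Constructed top-ten counts out of 1000 users, in the article's ranking order.
# 43 and 26 are the article's 4.3 % and 2.6 %; the rest are invented so that the
# top four sum to 108 (10.8 %) and the top ten to 144 (14.4 %), as the article reports.
TOP_TEN = Counter({"1234": 43, "0000": 26, "2580": 20, "1111": 19, "5555": 9,
                   "5683": 7, "0852": 6, "2222": 5, "1212": 5, "1998": 4})


def build_sample_counts() -> Counter:
    """Top-ten counts plus one user each on the next 856 distinct codes (constructed)."""
    counts = Counter(TOP_TEN)
    filler = [f"{i:04d}" for i in range(10_000) if f"{i:04d}" not in TOP_TEN]
    for code in filler[: SAMPLE_SIZE - sum(TOP_TEN.values())]:
        counts[code] = 1
    return counts


def keyspace(length: int, alphabet: int) -> int:
    """Number of possible codes of `length` symbols drawn from `alphabet` symbols."""
    return alphabet ** length


def uniform_success(attempts: int, space: int) -> float:
    """Chance of unlocking within `attempts` guesses when every code is equally likely."""
    return min(attempts, space) / space


def ranked_success(counts: Mapping[str, int], attempts: int) -> float:
    """Chance of unlocking within `attempts` guesses when the thief tries the most
    popular codes first, which is the best strategy against a known distribution."""
    total = sum(counts.values())
    best = sorted(counts.values(), reverse=True)[:attempts]
    return sum(best) / total


def guess_order(counts: Mapping[str, int], attempts: int) -> list[str]:
    """The codes a frequency-aware thief would try, most popular first."""
    return [code for code, _ in Counter(counts).most_common(attempts)]


if __name__ == "__main__":
    sample = build_sample_counts()
    blind = uniform_success(10, keyspace(4, 10))
    ranked = ranked_success(sample, 10)
    print(f"blind guessing, 4 digits, 10 tries: {blind:.4f}")
    print(f"popular-first guessing, 10 tries:  {ranked:.4f}  ({ranked / blind:.0f}x better)")
    print("guess order:", guess_order(sample, 10))
    print(f"blind guessing, 6 digits, 10 tries: {uniform_success(10, keyspace(6, 10)):.6f}")
    print(f"blind guessing, 8 alphanumerics:    {uniform_success(10, keyspace(8, 62)):.2e}")
```

Against the constructed sample the popular-first thief is 144 times more likely to succeed in 10 tries than a blind guesser, which is exactly the gap between 0.1 percent and 14.4 percent; the ranking strategy needs no knowledge of the victim, only of how people choose codes in general.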
Years between 1990 and 2000 are all in the top 50, and 1980 to 1989 are in the top 100 passcodes. Amitay speculated the years corresponded to either the year of birth or graduation.
The code “5683” spells out the word “love” on a phone keypad, Amitay noted.
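The weak-code categories the article has just walked through (repeated digits, straight runs like 1234, walks up or down the keypad like 2580 and 0852, birth or graduation years, and keypad words like 5683 for “love”) can be turned into a checker. The following is an added example and not code from the article, Amitay or Cluley. It generalizes slightly: any horizontal or vertical keypad walk and any constant-step run are flagged, not only the codes the article names. The keypad layout, the 1900 to 2030 year window, the tiny word list and the function names `weak_reasons` and `weak_share` are assumptions made here.

```python
"""Flag four-digit PINs that fall into the weak patterns the article describes.

Added example, not from the article. The pattern categories come from the article;
the keypad layout, year window and word list below are assumptions.
"""
from __future__ import annotations

# Standard 3x4 phone keypad, row-major, with 0 below 8 (assumed layout).
KEYPAD = ["123", "456", "789", " 0 "]
KEY_POS = {ch: (r, c) for r, row in enumerate(KEYPAD)
           for c, ch in enumerate(row) if ch != " "}

# Letters printed on each key, so that "love" maps to 5683.
T9 = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
      "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_KEY = {ch: key for key, letters in T9.items() for ch in letters}

# Tiny constructed dictionary; a real check would load a full word list.
WORDS = ["love", "home", "cool", "pass", "code", "star", "hate", "beer", "baby"]
T9_WORDS = {w.translate(str.maketrans(LETTER_TO_KEY)): w for w in WORDS}

YEAR_RANGE = range(1900, 2031)  # assumed window for birth / graduation years


def _adjacent(a: str, b: str) -> bool:
    """True when keys a and b are horizontal or vertical neighbours on the keypad."""
    (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
    return abs(r1 - r2) + abs(c1 - c2) == 1


def weak_reasons(pin: str) -> list[str]:
    """Return every weak-pattern label that applies to `pin`; empty means none matched."""
    if not (pin.isdigit() and len(pin) == 4):
        raise ValueError("expected a four-digit PIN string")
    reasons: list[str] = []
    digits = [int(ch) for ch in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}

    if len(set(pin)) == 1:                        # 0000, 1111, 5555, 2222
        reasons.append("repeated digit")
    elif len(steps) == 1:                         # 1234, 4321, 2468, 0123
        reasons.append("constant-step sequence")
    if pin == pin[:2] * 2 and pin[0] != pin[1]:   # 1212, 2121
        reasons.append("repeated pair")
    if all(_adjacent(a, b) for a, b in zip(pin, pin[1:])):  # 2580, 0852, 1478
        reasons.append("keypad walk")
    if int(pin) in YEAR_RANGE:                    # 1998, 1985
        reasons.append("year")
    if pin in T9_WORDS:                           # 5683 -> love
        reasons.append(f"t9 word: {T9_WORDS[pin]}")
    return reasons


def weak_share(pins: list[str]) -> float:
    """Fraction of `pins` that match at least one weak pattern."""
    return sum(1 for p in pins if weak_reasons(p)) / len(pins)


if __name__ == "__main__":
    # The article's top ten, plus two codes with no obvious pattern.
    for code in ["1234", "0000", "2580", "1111", "5555", "5683",
                 "0852", "2222", "1212", "1998", "7294", "3901"]:
        print(code, weak_reasons(code) or "no known pattern")
```

Every one of the article’s top ten trips at least one rule, which is the practical lesson: a code that is easy to describe (a line on the keypad, a year, a word) is easy to enumerate, and an attacker with 10 attempts will enumerate those classes before anything else.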
To be really secure, users should turn off the simple four-digit code and use a real password, which can be longer than four digits, Cluley said. Users need to toggle off “Simple Passcode” under Settings > General > Passcode Lock. With Simple Passcode disabled, users can choose a longer and more complex password, which does a far better job of securing the smartphone, Cluley said.
There is another reason to switch to a real password. Russian security firm ElcomSoft claims to have found a way to crack the simple four-digit passcodes and recover the encryption keys that protect the data stored on the phone.
As of June 14, Apple had removed the app from the App Store over privacy concerns, because the app was sending data home. Amitay responded that he was receiving only the numeric codes, with no identifying information, and that the app was not collecting the phone’s actual PIN code.