Passcodes and Good Practice
First in a series of articles about authentication.
Back in the 90s, during my first EICAR presentation (of a paper on social engineering), I said something about password selection. (I can’t remember why exactly, but I still have the paper and presentation somewhere, so I may come back to that.) I was assured by several of the acknowledged security experts at the conference that passwords are such a flawed security precaution that they’d soon be phased out of existence and replaced by more effective methods. I think biometrics was the nostrum of choice at that time. Well, I’ve always been aware of the shortcomings of passwords, but I didn’t think they were going away that soon, and they haven’t, though in some cases authentication has been much improved, not only by better implementations of password technology, but by introducing complementary measures such as multi-factor authentication*. I’ll probably talk about that more in a later article, but for now, let’s look at a specific subset of passwording: that is, the use of numeric passcodes on devices such as phones, ATM keypads and so on.
This, by the way, is an expanded and updated version of an article (no longer accessible) on Kevin Townsend’s ITSecurity UK blog, where I and several other people in the security industry contributed articles where we spoke for ourselves rather than for an employer or customer.
Daniel Amitay used to market an app which, apparently, takes photos of anyone using your iPhone 4 or iPod Touch 4 without your permission. In an update, he added some code to capture the passcodes used for his app – not, so he says, the passcode for locking the device, though he did assume for research purposes that there would be a correlation between the two. (Not unlikely: we already know that people re-use passwords on many accounts, and passcodes are probably harder to remember and even more liable to re-use.) His original research is no longer available. However, he did share his data with me, as noted in one of my articles for Virus Bulletin and a research paper for EICAR.
So he captured 204,508 passcodes (completely anonymously, he says, and I’ve no reason to disbelieve him) and ran some analysis to see which passcodes people used most. This is similar to lots of research in which known collections of exposed passwords have been analysed to see which are most commonly used, though much of that research is carried out by examining dumps of captured passwords found exposed on the internet. You might think it was a little ethically suspect to harvest those passcodes from his own app. Well, that depends, I suppose, on what degree of privacy app users were expecting, but as long as there’s no way of tying the passcodes to a specific person or device, it’s hard to see that any real harm was done. But apparently he paid for it: the app was withdrawn from the App Store and, as far as I know, was never reinstated. (He is still listed there as a developer, though, so presumably his other apps are considered OK.)
Still, it’s an interesting piece of research, in that it does give some indication of what passcodes people typically use (not only on iThings, of course). (The research is at least ten years old now: still, I’d be surprised if this list turned out to be completely invalid today.) And it’s as stereotyped as you’d expect, in that 15% of all those passcodes were in the top 10:
1234
0000
2580
1111
5555
5683
0852
2222
1212
1998
For the probable logic behind some of the less obvious numbers, see my Virus Bulletin article here; it’s a topic I’ll be going deeper into in the near future, as I wrote about it quite a lot at the time. (Most of the links in that article no longer work, I’m afraid, but such is the way of the Internet.)
What does this mean in practice, if Amitay is correct in his thinking about the correlation with the passcode lock? If you’re using one of those passcodes, it gives an unauthorized person ten chances to get control of your data before all data is wiped off the iPhone or iPod, so you might want to change it to something more imaginative. Or, better still, change the setting so that you can enter a longer, more complex code.
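The practical defence that follows from the list above is to refuse the obvious codes at enrolment. The following checker is an added example (not code from the article or from Amitay’s app): it rejects the ten codes listed above and the structural patterns behind them (repeated digits, constant-step runs, repeated blocks, straight-line walks on an assumed standard 3x4 telephone keypad, and four-digit years), and it measures how much of a passcode sample the ten most frequent codes cover, which is exactly the slice a ten-attempt wipe limit leaves exposed. The sample at the bottom is constructed for illustration.

```python
from collections import Counter
from datetime import date

# The ten most common passcodes from the Amitay data set, exactly as listed above.
TOP_10_PASSCODES = {"1234", "0000", "2580", "1111", "5555",
                    "5683", "0852", "2222", "1212", "1998"}
# Assumed standard 3x4 telephone keypad layout, used to spot straight-line walks.
KEYPAD_POS = {"1": (0, 0), "2": (0, 1), "3": (0, 2), "4": (1, 0), "5": (1, 1),
              "6": (1, 2), "7": (2, 0), "8": (2, 1), "9": (2, 2), "0": (3, 1)}

def _is_keypad_line(code):
    """True if every keypress moves the same direction on the keypad (2580, 0852)."""
    pos = [KEYPAD_POS[d] for d in code]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pos, pos[1:])}
    return len(steps) == 1 and (0, 0) not in steps

def _is_repeated_block(code):
    """True if the code is a short block repeated, e.g. 1212 or 123123."""
    return any(code == code[:n] * (len(code) // n)
               for n in range(2, len(code) // 2 + 1) if len(code) % n == 0)

def passcode_weaknesses(code):
    """Return the reasons a numeric passcode is weak; an empty list means it passed."""
    if len(code) < 4 or not set(code) <= set(KEYPAD_POS):
        return ["must be four or more digits"]
    reasons = []
    if code in TOP_10_PASSCODES:
        reasons.append("in published top-10 list")
    if len(set(code)) == 1:
        reasons.append("single repeated digit")
    elif len({int(b) - int(a) for a, b in zip(code, code[1:])}) == 1:
        reasons.append("constant-step digit run")  # 1234, 4321, 2468
    elif _is_repeated_block(code):
        reasons.append("repeated block")
    if _is_keypad_line(code):
        reasons.append("straight line on keypad")
    if len(code) == 4 and 1900 <= int(code) <= date.today().year:
        reasons.append("looks like a year")
    return reasons

def audit(codes):
    """Map each distinct weak code in a sample to its reasons."""
    return {c: r for c in set(codes) if (r := passcode_weaknesses(c))}

def share_in_top_n(codes, n=10):
    """Fraction of a sample covered by its n most frequent codes (n=10 matches the wipe limit)."""
    return sum(c for _, c in Counter(codes).most_common(n)) / len(codes)

# Constructed sample (not Amitay's data), deliberately skewed toward common codes.
SAMPLE = ["1234"] * 3 + ["0000"] * 2 + ["2580", "7391", "4071", "9036", "6148"]
```

Run `audit(SAMPLE)` to see which codes fail and why, and `share_in_top_n(SAMPLE, 10)` to see what fraction of the sample ten guesses would cover.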
The really interesting question, of course, as Graham Cluley kind of hinted in an article that’s no longer available, is whether it reflects the sequences people use in other contexts. Graham mentioned ATM PINs, but you might also wonder about other mobile devices, digital locks, padlocks, handheld authentication devices and so on. My guess is that some choices will change according to age group, type of keypad and so on, but that there’ll be significant correlation with the more obvious sequences.
I don’t know of any other research on common PIN/passcode sequences offhand, but there’s a moderately decent article offering advice on how to choose a PIN here. And I plan to come back to my own research shortly.
* That is, where the user is required to offer more than one means of identification. For instance, requiring the use of a hardware or software token in addition to a password.