Apple’s much-touted new feature in iOS 8 is that lawful law enforcement requests can no longer get a phone unlocked without the passcode.
In previous versions of iOS, law enforcement officials could obtain a phone and send it to Apple to get it unlocked. Because of a change in how phones are encrypted, Apple can no longer do this.
But there is another way for law enforcement and attackers to still get in: guessing the passcode. Contrary to popular belief, most passcodes are easily guessable for law enforcement or an attacker, as people generally only use a small subset of criteria for their passcodes.
Do you fit in any of these categories?
- Your date of birth: A date of birth is the perfect length and easy to remember.
- Your year of birth: If you are using a 4-digit simplified passcode, it is a popular choice to use your year of birth as the passcode.
- A numeric pattern: This is a popular choice and one I’ve used before, creating a passcode based on the numeric keypad square. Examples include: 0000, 1111, 1234, 1379, 2468, 1357. It depends on the individual, but numbers in patterns make a lot of logical sense for some people. I used a similar pattern in the old Nokia days.
- Anniversary date: Another popular choice is to use the date of a significant anniversary like a wedding anniversary.
- A child’s birthday: A popular choice amongst parents is to use the date of birth or year of birth of their first child (or favourite child, ha).
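
The categories above can be turned into a self-check for a passcode you are considering. This is an added example, not part of the original post; the function names, the date formats tried and the sample dates are assumptions made for illustration.

```python
from datetime import date

# Keypad-shape examples named in the list above (corners, evens, odds).
KEYPAD_SHAPES = {"1379", "2468", "1357"}

# Constructed sample dates, not real people.
SAMPLE_DATES = {
    "date of birth": date(1985, 3, 14),
    "anniversary": date(2010, 6, 19),
}


def date_forms(d):
    """4- and 6-digit strings a person might derive from one date (assumed formats)."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, mm + yy,
            dd + mm + yy, mm + dd + yy, yy + mm + dd}


def is_run(code):
    """True for ascending or descending runs such as 1234 or 9876 (0 follows 9)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(code, code[1:])}
    return steps in ({1}, {9})


def weak_reasons(code, personal_dates):
    """Return the guessable categories a numeric passcode falls into.

    personal_dates maps a label (e.g. "date of birth") to a datetime.date.
    An empty list means none of the categories above matched.
    """
    if not code.isdigit():
        raise ValueError("numeric passcodes only")
    reasons = []
    if len(set(code)) == 1:
        reasons.append("repeated digit")
    elif is_run(code):
        reasons.append("sequential run")
    if code in KEYPAD_SHAPES:
        reasons.append("keypad shape")
    for label, d in personal_dates.items():
        if code in date_forms(d):
            reasons.append(label)
    return reasons
```

An empty result only means the passcode avoids these specific categories, not that it is strong.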
Before You Go Guessing
Remember that iPhones (and Android devices) can be set to wipe the phone after X failed attempts. Don’t go wiping your own phone or a friend’s phone, unless you have permission. Also keep in mind phones have a limit on the number of attempts you can make before the phone disables itself.
Putting the theory to the test…
With some basic information in hand, grab the phones of 5 of your friends and family whose passcodes you definitely do not know. Do not allow them to change it beforehand, otherwise they’ll deliberately change it to be something out-of-character.
Give yourself 3 attempts to guess the passcode. How many of those five could you have successfully guessed? I tried the same and the results were surprising: I was able to guess 3 out of the 5 users’ phone passcodes in 3 attempts or less.
While it would depend on the individual, the average user doesn’t actually think of the security implications that much when it comes to a phone passcode. Details such as a date or year of birth are really easy to obtain.
This is not to say that out of 5 of your friends and family you will guess three; it’s possible you might guess none or guess all 5. There is no constant here. It is all highly variable, but very interesting nonetheless.