by priz3 4107 days ago
Article mentions brute forcing would take ~111 hrs. That looks like it's (10^4 * 40) / (60*60) which would be the maximum time needed to brute force.

Note for those not good at dividing hours by 24 in your head: 111 hrs is 4.65 days

23.335% of pin codes can be guessed in under 10 attempts.

Source: http://www.datagenetics.com/blog/september32012/

From the article:

> Utterly staggering at the lack of imagination ... nearly 11% of the 3.4 million passwords are 1234 !!!

Not so staggering. Those people probably did not want a PIN to begin with. I know someone with the PIN 1234. Why does she have a PIN at all? Because the phone requires it to store Exchange credentials (if I remember correctly). I've suggested changing it to 1111 because it's even faster to type, but she never got around to it.

I too have a pattern lock, the simplest one I could come up with. Easily broken. Why? It's required to store VPN credentials in Android.

And there is a second advantage: by trying a PIN, even a default one, you are gaining unauthorized access to an automated system. This is illegal by Dutch law, even if the only security was a warning message on the lock screen saying "Do not unlock."

For a while I had my iPhone set to 0000 just so I wouldn't have to enter my strong 16 character Apple ID password every time I entered "find my friends".

Now that I have TouchID I can use a strong password for unlock since I don't have to enter it every 30 seconds.

I believe it's up to the Exchange admin to require a PIN or remote wipe capability, so it will vary from site to site.

One workaround is to use IMAP, if available (also up to the admin), but you lose the calendar capability, which is arguably the killer feature of Exchange.

Another workaround is to increase the time your phone will require a password after inactivity to something large, like 30 minutes or an hour. You still have to enter a PIN once in a while, but it's more convenient and will still be effective in some cases when lost or stolen.

Based on that list, 18.61% of pin codes can be guessed before the 3 attempt lockout, no fancy power tricks required.

Yeah, a lot of people are hung up on the "takes 4 days to brute force" part.

I'd be willing to guess that most phones have a passcode that's like "1234", or between the numbers 1900 and 2100. 300 tries can easily get a vast majority of 4 digit passcodes, let alone 4 days' worth of tries.

You don't have to guess, the post you're replying to showed 11% of users had 1234 as their PIN, and has a detailed analysis of common patterns, such as birth years and PIN pad patterns (2580). You should read it, it's interesting.

That's right, so realistically the average case is somewhere around 55 hours.

I wonder how much that is reduced by starting off with more likely combinations, e.g. "1111", "1234", "9999".

> I wonder how much that is reduced by starting off with more likely combinations, e.g. "1111", "1234", "9999".

Doing a graphical integration on

http://www.datagenetics.com/blog/september32012/c.png

(source: http://www.datagenetics.com/blog/september32012/)

I get ~28 hours.
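
The arithmetic in this sub-thread (111 h for a full sweep at 40 s per attempt, ~55 h average when every PIN is equally likely and tried in order, and a lower expected time when the popular PINs are tried first) can be written out as a small script. This is an added example, not code from the original thread or from the DataGenetics post. The PIN frequency table it builds is constructed to mimic the shape the thread describes (a very popular 1234, birth-year PINs, keypad patterns, a flat tail) and is not the real dataset; the 40 s per guess is the per-attempt delay the thread assumes. The expected-guesses formula is general: it works for any guess order against any distribution, not just the uniform case worked above.

```python
"""Expected cost of brute-forcing a 4-digit PIN under different guess orders.

Added example. The frequency table is CONSTRUCTED to resemble the shape the
thread describes (one very popular PIN, birth years, keypad patterns, a flat
tail); it is not the DataGenetics data. 40 s per attempt is the thread's
assumption for the delay between guesses.
"""

PIN_SPACE = [f"{i:04d}" for i in range(10_000)]
SECONDS_PER_GUESS = 40  # assumed delay per attempt (from the thread)


def constructed_pin_distribution():
    """Return {pin: probability} for a synthetic population of users.

    Weights are arbitrary: every PIN gets a baseline of 1, birth-year-like
    PINs get a bump, and a handful of well-known favourites get large bumps.
    The numbers were chosen so that "1234" lands near 11% of users.
    """
    weights = {pin: 1.0 for pin in PIN_SPACE}          # flat tail
    for year in range(1900, 2015):                     # birth-year PINs
        weights[f"{year}"] += 15
    favourites = {"1234": 1800, "1111": 800, "0000": 400, "1212": 200,
                  "7777": 150, "1004": 120, "2000": 100, "4444": 100,
                  "2222": 100, "6969": 80, "9999": 80, "2580": 60}
    for pin, bump in favourites.items():
        weights[pin] += bump
    total = sum(weights.values())
    return {pin: w / total for pin, w in weights.items()}


def sequential_order():
    """Naive brute force: 0000, 0001, ..., 9999."""
    return list(PIN_SPACE)


def popularity_order(dist):
    """Smarter attacker: try the most common PINs first."""
    return sorted(PIN_SPACE, key=lambda pin: -dist[pin])


def expected_guesses(dist, order):
    """E[attempts] = sum over rank k of k * P(victim's PIN is the k-th guess)."""
    return sum(rank * dist[pin] for rank, pin in enumerate(order, start=1))


def expected_hours(dist, order, seconds_per_guess=SECONDS_PER_GUESS):
    """Average wall-clock time to hit the right PIN at a fixed delay per guess."""
    return expected_guesses(dist, order) * seconds_per_guess / 3600


def cumulative_success(dist, order, attempts):
    """Fraction of users cracked within the first `attempts` guesses.

    With attempts=3 this is the share of users who fall before a
    3-attempt lockout; with attempts=10 the share before a 10-attempt wipe.
    """
    return sum(dist[pin] for pin in order[:attempts])


UNIFORM = {pin: 1 / len(PIN_SPACE) for pin in PIN_SPACE}  # every PIN equally likely
DIST = constructed_pin_distribution()                      # constructed, skewed


if __name__ == "__main__":
    worst_case_hours = len(PIN_SPACE) * SECONDS_PER_GUESS / 3600
    print(f"worst case, full sweep:            {worst_case_hours:6.1f} h")
    print(f"uniform PINs, sequential order:    {expected_hours(UNIFORM, sequential_order()):6.1f} h")
    print(f"skewed PINs, sequential order:     {expected_hours(DIST, sequential_order()):6.1f} h")
    print(f"skewed PINs, popular-first order:  {expected_hours(DIST, popularity_order(DIST)):6.1f} h")
    for n in (1, 3, 10):
        share = cumulative_success(DIST, popularity_order(DIST), n)
        print(f"cracked within {n:2d} popular-first guesses: {share:5.1%}")
```

Running it prints the 111 h worst case and the 55.6 h uniform average from the thread, plus a smaller figure for the popular-first order; the ~28 h estimate above comes from the real distribution, which this synthetic table only approximates. The popular-first order is always at least as good as any other for this metric (sorting probabilities in descending rank order minimises the sum), which is why a 3- or 10-attempt lockout matters far more than the per-guess delay: the first few guesses carry most of the mass.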

And that's the benefit of something like TouchID. Since you rarely have to enter your full password (after restart or too many TouchID failures) it's much easier to use a longer or more complex password than 4 digits. Even a simple dictionary attack would take a very long time at one attempt every 40s.

"rarely"?

Well, I'll say I don't have to punch in my 4 digit PIN much, perhaps that's what you meant. But the 'full password' - the Apple ID password - I have to put that in all the time. The TouchID verification for Apple Store downloads seems to only hold for an hour or so, then I gotta punch in the full painful password again... :(

That happens if you turn off your device. There might be a setting or option you might need to enable. After I've restarted, I enter the password once in the store, and after that, touch ID works.

I believe the mechanisms are something like:

1) ask for password on phone reset

2) ask for password if it hasn't been used for an authentication for ~72 hours

something about people forgetting their passwords if they never got asked for them at all

72 hours is crazy - do they expect people to be buying stuff all the time?

What's crappy about it is that they force a moderately complex password strength which is much harder to input on a touch screen keyboard. I'm constantly having to enter that - the 'touch id' for using the Apple Store, to me, is effectively useless. For unlocking the device, it's fine.

In the US you can be compelled by law enforcement to provide your fingerprint. Not so with passwords and passcodes.

And that's based on phones that don't take 3 minutes to boot up... Oh hi old phone :)