The Latest in IT Security

Earlier this week I read an extremely interesting and impressing blog item by Daniel Amitay: Most Common iPhone Passcodes.

Amitay has analyzed more than 200 000 passcodes used in an app with a similar passcode setup screen to iPhone. His findings are astonishing and scary.

Let me go through some of his findings. Keep in mind that there are 10 000 different passcodes that users have to choose from when they select their four digits code.

The 10 most commonly used codes are

1. 1234
2. 0000
3. 2580
4. 1111
5. 5555
6. 5683
7. 0852
8. 2222
9. 1212
10. 1998

If you look at a numeric keypad, all of these seem like "logical" codes to choose if one was interested in a code that was easy to remember and type. The only exception is No 5 (5683) until you spot that this equals the numerical representation of the word LOVE.

The surprising issue is the frequency that these codes were used. Amitay’s study shows that these 10 codes represent an astonishing 15% of all codes used. Statistically they should have been one tenth of a percent! This means that if you try these ten codes to unlock a mobile phone, you will succeed in approximately one in seven times.

I went a step further and checked the top 5 codes. In a perfectly random world, these should represent 0.05%. In the study, however, they represent more than 10%. I.e. by testing these top five passcodes on a locked phone, you will succeed one in ten times.

Amitay also looked at other types of code distribution. His findings indicate that people tend to use passcodes that represent important events in a person’s life, like year of birth. Any code starting with the numbers 193* – 201* has a much higher probability for being used than what should be expected providing a statistically random code representation.

One may persume that the average person is less careful in selecting a passcode for his/her telephone than for the card used for money withdrawals from bank automats (ATMs). However, it seems naïve to presuppose that at least similar code selection mechanism applies.

The caveat of this is: Don’t use passcodes that are too obvious to protect any of your systems. A person with bad intent may be able to access your valuables only be performing some educated, qualified guessing. Taking a few minutes memorizing a "random" code may be a good investment in time.