

iPhone 4-digit passcodes more secure when containing only 3 unique digits - tobtoh
http://mindyourdecisions.com/blog/2011/01/27/game-theory-and-probability-of-iphone-passwords/

======
thought_alarm
Pro tip: Turn off the "Simple Password" option, then enter a new password that
consists of only numbers. The password prompt will then still be the nice
10-digit keypad rather than the full keyboard, but the passcode can be any
length.

~~~
Empedocles99
The phone leaks password data? It tells an attacker that the password contains
only numerics?

~~~
foobarbazetc
[http://mindyourdecisions.com/blog/wp-content/uploads/2011/01...](http://mindyourdecisions.com/blog/wp-content/uploads/2011/01/iphone_passcode.jpg)

So yes, it "leaks password data". ;)

------
eridius
I'm not sure why this is an issue at all. The same surface you use to enter
your password you also use to interact with the device. So unless your
interaction consists solely of unlocking the phone, then putting it away
again, the screen is going to be absolutely covered with fingerprints and
smudges and smears and there won't be any way to tell which ones are from the
password and which are from actual usage.

I just took a look at my own iPhone, and it bears this out. On the bottom half
of the screen, there are a series of fingerprints and a giant smudge. If you
were to try and guess my password from the clear prints, you'd end up pressing
the wrong digits entirely.

------
corin_
HN title is not the original title, and it is incorrect. This is not "3-digit
passwords", rather "4-digit passwords containing only three unique digits".

 _Assuming it will get changed at some point making me look foolish, HN title
at time of posting is "3-digit iPhone password is more secure than 4-digits".
Original title from the source is "Game theory and probability of iPhone
passwords"._

~~~
hardy263
It's not incorrect. At the bottom of the blog post, they explore different
ways to "trick" people trying to look at the fingerprints

 _If that weren’t enough, my friend actually brainstormed a couple of other
ways to improve the password.

like using three digits but tapping a phantom fourth number once the code is
entered…. so there are four “tap prints” but only three which are relevant!_

~~~
corin_
But that's still using three _unique_ digits. 1123 uses only three digits, but
that doesn't make it a three-digit number, it's still a four-digit number.

~~~
tobtoh
You're right Corin - the title is a little misleading with hindsight. However,
I was trying to reflect the angle that made the page interesting (ie that it's
counter-intuitive that using less unique digits is more secure) whilst still
trying to fit it within character limits.

~~~
corin_
If you are still able to edit the title (can't remember when HN stops letting
you do that), a more suitable one might be something along the lines of
"iPhone 4-digit passcodes more secure when containing only 3 unique digits".

~~~
tobtoh
Done - thanks for the suggestion Corin!

------
strictfp
Back in the nineties, while visiting a research facility on an air force base,
I saw a solution to the fingerprint problem. The electronic keypad simply
randomized the positions of the digits before each login attempt. Not very
convenient considering that you can't use your muscle memory, but pretty much
hack-resistant.

~~~
minikomi
Depending on the company, ATMs in Japan do this too (not sure about other
countries!)

------
corin_
Of course, if the fingerprints are really such an easy way to see which four
digits are commonly pressed, perhaps the best option would be to use only
three unique digits, and then pick another digit that you always tap just
after unlocking the phone. Obviously the digits disappear, but say your code
was 1123, just hit where the 6 was (just below the 3) as soon as it's
unlocked. Then to anyone trying to guess from fingerprints, they would be
trying to guess combinations of 1, 2, 3 and 6.

If they were to then guess that only 3 of the 4 digits were used, with one
being repeated, the possibilities are vastly increased by not knowing which
digit is repeated OR which digit is not actually used. Off the top of my head
I think it would be 36x4 (36 being the number of combinations using 3 unique
digits, multiplied by four for each digit that could be un-used), meaning 144.

If you were to do the same trick, so after entering your 4-digit code
containing 3 unique digits, you then hit two different fake digits (same two
every time you unlock)... you would have 36x9 combinations, totalling 324.

To take this to its (il)logical conclusion, you could fake-press all the
digits that you're not using, but at that point you're clearly going too far
and should consider just wiping off fingerprints instead.

Then again, is there really a real life use for any of this logic at all? I
think not. 36 combinations rather than 24? Hell, even 324 instead of 24. Is it
interesting to calculate, sure. Is it worth caring about when actually
creating your passcode, not really, ultimately it will cause a minor annoyance
to anyone who wants to guess the code, as they will take a little longer to
get there.

That said, it's only not worth caring about in terms of the number of
combinations. If you use only 3 unique digits, yet always tap the same fourth
decoy-digit, while the combinations may only go from 24 to 144, there is a
chance that the thief/whoever would fail to guess the plan, and therefore not
think to try more than the 24 combinations.

~~~
bdhe
This discussion reminds me an awful lot about side-channel attacks against
cryptosystems and the steps taken to make crypto implementations secure
against leaking information. In particular, one of the simplest defenses is to
make sure that the code path executed is independent of input which is like
fake-pressing all the digits every time you enter your PIN.

------
kefs
WhisperCore [1], developed by Moxie Marlinspike [2], solves this problem for
Android users...

[1] <http://www.whispersys.com/screenlock.html>

[2] <http://news.ycombinator.com/item?id=2609037>

~~~
roblund
This is an interesting product. It seems to only be officially supported on
the Nexus One and Nexus S (and Android 2.3) at the moment, but it sounds like
more devices are in the works.

Their WhisperCore product has two alternative screenlocks that basically use
additional (thumb) smudges to remove evidence.

Sounds like WhisperCore also uses AES-256 for device encryption. Which is
killer. I can't wait to see how this product develops over the next couple
months.

------
itcmcgrath
Is it just me, or is it almost equally possible that you would see the
'double' tap print on the digit that is repeated anyway?

This would then reduce the possibilities to 12 instead of 24 resulting in a
less secure code.

I think the other solution presented in the comments of the post offers a far
superior result: Randomize the position of the digits displayed each time.
This way you cannot relate a tap print to either a digit or a relationship to
another.

If you really want it even more secure (unable to tell if the user has used a
digit more than once), randomize the positions after each entry.

Of course, these solutions have a downside in that you will enter the code
slightly slower and thus slightly increase the risk of 'over the shoulder'
attack vectors.

------
carterac
An intuitive way of calculating the permutations w/o the multinomial
coefficient:

For a 3 digit passcode, there must be 1 pair of repeated digits somewhere in
the 4 number sequence e.g. 1_1_, 11__, _11_ etc.. so 2 x 3 = 6 different
pairs. This pair of repeated digits is any one of the 3 unique numbers e.g.
11__ or 22__ or 33__. For any pair of repeated digits, there are just 2
options left for how the other 2 digits must be arranged in the sequence of 4
e.g. xx12 or xx21. So 6 x 3 x 2 = 36.

For a 2 digit passcode, there are 2^4 = 16 permutations, except since there
must be at least 1 of each digit present, you have to subtract the 2
permutations with 4 repeated digits e.g. 0000 or 1111. So 16 - 2 = 14.
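
The counts quoted in this thread (24, 36 and 14 for four, three and two unique digits, 144 with one decoy digit, and 12 when the repeated digit is identifiable) can be checked by brute-force enumeration of every PIN consistent with a set of smudged keys. This is an added example, not part of any commenter's post; the function names and sample smudge sets are constructed for illustration.

```python
from itertools import combinations, product
from math import comb


def candidates(smudged, length=4, decoys=0, repeated=None):
    """Enumerate every PIN of `length` digits consistent with the smudges.

    smudged  - digits showing a print (real digits plus any decoys)
    decoys   - how many smudged digits are assumed not to be in the PIN
    repeated - optional digit known to occur at least twice (double print)
    """
    smudged = sorted(set(smudged))
    real_count = len(smudged) - decoys
    found = set()
    # Every way of deciding which smudged digits are real...
    for real in combinations(smudged, real_count):
        # ...then every sequence that uses each real digit at least once.
        for seq in product(real, repeat=length):
            if set(seq) != set(real):
                continue
            if repeated is not None and seq.count(repeated) < 2:
                continue
            found.add("".join(seq))
    return sorted(found)


def surjections(length, k):
    """Closed form (inclusion-exclusion) for sequences using all k digits."""
    return sum((-1) ** i * comb(k, i) * (k - i) ** length for i in range(k + 1))


if __name__ == "__main__":
    # Constructed smudge sets; "1123" is the sample code used in the thread.
    cases = [
        ("4 unique digits", dict(smudged="1234")),
        ("3 unique digits", dict(smudged="123")),
        ("2 unique digits", dict(smudged="12")),
        ("3 unique + 1 decoy", dict(smudged="1236", decoys=1)),
        ("3 unique, repeat known", dict(smudged="123", repeated="1")),
    ]
    for label, kwargs in cases:
        print(f"{label:24s} {len(candidates(**kwargs)):4d} candidates")
```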

------
digitailor
Even worse than the iPhone prints are the smears left from the gesture locks
on Android. You can see the whole thing quite clearly. I've been able to
unlock several people's phones just by tracing the smear left on their screen.
There's no ordering problem either.

~~~
minikomi
The gesture system, for me at least, is also far easier to pick up visually by
glancing .. it's much easier to obscure which numbers you are tapping.

~~~
ahpeeyem
I found it easier to pick up visually as well, and thus more difficult to hide
from anyone who may be trying to see it.

On the other hand it's really hard to describe your gesture to someone if
you're lending them your phone, unlike a PIN which is easy to relay verbally;
you really need to demonstrate the gesture.

~~~
andrewaylett
I map the points to numbers and give them that -- it winds up being exactly
the same as telling people a PIN.

------
tedunangst
The math is cool, but if you really care about the security of your passcode,
get an anti-glare cover for 99c. No fingerprints, much more secure.

------
benjoffe
I mentioned this on HN in far fewer words a few weeks back:
<http://news.ycombinator.com/item?id=2610235>

I was thinking about making a blog post about it but couldn't see much more
information to add, it seems this blogger couldn't either ;p

------
PaulHoule
This reminds me of a crank who wrote a letter to the Manchester Union Leader
who thought the NH lottery was fixed because about half the numbers that 'hit'
(out of 4 digits) had a repeated digit.

Unfortunately, a few facts about combinatorics rarely calm those kind of
people down.

------
choko
I wipe my phone across my shirt or pants after unlocking it so the
fingerprints don't stick around. The cleaning has become just as much a part
of muscle memory as entering the PIN, so it's not something I'm likely to
forget.

~~~
delinka
I do this, too. I have naturally oily skin but I can't tolerate messy, oily
markings on the smooth glass screen.

------
DannoHung
Why doesn't the keypad rearrange itself every time?

~~~
roblund
This is a pretty good idea. I can see it being irritating at first, but I bet
if it was paired with a swipe motion like that on Android it would actually
work pretty well.

------
nostromo
It'd be simple to fix this with a randomized keypad layout option.

