
Congressman's phone password is 111111 - breadandcrumbel
https://gfycat.com/uncommonacclaimedboar
======
duxup
I tell this story a lot. But I think in the time of smartphones and such it
also represents the only real secure site I thought was truly secure from what
I knew of it. This was before smartphones were common, but I think it was
ahead of its time in that way.

I worked for a company that occasionally would service some of our hardware
onsite. One customer was a company that did a lot of work for the military and
they had "that site" that a few folks visited. Here was how that worked:

Nothing except your body and your clothes left the site, anything you brought
stayed onsite (laptops that we brought onsite were left behind / effectively
disposable, later you couldn't even bring those, they provided one). All that
stuff belonged to the military / whomever you interacted with at the site.

No electronics, cameras, etc that were not previously approved were allowed
and you were told you would not be leaving anytime soon if you had something
"unexpected or unauthorized".

It was highly suggested that nothing was in your rental car other than your
keys, the equipment you needed as they searched the car and the folks would
take what they wished.

If you realized you had something you didn't want in the car it was highly
suggested you do not turn around if you are at all close to the location and
to drive up and immediately tell them you dorked up and brought something.
This was a fairly remote location so they probably knew you were coming before
you saw the gate and the guards didn't like surprises.

Upon arrival you parked, were blindfolded and driven from the gate to the
site, you never actually saw the outside of the site until you were in the
building. You were never alone at any time. Trips to the bathroom while at the
site were monitored... in person by a guard with a rifle.

Now all that sounds ominous but everyone reported that the folks there were
very professional (not friendly but professional).

The point of that whole story was that even a while ago someone said "any
electronics" were a threat and decided that they had to go to extremes to
limit their access. Still today I think that was the closest to a "sure"
policy.

~~~
laurencei
If you knew the location of "the site" (because you drove to it) - what
benefit was the blindfold for the site?

~~~
nkrisc
The location of the site is pretty pointless and impossible to obscure
(everyone can find it in satellite imagery). However they can certainly
obscure more specific details about the site: what building houses what, where
access points are, physical security measures around those points, components
used in entries, etc.

------
ydnaclementine
I always thought that Android's 3x3 dot pattern draw password thing was
superior against this type of over-the-shoulder attack, as long as you turn
off the tracing effect. Without tracing and if you do it quickly, it just
looks like you're dragging your thumb randomly all over the phone.

~~~
hanniabu
Is there a reason why the numbers aren't scrambled? This way you at least
wouldn't be able to tell the password unless you saw the actual numbers.

~~~
gambiting
I can't imagine a more annoying feature. My bank already does this where I
cannot use the keyboard to type in digits, I have to use their own on-screen
keyboard that's scrambled between every digit(!!!) and I can't imagine
anything like that anywhere near my phone. Either pin-based protection is good
enough for you, or if you need more security then switch to full a-Z password.

~~~
moviuro
Bank's security relies on reports of the past decade/century, and also, that
kind of setup can't be okay for blind users... how the hell are they
supposed to interact with this monstrosity?...

------
breakerbox
If I were giving a security recommendation to famous people and congresspeople
I would recommend using a password like this. You might think it’s incredibly
insecure, but imagine this GIF contained that 6 digit number that the
congressman uses for all of his accounts. Suddenly, a ton of other services
and passwords are vulnerable to an attacker.

In reality a lot of iPhones now require authentication at the app level for
apps that have sensitive data.

To each his own, but knowing how public you are and how many people would want
your passcode, I think the best practice is to use something dumb like 6 of
the same keys.

~~~
stingraycharles
> In reality a lot of iPhones now require authentication at the app level for
> apps that have sensitive data.

I'm fairly certain that knowing my passcode would provide access to my email,
which can then be used to acquire access to plenty of critical services.

------
drtillberg
The problem isn't the password or the camera that captured it.

The problem is that the phone required a password in that scenario-- same
user, phone never left his vicinity, probably not a long interval between
uses. Being more selective about when to require a master password is a better
protection model IMHO.

~~~
ehsankia
Soli on the new Pixel 4 could easily allow that.

~~~
jedieaston
Or fingerprint readers, which most phones have had for years. It's possible
that the DoD standards for the phone he has requires that biometrics be
disabled.

------
diafygi
I wonder what AI tech is being developed around detecting pin code entry on
phones using passive CCTV networks.

If you process the feeds for public transit security cameras, I wouldn't be
surprised if you can read the pin codes for a huge swath of the population. It
would also reduce the need for law enforcement to try to get a suspect to tell
them their passcode. Just look up that time they rode the subway 3 weeks ago
and watch them enter it.

~~~
Maximus9000
I often notice this at gas pumps. There are always cameras at gas pumps. If
you pay at the pump, then you enter your pin. I shield mine very carefully,
but I watch other people and they just punch in their pin without shielding.
It's weird because people often shield their pin at a checkout counter because
the clerk is right there (sort of) watching. Maybe these people feel at gas
pumps, no one is watching... but the CCTV definitely is watching.

~~~
mdszy
And as someone who has worked as a cashier, it is BLATANTLY obvious when
someone's pin is 1111 or 1234. No matter how hard they try to shield it.

------
rvz
That is an iPhone X-like device, which only has Face ID or a PIN.

A PIN is more secure than a fingerprint and Face ID. But at least use a
combination of either one with a PIN to make it more secure.

Since the device was already on and it directly showed the PIN screen, Face ID
is disabled and instead he chooses to only use a very very weak PIN.

Oh dear.

~~~
thrower123
I'd be curious if Apple had anonymous telemetry that showed what people were
picking for their phone unlock PINs. Everyone I've ever seen set one does this
same type of thing, either all one number, or they draw a line through the
middle. The more advanced maybe use a date like their birthday that they can
actually remember.

It's just security theater.

~~~
bristleworm
No, PINs are not transmitted to Apple.

"What this process appears to show is that Apple never sees, handles, or
stores your device passcode or password in unencrypted form, and it never
passes the passcode or password over anything but secure transport. It
requires only your Apple ID account name and password, sent over HTTPS, as the
first stage of logging into iCloud, but not for the later stages."

Excerpt from: [https://tidbits.com/2019/09/26/why-apple-asks-for-your-passc...](https://tidbits.com/2019/09/26/why-apple-asks-for-your-passcode-or-password-with-a-new-login-and-why-its-safe/)

------
onychomys
So who is that? I'm not up on my random member of congress identification
skills.

~~~
therealrootuser
This. I just went through every picture in the latest available Congressional
Pictorial Directory, and I wasn't able to make a 100% sure identification, but
my best guess was Rep. Andy Barr (Kentucky).

------
jdlyga
Remind me to change the combination on my luggage

~~~
rbobby
Me too!!

------
wayneftw
I don't lock my phone at all. Never have. However, with the new iPhones that
don't have a home button, I believe that Apple is forcing you to either use
face unlock or a passcode. There is no choice to just leave it unlocked.

So, as soon as my iPhone 6s stops working, I will have to choose to: 1) Give
in and use my face to unlock. 2) Use a dumb passcode like 000000. 3) Upgrade
to the newest iPhone that still has a home button (I think iPhone 8) or 4)
Become an Android user.

~~~
abstractbeliefs
Why is it that you choose not to?

I think it would be helpful to understand your use case and how you balance
your personal tolerance for risk and consequences so we can better consider
users like yourself.

~~~
_jal
(Not the OP.)

I have an older phone that is basically a home remote for various things.
There is no reason for it to lock, it would be annoying.

~~~
Jill_the_Pill
Also not the OP, also have an older phone.

I am of an older tech generation who sees this type of security as
antithetical to anonymity.

------
boonez123
Looks like 777777 to me.

~~~
chooseaname
Exactly. This appears to be an iPhone, so it would be all 7s.

~~~
samanator
What does it being an iPhone have to do with the orientation of the number pad?

~~~
nacs
The number-pad unlock is higher/centered-vertically on the iPhone unlike
Androids which tend to have it on the lower half of the screen.

------
someonehere
I worked for a company that is well known today, many years ago when it was
smaller. When the IT team created new accounts for employees, it was the
standard Pa$$word password for everyone. It was up to the user to change their
password. They had no password rotating rules or requirements.

Anyway, many years later after I started, IT hires a person who wants to do
good while in IT. This person discovers the CEO is still using the day one
password he was given. The IT person decides to email the CTO, the director of
IT, and the head of HR warning them the CEO is still using his default
password.

I’m not clear what exactly the wording was, but the IT person skipping over
the chain of command was bad enough it got them fired.

~~~
shoo
> IT person skipping over the chain of command was bad enough it got them
> fired.

Isn't this roughly the opposite of what you want in an org? Otherwise there
can be the failure mode of only good news getting reported up, so the folks
running the company base their decisions on finely cultivated bullshit and are
completely isolated from reality.

~~~
someonehere
Management in IT was big on chain of command at that time. The director of
IT was insecure and wanted to filter bad news through himself before going
further up. Because this person went to the director's boss, it angered the
director.

------
vuln
Maybe the phone is attached to a MDM that requires a PIN.

~~~
angry_octet
There are lots of orgs with dumb MDM policies, but I doubt Congress is
enforcing that one. MDMs usually prevent simple passwords like that (though
not equally simple ones like 989898...).

~~~
vuln
It looks like they require a PIN but disallow repeating characters. Here's the
Security Technical Implementation Guide[0].

[0][https://www.stigviewer.com/stig/apple_ios_8_interim_security...](https://www.stigviewer.com/stig/apple_ios_8_interim_security_configuration_guide/2014-09-16/finding/V-54243)

~~~
angry_octet
That's DoD but Congress is different. Hard to find my on house.gov though.

DoD and ASD still don't like biometrics, in ASD's case because they want to see
how it works: [https://www.cyber.gov.au/publications/security-configuration...](https://www.cyber.gov.au/publications/security-configuration-guide-apple-ios-12-devices)

Biometrics like iris scanners and palm prints are used everywhere for high
security govt installations, but I guess they have been tested by spooks.
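
The policy point raised in the two comments above (an MDM profile rejecting 111111 while letting 989898 through) as an added example of what a static PIN check at enrolment can and cannot catch. This is my own illustration, not the STIG's rule set or any MDM vendor's code; the keypad coordinates, the rule names and the minimum length are constructed for the example.

```python
"""Static PIN-policy checks of the kind an MDM profile applies at enrolment.

Catches the classes of weak PIN discussed in the thread: all one digit
(111111, 000000, 777777), short repeating patterns (989898, 123123),
ascending/descending runs (123456, 7890) and straight lines drawn on the
keypad (2580, 147). A check like this says nothing about PINs captured
on video; it only rejects the patterns a shoulder-surfer can guess blind.
"""
from __future__ import annotations

# Phone keypad as (row, column); the 0 sits below the 8. Constructed layout.
KEYPAD = {
    "1": (0, 0), "2": (0, 1), "3": (0, 2),
    "4": (1, 0), "5": (1, 1), "6": (1, 2),
    "7": (2, 0), "8": (2, 1), "9": (2, 2),
    "0": (3, 1),
}
MIN_LENGTH = 6  # assumed policy value; iOS defaults to six digits


def _smallest_period(s: str) -> int:
    """Length of the shortest block that tiles s exactly (len(s) if none)."""
    for p in range(1, len(s)):
        if len(s) % p == 0 and all(s[i] == s[i + p] for i in range(len(s) - p)):
            return p
    return len(s)


def _is_run(pin: str) -> bool:
    """Every step is +1 or every step is -1 (mod 10, so 7890 counts)."""
    if len(pin) < 3:
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {9}


def _is_keypad_line(pin: str) -> bool:
    """Every step moves the same non-zero direction on the keypad grid."""
    if len(pin) < 3:
        return False
    pts = [KEYPAD[d] for d in pin]
    deltas = {(r2 - r1, c2 - c1) for (r1, c1), (r2, c2) in zip(pts, pts[1:])}
    return len(deltas) == 1 and deltas != {(0, 0)}


def pin_weaknesses(pin: str) -> list[str]:
    """Return the list of policy rules the PIN violates (empty if none)."""
    if not pin.isdigit():
        return ["non_numeric"]
    issues: list[str] = []
    if len(pin) < MIN_LENGTH:
        issues.append("too_short")
    if len(set(pin)) == 1:
        issues.append("all_same_digit")
    elif _smallest_period(pin) <= len(pin) // 2:
        # the "repeating characters" rule alone misses this class
        issues.append("repeating_pattern")
    if _is_run(pin):
        issues.append("sequential_run")
    if _is_keypad_line(pin):
        issues.append("keypad_line")
    return issues


def is_acceptable(pin: str) -> bool:
    return not pin_weaknesses(pin)


if __name__ == "__main__":
    for candidate in ["111111", "989898", "123456", "2580", "371904"]:
        print(candidate, pin_weaknesses(candidate) or "ok")
```

The `repeating_pattern` rule is the one a "no repeated characters" policy lacks: 989898 has no two equal adjacent digits, so it passes that rule, yet it is only as strong as a two-digit PIN. None of these checks help once the entry itself is observed, which is the failure mode in the GIF.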

------
dorfsmay
The one thing I miss from CyanogenMod: keyboard key orders scrambled for each
use.

I wish LineageOS and stock Android added that feature.

------
manigandham
Isn’t the real problem here that this was caught on video? Otherwise it’s just
as secure as any other code.

~~~
philshem
If you obtained this phone without seeing the video, a singular oil smudge on
the number 1 surely gives it away.

~~~
manigandham
It's a touchscreen phone, not a keypad. Everything would be smudged.

------
ceejayoz
Aaaaaaand that's why these things aren't allowed in the SCIFs.

~~~
pjc50
Bringing the phones into the "secure" CIF was just the icing on the cake of a
straightforward attempt to disrupt the inquiry. It's a bit of direct action,
almost like a sit-in. Presumably it's a crime, but not the sort that anyone is
likely to be charged with if they have power.

~~~
derision
Nothing classified was being discussed in the SCIF during that hearing
according to a statement by one of the congressmen.

~~~
ceejayoz
That probably doesn't really matter.

I'd get in trouble breaking into the Oval Office even if they put all the
secret papers away.

------
rezmeplease
this really illustrates how we live in a society

------
securingsincity
I'm not an iPhone user but I thought that Apple warned you about this kind of
password. It was covered quite a bit when Kanye was caught with a 000000
password when meeting with Trump.

[https://www.cnet.com/news/kanye-west-meets-with-trump-reveal...](https://www.cnet.com/news/kanye-west-meets-with-trump-reveals-iphone-passcode-is-000000/)

~~~
ceejayoz
I don't think _any_ PIN is gonna survive the "we've got video of you entering
it" attack.

------
slg
And yesterday over a dozen members of Congress barged into one of the
Congressional versions of this site without authorization and while recording
video, audio, and taking photos on their personal smartphones.

Here is a Twitter thread about why that is such a problem:

[https://twitter.com/MiekeEoyang/status/1187032800572125191](https://twitter.com/MiekeEoyang/status/1187032800572125191)

~~~
dang
Please don't take HN threads into political flamewar.

We detached this subthread from
[https://news.ycombinator.com/item?id=21344785](https://news.ycombinator.com/item?id=21344785)
and marked it off-topic.

~~~
slg
Just trying to be a better HN citizen, so is there something specific I did
wrong here that crossed a line or is it just a "know it when I see it"
situation? I didn't reference anything partisan and was simply relating a
recent political event to both the general topic of poor congressional
cybersecurity and the specific topic that duxup was talking about regarding
securing a site from electronic devices. It was the response to my comment
that was sparking a partisan flamewar.

~~~
dang
I hear you and appreciate your wish to be a good community member!

Here's how we look at this. The value of an HN comment is the expected value
of its future subthread, i.e. itself plus the sum of the probability
distribution of the responses it may receive.

In this case the EV of your post was negative: first because it brought in a
partisan stunt that was still hot from the news of the moment; second by
framing it one-sidedly ("barged into...without authorization...such a
problem"); third by linking to a political source that one side is
overwhelmingly likely to agree with and the other side to be unimpressed or
offended by.

You're right that the flamewar was more in the responses to your comment than
in your comment itself, but that's true of most flamewars. Flames get hotter
as they spread. From a fire prevention (i.e. moderation) point of view, the
issue isn't where the fire burned hottest but where it started.

By the way, there are some deeper, interesting issues with this 'expected
value' model of internet comments. It implies that commenters are in some
sense responsible for the behavior of others and not just what they
themselves post. That's weird. And it implies something about needing to
predict the future—also weird. Yet it is the model that works by far the best
in practice. I feel like this points us all in the direction of learning new
things.

~~~
slg
Thanks, I appreciate the thorough explanation. I agree that the "expected
value" idea is an interesting one and I see how when viewed through that prism
that the language I used and that linked source used can be seen as biased and
more likely to incite a more partisan response.

Although I am still not sure I agree with the general guideline of not
bringing up something like that incident as I believe it was on topic to both
the post and the comment I replied to. My comment might have been the one to
inspire a flamewar type response, but it wasn't the only comment that
mentioned that incident in general. That said, I will try to be more mindful
of that in the future.

------
rerpha
and they say millennials are on their phones too much!

------
dbg31415
These are the people who are grilling Zuck?

Our communications, privacy, and security, are in good hands! Ugh.

~~~
ceejayoz
Zuck didn't exactly give off an aura of competence at said hearings.

~~~
ChicagoBoy11
and it won't matter at all!

------
_pmf_
Still safer than using an off-brand or Samsung fingerprint sensor.

~~~
agumonkey
are they so easy to pwn ?

~~~
html5web
Check this [https://www.cnn.com/2019/10/18/tech/samsung-fingerprint-read...](https://www.cnn.com/2019/10/18/tech/samsung-fingerprint-reader-trnd/index.html)

------
roenxi
111111 is perfectly acceptable for a phone password. His password was just
broadcast to the entire world; at least using 111111 means that he doesn't
have any illusions about how secure it is.

Phone passwords are for protecting things from your family.

~~~
authoritarian
>Phone passwords are for protecting things from your family.

That's a bit of a sad, unusual sentiment

~~~
roenxi
Well I can extend that to friends as well if you like. Who do you think your
password is protecting you from? Are you frequently at odds with law
enforcement?

Most people aren't; it isn't a feature to protect people from governments (I
wish we had more features that did). Encryption is a good thing in a general
sense but for most users they are more likely to lock themselves out of their
own data than protect themselves from anything outside their close friends and
family.

------
tomatotomato37
Yup, not sure why we expect good security practices out of a group whose
average age is 60

~~~
EvanAnderson
In my 20+ years in IT I haven't found much correlation between age and
security practices, personally.

~~~
moviuro
Can confirm: nobody cares about good OPSEC, be they at the bottom of the
ladder, or in a bank's top management.

