iPhone 4-digit passcodes more secure when containing only 3 unique digits (mindyourdecisions.com)
81 points by tobtoh 1953 days ago | 37 comments

Pro tip: Turn off the "Simple Password" option, then enter a new password that consists of only numbers. The password prompt will then still be the nice 10-digit keypad rather than the full keyboard, but the passcode can be any length.

The phone leaks password data? It tells an attacker that the password contains only numerics?

Yes. If you have digits only, you get a freetext field, but with the digits only keypad.

Even more fun: if you give a four-digit passcode for the non-simple passcode, it turns on the 'simple passcode' option again, which means that you can't have a four-digit passcode without telling the length of the code.

Yes but unlike simple password, it doesn't give away the length, and your numeric password can be as long as you'd like.

I'm not sure why this is an issue at all. The same surface you use to enter your password you also use to interact with the device. So unless your interaction consists solely of unlocking the phone, then putting it away again, the screen is going to be absolutely covered with fingerprints and smudges and smears and there won't be any way to tell which ones are from the password and which are from actual usage.

I just took a look at my own iPhone, and it bears this out. On the bottom half of the screen, there are a series of fingerprints and a giant smudge. If you were to try and guess my password from the clear prints, you'd end up pressing the wrong digits entirely.

HN title is not the original title, and it is incorrect. This is not "3-digit passwords", rather "4-digit passwords containing only three unique digits".

Assuming it will get changed at some point making me look foolish, HN title at time of posting is "3-digit iPhone password is more secure than 4-digits". Original title from the source is "Game theory and probability of iPhone passwords".

It's not incorrect. At the bottom of the blog post, they explore different ways to "trick" people trying to look at the fingerprints:

If that weren’t enough, my friend actually brainstormed a couple of other ways to improve the password.

like using three digits but tapping a phantom fourth number once the code is entered…. so there are four “tap prints” but only three which are relevant!

But that's still using three unique digits. 1123 uses only three digits, but that doesn't make it a three-digit number, it's still a four-digit number.

You're right Corin - the title is a little misleading with hindsight. However, I was trying to reflect the angle that made the page interesting (i.e. that it's counter-intuitive that using fewer unique digits is more secure) whilst still trying to fit it within character limits.

If you are still able to edit the title (can't remember when HN stops letting you do that), a more suitable one might be something along the lines of "iPhone 4-digit passcodes more secure when containing only 3 unique digits".

Done - thanks for the suggestion Corin!

Back in the nineties, while visiting a research facility on an air force base, I saw a solution to the fingerprint problem. The electronic keypad simply randomized the positions of the digits before each login attempt. Not very convenient considering that you can't use your muscle memory, but pretty much hack-resistant.

Depending on the company, ATMs in Japan do this too (not sure about other countries!)

Of course, if the fingerprints are really such an easy way to see which four digits are commonly pressed, perhaps the best option would be to use only three unique digits, and then pick another digit that you always tap just after unlocking the phone. Obviously the digits disappear, but say your code was 1123, just hit where the 6 was (just below the 3) as soon as it's unlocked. Then to anyone trying to guess from fingerprints, they would be trying to guess combinations of 1, 2, 3 and 6.

If they were to then guess that only 3 of the 4 digits were used, with one being repeated, the possibilities are vastly increased by not knowing which digit is repeated OR which digit is not actually used. Off the top of my head I think it would be 36x4 (36 being the number of combinations using 3 unique digits, multiplied by four for each digit that could be un-used), meaning 144.

If you were to do the same trick, so after entering your 4-digit code containing 3 unique digits, you then hit two different fake digits (same two every time you unlock)... you would have 36x9 combinations, totalling 324.

To take this to its (il)logical conclusion, you could fake-press all the digits that you're not using, but at that point you're clearly going too far and should consider just wiping off fingerprints instead.

Then again, is there really a real life use for any of this logic at all? I think not. 36 combinations rather than 24? Hell, even 324 instead of 24. Is it interesting to calculate, sure. Is it worth caring about when actually creating your passcode, not really, ultimately it will cause a minor annoyance to anyone who wants to guess the code, as they will take a little longer to get there.

That said, it's only not worth caring about in terms of the number of combinations. If you use only 3 unique digits, yet always tap the same fourth decoy-digit, while the combinations may only go from 24 to 144, there is a chance that the thief/whoever would fail to guess the plan, and therefore not think to try more than the 24 combinations.

This discussion reminds me an awful lot of side-channel attacks against cryptosystems and the steps taken to make crypto implementations secure against leaking information. In particular, one of the simplest defenses is to make sure that the code path executed is independent of input, which is like fake-pressing all the digits every time you enter your PIN.

Also, in your method, instead of guessing where 6 was to hit right after unlocking, you could also just use the backspace on the key pad. So to type in 1234, you could type in random key backspace random key backspace 1 2 3 4

WhisperCore [1], developed by Moxie Marlinspike [2], solves this problem for Android users...

[1] http://www.whispersys.com/screenlock.html

[2] http://news.ycombinator.com/item?id=2609037

This is an interesting product. It seems to only be officially supported on the Nexus One and Nexus S (and Android 2.3) at the moment, but it sounds like more devices are in the works.

Their WhisperCore product has two alternative screenlocks that basically use additional (thumb) smudges to remove evidence.

Sounds like WhisperCore also uses AES-256 for device encryption. Which is killer. I can't wait to see how this product develops over the next couple months.

Even worse than the iPhone prints are the smears left from the gesture locks on Android. You can see the whole thing quite clearly. I've been able to unlock several people's phones just by tracing the smear left on their screen. There's no ordering problem either.

The gesture system, for me at least, is also far easier to pick up visually by glancing .. it's much easier to obscure which numbers you are tapping.

I found it easier to pick up visually as well, and thus more difficult to hide from anyone who may be trying to see it.

On the other hand it's really hard to describe your gesture to someone if you're lending them your phone, unlike a PIN which is easy to relay verbally; you really need to demonstrate the gesture.

I map the points to numbers and give them that -- it winds up being exactly the same as telling people a PIN.

But on the other hand, I can do it (I think) quicker than entering a PIN code, and without looking at my phone. Always a tradeoff...

Only half my gesture lock is visible like that.

I do change it from time to time which may have played a part in that though.

Fortunately you can use PINs with arbitrary length on Android, too.

Prior to 2.2 you couldn't, and there are a ton of Android devices out there that will never see that update.

Is it just me, or is it almost equally possible that you would see the 'double' tap print on the digit that is repeated anyway?

This would then reduce the possibilities to 12 instead of 24 resulting in a less secure code.

I think the other solution presented in the comments of the post offers a far superior result: Randomize the position of the digits displayed each time. This way you cannot relate a tap print to either a digit or a relationship to another.

If you really want it even more secure (unable to tell if the user has used a digit more than once), randomize the positions after each entry.

Of course, these solutions have a downside in that you will enter the code slightly slower and thus slightly increase the risk of 'over the shoulder' attack vectors.

An intuitive way of calculating the permutations w/o the multinomial co-efficient:

For a 3 digit passcode, there must be 1 pair of repeated digits somewhere in the 4 number sequence e.g. 1_1_, 11__, _11_ etc., so 2 x 3 = 6 different pairs. This pair of repeated digits is any one of the 3 unique numbers e.g. 11__ or 22__ or 33__. For any pair of repeated digits, there are just 2 options left for how the other 2 digits must be arranged in the sequence of 4 e.g. xx12 or xx21. So 6 x 3 x 2 = 36.

For a 2 digit passcode, there are 2^4 = 16 permutations, except since there must be at least 1 of each digit present, you have to subtract the 2 permutations with 4 repeated digits e.g. 0000 or 1111. So 16 - 2 = 14.
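Added example, not part of any comment in the thread: a brute-force enumeration of the 4-digit search space left by a given set of smudged keys, cross-checked against an inclusion-exclusion formula. It reproduces the counts quoted in the thread (24, 36 and 14 for four, three and two unique digits; 144 for three real digits plus one decoy smudge; 12 when the repeated digit is known). The function names are illustrative choices made for this example.

```python
from itertools import product
from math import comb


def codes_from_smudges(smudged, used, length=4):
    """Enumerate every code of `length` digits that uses exactly `used`
    distinct digits, all of them drawn from the smudged keys."""
    return [
        "".join(c)
        for c in product(sorted(smudged), repeat=length)
        if len(set(c)) == used
    ]


def closed_form(n_smudged, used, length=4):
    """Same count without enumeration: choose which smudged keys are real,
    then count the ways `length` positions can cover all of them
    (surjections, by inclusion-exclusion)."""
    onto = sum(
        (-1) ** i * comb(used, i) * (used - i) ** length
        for i in range(used + 1)
    )
    return comb(n_smudged, used) * onto


def with_known_repeat(smudged, repeated, length=4):
    """Codes that use every smudged digit, given that `repeated` is the
    digit entered twice (the 'double tap print' case)."""
    return [
        c
        for c in codes_from_smudges(smudged, len(smudged), length)
        if c.count(repeated) == 2
    ]


if __name__ == "__main__":
    # Constructed sample smudge sets, chosen to match the thread's cases.
    for keys, used in [("1234", 4), ("123", 3), ("12", 2), ("1236", 3)]:
        n = len(codes_from_smudges(keys, used))
        assert n == closed_form(len(keys), used)
        print(f"smudges={keys} unique digits in code={used}: {n} candidates")
    print("repeat known:", len(with_known_repeat("123", "1")), "candidates")
```
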

The math is cool, but if you really care about the security of your passcode, get an anti-glare cover for 99c. No fingerprints, much more secure.

I mentioned this on HN in far fewer words a few weeks back: http://news.ycombinator.com/item?id=2610235

I was thinking about making a blog post about it but couldn't see much more information to add, it seems this blogger couldn't either ;p

This reminds me of a crank who wrote a letter to the Manchester Union Leader who thought the NH lottery was fixed because about half the numbers that 'hit' (out of 4 digits) had a repeated digit.

Unfortunately, a few facts about combinatorics rarely calm those kinds of people down.

I wipe my phone across my shirt or pants after unlocking it so the fingerprints don't stick around. The cleaning has become just as much a part of muscle memory as entering the PIN, so it's not something I'm likely to forget.

I do this, too. I have naturally oily skin but I can't tolerate messy, oily markings on the smooth glass screen.

Why doesn't the keypad rearrange itself every time?

This is a pretty good idea. I can see it being irritating at first, but I bet if it was paired with a swipe motion like that on Android it would actually work pretty well.

It'd be simple to fix this with a randomized keypad layout option.
