Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Eating Humboldt Squid |
| Yet Another "People Plug in Strange USB Sticks" Story »
June 27, 2011
There's some great data on common iPhone passwords. I'm sure the results also apply to banking PINs.
Posted on June 27, 2011 at 6:15 AM
• 52 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
What happened in 1998? :?
My pins and voicemail passwords are the phone numbers of various ex-girlfriends or other people I knew well enough to have memorized their phone numbers.
I beg to differ with banking PINs.. at least in EU many banks assign a fixed PIN to the card. Offhand, I only know two companies that allow manual change of the PIN, and even there it isn't really well documented that it's possible and how to do it.
Here in France, you can't choose your banking PIN, it's randomly choosen and sent in a secure mail (it's printed inside a closed enveloppe using a pressure sensitive paper). I think it's by far the best solution, and it's well accepted.
wiredog: If one of your ex-girlfriends wants to steal your money or listen to your voicemail...
How about "bluetooth" passwords as well...
I guess some people will always use their birthday in some form for bank pins, or in some places their car registration number.
That sort of behaviour has even been ridiculed in some popular humor such as the Futurama episode (A fish full of dollars) where Fry reveals his PIN to be the price of a soda and cheese pizza at the place he worked in back in the 20th Century.
I have been using password safe for quite some time. Have you done any evaluations of similar tools for the iPhone?
I don't have one of these gadgets, so ... is the PIN really restricted to 4 digits?!? THERE's your problem right there!
In this country banks have supported ATM PINs up to 8 digits for more than a decade. This means that if you map a word into a PIN using the keyboard layout (like LOVE --> 5683 in the article) you can actually increase entropy rather than reduce it.
Umm, sorry, that's not quite clear. The set of 4 letter words, mapped to digit strings using a cell-phone keypad, has way fewer than 10,000 possibilities (about 2,600, actually, although many of these are very rare words) so security is weakened if you use that method to make it easier to memorise a 4 digit PIN.
Similarly, mapping 8 letter words to 8 digit PINs generates far, far fewer than 100 million PINs (about 46,000, although more if you include two word phrases.) However, it generates more than 10,000 PINs, and yet an 8 letter word is easier to memorise, so overall you get more strength at greater user convenience than a random (patternless) 4 digit PIN.
BTW, looking at the histograms, I don't see much evidence of word mapping. CCITT did a reasonably good job of flattening the frequency profile of key use, whilst keeping the letters-->digits pattern simple. Nevertheless, based on normal English language letter frequencies, 5 and 9 should be much less common than 3 and 6. (About 1/3 to 1/5 as common, actually.)
We don't see that in the histograms. They reveal the biases from '1234' and from use of 19XX dates, but it's otherwise pretty flat.
I'm disappointed that the people, including Bruce, that reported on this or reposted this article fail to even mention that there is potentially a problem with an app that records your passcode. The first time I read this article, the application author said he (completely anonymous, of course) recorded iphone pins, now he is saying its a pin of his application. Regardless of what pin it is, there is no need to record pins. Clearly the purpose of the app was to record data not provide "camera security"
I am not sure where or when the author said he recorded the iPhone passcode.
On the article he wrote: "In my last update to Big Brother Camera Security (Free), I added some code to record common user passcodes (completely anonymous, of course). Because Big Brother’s passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes."
So it seems fairly clear that this was set up to record the passcode people used to set up the app they had downloaded and installed. There may well be ethical issues around this but its not the same as capturing the actual phone passcode.
The fact users will use their phone code with this app is a different story altogether.
One issue I have with the figures is that they are skewed by an unknown amount, kind of making them useless unless the agree with an position you already hold.
For example, I tend to use trivial passwords / passcodes on things & sites I think are trivial. If I need to set up an account to leave comments on a blog, then I *will* use things like "passw0rd" as the password simply because I dont actually care if anyone cracks it. This is radically different from my internet banking & webmail credentials.
Likewise, if I have a phone app that asks for a passcode, I am *not* going to use the main ones (such as the SIM codes) but rather I will chose to use something that is trivially memorable.
So in this instance, while my phone unlock code *might* well be 4823, I wouldnt think twice about using 1234 for the app.
Until the "research" can factor in this attitude, any of its findings are meaningless.
"So in this instance, while my phone unlock code *might* well be 4823, I wouldnt think twice about using 1234 for the app."
I am not an iPhone user but even though you have a point it would not surprise me if other users will use their main iPhone PIN for that application so that they have less to memorize.
Considering that this developer has included some functionality that provides him a copy of the PIN. Even though it does not have to correspond to the users main PIN, that does not sound particularly reassuring.
IMHO, no wonder Apple removed the application:
"I am not an iPhone user but even though you have a point it would not surprise me if other users will use their main iPhone PIN for that application so that they have less to memorize."
It wouldnt surprise me either but my point was using figures like this to give authority doesnt work. The numbers are meaningless and we are left with the idea that there are probably a lot of people who use trivially easy to guess passwords.
I am always wary of using numbers like this to create a sense of authority where it doesnt really exist. All we have here is something we already knew - an undetermined number of people will choose passphrases that are easy to guess. Any extrapolation from this data is just an appeal to out own prejudiced viewpoint.
"Up the train system, move the switch forward. "Enter the password" displayed. Enter "1234" on the driver's keyboard and press Ok! "
From the manual for a drivers of Moscow subway to "81-740" train model.
Off-topic: If this doesn't make you realize you're living in a police state...
TSA stands by officers after pat-down of elderly woman in Florida
FWIW: On the iPhone one can disable "simple passcodes" and require a full password/passphrase to unlock. [General->Passcode Lock->Simple Passcode].
I live in the US. My banking pin used to be 6 digits. My bank was acquired the first time and, upon receiving a new card, I was required to go into the bank to activate the card. I typed in my 6 digit pin and the employee said that I might have trouble using my card, but allowed me to use a long pin.
Fast forward a few years and my bank is acquired again. I have to repeat the process. This time, the card activation machine won't accept pins longer than 4 digits. The bank's reasoning? Pins longer than 4 digits make the card unusable for international transactions.
I don't know whether that's true or not, but now I'm stuck with a 4 digit pin.
@Roger & @Yellow:
I've never encountered an ATM in Latin America that would accept more than 4 digits for the PIN. I've used hundreds of different ATMs over the past 10 years in various countries.
Its frustrating and risky, so I watch my account balances and transactions carefully, use different PINs for each card, and don't carry all of my cards with me all of the time. For our iPhones, I configure them to wipe after 5 failed logons. Its annoying when one of the kids wipes a phone, but I'd rather spend a couple hours restoring from the most recent backup then letting some thief or government agent access our data.
@Roger - the iPhone pin used to be restricted to 4 digit numbers but can (since iOS4 was introduced 18 months(?) ago) be a longer letter/digit combo. You have to change the setting in "general settings > passcode lock > and disable "simple passcode"
My PIN is 2011 however since I am Anon this wont help anyone - except Bruce who has my email address. However, I trust Bruce :)
Although I don't have an iPhone myself, I always advise owners five basic things:
- Move from a simple to a more complex passcode (general settings > passcode lock > disable simple passcode)
- Enable Auto-Lock (settings > general > auto-lock)
- Make regular backups and configure to wipe all data after n failed attempts.
- Use an app like Keeper to store other passwords.
- Don't install any applications you haven't verified as reasonably trustworthy.
Might not stop a determined attacker, but will give all others a serious run for their money.
As for the pin on my bank card, that one is rotated on set intervals (we can change it over here). For bank transactions, anything below dual factor authentication with one-time pads is unacceptable. And yes, pin is broken and dual factor can be defeated too, but it's either that or doing all money transactions at the local bank only, and for which we are charged. And a major hastle whenever abroad.
Completely off-topic, but scary:
"TSA employees at Logan International Airport believe they have identified a cancer cluster in their ranks, according to documents obtained under the Freedom of Information Act and released by the Electronic Privacy Information Center. They have requested dosimetry to counter 'TSA's improperly non-monitored radiation threat.' So far, at least, they have not received it.
The documents also reveal a paper from Johns Hopkins that essentially questions whether it is even safe to stand near an operating scanner, let alone inside one. Also, the National Institute of Standards and Technology says that the Dept. of Homeland Security 'mischaracterized' their work by telling USA Today that NIST affirmed the safety of the scanners when in fact NIST does not do product safety testing and never tested a scanner for safety."
Looking over the fence into my colleagues cubicle I see android allows you to "doodle" over your keypad, more or less transforming a chosen pin 'code' into a figure or gesture.
I wonder how long before we do away with the alphanumerical code and let you use your signature to unlock your device. Oh wait I foresee problems there too...
I suppose I'll just stick with my favorite 4 digit primes. :/
To be fair ... *come on, people*, there's only just so much keyspace in four lousy digits. A modern PC would take, what, a millisecond to brute-force that, given direct access? I consider it pathetic that we're still expected to seriously believe that a four-digit PIN makes us secure.
I have heard a story, which possibly may be apocryphal, that we are saddled with four-digit PINs because the engineer who originally invented the ATM asked his wife how long the card security codes should be, and she was quite unshakably certain that she could never POSSIBLY remember a number longer than four digits.
I pick PINs at random (once I used the last two digits of the number plates of the next two cars to pass me.) I remember them via dates in the 20th century. E.g. if the PIN was 6303 -> (1963, 1903) -> "Kennedy was shot by the Wright brothers."
"However, I trust Bruce"
But do you trust all the hackers trying to break into his site to make a name for themselves? :-)
I never changed the bank pin I was given. I'm paranoid about forgetting it when I need to get money out of the ATM. It's bad enough frequently when I go to the ATM near me it's out of order. One time a Wells Fargo ATM ate my card on a Friday night, and I had no money for the whole weekend. It ate the card because the card was just inserted as it was shutting down for maintenance or something. Wells help line said there was nothing they could do until Monday. Well, screw that! They're lucky I didn't blow up the ATM, I was so pissed.
Meanwhile, off-topic, THIS is brilliant and shows how hard hackers will work to break into your company:
Hackers pierce network with jerry-rigged mouse
Remember that the way a serious thief gets your PIN (be it for your iPhone or cash card) is by putting a knife to your throat and saying "What is your PIN?".
"I have heard a story, which possibly may be apocryphal, that we are saddled with four-digit PINs because the engineer who originally invented the ATM asked his wife how long the card security codes should be, and she was quite unshakably certain that she could never POSSIBLY remember a number longer than four."
It's 100% true. The inventor tells all to the BBC, of course.
Swiss bank cards allow PIN change and come with six digit PIN codes (sent under separate cover and printed without human intervention.....)
You can change the PIN to 4-6 in length (IIRC).
So, in theory, 5 may be the magic length as an attacker would assume either 4 or 6 numbers in length.
I prefer to keep the randomly-created one for my use - it has no meaning to me so is therefore only vulnerable to a) me giving it away or b) brute force.
What is being seen now in Switzerland is an increase in skimming attacks on the ATM themselves - leading to some interesting developments in the anti-skim measures. Yes, we're now into the 21st century and Utopian society is under threat!! ;-)
Although the derivation of most of the top 10 is pretty obvious, one has got me stumped... why is 5683 so popular??
@ Richard Steven Hack on TSA
Yeah. That made me sick just reading it. They intend to herd, treat and use us like cattle. That seems to be the gist of it. And like all assets, we must be carefully developed, monitored and managed. I can't quite put into words why, but this part got to me most:
"The video... shows the girl protesting the search by a female security officer at first, though she complies quietly while it is underway."
Maybe my blood boiled because they were needlessly traumatizing a child. Maybe it was the conditioning aspect of it: the child was forced into submission to damaging, nonsense rules. The kid probably should get used to that... but doesn't deserve to...
It's not unbelievable: it's merely F***ED UP!
"To be fair ... *come on, people*, there's only just so much keyspace in four lousy digits. A modern PC would take, what, a millisecond to brute-force that, given direct access? "
Indeed but what device allows you to connect your pc and run through > 500 combinations before signalling an error?
As an example, if the person has their iPhone set to wipe after 5 tries (eg, @Kurt) then all you have done is wiped the phone. In this instance anything more than a 1 digit PIN stops the attacker having a reliable chance of success.
Ditto with ATMs. If you can hook up a computer and brute force it without any lockouts then, yes, you can get past the combination but that is true of anything and points to a failure in the security design rather than the principle of the PIN.
With my ATM card, after THREE incorrect attempts, the machine keeps my card and I have to go and ask the bank for it back. While not perfect, the chance of you guessing my 4 digit (self selected PIN) in 3 goes is minimal. I have credit cards which are slightly more relaxed and have a 20 minute lock out after the third attempt but this means it will still take over 50 hours to hit the 50% point and have a good chance of getting access (assuming there isnt an secondary control I havent discovered yet).
Relying on length and keyspace alone to protect an authentication method is truly flawed. Computing gets more powerful and humans are forgetful. What needs a supercomputer today will be trivial for phones in 10 years time so any systems designed to protect against brute force in that manner has a limited lifespan.
The better solution is to design against brute force attacks in general - limiting attempts is very, very effective.
@RSH / @Nick P
It really does defy belief. The TSA response is shocking and the fact they appear to be immune to any form of humanity is scary while being predictable.
America - Land of the Free, Home of the Brave. Maybe not so much any more.
Great data, but the act of gathering this kind of stats is so controversial this guy software's now at risks of being marked as malware.
"...one has got me stumped... why is 5683 so popular??"
It is LOVE spelled out on the small letters underneath each digit on a telephone keypad -- something which would be well known to most teenage users of SMS / text messaging!
(Strictly speaking, it might also be LOUD, JOVE, or one of a couple of French or Spanish words, but I think we all know which one it is.)
The engineer's wife almost certainly had memorized the 7- or 10-digit telephone numbers of her mother and all her relatives, but she claimed she "couldn't possibly" memorize a bank card PIN longer than 4 digits?
Or they can just allow numbers, letters and symbols like GRC's one-time password scheme:
Additionally, banks can force the use of one-time PIN's with dedicated hardware. I've seen very convenient implementations of these. One looks like a small pocket calculator. During payment, the user swipes the card across the device, enters their permanent PIN, and the device generates a one-time PIN for the current transaction. This is a nice way to keep existing infrastructure while protecting user's low-entropy PIN's. It's also multi-factor in the sense that copying these devices is harder than skimming/copying a mag stripe.
To keep track of my PINS, I have a separate "phone list" in another section of my wallet. I have bogus phone numbers (using my local area code so they aren't too unusual) that incorporate the PIN into a portion of the phone number known only to myself :) I also use a "name" that can "I" can easily associate with the appropriate institution (you wouldn't understand the association unless I explained it to you).
It's an easy way to have the PIN written down, but not in an easily identifiable format. You could also reverse the PIN and bury it within a phone number.
I was actually once randomly assigned the PIN 0000!? Evidently, if this is random somebody's gotta get that PIN, but then for the random thief trying randomly this might be one of the first codes he tries.
I once had access to a hashed database of PINs (no salt!) of various lengths (4+). PINs were user selected. As the data came from another group's project within our company (they left a server open and unprotected outside the corp firewall and ignored our request to fix it), we broke in and analyzed the user PIN data as a demonstration.
The PIN data was very similar to this, with lots of patterns/repeats both numeric and spatial (to the keypad - plus, square, diamond). Histograms of birth years were also present. 1234 was the most common PIN, by far (5% of all PINs).
The most interesting artifact was a spike in the year 1947. It drove me crazy trying to figure out why 1947 - a similar spike in the user population born in '47 made no sense.
I mentioned it to some co-workers who are South Asian - they pointed out that was the year of Indian Independence. Skew solved.
The android phones' 'doodle' passwords trade a large amount of security for convenience and style. They are shown in bright green when the user traces them, making them easy to see from a distance. Also, remembering a polygon is naturally much easier than remembering a number for any malicious overlookers.
Without having tried to remember them, I can draw you the phone pass-doodles for my five closest friends' android phones. I am not usually able to memorize several four-digit numbers without some effort.
(The Galaxy series is worse... they use the same twelve-circle pattern, but on a very large screen.)
@ Dirk Praet
Hell yeah! It's not the device I saw in the past but it looks and works just like it. It still requires trust in the PC. It can't truly authenticate a transaction. But, it does allow the use of a simple PIN while protecting it from compromise. That was the point I was making.
For real security, one must have a device that displays the transaction details before signing them. My transaction appliance is one. I swear you posted something similar your government did with PKI a while back for authentication. The point is it has to have a trusted path: display must present accurate data, user input must be protected, and user must authorize exactly what they see. That's what my design did. A similar design will be needed to raise all of the low hanging fruit above most attackers reach.
The results agree with several previous similar publications. The way a user thinks is the same, whether it is an iPhone, an application or a bank card. The results reflect the way the human mind works when asked to select a "random" number, irrespetive of technology involved.
In view of this, I suggest that the idea of customer selected PINs is a disaster area, all banks should abandon it and PCI should recommend against it. Banning customer selected PINs is more important than several other PCI PIN related requirements.
I suggest that it would be worth while to check the correlation between customer selected PINs and phantom withdrawals and who takes the loss - the bank or the customer.
@ Roger - ah yes that definitely explain it- thanks. It also leads me to realise the potential for someone to carry out a study of the correalation between common passwords and gender.
I naively thought the advantage of the Apple model with all apps under the control of Apple would be security: Apple can screen all apps for security like not having look-alike login screens harvesting PIN codes.
In practice, apple only removes the harvesting app when the author publicly explains what he does.
@Furcewrarve ---- seriously?
Maybe I'm just a "vanilla" sort of guy when it comes to these things, but I'm not sure the phrase "herpes penis photos" is going to drive very many hits to your site.
Of course, you're just a piece of software and you'll never read this.
@ Nick P
"For real security, one must have a device that displays the transaction details before signing them"
Although what we've got here is already substantially superior to the really poor authentication methods I've seen at other banks, I agree that the PoC you and Clive were brainstorming about the other time in essence is the preferred way to go. Chances are however slim that this will materialise before current systems have been breached AND court battles lost by banks enough times to move on.
Fortunately, we are not as litigious a society as the US and the chance of any court over here ruling in favour of the bank such as in the Ocean Bank vs. Tapco case is close to nil. Ever since the financial crisis when local banks had to be bailed out by billions in tax payer euros, and contrary to the US, they're on a very short leash and really can't afford any additional public outrage over matters like this at the risk of coming under even heavier scrutiny and regulation. We may not have a government, but some things still work a tiny bit like they actually should.
@ Dirk Praet
That explains why your banks are using better systems. I'd say, if anything, you people do have a government. The results show it clearly. In the US, the big corporations and aristocrats have a government. They lease out some of it to the people, but the best parts stay with them.
@ Nick P
Your link expired
Can you quote it?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.