iPhone Passcode Weakness

iPhone slide to unlock

Whilst researching for a new iPhone data recovery service I found some surprising weaknesses in the default iPhone passcode system. Although nothing new, I’d never really considered the implications in much detail before.

It is common knowledge that iPhones are a valuable target for thieves. The phones are worth hundreds on the black market, but have you considered how much more valuable your data could be to criminals?

There are e-mail accounts, social media accounts and phone numbers, all of which add up to your online identity. If somebody had access to it all then at the very least they could work their way through your address book attempting to rip off your friends and family. Other more elaborate scams would also be possible.

Lots of people use a passcode to prevent unauthorised use of their iPhone. The problem is that the simple 4-digit passcode which Apple offers by default is really only worthwhile for stopping friends and family using your phone. Anyone more determined to access your data can download software which can figure out the iPhone passcode within minutes.

I had heard about this, but didn’t expect it to be quite so easy. I tested it out on my own iPhone and within 2-3 minutes my passcode was displayed on the screen.

I won’t go into any great detail about how to do it. It’s all there online, but fortunately there are a few things you can do to protect yourself from this sort of attack.

The first thing is to turn off the “Simple Passcode” option under Settings > General.

Then you should use a longer passcode. Every extra digit adds thousands or millions more potential codes that would need to be tried, similar to the Exponential Wheat and Chessboard Problem.

  • 4 digits (0-9) – 0000 = 10,000 possibilities
  • 6 digits (0-9) – 000000 = 1,000,000 possibilities (9,900% Increase)
  • 8 digits (0-9) – 00000000 = 100,000,000 possibilities (999,900% Increase)

To really make things difficult for a would-be hacker you should use an alphanumeric code, mixing numbers and letters.

  • 4 character (A-Z, a-z, 0-9) – AAAA – 14,776,336 possibilities (147,663% Increase)
  • 6 character (A-Z, a-z, 0-9) – AAAAAA – 56,800,235,584 possibilities (568,000,000% Increase)
  • 8 character (A-Z, a-z, 0-9) – AAAAAAAA – 218,340,105,584,896 possibilities* (2,183,000,000,000% Increase)
    *11 times the number of red blood cells in the human body apparently

There is no way somebody could reasonably attempt all 218 trillion possible passwords, so they would use what’s known as a dictionary attack. A dictionary attack uses a modified dictionary of known words, so instead of trying all potential codes, they only try likely passcodes. Make sure your password is not a dictionary word to get the most benefit from your passcode. Add in some punctuation and then you’ve really got a decent code.
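To put numbers on the two points above (how fast the keyspace grows with length and alphabet, and why a code that sits in a wordlist gets none of that benefit), here is an added Python example. It is not part of the original post; the guess rate passed to `hours_to_exhaust` and the small wordlist are constructed assumptions, and the checks in `weaknesses` are my own illustration of what a dictionary-style guesser would try first.

```python
"""Passcode keyspace arithmetic and a simple weakness check (added example)."""

DIGITS = "0123456789"
ALNUM = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
         "abcdefghijklmnopqrstuvwxyz"
         "0123456789")

# Constructed stand-in for the "modified dictionary" a guesser would start with.
TOY_WORDLIST = {"password", "letmein", "qwerty", "iphone",
                "1234", "0000", "1111", "123456"}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct codes of exactly `length` symbols from the alphabet."""
    return alphabet_size ** length


def percent_increase(baseline: int, new: int) -> float:
    """Percentage growth from `baseline` to `new`, as used in the post's tables."""
    return (new - baseline) / baseline * 100


def hours_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Hours needed to try every code at an assumed guess rate (upper bound)."""
    return space / guesses_per_second / 3600


def weaknesses(code: str, wordlist=TOY_WORDLIST) -> list:
    """Return the reasons a code would fall to a dictionary/pattern guesser
    long before the full keyspace matters. Empty list means none found."""
    found = []
    if len(code) < 6:
        found.append("shorter than 6 characters")
    if code.isdigit():
        found.append("digits only")
    if code.lower() in wordlist:
        found.append("in wordlist")
    if len(set(code)) == 1:
        found.append("repeated character")
    steps = [ord(b) - ord(a) for a, b in zip(code, code[1:])]
    if len(code) > 2 and (all(s == 1 for s in steps) or all(s == -1 for s in steps)):
        found.append("sequential")
    return found


def table(lengths=(4, 6, 8)) -> list:
    """Reproduce the post's comparison: (alphabet, length, size, % over 4 digits)."""
    base = keyspace(len(DIGITS), 4)
    rows = []
    for name, alphabet in (("digits", DIGITS), ("alnum", ALNUM)):
        for n in lengths:
            size = keyspace(len(alphabet), n)
            rows.append((name, n, size, round(percent_increase(base, size))))
    return rows


if __name__ == "__main__":
    for row in table():
        print("%-6s %d chars: %22d possibilities (%d%% increase)" % row)
    for candidate in ("1234", "0000", "Tr0ub4dor&3"):
        print(candidate, "->", weaknesses(candidate) or "no obvious weakness")
```

The `weaknesses` checks are deliberately the cheap ones: a guesser tries short, all-digit, sequential and wordlist codes before anything else, so a code that passes them is the one that actually forces an attacker into the large keyspace the tables describe.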

Kindle 4 Review Non-Touch

I’ve finally got on the ebook bandwagon, and as usual I’m wondering why I resisted for so long. I have just been e-mailed by Argos to write a product review for the Kindle, but decided to write it here rather than give them rights to use my words:

…For any content that you submit, you grant Home Retail Group a perpetual, irrevocable, royalty-free, transferable right and license to use, copy, modify, delete in its entirety, adapt, publish, translate, create derivative works from and/or sell and/or distribute such content and/or incorporate such content into any form, medium or technology throughout the world without compensation to you. – Argos T&Cs

Nice.

What I Think

The Kindle has totally revolutionised the way I read. I find I’m reading far more than I used to, and finally getting round to reading some of the many books which are freely available and out of copyright.

The Kindle is extremely small and light, and feels surprisingly well made. There are physical buttons on both sides to allow page turning for either left or right handers.

Looking up words, highlighting and marking sections is simple and intuitive. I no longer skim over words I don’t know.

Issues

A minor gripe is the choice of on-screen keyboard, which is A-Z rather than QWERTY. Some non-technical users will struggle to type on any keyboard arrangement, however most people are familiar with the standard keyboard layout. In practice I find I hardly ever have to use it anyway, so it’s hardly a deal breaker. I would still recommend the Kindle to anyone.

Some free eBooks have some strange formatting issues, but the excellent Calibre software handles conversion from almost any format into something I can read on the Kindle. I see no logic in complaining about free books!

Dispatches: Watching The Detectives – Solution

Like anyone else watching Dispatches on Channel 4 tonight, I was absolutely shocked at the ease with which anyone can get hold of my personal and private information. Information such as National Insurance Number, bank account details, itemised phone bills, medical history; details which I would struggle to get access to myself.

I won’t rehash what was covered in the show, as it makes quite shocking viewing, and I wouldn’t do it justice. You should watch it for yourself. What I will offer is a solution.

The Fix

It’s simple really, and should only cost a few pennies to implement:

Send me an e-mail alert whenever my personal data is accessed on a private database. Simple.

An example: I’m on the phone to the bank. As they pull up my info, my phone will ping to let me know my data’s been accessed. If, however, I’m sat in Starbucks sipping coffee and my phone goes off, I can instantly see who has requested which info, and make my own mind up whether I need to look into it.

Here’s some pseudo code for it:

if data requested -> send e-mail alert with date & time of access, recipient of data & details of the data requested

This wouldn’t need to change any current workflow or database access rights, and would simply ping away in the background whenever personal details are requested. I’m sure there would be loads of new job vacancies created, when those getting backhanders for handing out our private data are kicked out or jailed for misconduct.

We could even go one step further, where requests for information would be held back until you give it the all clear, but I can see how that could be more troublesome to legitimate users.
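The pseudo code above, and the stricter hold-until-approved variant just mentioned, as one added Python example. This is not the post's own code and assumes nothing about any real bank or government system: the record store, the requester names, the subject's details and the fixed clock are all constructed, and the `notify` callable stands in for an e-mail gateway so the example runs offline.

```python
"""Access-alert wrapper around a personal-data store (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    """One lookup of a person's record: who asked, for whom, which fields, when."""
    requester: str
    subject: str
    fields: tuple
    when: datetime


def format_alert(event: AccessEvent) -> str:
    """Text of the alert the data subject receives: date/time, requester, fields."""
    return (f"{event.when.isoformat()} - {event.requester} requested "
            f"{', '.join(event.fields)} from your record")


class PersonalDataStore:
    """Every read of a record emits an alert to the data subject and an audit entry.

    notify: delivery channel, called as notify(subject, message).
    hold:   if True, reads are queued until the subject approves them
            (the stricter variant from the post).
    clock:  injected so the example is deterministic.
    """

    def __init__(self, records, notify, hold=False, clock=None):
        self._records = records
        self._notify = notify
        self.hold = hold
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit = []      # every event, released or not
        self.pending = {}    # request id -> AccessEvent awaiting approval
        self._next_id = 1

    def _read(self, subject, fields):
        record = self._records[subject]
        return {f: record[f] for f in fields if f in record}

    def request(self, requester, subject, fields):
        """Look up `fields` for `subject`; the alert fires before any data moves."""
        if subject not in self._records:
            raise KeyError(subject)
        event = AccessEvent(requester, subject, tuple(fields), self._clock())
        self.audit.append(event)
        self._notify(subject, format_alert(event))
        if self.hold:
            rid = self._next_id
            self._next_id += 1
            self.pending[rid] = event
            return {"status": "held", "request_id": rid}
        return {"status": "released", "data": self._read(subject, event.fields)}

    def approve(self, request_id):
        event = self.pending.pop(request_id)
        return {"status": "released", "data": self._read(event.subject, event.fields)}

    def deny(self, request_id):
        self.pending.pop(request_id)
        return {"status": "denied", "request_id": request_id}


def run_demo():
    """Constructed scenario: one record, one open lookup, one held lookup."""
    outbox = []  # stands in for the e-mail gateway
    records = {"alice": {"ni_number": "NI-NUMBER-PLACEHOLDER",
                         "phone": "01234 567890"}}
    clock = lambda: datetime(2011, 10, 20, 21, 0, tzinfo=timezone.utc)
    deliver = lambda subject, message: outbox.append((subject, message))

    # 1. Alert-only mode: data flows exactly as today, but Alice is told.
    open_store = PersonalDataStore(records, deliver, clock=clock)
    first = open_store.request("bank call centre", "alice", ["phone"])

    # 2. Hold mode: the lookup waits until Alice gives the all clear.
    strict = PersonalDataStore(records, deliver, hold=True, clock=clock)
    held = strict.request("unknown caller", "alice", ["ni_number", "phone"])
    released = strict.approve(held["request_id"])

    return {"first": first, "held": held, "released": released,
            "outbox": outbox, "audit": open_store.audit + strict.audit}


if __name__ == "__main__":
    result = run_demo()
    for subject, message in result["outbox"]:
        print(f"to {subject}: {message}")
```

Because the alert and the audit entry are written inside `request`, before the record is read, the wrapper changes no access rights and no caller's workflow: an operator who already has a legitimate reason sees nothing different, while every lookup still leaves a trail the subject can see.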

As long as there are databases full of our personal information, there will be people trying to access that information for profit. If we bring that out into the open, then nobody can lose. The data is still accessible when required, but nobody can access it without being tracked and accountable. 

How To Get Ahead? Content Is Not King


I work in a niche industry, which has 312 million results in Google. We are a small company, and don’t feature prominently amongst those 312 million pages. When researching some of our competition, I have noticed something strange in the results.

Forums & Review Sites

It seems that one tactic these sites are using to generate links is to simply create them for themselves. Some start up industry review sites, with their own sites featuring prominently (read exclusively) in the results, links and adverts. Others create and administer forums which moderate and edit the information, again making sure all roads lead to their own door.

Trading As…

Another strange thing is to have loads of different company names, each with their own websites. These websites are so different that potential customers are likely to be comparing the services of what are essentially loads of the same company. For example, three of the top ten results are the same company using different names, but you wouldn’t necessarily realise that.

Is It Wrong?

I don’t actually know. I’m not sure they are actually doing much wrong here. I certainly wouldn’t be comfortable with it myself, but I’m an honest sort of guy. What they are definitely not doing is creating good content. Whenever I write something on our website or blog, I make sure that it is first accurate, and second useful. If there is an opportunity to suggest one of our services, I will do so, but the content needs to stand up alone. I’m sure this means I’m missing out on some hard sell stuff here, but overall I think it keeps us trustworthy, and helps us stand out from the crowd of shouty fear mongers.

By not playing these games we often lurk around near the back of the search results, feeding from long-tail searches, where most people will never find us. Don’t worry, it’s not a problem, just an observation. I already mentioned that we are small, so the long-tail stuff is plenty. We already have a great service & reputation, so I don’t want to sacrifice it by chasing rankings.