On iOS at least, if you’re concerned about police breaking into your phone, you should be using a high entropy password, not a numeric PIN, and biometric auth is the best way to keep your convenience (and sanity) intact without compromising your security. This is because there is software that can break into a locked phone (even one that has biometrics disabled) by brute forcing the PIN, bypassing the 10 attempts limit if set, as well as not triggering iOS’s brute force protections, like forcing delays between attempts. If your password is sufficiently complex, then you’re more likely to be safe against such an attack.
I suspect the same is true on Android.
Such a search is supposed to require a warrant, but the tool itself doesn’t check for it, so you have to trust the individual LEOs in question to follow the law. And given that any 6 digit PIN can be brute forced in under 11 hours (40 ms per entry), this means that if you were arrested (even for a spurious charge) and held overnight, they could search your phone without you knowing.
With a password that has the same entropy as 10 random digits, assuming no further vulnerabilities allowing them to speed up the process, it could take up to 12 and a half years to brute force it. Make it alphanumeric (and still random) and it’s millions of years - infeasible within our lifetime - it’s basically a question of whether another vulnerability is already known or is discovered that enables bypassing the password entirely / much faster rates of entry.
If you’re in a situation where you expect to interact with law enforcement, then disable biometrics. Practice ahead of time to make sure you know how to do it on your phone.
Or they make a copy of your phone, alphanumeric password and all, and just sit on it for ten years until quantum computers make solving the password a piece of cake.
You should assume that any device confiscated by authorities will be copied and broken into eventually. Treat all data on said device as if it’s already compromised.
Copying an iPhone isn’t as straightforward as you seem to think. Copying data from a locked iPhone requires either an exploit or direct access to the SSD / memory chips on the device (basically, chip-off forensics, which likely requires bypassing the storage controllers), and I assume the same is true for Android devices.
I’m not saying such exploits don’t exist, but local police departments don’t have access to them. And they certainly don’t have the capability to directly access your device’s storage and then reassemble it without your knowledge.
Now, if your device is confiscated for long enough that it could be mailed off to a forensics lab for analysis? Sure, then it’s a possibility. But most likely if they want your data that badly they’ll either hold onto your device, compel you into sharing the info with them, or try to trick you into giving it to them. Hanging onto your data without a warrant for over a decade is a high risk, low reward activity.
Your data’s more vulnerable to this sort of attack in transit.
Also, don’t use regular passwords with random letters and numbers; they are really hard to remember and easier to crack if the password isn’t complex enough. Instead, use a passphrase with at least 5 words.
Is that safe though? After seeing that XKCD I also thought it would be a good idea but then read that using passphrases is even worse because brute force attacks often use dictionaries as well to test word combinations, so one should use scrambled characters, just long enough to resist brute force.
The XKCD comic uses the entropy of common words assuming an informed cracker is using the best tools at their disposal, that being a dictionary attack. That’s why the entropy per character of the passphrase is so low compared to that of the special character password, but the passphrase can be much longer because it’s easier to remember, so that’s what gives it its higher total entropy.
Thanks for the clarification. So I can surmise that length is everything then? Given that I use a password manager I’ll just stick to my long gibberish passwords in that case, but it’s good to keep passphrases in mind for use cases where I can’t copy/paste easily.
Oh yeah, long gibberish passwords are strong. Keepass will tell me I have 137 bits of entropy on my password for instance, and that’s proper secure.
The Tr0ub4dor or whatever example in the comic assumes again an informed hacker using long random words and common substitutions, so you don’t have the full 56+ possibilities per character; it’s constrained to a very limited set. This is a pretty common password construction.
For instance when I was in IT some government agency required our company to adhere to some security requirements before we could handle their data. Everyone went from 3-letter usernames + identical passwords to having a long word + numbers + characters. HOWEVER because nobody can remember these fucking things, every single password was a home address with the exception of a handful of month or person names which I assume were birthdays or kids. How do I know these secret passwords? Well, because they STILL couldn’t remember them, we had to…
I’m so sorry.
…keep everybody’s password in our own encrypted Excel spreadsheet, so if anybody forgot, the IT team could read them all in plaintext to get people logged in. One person was so bad at remembering that I had their password memorised myself, and when I stopped pretending to look it up they stopped asking. Idk if they were shamed into remembering it or they just kept it in their wallet or something.
Also we needed secure server racks and encrypted drives etc. The server rack was a doozy - the handle was an intentional weak point to prevent forcing the lock, so I accidentally ripped it clean off with my bare hands one morning when the lock was slightly stuck. It took a while to get that fixed and I was extremely lucky I managed to jimmy it open using the nub of the destroyed handle. I couldn’t close it again so it sure wasn’t secure once that happened.
Security theatre, the lot of it. We spent six figures nationwide getting ready for that contract and the work they gave us was about four figures worth.
The entire corporate world is like this. If you wonder why your data keeps getting breached, this is why.
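To put numbers on the two arguments above (the 40 ms-per-guess brute force rate from the top comment, and the XKCD comic's entropy accounting for "Tr0ub4dor&3" versus a four-word passphrase), here is an added example that is not from the thread or the comic. The scheme names, the `human()` formatter and the 7776-word list size are my own assumptions; the 40 ms rate and the XKCD bit counts are taken as stated.

```python
"""Added example: brute-force cost of the password schemes discussed above."""
import math

ATTEMPT_SECONDS = 0.04           # 40 ms per guess, the rate quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly from a list the attacker
    already has (i.e. a dictionary attack, the model the XKCD comic uses)."""
    return words * math.log2(wordlist_size)


def troubador_bits() -> float:
    """XKCD 936's accounting for a 'Tr0ub4dor&3'-style password against an
    attacker who models the construction: uncommon base word 16 bits, caps 1,
    common substitutions 3, appended numeral 3, punctuation 4, order 1."""
    return 16 + 1 + 3 + 3 + 4 + 1


def worst_case_seconds(bits: float, attempt_seconds: float = ATTEMPT_SECONDS) -> float:
    """Seconds to exhaust the whole space; the average search takes half."""
    return 2 ** bits * attempt_seconds


def human(seconds: float) -> str:
    """Rough human-readable duration (assumed helper, for the table only)."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


# Constructed comparison set: the schemes argued over in the thread.
SCHEMES = [
    ("6-digit PIN", random_string_bits(10, 6)),
    ("10 random digits", random_string_bits(10, 10)),
    ("10 random alphanumerics (62 symbols)", random_string_bits(62, 10)),
    ("Tr0ub4dor&3 (XKCD attacker model)", troubador_bits()),
    ("4 words from a 2048-word list (XKCD)", passphrase_bits(2048, 4)),
    ("5 words from a 7776-word list (assumed size)", passphrase_bits(7776, 5)),
]

if __name__ == "__main__":
    for name, bits in SCHEMES:
        print(f"{name:46s} {bits:6.1f} bits  worst case {human(worst_case_seconds(bits))}")
```

The 6-digit row reproduces the thread's "about 11 hours" and the 10-digit row its "12 and a half years"; the passphrase rows show why a known word list still leaves more entropy than the substitution scheme, provided the words are chosen at random.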
It calls them “passwords,” but personally I don’t consider a 6 digit number to be a password. And according to this article on GrayKey, 6 digit “passcodes” became the norm back in 2015. I haven’t seen any stats showing that people on average use more secure passcodes now, and making the passcode required more frequently isn’t going to encourage anyone to use one that’s more secure.
The article just says “disable biometrics” which is bad advice for the average person, as it will result in them using a 6 digit passcode. This is a knee-jerk reaction at best, and the resulting advice is devoid of nuance, made by someone who clearly doesn’t understand the threat discussed in the article, and would benefit literally nobody who might feasibly take it.
My advice is echoed by the article above, but it’s based off having an understanding of the problem area and suggesting a solution that doesn’t just address one thing. Anyone giving advice on the topic should consider:
known threats and reasonably likely unknown threats
the mitigations to those threats
how the technology works for both the threats and the mitigations
the legal landscape in your jurisdiction - for us, the US - both in practice and in theory
people’s attitudes toward security, namely their willingness to suffer inconveniences for its sake
how all of the above interact, and how likely someone is to take the advice given in a way that improves their security overall
The author of this article considered none of the above.
I still don’t get where you are seeing this advice in the article. No one is recommending “6 digit passcodes”. AFAIK all contemporary phones use mixed character passwords these days. I just set up a second hand s22 and it asked me to create a full password as primary authentication with all of the brute force strength hints etc.
As I said in my first comment, I’m more familiar with iOS, where 6 digit passcodes are the default.
That said, do you genuinely think the average person would use a random 10+ alphanumeric character passcode to unlock their phone after taking the advice of this article and disabling biometric auth?
Yep. On Android there’s also a Lockdown mode that you can enter through the power menu when you need to turn off biometrics for the next unlock. Set a strong password. Use biometrics when you need to keep out a casual intruder, and password when you need to keep out a major intruder.
If you’re always concerned about sophisticated attackers, then you should also:
Disable biometrics unlock whenever your device is about to leave your possession or you’re going to sleep
Protect against shoulder-surfing / surveillance attacks that can capture you entering your password, e.g., by being aware of your surroundings and only entering your password or viewing sensitive information when you’re certain your screen (and thumb locations) can’t be observed, or by obscuring a view of your phone with your shirt or a blanket (like Snowden)
Take the time to learn more about security in general and in relation to the specific threats that concern you
Terrible article. Even worse advice.
Explain XKCD goes into more detail about how the calculation was done: https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength
Article doesn’t even mention PIN. Where are you getting this “advice”?
Your perception might be a bit outdated here.
Yes the contemporary phones literally bug and warn you if you don’t. Password is much easier to remember than 6 digits too imo.
He’s not wrong though. Brute forcing number only pin takes little effort.
100%.