beschizza at June 3rd, 2014 10:52 — #1
nixiebunny at June 3rd, 2014 11:21 — #2
The last time I tried to guess my nephew's PIN, the phone locked itself out for a minute after a few failed attempts.
jandrese at June 3rd, 2014 11:26 — #3
iPhones automatically lock if you put in too many incorrect password attempts. You have to wait a few minutes before you can try again. The automatic wipe feature is a bit dangerous too, as it is a pretty effective DOS attack against your phone, especially if you have small children running around the house. You could be restoring from backup quite a lot.
kimmo at June 3rd, 2014 11:28 — #4
Been a while since I did any stats, but my gut feeling is the dot swipe pattern I use is an order or two of magnitude tougher...
...Scratch that, duh - it's totally not : /
matisse at June 3rd, 2014 11:29 — #5
Given the sort of information many of us put in our phones these days, and the access the phone (and other personal computers) have to our info, treating them with a lot of care seems reasonable, and so having an ever-increasing delay between password attempts, and a lock-out after a number of failed attempts (10 on the iPhone) seems very reasonable.
How many "password attempts" would you want on your purse or wallet filled with cash, bank statements, a list of all your friends and family, etc.?
fuzzyfungus at June 3rd, 2014 11:37 — #6
You are lucky that relentless demand for sleeker and thinner devices has made it nearly impossible to find a phone that still includes theft-deterrent explosive charges...
jim_campbell at June 3rd, 2014 11:37 — #7
Yeah I always wondered that about these password hacking articles. I've been locked out of my own websites for messing up the password a few times.. How could they get past that?
mitch_m1 at June 3rd, 2014 11:38 — #8
I guessed the restrictions password for the tablets we use at work in one try by looking at the lock screen password that everyone is given and thinking about the IT guy's thought process. It comes in handy.
I've never owned a computer type phone. Do you need to access the data on it using the phone itself or could you just mount the file system on a different device?
nixiebunny at June 3rd, 2014 11:41 — #9
Some people store useful data on their phones. The worst is if you have a list of passwords to your various online accounts somewhere findable. I occasionally check email with it, but it doesn't have my email history. The only password stuff I keep on it is lock combos, and those are only helpful if you are at the place with the lock.
kvanh at June 3rd, 2014 11:45 — #10
my iphone password has a character with an umlaut in it. i don't risk that for passwords that aren't iphone only, but i've only had problems once (iOS 7 beta had a bug that wouldn't allow selection of the unicode characters.)
fuzzyfungus at June 3rd, 2014 11:46 — #11
One twist on password guessing (aside from just 'nibbling' at a rate well below the lockout threshold and hoping to still score enough hits to take on a weak password) is the attackers who aren't focused on any specific account; but simply on accounts in general:
On any remotely competent system, bouncing passwords off a single account will lock it out quickly, but choosing a high plausibility password and bouncing account names, paired with that password, off the system, it will take longer to be locked out (a single IP can, in the case of an institution, have dozens to thousands of users behind it, so anyone who doesn't want customer support hell can't be too aggressive in setting per-IP lockouts, and anyone with a botnet or the like can get more IPs) and you'll probably obtain some accounts that way.
The other big one is password reuse: the dumbest outfit you've ever been forced to set up an account with gets cracked, anyone who reuses a password gets those credentials bounced off the sites they most plausibly might also use.
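An added example, not part of the post above: a defender-side check for the pattern it describes, where per-account lockout never fires because each account sees only one failure. The event tuples, function names and thresholds are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (source_ip, account, success)
EVENTS = (
    # One source, one guess per account: the pattern described in the post.
    [("203.0.113.7", u, False)
     for u in ("alice", "bob", "dave", "erin", "frank", "gina")]
    + [("203.0.113.7", "heidi", True)]
    # Shared institutional address: many users, mostly successful, a few typos.
    + [("198.51.100.20", u, True)
       for u in ("ivan", "judy", "ken", "lee", "mona", "nina")]
    + [("198.51.100.20", "ivan", False), ("198.51.100.20", "judy", False)]
    # Repeated guessing against a single account.
    + [("192.0.2.9", "carol", False)] * 5
)


def locked_accounts(events, threshold=5):
    """Per-account lockout view: accounts with at least `threshold` failures."""
    fails = defaultdict(int)
    for _ip, account, ok in events:
        if not ok:
            fails[account] += 1
    return {a for a, n in fails.items() if n >= threshold}


def spray_sources(events, min_accounts=5, min_fail_ratio=0.7):
    """Per-source view: many distinct failed accounts AND a high failure ratio.

    The ratio keeps a busy shared address (mostly successful logins, a few
    typos) from being flagged just because many users sit behind it.
    """
    failed, total, bad = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, account, ok in events:
        total[ip] += 1
        if not ok:
            bad[ip] += 1
            failed[ip].add(account)
    return {ip for ip in total
            if len(failed[ip]) >= min_accounts
            and bad[ip] / total[ip] >= min_fail_ratio}


if __name__ == "__main__":
    print("locked accounts:", locked_accounts(EVENTS))
    print("suspected spray sources:", spray_sources(EVENTS))
```
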
fuzzyfungus at June 3rd, 2014 11:49 — #12
Website passwords are at the (generally awful) discretion of the operator (eBay doesn't allow spaces); but modern OSes should be OK. If iOS does, I assume OSX does, and I know that NT-derived flavors have supported Unicode characters for ages.
kimmo at June 3rd, 2014 11:56 — #13
Some mobs let you use spaces in passwords?
capnjimbo at June 3rd, 2014 12:06 — #14
I have that same robot on my luggage...
tropo at June 3rd, 2014 12:08 — #15
"I've been locked out of my own websites for messing up the password a few times.. How could they get past that?"
There's always the time honored tradition of going around the interface entirely. Some of the biggest password breaches in history were accomplished by finding a way to steal the database of hashed passwords. Once you've got that in hand, you can crack passwords at whatever speed your hardware will run at.
entity447b at June 3rd, 2014 12:10 — #16
I would guess that the entry control where you swipe a shape on a grid is a bit more resilient against this kind of brute force method... but I've really no idea
nixiebunny at June 3rd, 2014 12:15 — #17
Swiping a shape is essentially the same; the sequence doesn't have finger-lifts along the way. A prudent password sniffer would select one method or the other, based on the phone OS.
tribune at June 3rd, 2014 12:17 — #18
It gets beyond a few minutes between attempts after enough failed tries - my daughter deciding her iPod really needed a new password and not writing it down taught me that.
jeblucas at June 3rd, 2014 12:33 — #19
The more you fail, the longer that timer gets--it's a creeping exponential. This method doesn't work on iOS because of this--eventually the little robot has to wait days, weeks, months before guessing again.
kreios at June 3rd, 2014 12:38 — #20
On iOS 7 it is 1 minute after 6 tries, 5 minutes on try 7, 15 minutes on try 8, 30 minutes on try 9, 1 hour at try 10. I didn't go past that.