Robot will crack your phone's PIN in hours

[Permalink]

The last time I tried to guess my nephew’s PIN, the phone locked itself out for a minute after a few failed attempts.

iPhones automatically lock if you put in too many incorrect password attempts. You have to wait a few minutes before you can try again. The automatic wipe feature is a bit dangerous too, as it is a pretty effective DOS attack against your phone, especially if you have small children running around the house. You could be restoring from backup quite a lot.

1 Like

Been a while since I did any stats, but my gut feeling is the dot swipe pattern I use is an order or two of magnitude tougher…

…Scratch that, duh - it’s totally not : /

Given the sort of information many of us put in our phones these days, and the access the phone (and other personal computers) have to our info, treating them with a lot of care seems reasonable, and so having an ever-increasing delay between password attempts, and a lock-out after a number of failed attempts (10 on the iPhone) seems very reasonable.

How many “password attempts” would you want on you purse or wallet filled with cash, bank statements, a list of all your friends and family, etc. ?

1 Like

You are lucky that relentless demand for sleeker and thinner devices has made it nearly impossible to find a phone that still includes theft-deterrent explosive charges…

2 Likes

Yeah I always wondered tht about these password hacking articles. I’ve been locked out of my own websites for messing up the password a few times… How could they get past that?

I guessed the restrictions password for the tablets we use at work in one try by looking at the lock screen password that everyone is given and thinking about the IT guy’s thought process. It comes in handy.

I’ve never owned an computer type phone. Do you need to access the data on it using the phone itself or could you just mount the file system on a different device?

Some people store useful data on their phones. The worst is if you have a list of passwords to your various online accounts somewhere findable. I occasionally check email with it, but it doesn’t have my email history. The only password stuff I keep on it is lock combos, and those are only helpful if you are at the place with the lock.

my iphone password has a character with an umlat in it. i don’t risk that for passwords that aren’t iphone only, but i’ve only had problems once (iOS 7 beta had a bug that wouldn’t allow selection of the unicode characters.)

One twist on password guessing (aside from just ‘nibbling’ at a rate well below the lockout threshold and hoping to still score enough hits to take on a weak password) is the attackers who aren’t focused on any specific account; but simply on accounts in general:

On any remotely competent system, bouncing passwords off a single account will lock it out quickly, but choosing a high plausibility password and bouncing account names, paired with that password, off the system, it will take longer to be locked out(a single IP can, in the case of an institution, have dozens to thousands of users behind it, so anyone who doesn’t want customer support hell can’t be too aggressive in setting per-IP lockouts, and anyone with a botnet or the like can get more IPs) and you’ll probably obtain some accounts that way.

The other big one is password reuse: the dumbest outfit you’ve ever been forced to set up an account with gets cracked, anyone who reuses a password gets those credentials bounced off the sites they most plausibly might also use.

1 Like

Website passwords are at the (generally awful) discretion of the operator (Ebay doesn’t allow spaces); but modern OSes should be OK. If iOS does, I assume OSX does, and I know that NT-derived flavors have supported unicode characters for ages.

Some mobs let you use spaces in passwords?

TIL.

I have that same robot on my luggage…

1 Like

I’ve been locked out of my own websites for messing up the password a few times… How could they get past that?

There’s always the time honored tradition of going around the interface entirely. Some of the biggest password breaches in history were accomplished by finding a way to steal the database of hashed passwords. Once you’ve got that in hand, you can crack passwords at whatever speed your hardware will run at.

1 Like

I would guess that the entry control where you swipe a shape on a grid is a bit more resilient against this kind of brute force method… but I’ve really no idea

Swiping a shape is essentially the same; the sequence doesn’t have finger-lifts along the way. A prudent password sniffer would select one method or the other, based on the phone OS.

It gets beyond a few minutes between attempts after enough failed tries - my daughter deciding her iPod really needed a new password and not writing it down taught me that.

The more you fail, the longer that timer gets–it’s a creeping exponential. This method doesn’t work on iOS because of this–eventually the little robot has to wait days, weeks, months before guessing again.

On iOS 7 it is 1 minute after 6 tries, 5 minutes on try 7, 15 minutes on try 8, 30 minutes on try 9, 1 hour at try 10. I didn’t go past that.