A Shorter AND Safer Passcode for our Phones?
We’re currently living in what is hopefully a short time period of wearing face masks while in public spaces. Some of us are using surgical masks, others are displaying our creativity and personalities with homemade cloth masks (though the face mask I saw the other day that said “Juicy” on it, just left me confused and concerned), and a few of us are even wearing full on face shields like you are a bowl of egg rolls at the Smiling Cat Chinese Buffet (I was never big on buffets before this pandemic but I honestly can’t see myself seeking one out ever again after it — yeesh). They are uncomfortable, yet studies show that they can cut down on the transmission rate of viruses by a not insignificant factor.
They also are a pain in the butt when it comes to unlocking your smartphone with your face (yes I realize I used butt and face in the same sentence and there are plenty of jokes that could be made, but I’m not a middle schooler, geez). I first noticed this in late February as I traveled to Japan for work and found that I was constantly frustrated as I tried to keep my mask on and use my phone. While I’m thankful that my phone didn’t just take my word for it that I’m me despite 50% of my face being covered by a large white bulbous mound of material, the ease with which I could get information in a timely manner was significantly hampered. Add to that the fact that the phone took a couple of failed face unlocks before it defaulted back to asking me for my passcode (in my case 11 numbers long), and I was easily spending a good 20 to 30 seconds to get into my phone each time. While this doesn’t seem like a lot of time, when you’re trying to navigate the subway in a city like Tokyo, and not miss the train you need to get on, this is beyond frustrating.
This frustration actually had me contemplating turning off my phone’s face unlock feature or even changing my passcode to a shorter and easier to type in code.
Yet I knew these were the wrong responses to this annoyance. The vast majority of the day, I was able to use my face to unlock my phone, and I knew that having a shorter and easier to type passcode also made it easier to guess and easier for some random person watching me on the busy streets of Godzilla’s playground to glean.
Not only would a shorter, simpler passcode be easier for a would-be street thief to get, it would also make the phone significantly easier for a big-time organization like the FBI to crack. While I don’t believe that the majority of us need to be concerned about the FBI targeting us, just remember that the FBI aren’t the only people with tools that can get into phones, and that the number of organizations with such tools is increasing. It’s only a matter of time until everyday crooks have access to them as well. These tools were in the news just a few days ago when the FBI announced that they were able to get into the Pensacola Shooter’s iPhone after several months of trying an automated password guesser tool they have in their arsenal. These tools work by brute force: trying different passcodes over and over again until something works. The speed at which they work is highly affected by both the length and the complexity of the passcode. Check out this bit of information from Daring Fireball regarding how the length of your passcode can impact such tools:
You may recall from earlier this year that these guessers are thus very effective against short numeric passcodes. On average, a 4-digit passcode would take 7 minutes to guess (14 minutes at the maximum, if the last possible combination were the last to be guessed). A 6-digit passcode — the current default — would take on average 11 hours to crack, 22 hours tops.
A 6-character alphanumeric passphrase — A-Z, a-z, 0–9 — would take on average 72 years to guess. That’s just 6 characters. And that’s if it only contains letters and numbers, no punctuation characters or spaces — and if the person programming the automated guesser somehow knows or guesses that the passphrase contains only letters and numbers, and that it’s exactly 6 characters in length. (When your iOS device is locked by a numeric code, the unlock screen shows you how many digits the passcode contains; when your device is locked by a passphrase, the length is not revealed.)
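The arithmetic behind the quoted figures, as an added example that is not from the original post or from Daring Fireball. The 0.08 seconds per guess is an assumption back-derived from the quoted 14-minute maximum for 4-digit codes, and the function names are illustrative; the last function goes a step beyond the quote by finding how long a digits-only passcode must be to match a 6-character alphanumeric one.

```python
import string

# Assumption: about 0.08 s per guess, back-derived from the quoted
# "14 minutes at the maximum" for 10**4 codes (840 s / 10,000 = 0.084 s).
SECONDS_PER_GUESS = 0.08
YEAR = 365.25 * 86400

DIGITS = string.digits                        # 10 symbols
ALNUM = string.ascii_letters + string.digits  # 62 symbols: A-Z, a-z, 0-9


def keyspace(alphabet, length):
    """Number of distinct passcodes of exactly `length` symbols."""
    return len(set(alphabet)) ** length


def guess_seconds(alphabet, length, rate=SECONDS_PER_GUESS):
    """Return (average, worst-case) seconds for an exhaustive search."""
    worst = keyspace(alphabet, length) * rate
    return worst / 2, worst


def equivalent_length(alphabet, target_alphabet, target_length):
    """Shortest length over `alphabet` whose keyspace reaches the target's."""
    target = keyspace(target_alphabet, target_length)
    n = 1
    while keyspace(alphabet, n) < target:
        n += 1
    return n


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.0f} {unit}"
    return f"{seconds:.0f} seconds"


if __name__ == "__main__":
    cases = [("4-digit", DIGITS, 4), ("6-digit", DIGITS, 6),
             ("6-char alphanumeric", ALNUM, 6)]
    for label, alphabet, length in cases:
        avg, worst = guess_seconds(alphabet, length)
        print(f"{label}: average {humanize(avg)}, worst {humanize(worst)}")
    print("digits needed to match 6 alphanumeric characters:",
          equivalent_length(DIGITS, ALNUM, 6))
```

At this rate the averages come out to the quoted 7 minutes, 11 hours and 72 years, and a numbers-only passcode needs 11 digits to cover as many combinations as 6 letters and numbers.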
All of this to say, a shorter passcode that is only numbers is not only easy for a tool to crack, but also easier for someone else to see and/or guess. But the really great thing is that we can still have a fairly short password (even 6 characters in length) on our device and be extremely secure, as long as it contains both numbers and letters. Here’s how to do that on both iPhone/iPad and on Android devices:
iPhone/iPad
1) Open Settings
2) Scroll down to Face ID & Passcode (or Touch ID & Passcode)
3) Enter your current passcode
4) Select Change Passcode
5) Enter your current passcode
6) On the Enter your new passcode screen, select Passcode Options
7) Select Custom Alphanumeric Code
8) Type and confirm Password with both letters and numbers
Android
1) Open Settings
2) Scroll down to Security
3) Select Screen lock
4) Type in your current PIN
5) Select Password
6) Type and confirm Password with both letters and numbers
One word of caution: typing a password that’s more complex than 4 to 6 numbers is going to feel…wrong. At first. It will be uncomfortable and annoying and maybe even a little gross feeling. And that’s okay, it’s expected, but you’ll get used to it and you’ll take comfort knowing that you’ll be safer — like wearing a mask in public.
I remember that I used to be concerned about someone getting into my phone in order to make me look stupid by posting something as me on Facebook. But our phones have become an extension of our brains these days. In them we store our passwords to all our other accounts, our email, our credit cards, private photos and communications with our loved ones, and banking details — just to name a few. It’s important that our devices are treated with the priority and importance that they represent. And while we don’t need to live in fear of compromise at every turn, we can all take relatively minor steps towards being more secure with our technology.
Stay safe out there.