Please hold…

Passwords. Combinations. Passcodes. Security answers. We all use them. We all know what they are… And yet very few understand them. What makes a good combination? Why is this common shortfall a doorway of opportunity that criminals exploit over and over? What is the value, in standards of time, of our most common strings of characters? Is there a better way? Before we go any further, let us assume you already understand the critical importance of locking all your devices.

Our mobile devices allow us to be nearly ubiquitous today. But how can we authentically be everywhere at the same time? We need our identity. The mobile “smartphone”, for example, has access control features that help a user identify and thereby authenticate a myriad of services simultaneously. Those services give us a unique, multi-level presence that combines the real world with the virtual to influence the world we live in. That influence has value, often in monetary terms, and is a very tempting target for theft. We must protect against theft every day, and for mobile devices, that protection starts with access control and time.

Have a few minutes?

Numeric combinations are very common for mobile devices. For example, a passcode for older Apple iPhones has often been four numbers. These codes are often referred to as a Personal Identification Number (PIN). An average computer designed for the purposes of brute force system entry, commonly referred to as “cracking”, can go through possible combinations of a four-digit PIN in 6 minutes and 34 seconds¹. A trained human being needs about 4 hours to do the same thing. In analogous terms, this is like shutting the door to the house on the way to work, but not locking it.

How about a few days?

Newer iPhones begin with a 6 digit setup screen². Contrast the above with the six number PIN. A computer will average just under 11 hours while a human needs a little over 17 days. The odds shift against the nefarious person trying to gain unauthorized access. The analogous door has a knob lock, but we can do better. Longer passwords involve a trade-off: security versus practicality.

In the 1950s, the telecommunication industry conducted psychological research and discovered that 7 numbers are near the limit of what a person can remember naturally. Assuming area codes are static, a typical phone number today has 7 digits. Most people can remember a phone number. The statistical odds of a 7 number PIN protecting a device, however, are not adequate. A computer can crack a 7 number string in a little over 4 ½ days¹. Clearly, we need the odds to improve. We need to add an analogous deadbolt to the door.

Years?

A combination that has proven to be very effective is what is known as an alpha-numeric string. If we change the 7 numbers to letters, the average time needed to crack the password has now lengthened to over 10 years. If we mix uppercase with lowercase letters, the odds drastically improve to the point that the average time needed is over 1300 years. To go one step further, if we use mixed case letters and numbers, our 7 character PIN would take a computer an average of over 4000 years to crack.

There are caveats to this: the letters should not be easily guessed, so avoid dictionary words. Number combinations repeated or in a sequence should be avoided, so do not use 0012345. Mixing letters and substituting numbers for letters is highly effective, allows one to accomplish a diverse password, and be able to remember it. There is a systematic technique known as “leet” that tech people have used since the 1980s. There are several (safe) websites dedicated to helping “translate” a word into leet. As long as you can remember the string, this helps to create a strong password that is not a dictionary word, has a complex set of mixed-case characters, and increases, well beyond several lifetimes, the time required to crack. Using leet, an example of a 7 character password might be the Oklahoma town of Guthrie: 9U7hR13 (this is only an example). Next, we will look at other options.

For future reference

There are techniques that industries have successfully used to protect beyond simple username and password controls. Adding an additional identity component, also referred to as a factor, is a highly effective option that financial institutions have used for over 20 years. In the last 5 years, the concept of multi-factor authentication has evolved to the point that it has been adopted by most major tech companies. Applications, such as Google Authenticator, are easily (and safely) downloaded from either Google Play or the App Store, depending on the device you use. These applications are very easy to set up and integrate well with email services, chat programs, and other services.

No matter how complex they are, passwords present an enduring problem. People forget often, so passwords tend to get written down. Those written passwords also tend to end up in places that are not very secure, like a sticky note under a keyboard. What if you could substitute a password requirement? Technology to replace passwords is available and growing in use cases. Encrypted tokens communicated over out-of-band, secure channels are possible. Multiple levels of encryption are becoming more complex as well. The future offers a bright opportunity to migrate systems away from the old username-password model that has been around for over 60 years. This is being driven by ever-increasing levels of risk.

As technology has spread around the world, the threat of fraudulent activity has increased exponentially. The risk of being targeted for a brute force attack is so significant in 2018 that Apple designed its newest iPhone to use a different access control method entirely: the biometric of facial recognition. The initial requirement of a passcode is still present and must be used to authorize turning on this more advanced biometric authentication method. The iPhone X constitutes less than 10% of even the most technologically savvy population (Singapore), and less than 5% of the US³. So while this offers a secure way to authenticate a user, the reality is that it will take time for biometrics to become widely accepted by the population. Longer still to make it a requirement. If the initial passcode is still required to configure biometrics, we find ourselves back where we began: responsible passwords.

Conclusion

The access control methodology of passcodes will continue to influence how most people authenticate their mobile devices. This article has identified ways to improve passcodes and access methodology. Using a combination of mixed case letters and non-repeating, non-sequential numbers can strengthen a password exponentially. At least seven or more characters will thwart even the most sophisticated resources. At a minimum, longer and more complex alpha-numeric strings have proven to protect devices and reduce the risk of valuable information being compromised. Adding additional factors, like random generated codes, encrypted tokens, or biometric information, raises device security to word class standards. By being “too much work”, we can reduce the attractiveness of our online identity. If the axiom “it’s not a matter of if, but when” is true, then our solution has a very unique advantage. It’s about time.

1. Source: Hackett, Robert, “How long it takes to break a password”, Fortune Magazine, 18 March 2016, http://fortune.com/2016/03/18/apple-fbi-iphone-passcode-hack.
2. The iOS 9 released in September 2015 included a default 6 digit PIN at setup.
3. “Market share of the iPhone X iOS in selected countries worldwide as of January 2018”, Statista, January 2018, https://www.statista.com/statistics/868005/market-share-iphone-x-ios-worldwide-country/