Abstract
In this article, we provide the first comprehensive study of user-chosen four- and six-digit PINs (n=1705) collected on smartphones, with participants explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using six-digit PINs instead of four-digit PINs provides little to no increase in security and, surprisingly, may even decrease security. We also study the effects of blocklists, where a set of “easy to guess” PINs is disallowed during selection. Two such blocklists are in use today by iOS, one for four digits (274 PINs) and one for six digits (2,910 PINs). We extracted both blocklists and compared them with six other blocklists, three for each PIN length. In each case, we had a small (four-digit: 27 PINs; six-digit: 29 PINs), a large (four-digit: 2,740 PINs; six-digit: 291,000 PINs), and a placebo blocklist that always excluded the first-choice PIN. For four-digit PINs, we find that the relatively small blocklist in use today by iOS offers little to no benefit against a throttled guessing attack. Security gains are only observed when the blocklist is much larger. In the six-digit case, we were able to reach a similar security level with a smaller blocklist. As user frustration increases with the blocklist's size, developers should employ a blocklist that is as small as possible while ensuring the desired security. Based on our analysis, we recommend that for four-digit PINs a blocklist should contain the 1,000 most popular PINs to provide the best balance between usability and security, and that for six-digit PINs the 2,000 most popular PINs should be blocked.
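To make the throttled-guessing metric and the blocklist comparison in the abstract concrete, the following added example (not code from the paper or its authors) scores popularity-ranked blocklists of different sizes against an attacker limited to 10, 30, or 100 guesses, and then searches for the smallest blocklist that meets a chosen success ceiling. The PIN sample is constructed, and the way blocked users re-select a PIN is a modelling assumption of this example, not the paper's method.

```python
from collections import Counter

# Constructed sample of 1,000 four-digit PINs (not the paper's dataset): a few
# popular PINs plus 904 distinct "long tail" choices.
SAMPLE_COUNTS = {"1234": 40, "0000": 15, "1111": 10, "2580": 8, "1212": 6,
                 "7777": 5, "4321": 4, "2000": 3, "6969": 3, "1004": 2}
SAMPLE_PINS = [pin for pin, n in SAMPLE_COUNTS.items() for _ in range(n)]
SAMPLE_PINS += [f"{i:04d}" for i in range(5000, 5904)]  # 904 singletons


def pin_distribution(pins):
    """Empirical probability of each PIN in the sample."""
    counts, total = Counter(pins), len(pins)
    return {pin: n / total for pin, n in counts.items()}

def popularity_ranking(dist):
    """PINs from most to least popular; ties broken by the PIN string."""
    return [p for p, _ in sorted(dist.items(), key=lambda kv: (-kv[1], kv[0]))]

def apply_blocklist(dist, blocklist):
    """Distribution after disallowing the blocklisted PINs.
    Modelling assumption (ours, not the paper's): users whose first choice is
    blocked re-select like everyone else, so the blocked probability mass is
    spread proportionally over the PINs that remain allowed."""
    allowed = {pin: p for pin, p in dist.items() if pin not in blocklist}
    mass = sum(allowed.values())
    if mass == 0:
        raise ValueError("blocklist disallows every PIN in the sample")
    return {pin: p / mass for pin, p in allowed.items()}

def throttled_success(dist, guesses):
    """Share of users compromised by an attacker limited to `guesses` attempts
    who tries PINs in decreasing order of popularity."""
    return sum(sorted(dist.values(), reverse=True)[:guesses])

def evaluate_blocklists(pins, sizes, budgets=(10, 30, 100)):
    """Attacker success per guess budget for popularity-ranked blocklists of
    each given size (size 0 = no blocklist)."""
    dist = pin_distribution(pins)
    ranking = popularity_ranking(dist)
    return {size: {g: throttled_success(apply_blocklist(dist, set(ranking[:size])), g)
                   for g in budgets}
            for size in sizes}

def smallest_blocklist(pins, budget, max_success):
    """Smallest popularity-ranked blocklist that keeps attacker success within
    `budget` guesses at or below `max_success`; None if no size achieves it."""
    dist = pin_distribution(pins)
    ranking = popularity_ranking(dist)
    for size in range(len(ranking)):
        blocked = apply_blocklist(dist, set(ranking[:size]))
        if throttled_success(blocked, budget) <= max_success:
            return size
    return None
```

On the constructed sample, blocking only the top few PINs already cuts the 10-guess success rate noticeably, while the 100-guess attacker keeps most of its yield until the blocklist removes the whole popular head, which is the size-versus-benefit trade-off the abstract discusses.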
On the Security of Smartphone Unlock PINs