Open access

On the Security of Smartphone Unlock PINs

Published: 30 September 2021

    Abstract

    In this article, we provide the first comprehensive study of user-chosen four- and six-digit PINs (n=1705) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using six-digit PINs instead of four-digit PINs provides little to no increase in security and surprisingly may even decrease security. We also study the effects of blocklists, where a set of “easy to guess” PINs is disallowed during selection. Two such blocklists are in use today by iOS, for four digits (274 PINs) as well as six digits (2,910 PINs). We extracted both blocklists and compared them with six other blocklists, three for each PIN length. In each case, we had a small (four-digit: 27 PINs; six-digit: 29 PINs), a large (four-digit: 2,740 PINs; six-digit: 291,000 PINs), and a placebo blocklist that always excluded the first-choice PIN. For four-digit PINs, we find that the relatively small blocklist in use today by iOS offers little to no benefit against a throttled guessing attack. Security gains are only observed when the blocklist is much larger. In the six-digit case, we were able to reach a similar security level with a smaller blocklist. As user frustration increases with the blocklist's size, developers should employ a blocklist that is as small as possible while ensuring the desired security. Based on our analysis, we recommend that for four-digit PINs a blocklist should contain the 1,000 most popular PINs to provide the best balance between usability and security, and that for six-digit PINs the 2,000 most popular PINs should be blocked.
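The abstract's security metric is the fraction of users an attacker with a fixed guess budget (10, 30 or 100 tries) can unlock when guessing PINs in order of popularity, with and without a blocklist of the most popular PINs. The following Python is an added illustration and is not code or data from the paper: it runs that evaluation on a small constructed PIN sample (the counts are invented) under two labelled assumptions about how a user whose first choice is blocked re-chooses, a pessimistic "bump the last digit" model and an optimistic "pick something nobody else has" model. The `evaluate`, `top_n_blocklist` and fallback-factory names are this example's own.

```python
from collections import Counter
from itertools import count

# Constructed four-digit PIN sample (illustrative only, not the study's data):
# a handful of very popular PINs plus a tail of 100 PINs chosen once each.
SAMPLE_PINS = (
    ["1234"] * 40 + ["0000"] * 15 + ["1111"] * 10 + ["2580"] * 8
    + ["1212"] * 6 + ["7777"] * 5 + ["1004"] * 4 + ["2000"] * 3
    + ["4444"] * 3 + ["2222"] * 2 + ["6969"] * 2 + ["9999"] * 2
    + [f"{i:04d}" for i in range(5000, 5100)]
)


def popularity_order(pins):
    """Most-common-first guessing order; ties keep first-seen order."""
    return [pin for pin, _ in Counter(pins).most_common()]


def top_n_blocklist(pins, n):
    """Blocklist made of the n most popular PINs of a distribution."""
    return frozenset(popularity_order(pins)[:n])


def modify_factory(pins, blocklist):
    """Pessimistic re-choice model (assumption): a blocked user keeps the PIN
    and bumps its last digit until the result is allowed."""
    def rechoose(pin):
        while pin in blocklist:
            pin = pin[:-1] + str((int(pin[-1]) + 1) % 10)
        return pin
    return rechoose


def unique_factory(pins, blocklist):
    """Optimistic re-choice model (assumption): every blocked user picks a
    fresh PIN that no other user holds and that is not itself blocked."""
    taken = set(pins) | set(blocklist)
    fresh = count(0)

    def rechoose(_pin):
        while True:
            candidate = f"{next(fresh):04d}"
            if candidate not in taken:
                taken.add(candidate)
                return candidate
    return rechoose


def apply_blocklist(pins, blocklist, rechoose):
    """Distribution users end up with once blocked choices are replaced."""
    return [pin if pin not in blocklist else rechoose(pin) for pin in pins]


def throttled_success(pins, budget):
    """Fraction of users whose PIN lies within the attacker's first `budget`
    guesses, the attacker guessing in popularity order of that distribution."""
    guesses = set(popularity_order(pins)[:budget])
    return sum(pin in guesses for pin in pins) / len(pins)


def evaluate(pins, blocklist_size, rechoose_factory, budgets=(10, 30, 100)):
    """Success rate per guess budget for a top-n blocklist and re-choice model."""
    blocklist = top_n_blocklist(pins, blocklist_size)
    redistributed = apply_blocklist(pins, blocklist, rechoose_factory(pins, blocklist))
    return {budget: throttled_success(redistributed, budget) for budget in budgets}


if __name__ == "__main__":
    for size in (0, 3, 12):
        for name, factory in (("modify", modify_factory), ("unique", unique_factory)):
            rates = evaluate(SAMPLE_PINS, size, factory)
            print(f"blocklist top-{size:<2} {name:6} "
                  + "  ".join(f"{b:>3} guesses: {r:.2f}" for b, r in rates.items()))
```

On this sample, no blocklist gives the attacker 48% of users within 10 guesses. Under the pessimistic model the rates do not move at all, whatever the blocklist size, because the popularity mass simply shifts to the modified PINs; under the optimistic model the small list (top 3) drops the 10-guess rate to 18% and the large list (top 12) to 5%. The point of the exercise is that the benefit of a blocklist is a property of how users re-choose, which is why it has to be measured on real selections rather than assumed from the list's size.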


    Published In

    ACM Transactions on Privacy and Security, Volume 24, Issue 4, November 2021, 295 pages
    ISSN: 2471-2566
    EISSN: 2471-2574
    DOI: 10.1145/3476876
    This work is licensed under a Creative Commons Attribution International 4.0 License.

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Publication History

    Published: 30 September 2021
    Accepted: 01 June 2021
    Revised: 01 May 2021
    Received: 01 January 2021
    Published in TOPS Volume 24, Issue 4


    Author Tags

    1. PIN
    2. Security
    3. authentication
    4. blocklist
    5. mobile
    6. smartphone
    7. usability

    Qualifiers

    • Research-article
    • Research
    • Refereed


    Article Metrics

    • Downloads (last 12 months): 747
    • Downloads (last 6 weeks): 86
    Reflects downloads up to 09 Aug 2024

    Cited By

    • (2024) Special Characters Usage and Its Effect on Password Security. IEEE Internet of Things Journal 11(11), 19440–19453. DOI: 10.1109/JIOT.2024.3367323. Online publication date: 1 June 2024.
    • (2024) Graphical Passwords for Emergent Users: A Four-Day Recall Comparative Study on PIN, Passfaces and Celebrities. Proceedings of the 14th Indian Conference on Human-Computer Interaction, 75–97. DOI: 10.1007/978-981-97-4335-3_4. Online publication date: 3 August 2024.
    • (2023) Cybersecurity Practices of Rural Underserved Communities in Africa: A Case Study from Northern Namibia. 2023 International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD), 1–7. DOI: 10.1109/icABCD59051.2023.10220449. Online publication date: 3 August 2023.
    • (2023) Vulnerability Analysis of Chinese Digital Passwords Related to ATM PIN Using Deep Learning. IEEE Transactions on Dependable and Secure Computing 20(4), 2825–2835. DOI: 10.1109/TDSC.2022.3188505. Online publication date: 1 July 2023.
    • (2023) Machine Learning for PIN Side-Channel Attacks Based on Smartphone Motion Sensors. IEEE Access 11, 23008–23018. DOI: 10.1109/ACCESS.2023.3253288. Online publication date: 2023.
    • (2022) User Perceptions of Five-Word Passwords. Proceedings of the 38th Annual Computer Security Applications Conference, 605–618. DOI: 10.1145/3564625.3567981. Online publication date: 5 December 2022.
    • (2022) Bu-Dash: a universal and dynamic graphical password scheme (extended version). International Journal of Information Security 22(2), 381–401. DOI: 10.1007/s10207-022-00642-2. Online publication date: 4 December 2022.
