Let’s start with something simple: phone passcodes. I’m going to assume that anyone reading this knows they should have a passcode on a mobile device. But what are the options?

The standard 4-digit PIN that is ostensibly protecting your important stuff (phone, ATM, whatever) is really no more than a nuisance to anyone seriously wanting to get in. It will keep a random thief from immediately reading all your email and posting selfies to Facebook, but anybody who’s smart will turn off the phone and take it away from cell coverage (so it can’t be located or remotely wiped) for further investigation.

There are only 10,000 combinations (10^4), and in some cases (mobile phones included!) there are tools out there that simply try all of them. Still, it’s better than nothing, so even if you can barely remember your own phone number you should at least try. Just pick a non-horrible one (not 1234, not your birth year, not the same digit four times) and find out ahead of time what you need to do in the event you forget it [iOS.]

Decent modern phones also offer more complex passwords, but then you have a more complex thing to remember. Plus, typing a good, strong password on a phone is a major pain. Android phones also let you choose a pattern you draw on the screen with your finger, which might be easier for some people to remember. (My husband says his is “pretty complex.”) On iOS, if you choose a longer password but make it only numeric you get a bit of a compromise: a potential attacker can see that it’s only digits (the numeric keypad is displayed) but doesn’t know how many digits it might be.
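To put numbers on the points above, here is an added example (not code from the original post) that models the guessing attack: how many numeric passcodes an attacker has to consider when the keypad reveals “digits only” but not the length, how much an escalating lockout plus “erase after 10 attempts” limits an attacker who has to go through the lock screen, how fast an offline guesser that bypasses the counter gets through 10,000 combinations, and a structural check for the “horrible” PINs the post warns against. The lockout schedule, the erase threshold and the common-PIN list are assumptions constructed for illustration, not documented vendor behaviour or real measurements.

```python
from itertools import count

# ASSUMED lockout schedule (illustration only): seconds the device makes you
# wait after the Nth wrong guess. Failures 1-4 cost nothing, later ones
# escalate, and beyond the last listed failure every further one is assumed
# to cost the largest delay. With "erase after 10 attempts" turned on, the
# 10th failure is assumed to wipe the device.
ASSUMED_LOCKOUT = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
ASSUMED_ERASE_AT = 10

# Constructed, illustrative list of PINs people pick far more often than
# chance would predict; a real dictionary for a guessing tool is much longer.
COMMON_PINS = {"0000", "1111", "1234", "1212", "2580", "4321", "7777",
               "1004", "2000", "6969", "1122", "1313", "2001", "1010"}


def keyspace(min_len: int, max_len: int) -> int:
    """Passcodes to consider when the attacker can see the code is numeric
    (the keypad is shown) but not its length: 10**min_len + ... + 10**max_len."""
    return sum(10 ** k for k in range(min_len, max_len + 1))


def is_weak_pin(pin: str) -> bool:
    """Cheap structural checks for the 'horrible' PINs a dictionary attacker
    tries first: common choices, repeated digits, runs, patterns, years."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in COMMON_PINS:
        return True
    if len(set(pin)) == 1:                                       # 0000, 7777
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):                                     # 2345, 9876
        return True
    if len(pin) % 2 == 0 and pin[: len(pin) // 2] * 2 == pin:    # 1212, 123123
        return True
    if len(pin) == 4 and pin[:2] in ("19", "20"):                # birth years
        return True
    return False


def delay_after_failure(n: int) -> int:
    """Seconds the lock screen stalls after the nth consecutive failure."""
    if n in ASSUMED_LOCKOUT:
        return ASSUMED_LOCKOUT[n]
    return max(ASSUMED_LOCKOUT.values()) if n > max(ASSUMED_LOCKOUT) else 0


def online_guesses(erase_enabled: bool, hours_available: float) -> int:
    """Guesses an attacker can make through the lock screen itself in the
    time available. With erase enabled the count is capped at the wiping
    attempt no matter how patient they are; without it the lockout schedule
    only slows them down."""
    budget = hours_available * 3600
    elapsed = 0
    for n in count(1):
        if erase_enabled and n == ASSUMED_ERASE_AT:
            return n          # this guess wipes the device; no more guesses
        elapsed += delay_after_failure(n)
        if elapsed > budget:
            return n          # the next guess would not fit in the budget


def success_probability(pin_len: int, guesses: int) -> float:
    """Chance that `guesses` tries hit a uniformly random numeric passcode of
    the given length. A weak PIN is far worse: it sits near the front of the
    attacker's list, so the keyspace size no longer protects it."""
    return min(1.0, guesses / 10 ** pin_len)


def offline_average_seconds(space: int, seconds_per_guess: float) -> float:
    """Average time for a guesser that bypasses the counter (the 'programs that
    just try all of them' case): half the keyspace at a fixed rate."""
    return space / 2 * seconds_per_guess


if __name__ == "__main__":
    print("4-digit keyspace:", keyspace(4, 4))
    print("numeric, 4 to 6 digits, length unknown:", keyspace(4, 6))
    print("online guesses in 24h, erase on :", online_guesses(True, 24))
    print("online guesses in 24h, erase off:", online_guesses(False, 24))
    print("P(success) vs random 4-digit PIN, 10 guesses:",
          success_probability(4, online_guesses(True, 24)))
    print("offline, 10k PINs at 0.1 s/guess:",
          offline_average_seconds(keyspace(4, 4), 0.1), "s on average")
    for candidate in ("1234", "2019", "8305", "123123"):
        print(candidate, "weak" if is_weak_pin(candidate) else "ok")
```

The two attacker models matter more than the raw keyspace: against the lock screen a strong lockout and erase-on-failure make even four digits survivable, while an attacker who can guess offline at a fixed rate is limited only by keyspace, which is where the extra two digits (and not picking a PIN from the common list) pay off.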

I currently use a 4-digit passcode, but I’m starting to experiment with a longer numeric one – I enabled it for a short time and it wasn’t too horrible (and I’m a “might not remember own phone number” person.) It would mean that the handful of people who occasionally have legitimate access to my devices would have to learn something new (or get their own to play games on) but it would be overall more secure. This is particularly true if you suspect your electronics might be inspected at a border crossing, like some of my more activist friends.

And that leads me to a short discussion of the fingerprint sensor on the latest iPhone: I have this phone but I’m not using Touch ID right now. I’m still contemplating it, based on the uncertainty of some legal theories. I admit that for the vast majority of people this is way out there, and if you are a person who otherwise would have no security on your phone, the last thing I want to do is discourage you from using the fingerprint authentication. It’s so much better than a 4-digit passcode in basically every other way, and easy to use.

As things go in the legal world, until there is a case that decides the implications of biometric authentication, the situation is open to interpretation. I’ll leave it to lawyers to explain the details, but basically there is a question whether it is legal (in the US, at least) to force you to give up your biometric information (something you are, your fingerprint) where it wouldn’t be if you were required to give up a password (something you know.) If Touch ID allowed me to also require a passcode, even a lousy 4-digit one, I’d be all over it. But as I’m a part-time member of the tinfoil hat club (er, the larger security community), for the moment I will continue contemplating. (Here’s an article discussing some of the concerns.)

So now that I’ve gotten through all that, I’ll admit I’m a bit of a slacker for not choosing a longer passcode. I promise to work on that.

Some more resources:
Understanding iOS passcode security
An Overview of Android Lock Screen Security Options [Beginners’ Guide]

2 Comments

  1. Steven says:

    I use the four digit password on my iOS device, but I also use the setting that will erase all data from the phone if the passcode is entered incorrectly more than ten times.

    There’s nothing on the phone that isn’t duplicated in some other data location, so this makes sense to me: replacing the phone is much simpler than replacing the contents of my e-mail, bank accounts, and so forth…

  2. feorlen says:

    I also do that, plus I could remote wipe by Find My iPhone if I wanted.

    Backups are important, you can be sure I’ll be talking about that. Basically any device I have “should” be able to be lost/stolen and the only thing I’ve lost is the physical hardware. (The server is a bit of a problem because it’s complicated to back up correctly.)
