The Robservatory

Robservations on everything…


Two silly solutions for creating numeric passcodes

This morning, I was reading about Henrique Prange's friend's stolen iPhone, and the financial damage the thieves inflicted in only a few hours' time—yikes! I've got six-digit codes on all my iOS devices, which suddenly felt like not nearly enough.

I also deleted all my iCloud info from the saved website passwords, as explained in Kirk McElhearn's article for Intego. There are some good recommendations there.

Then I set out to change my iOS passcodes…and me being me, I made it way more complicated than it needed to be. But first, a bit about passcodes on iOS…

About secure iOS passwords

The most secure password would be an alphanumeric password—even something as short as six characters would take multiple years to brute-force guess, according to this article on Daring Fireball. That's because each entry takes the Secure Enclave about 80 milliseconds to process, which works out to only 12.5 attempts per second.

However, I absolutely hate the keyboards on iOS devices, and I worry that I'd mistype my password—especially if I included upper case characters and symbols, as I should. Mistype it too many times, and I'd wind up locked out for a few minutes. Entering alphanumeric characters is also slower, especially with upper case and symbols.

So in the end, I settled on a more-than-six-digit all-numeric code. How many exactly? I'm not saying :).

Assume it was nine digits, though, which means a billion possible combinations. That may not seem all that much better than the million combinations you get with a six-digit code, but it really is much better…

At 12.5 attempts per second, that six-digit code would be broken in 22 hours in the worst case (i.e. it's found on the last try). A nine-digit code, on the other hand, would require 2.5 years in the worst-case scenario. That's a lot better than under a day.

If you go up to 10 digits—the same as phone numbers in the USA—the worst-case time climbs to 25 years. And if you can remember a phone number, you should be able to remember a 10-digit code.

But how to come up with those digits, for whatever length you choose? Sure, I could pick numbers that are meaningful to me, but then I'd have to remember what I picked, and what order I picked them in…and in theory, it could provide a tiny social engineering opening for someone to figure out my code. I decided random was better…and me being me, I used it as an excuse to muck around with the Mac to automate the creation of (relatively) totally random all-numeric passcodes.

I'm sure there are any number of online tools that will do this in a heartbeat, but I'm always looking for some excuse to do things the hard way, so I created not one but two different numeric password generators…

Using Excel

The first, which is the most full-featured, is a simple Excel (or Numbers) workbook: Just enter your target passcode length, and it returns a new passcode along with the estimated brute force attack time:

The spaces are added for readability and memorizability; they're not part of the passcode. If you want a new code, just press Command-Equals or F9, and another one will appear. I just kept recalculating until I found codes I liked for each of my iOS devices.

To use, download the workbook, unzip it, and open it in Excel or Numbers—I was impressed that the Numbers importer even handled the input cell validation (a number between 4 and 21).

Note that there's no upper limit on the length of a numeric iOS passcode that I could find, but I figured 21 was about the longest anyone might ever want to use. If you feel differently, just edit the cell validation and add whatever digits you'd like to allow.

Using a shell script

Again, there are probably any number of existing shell scripts that will do this, but I like to write scripts on occasion to try to keep my (minimal) skills from completely vanishing. My script will accept a command line input for the length of the passcode, or you can enter it interactively. Here's how it looks used both ways:

$ passgen 17
431 017 417 237 296 01

$ passgen
Desired passcode length (4 to 21 digits) 17
062 103 518 369 462 01

Basic, but it works—and again, the spaces are added for readability and memorizability. Here's the code, which I'm not going to explain line by line, because it's boring and not overly complicated. (If you do actually have a question about it, post a comment and I'll try to answer.)
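The post's own passgen script is not reproduced on this page. In its place, here is an added example (written for this edit, not the Robservatory's script): a POSIX shell passgen that draws digits from /dev/urandom, groups them in threes, and reports the worst-case brute-force time using the 12.5 attempts/second figure from the passcode section above. The 4-to-21 range, the grouping and the interactive prompt follow the post; the use of /dev/urandom, sed and awk is my choice.

```shell
#!/bin/sh
# Added example, not the Robservatory's own passgen script. Digits come from
# /dev/urandom, output is grouped in threes for readability, and the worst-case
# brute-force time uses the post's 12.5 attempts/second figure.
# Assumes tr, head, sed and awk are available (they are on macOS and Linux).

# random_digits N: N digits from the OS CSPRNG, no trailing newline.
random_digits() {
    LC_ALL=C tr -dc '0-9' < /dev/urandom | head -c "$1"
}

# group_digits DIGITS: a space after every third digit; the spaces are for
# memorability only. 43101741723729601 -> "431 017 417 237 296 01"
group_digits() {
    printf '%s\n' "$1" | sed 's/\([0-9]\{3\}\)/\1 /g; s/ $//'
}

# brute_force_time N: worst case (found on the last try) to exhaust all 10^N
# codes at 12.5 guesses per second, in the largest sensible unit.
brute_force_time() {
    awk -v n="$1" 'BEGIN {
        s = 10^n / 12.5                       # seconds for 10^N attempts
        if      (s < 60)       printf "%.1f seconds\n", s
        else if (s < 3600)     printf "%.1f minutes\n", s / 60
        else if (s < 86400)    printf "%.1f hours\n",   s / 3600
        else if (s < 31557600) printf "%.1f days\n",    s / 86400
        else                   printf "%.1f years\n",   s / 31557600
    }'
}

# passgen [N]: length from the command line or interactively, limited to the
# 4..21 range the post's workbook uses; prints the code and the estimate.
passgen() {
    len="$1"
    if [ -z "$len" ]; then
        printf 'Desired passcode length (4 to 21 digits) '
        read -r len
    fi
    case "$len" in
        ''|*[!0-9]*) echo "length must be a whole number" >&2; return 1 ;;
    esac
    if [ "$len" -lt 4 ] || [ "$len" -gt 21 ]; then
        echo "length must be between 4 and 21 digits" >&2; return 1
    fi
    group_digits "$(random_digits "$len")"
    printf 'worst case at 12.5 guesses/s: %s\n' "$(brute_force_time "$len")"
}

# Only run when saved and invoked as "passgen", so the functions can be sourced.
case "${0##*/}" in passgen) passgen "$@" ;; esac
```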

To use this, copy it from the code box above, paste it into your favorite pure text editor, save it somewhere on your user's executable path, make it executable (chmod 755 passgen), then run it as shown above. Nearly completely useless, but it was a fun learning exercise.

5 Comments

  1. I read that same article and decided to switch to an alphanumeric passcode. I then somehow proceeded to mess it up and be locked out.

    I had the 1 min timeout, then 5 then a few 15s. I eventually got to an hour. I think I got to the point where if I got it wrong again, it would wipe itself. So I just took the plunge and restored.

    I didn’t lose any photos since both backup systems worked fine. The rest was restored from iCloud backup 3 days prior.

    If I ever do change to alphanumeric, I’m going to videotape myself entering it with my wife’s phone.


The Robservatory © 2020