This PIN Can Be Easily Guessed: Analyzing the Security of Smartphone Unlock PINs

In this paper, we provide the first comprehensive study of user-chosen 4- and 6-digit PINs (n = 1220) collected on smartphones with participants being explicitly primed for device unlocking. We find that against a throttled attacker (with 10, 30, or 100 guesses, matching the smartphone unlock setting), using 6-digit PINs instead of 4-digit PINs provides little to no increase in security, and surprisingly may even decrease security. We also study the effects of blacklists, where a set of "easy to guess" PINs is disallowed during selection. Two such blacklists are in use today by iOS, for 4-digit (274 PINs) as well as 6-digit (2910 PINs) PINs. We extracted both blacklists and compared them with four other blacklists, including a small 4-digit (27 PINs), a large 4-digit (2740 PINs), and two placebo blacklists for 4- and 6-digit PINs that always excluded the first-choice PIN. We find that the relatively small blacklists in use today by iOS offer little or no benefit against a throttled guessing attack. Security gains are only observed when the blacklists are much larger, which in turn comes at the cost of increased user frustration. Our analysis suggests that a blacklist at about 10 % of the PIN space may provide the best balance between usability and security.
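The throttled-guessing evaluation the abstract describes, as an added toy example (not the paper's code or data): a perfect-knowledge attacker guesses in descending corpus frequency and stops after a budget of 10, 30 or 100 attempts, and a blacklist is built from the most frequent PINs so its security benefit can be set against its usability cost (the share of first choices it rejects). The corpus and counts are constructed, and the assumption that users whose first choice is blacklisted re-pick from the same distribution as everyone else is ours, not the paper's.

```python
"""Throttled-guessing evaluation of PIN choices and blacklists (added toy
example, not the paper's code or data)."""
from collections import Counter
from fractions import Fraction

# Constructed toy corpus of first-choice 4-digit PINs; counts are invented
# and sum to 100. They are not measurements from the paper.
SAMPLE_4DIGIT = Counter({
    "1234": 30, "1111": 12, "0000": 10, "1212": 8, "7777": 6, "2580": 5,
    "2000": 5, "4444": 4, "1004": 4, "6969": 3, "9999": 3, "1313": 2,
    "4321": 2, "8888": 2, "5555": 1, "3333": 1, "2222": 1, "1010": 1,
})


def blacklist_top(counts, n):
    """Blacklist the n most frequent PINs (ties broken by PIN value)."""
    ranked = sorted(counts, key=lambda p: (-counts[p], p))
    return frozenset(ranked[:n])


def blacklist_hit_rate(counts, blacklist):
    """Usability cost: fraction of first-choice PINs the blacklist rejects."""
    rejected = sum(c for p, c in counts.items() if p in blacklist)
    return Fraction(rejected, sum(counts.values()))


def guessing_success(counts, budget, blacklist=frozenset()):
    """Fraction of users compromised within `budget` guesses.

    Modelling assumption (ours, not the paper's): blacklisted users re-pick
    from the same distribution, so final PINs follow the corpus restricted to
    allowed PINs; the attacker knows the blacklist and never guesses a blocked PIN.
    """
    allowed = {p: c for p, c in counts.items() if p not in blacklist}
    total = sum(allowed.values())
    if total == 0:
        return Fraction(0)
    ranked = sorted(allowed.items(), key=lambda kv: (-kv[1], kv[0]))
    return Fraction(sum(c for _, c in ranked[:budget]), total)


def compare_policies(counts, budgets=(10, 30, 100), blacklist_sizes=(0, 3, 10)):
    """One row per blacklist size: (size, hit rate, {budget: success rate})."""
    rows = []
    for n in blacklist_sizes:
        bl = blacklist_top(counts, n)
        rows.append((n, blacklist_hit_rate(counts, bl),
                     {b: guessing_success(counts, b, bl) for b in budgets}))
    return rows
```

With only 18 distinct PINs the toy corpus saturates at 30 guesses; the same functions apply unchanged to a real frequency table and to 6-digit PINs.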
