Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue.
Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.
Famous people occasionally make security mistakes like this in public, and every time the reaction is the same – ridicule mixed with surprise.
Ridicule because 000000 seems like the sort of passcode anyone could guess, and surprise that West allowed himself to be filmed revealing this naive weakness.
Others are simply bemused that West didn’t use Face ID or Touch ID.
First, let’s get some perspective – 000000 is a bad passcode, but the worst choice available to iPhone users is to use no passcode at all, and at least he’s not doing that.
And while Kanye’s password is almost the worst choice he could have made (that honour goes to 123456) that still doesn’t mean that guessing it is a slam dunk.
That’s because modern smartphones impose limits on the number of incorrect guesses.
Under iOS, an attacker is allowed six failed attempts after which the phone is disabled for a minute. Continue to guess incorrectly and the timeouts increase to 5, 15, and 60 minutes before, after the tenth attempt, the iPhone will either need to be re-initialized via iTunes or (if the option has been enabled) all data will be wiped.
So, while 000000 sounds easy to guess – any brute forcing utility would spot it in fractions of a second if it was used to secure a website account – on a physical device it’s not quite so straightforward.
An attacker with physical access to Kanye West’s iPhone would still have to decide which ten of the million possible passcodes they were going to try.
000000 is one of the most obvious, but there are plenty of other ‘obvious’ combinations of numbers, touch screen pattens or significant numbers (such as birth dates) when you only have ten choices.
So if lesson number one is choose a better passcode, number two is that lock out limits can go a long way to saving users from their own bad choices.
However, there’s an even more important lesson to be learned here…
Even if West had chosen a stronger passcode, it would have made no difference for the simple reason that he entered it in front of others while being filmed.
https://twitter.com/jetpack/status/1050517946139840517
Instead of mocking him for naivety, we should thank him for reminding us of this simple security point – complete with a hard-to-miss demonstration of the principle in front of the world’s press and millions of onlookers.
Naked Security
What Kanye West can teach us about passcodes
Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.
lollerSkates
every c-level suit i know uses 111111, 11111111, 000000, 00000000, 123456, 12345678
(some get really creative and use 22222 or 22222222)
Maybe the bigger problem isn’t Kanye, its that we are still using numerical pass-codes in 2018. side note, no one cares about privacy or security, example Facebook is still in business, what a world we live in.
John E Dunn
Presumably you know this because they’ve either told you or you shoulder-surfed the passcodes – point well made!
Bryan
Possibly shoulder surfing, but it’s surprising/disturbing how many people blithely leave their phones on the support desk with a stickynote passcode. Or the (only-slightly-better) email,
phone doesn’t work**
it’s on your desk
code is 1234
thx bry
** every IT support tech’s favorite descriptive phrase
Frank
We have a solution for this, we issue login tokens so the user can chose a 120 char long pw and only needs to provide a small pin to access + proximity to his pc. If somebody tries to access remotely his computer he can’t use the pin+ device part as that is only working via the interface that is a physical interface. hence the attacker is facing the long pw to crack. Even the most bored CEO is able to handle this and the good thing is we just evolved to Smartphone as token instead of device.
Bryan
Yo John, Imma let you finish …but Beyonce had one of the best passcodes of all time!
John
Well played :)
Bryan
we should thank him for reminding us of this simple security point
Indeed.
Bonus head-scratcher:
If I anticipated using my phone on television–or in front of any large group–I’d change my authentication method prior to the event, reverting shortly after.**
Just think: what if that’s what Kanye’s doing here?
:,)
** Albeit I’d likely use fingerprint, still representing more of a barrier than ‘000000‘ and leaving me less paranoid over losing my device during the event itself.
gab
:)
[URL removed]
Mark Stockley
If you want to see what gab wanted to link to, go to YouTube and search for “Spaceballs 12345”. You won’t be disappointed.
Bryan
Agreed. I sent that link to a buddy after he gave me his alarm code in a group email. Yep, 123456.
Pleased to report after a bit of denial, he progressed to acceptance and finally to change. My reply-all probably helped.
:,)
/me leaves to go watch the clip…
Mark Stockley
Fixing the world, one user at a time. Go get your YouTube reward Bryan, you earned it!
Matt Parkes
I reckon he will come back with the excuse that he changed his PIN to 000000 to make it easier to unlock his phone when needed because its obviously nerve wracking when upfront and personal with the POTUS and that he changed it to a far more secure PIN later on. Doesn’t explain why he just didn’t use FACE ID though.
Mahhn
I’m an ugly guy myself, but if I was konyay I wouldn’t use Face ID, it might break the phone. He has the guy version of BRF.
Creeping Slime (@tattooed_mummy)
When you are as famous as Kanye wouldn’t that be a risk? with a bazillion images of him everywhere? Or is Face ID better than that now? I don’t know – I use it, and finger print id
Jim B
Unless of course, he knew he would be unlocking it on camera, so changed the code to 000000 for the duration, then switched back to his real code afterwards.
Hey, you never know, it’s theoretically possible!
Pierre Jodoin
I’d like to put the blame on Apple (and other mobile device builders).
There is no way in hell such a weak passcode should be allowed.
Mark Stockley
This.
Brian T. Nakamoto
If Apple disallowed “dumb” passcodes, then casual snoops wouldn’t be tempted to waste some attempts on them. I guess we should thank Kanye for keeping the prospect of an easy passcode alive.
Paul Ducklin
I’m with you. This thing where people praise vendors for preventing or warning you about “weak” passcodes, and moan at those who don’t protect you from “weakness”, has always sat badly with me, especially when short passcodes with strong rate limiting and quick lockout are concerned (e.g. three tries only for a phone or bank PIN).
Any attempt to impose some sort of algorithmic control over something that is supposed to be random is a bit of a fool’s errand IMO.
As you say, if 00000 gets banned, then the sort of easy passcode people will adopt instead, such as 00001 (and, of course, the easier-to-type “bottom row” variants 00007, 00008 and 00009) will probably need to be stopped soon as they take over in the “bad passcode” list. And once 12345 has gone for good you’ll probably find that 12346 takes over from it and then that will need adding to the blocklist… and so on until it’s easier to have a list of passcodes that you are allowed than ones you aren’t :-)
I always cringe when a website that prides itself on preventing me from having weak passwords tells me that a 32-character hexadecimal string created directly from /dev/random is “weak” but Passw0rd! is “very strong” because it contains at least one upper, one lower, one digit and one punctuation.
Steve
He shoots, he scores! WTG Duck!
Dylan Kaufman
As it happens, iPhones show you how many digits need to be entered, so someone trying to break into your phone doesn’t have to guess that.
Mark Stockley
Fixed, thanks!
John E. Dunn
True. Interestingly, had he been using an Android device that wouldn’t have been the case – passcodes are entered on a blank line.
Paul Ducklin
*Is* it true? I just unlocked my iPhone and I couldn’t see any hint of my passcode length on the lock screen. There’s an empty box that fills up with blobs as you enter digits. If your enter more than 10 digits you see 10 blobs and an ellipsis mark – three successive tiny dots , like this: …
When you’re ready to submit the code you’ve entered, you tap OK.
(I have some Microsoft apps on my phone that are “PIN protected”, presumably a basic extra precaution to protect you against inquisitive snoops who pick up your phone for a moment while you are turned away, and that PIN entry dialog shows a little circle for each digit, and automatically “hits OK” when you have typed the right number of digits. But not on the lock screen.)
Did I miss something? Is this an option?
Does your passcode need to be longer than N digits for the length hint not to be shown? (If so, making your code longer than N is a neat idea for extra security in two ways!)
mike@gmail.com
Not using face-id or fingerprint is probably a security measure to prevent forced unlocking of his phone.
Paul
Blah glass half full article about a publicity whore. Guess needs to file an article, so might as well reuse a 2fa tag line.
Paul Ducklin
Fair enough… but this whole story *is* nevertheless a warning about the dangers of learning about cybersecurity simply by following what everyone else is saying and tweeting, and so forth. In this case, there was a collective outpouring of intellectual superiority over Mr West, a/k/a Mr Ye, from everyone who had a decent lock code, such as 73550982. Hey, because 73550982 is *so* secure after it’s been broadcast on international television.
Maybe a better headline would have been “What the twitter fest about Ye’s lock code utterly failed to teach you.”
I think there is every need for articles like this one and I am glad we wrote it.
John Leslie
Passing thought – knowing Face-ID isn’t super-reliable I think I’d have changed my passcode to something that’s easy to type, plus different to my real one, before appearing in public where I thought I’d need to show people something on my phone…
Paul Ducklin
I did wonder that. As passing thoughts go, it’s not a bad one at all.
The only problem is that you absolutely must remember to switch the code back promptly afterwards!
Having said that, I wonder if there is any moment in Ye’s life where he doesn’t think he might need to whip out his phone in public to show people something for promo purposes?
Anonymous
isn’t 000000 the same as the nuclear launch code? Only the president and Kanye should be able to unlock the phone :)
Paul Ducklin
I thought the nuclear codes were 00000000, a full eight digits and therefore A MASSIVE ONE HUNDRED TIMES safer 🔥