
This probably feels like an obvious topic and I’m not sure how many people will actually find this useful, but I’m writing this for all the people out there that are as stupid as I am.
Why so stupid?
I’m not exactly sure why I’m like this, maybe it was that one time my brother made a toddler sized dent in the wall when he “accidentally” chucked me at it head first, but the reason it’s relevant now is because I’m one of those dimwitted fellows whose passcode for my phone and laptop is my birthday.
And it’s not even the full six digits, just four. A glucose deprived diabetic suffering from a hangover and a concussion could probably crack it in a few minutes.
But I’m sure (hoping) that I’m not alone and that some of my dimwitted brethren might also wonder how someone is able to remember a number that isn’t their birthday to use as their passcode.
So in honor of you poor unfortunate fellows I did some research on how to create and remember a secure passcode.
But first…
Why does it even matter?
Our devices are everything to us.
We use them for work, education, communication, managing our finances, and entertainment. We spend most of our waking hours staring at them.
And because we invest so much time, energy and trust into these devices, our entire lives can be upended and potentially ruined should the wrong person get access.
And often this access is merely protected by a 4 digit passcode.
Grayshift is a company that offers a software product called GrayKey that is able to brute-force iOS passcodes in order to get access to the device. This is a legitimate company and they only sell this software to law enforcement units (but if the good guys have it the bad guys likely do as well, and sometimes the good guys might also be bad guys). They claim they can crack a 4 digit passcode in as little as 30 minutes and a 6 digit passcode in around 2 days.
In response to products like GrayKey, Apple has since added a feature called USB Restricted Mode (disables all USB communication 1 hour after the phone was last unlocked). But if we know anything about IT, it is that everything is hackable and it’s only a matter of time before they find a way around these added protections.
And if this kind of software exists for iOS you can be sure it exists for Android, Windows, and Mac as well.
Plus there is the added threat from family, friends and acquaintances that are potentially looking to snoop or steal from you (yes this does happen, hell Jewel’s mum stole like $100 million from her) and know enough personal information about you to be able to guess a weak passcode.

So with that being said, better safe than sorry.
Is your passcode insecure?

So to start off with let’s get into some signs that your passcode may not be secure:
- You are using a date that is important to you that can be easily found in the public domain – birthdays (your own or a family member’s) / anniversaries / etc.
- Your passcode contains words that can easily be associated with you – like names of your children, spouse or dog
  - By words I mean the numbers that correspond to the word’s letters on a phone keypad (fido = 3436)
- You are using a four digit code starting with 19 or 20 – these are commonly used codes as they correspond to years that are important to people, so hackers tend to include them in their cracking lists
- Your house or apartment number
- The last four digits of your phone number
- Your zip or postal code
Okay, so those are the general rules on what to avoid when creating a passcode, but what about specifics? Well, it just so happens that some bright nerd actually did a bit of digging and analysis way back in 2012, looking at passcodes that had been released in data breaches and were in the public domain in order to determine which passcodes were used most often and how frequently they were used.
So if your passcode is included in the below table – you should definitely change it and if you are creating a new code be sure to avoid any code that is listed below.

Data sourced from datagenetics.com
How to create a secure passcode?
Okay so it is all well and good to know what not to do, but how do simpletons like you and I actually create strong passcodes that are hard to crack and will keep us secure?
First we have to understand that there are two categories of passcode:
- Passcodes that we need to remember
  - These are the codes that we frequently use in order to get access to our devices like our phone and laptops.
- Passcodes that we don’t need to remember
  - These are the codes that we use for banking, debit cards and secure applications, etc. and that we only use occasionally.
  - For passcodes that fit into this category you should make them at least 6 digits (if possible), make them completely random, and store the codes in your password manager (if you want to know more about setting up a password manager sign up to my email list below to receive my guide “Hard to Hack” which covers password managers and how to use them).
  - Storing all of these passcodes in your password manager means that you only need to remember your device code and your master password in order to get the benefit of having strong, unique codes for all of your other accounts/systems.
So with that being said let’s get to the crux of this article – how do we create strong, unique passcodes for our devices that we can actually remember?
- Note: storing these codes in our password manager is still a good idea (that way if we forget our phone code we can access our manager on our computer and get it) but we will need to remember these codes in order to access our password manager in the first place.
Rules for creating a passcode:
- Use a code that is at least 6 digits (this is possible on all modern phones and PCs)
  - As mentioned above the GrayKey brute-forcing software can crack a 4 digit code (10,000 potential codes) in 30 minutes whereas it takes up to 2 days to crack a 6 digit code (1 million potential codes) and considerably longer for codes that are 7 digits or more. This gives you a lot more time to do damage control and change account passwords, sign devices out of certain accounts (like iCloud and your socials), and lock down any financial accounts.
- Use the word method – this involves coming up with a word that is easy to remember (like “steaks”) and using the digits that correspond with that word on a phone keypad (so “steaks” would equal “783257”)
  - Obviously, as mentioned above, avoid any words or dates that can be easily associated with you.
  - Also ensure that the code that your word corresponds to is not listed in the above frequently used codes table, as all of these codes are used in cracking dictionaries.
- Use different codes for different devices; this way if an attacker is able to guess or crack the code for one device your other devices still remain secure.
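The word method and the warning signs from earlier can be turned into a small checker. This is an added example, not code from the original post; the function names and the `personal_words`, `personal_numbers` and `common_codes` inputs are assumptions, and the frequently used codes list has to be supplied by you.

```python
# Added example: keypad "word method" plus the weak-passcode signs listed above.
KEYPAD = {"2": "abc", "3": "def", "4": "ghi", "5": "jkl",
          "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz"}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def word_to_code(word):
    """Translate a word to phone-keypad digits: 'steaks' -> '783257'."""
    try:
        return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())
    except KeyError as exc:
        raise ValueError(f"no keypad digit for {exc.args[0]!r}") from None


def _day_month(day, month):
    return 1 <= day <= 31 and 1 <= month <= 12


def looks_like_date(code):
    """True if a 4- or 6-digit code parses as DDMM/MMDD or DDMMYY/MMDDYY/YYMMDD."""
    if len(code) not in (4, 6):
        return False
    p = [int(code[i:i + 2]) for i in range(0, len(code), 2)]
    if _day_month(p[0], p[1]) or _day_month(p[1], p[0]):
        return True
    return len(code) == 6 and _day_month(p[2], p[1])


def audit_passcode(code, personal_words=(), personal_numbers=(), common_codes=()):
    """Return the list of warning signs a numeric passcode trips (empty = none).

    personal_words, personal_numbers and common_codes are hypothetical inputs
    supplied by the caller; the page's frequency table is not reproduced here.
    """
    if not code.isdigit():
        raise ValueError("passcode must be digits only")
    findings = []
    if len(code) < 6:
        findings.append("shorter than 6 digits")
    if len(code) == 4 and code[:2] in ("19", "20"):
        findings.append("four-digit code starting with 19 or 20")
    if looks_like_date(code):
        findings.append("can be read as a date")
    if any(word_to_code(w) == code for w in personal_words):
        findings.append("spells a word associated with you")
    if any(str(n).endswith(code) for n in personal_numbers):
        findings.append("matches a house, phone or postal number")
    if code in common_codes:
        findings.append("appears in the frequently used codes list")
    return findings
```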
And there you have it folks, that’s all there is to it. Obviously this is not rocket science and there is nothing special or advanced about this advice but it is simple, effective, and (most importantly) memorable.
Stay tuned, follow the above advice, and may our benevolent and divine techbot overlords protect thy devices forever onwards.