Advice on Mobile Passwords

I’m thinking of changing my phone passcode to something more secure. That being said, it would be cumbersome to have something long and complex. I want to hear what password practices people use to unlock their mobile devices.

I already have biometrics authentication, it’s my passcode that is very weak.

The answer is: as long and complex as you are personally comfortable using every day.
Alphanumeric is better than numbers only. At the very least use 8 digits.


What phone do you use?

Based on the OS and soft keyboard you use, I think you have different options, here is what I do:

I look for privacy-friendly soft keyboards that suit my needs (esp. languages), and then look at the features that keyboard offers.

If the soft keyboard supports emoji input, not the fancy ones, but the ones like " ;-D :-/ " etc., these can be used as passwords: just pick several, maybe 4-6, that you’d like and can remember. It easily gives you a relatively strong 12-18 digit password.

Beware that not all soft keyboards can be used before first unlock; in that case, you might want to keep the “emojis” easy to remember so you can type them yourself at least once every time you boot.

Also beware that the fancy emojis might not work as a password and can be keyboard specific; if you switch to another keyboard, they might not work.

The recommended PIN/passcode length depends on your secure element. On Google Pixels a random 6-digit PIN is already secure enough.


You could type your current password twice/thrice and maybe slip in a letter or two.

There’s an app which could be useful:

It allows you to wipe the phone after N unsuccessful password unlock attempts. This way you don’t need to worry about your password/PIN being short. For example: set some good 4-digit password (good = not 0000, 1234, etc.), set the number of unsuccessful unlock attempts to 5, and you’re good to go.

Also, this developer has other interesting apps which you may want to check out.

Repeating patterns doesn’t increase the entropy of a password. In the case of a phone’s PIN-code, this will only severely degrade a person’s UX (they will spend much more time unlocking their phone) and bring no additional security (“security theater”, that is).


How does it not? Unless the attacker knows that you duplicated your password, it’s still 2-3x the length. Add a random character inside and they can’t just do random multiplication.

Funny how objectively adding entropy by increasing password length is “theatre” but recommending a weak password in the hope that a dedicated attacker isn’t able to duplicate the storage is not.

I suggest you read up on it.

As I said, a weak password doesn’t matter if the max number of failed password attempts is 3 or 5 or 10.

Do give sources then

A 4-digit PIN only requires 9999 tries at worst. And a dedicated attacker could duplicate the storage (that’s how data recovery exists, btw) and try an infinite number of times. A 16-digit password requires far, far more resources to crack.

Saying it twice doesn’t make it true. Duplicating the storage is also not an impossible thing to do.

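The two sides above are arguing from different attacker models, so here is an added worked example (my own code, not from any poster in this thread) that puts numbers on both: the naive “longer is stronger” keyspace, the keyspace seen by an attacker who knows the password is a PIN repeated with a letter slipped in, and the hit probability under a wipe-after-N policy. All figures are constructed for illustration and assume a uniformly chosen PIN.

```python
"""Keyspace comparison for the PIN-repetition argument in this thread.
Constructed example; not measurements of any real device or app."""
import math

DIGIT_SET = 10   # digits 0-9
LETTER_SET = 26  # lowercase letters, for the "slip in a letter" idea


def naive_keyspace(length: int, alphabet_size: int) -> int:
    """Keyspace if every character were independent and uniform.
    This is the 'length x alphabet' view: 8 digits -> 10**8."""
    return alphabet_size ** length


def repeated_pin_keyspace(pin_len: int, repeats: int, extra_letters: int = 0) -> int:
    """Keyspace for 'PIN typed `repeats` times, with `extra_letters` letters
    inserted somewhere', as seen by an attacker who knows that construction.
    The repeats add nothing: the unknowns are the PIN, the letters, and
    where the letters were inserted (choose positions among the result)."""
    base_len = pin_len * repeats
    positions = math.comb(base_len + extra_letters, extra_letters)
    return DIGIT_SET ** pin_len * LETTER_SET ** extra_letters * positions


def entropy_bits(keyspace: int) -> float:
    """Bits of entropy for a uniformly chosen secret from `keyspace`."""
    return math.log2(keyspace)


def online_success_probability(keyspace: int, max_attempts: int) -> float:
    """Chance that an attacker limited to `max_attempts` guesses (e.g. a
    wipe-after-N policy on a still-locked device) hits the secret.
    This limit no longer applies once the storage can be copied and
    searched offline; then the whole keyspace is reachable."""
    return min(1.0, max_attempts / keyspace)


if __name__ == "__main__":
    cases = {
        "4-digit PIN": naive_keyspace(4, DIGIT_SET),
        "same PIN typed twice (attacker knows)": repeated_pin_keyspace(4, 2),
        "PIN twice + 1 letter (attacker knows)": repeated_pin_keyspace(4, 2, 1),
        "9 random alphanumerics (naive view)": naive_keyspace(9, DIGIT_SET + LETTER_SET),
    }
    for name, space in cases.items():
        p = online_success_probability(space, 5)  # wipe after 5 failures
        print(f"{name:<40} {space:>15,} {entropy_bits(space):6.1f} bits  p(5 tries)={p:.2e}")
```

Running it shows the repeated PIN staying at 10,000 possibilities (about 13.3 bits) while the same 9 characters chosen at random would be near 46.5 bits; the wipe policy caps a 4-digit PIN at a 0.05% hit chance only for as long as the guesses have to go through the locked device.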

Search up something like “do repeated patterns or characters increase password complexity or entropy”, or simply “password repeating characters or patterns”. You can also try testing it yourself in some password generator tools with a good algorithm, for example in KeePassXC.

We don’t know the threat model of the OP and we don’t know if there’s a threat of an attacker duplicating their storage. When someone makes a simple post asking a question, providing no details on their threat model, I assume their threat model is that of a regular person. That is: they just want to make their phone password/PIN more secure, so that people (some unsophisticated rando who steals their phone, for example) couldn’t guess their PIN.

I took the context of OP’s question into account — they said:

You propose to OP to have a long password (you advised them to repeat their password 2+ times and include an additional character). And I take the context of OP’s question into my answer: they seem to not want a long password. Therefore I proposed a solution appropriate for that user: to limit the number of failed password attempts while still enjoying the luxury of having a short password which can be typed in one second.

If you can’t give numerical data, just say so.

You recommending a 4-digit PIN hurts their security for no reason. And considering that they already use biometrics, a somewhat long (not extremely long) but memorable password, typed at most once a day, doesn’t seem like an issue.

Typing a password or PIN twice is a bit longer but not necessarily more cumbersome, as you’re just doing the same short thing twice instead of a more complex thing.

At this point you are clearly taunting me and not acting in good faith.
If you can’t do your own research when a person has given you a precise search string that you simply need to put into your favorite search engine and press Enter, and also told you what actions you need to take to test it for yourself (even recommended the software) — just say so. I’m not going to waste my time giving you hundreds of sources and links available on the matter of repeated patterns in passwords. Do yourself a favor and search up this matter on the internet. Searching will give a lot of relevant results.

It is MUCH more cumbersome. Even the shortest PIN, consisting of just 4 digits, can become infuriatingly long to type, when it is repeated twice (8 characters) or even thrice (12 characters!). And if you add additional characters, as you said, the password becomes 9 and 13-14 (depending on whether you add one or two additional characters) characters, respectively. Just take into account how often we unlock our phones: very, very often. As I said, this will degrade OP’s UX heavily.

It doesn’t hurt anything because I proposed a trade-off for that user, between a short password and a limited number of failed password attempts. Duplicating the storage and other things are out of the context of OP’s question.

When a quick search mostly just says it doesn’t, without any mathematical example, I have the right to ask you to be the one to give a source; you’re the one who made the claim anyway.

OP himself said that he uses biometrics.

A relatively long but manageable password would be the best tradeoff; it doesn’t carry the risk of storage duplication at all. And it doesn’t hurt convenience too much BECAUSE OP uses biometrics anyway.

Does that app work before first unlock after a reboot? If it doesn’t then it’s kinda useless and just gives a false sense of security.

Yes, it works before the first unlock after a reboot. It’s because the app must be given Device Admin permission (BIND_DEVICE_ADMIN).

How would apps like Sentry, referenced earlier in this thread, or iOS’s 10-attempt limit apply to this scenario? Are they physically attacking the device itself?

https://www.msn.com/en-ca/news/canada/police-must-return-phones-after-175-million-passcode-guesses-judge-says/ar-AA1mv3aV