I’m thinking of changing my phone passcode to something more secure. That being said, it would be cumbersome to have something long and complex. I want to hear what password practices people use to unlock their mobile devices.
I already have biometric authentication; it’s my passcode that is very weak.
Based on the OS and soft keyboard you use, I think you have different options; here is what I do:
I look for privacy-friendly soft keyboards that suit my needs (esp. languages), and then look at the features that keyboard offers.
If the soft keyboard supports emoticon input (not the fancy emojis, but ones like ";-D" or ":-/"), these can be used as passwords: just pick several, maybe 4-6, that you like and can remember. That easily gives you a relatively strong 12-18 character password.
Beware that not all soft keyboards can be used before first unlock; in that case, you might want to keep the “emojis” easy to remember so you can type them yourself at least once every time you boot.
Also beware that the fancy emojis might not work as a password and can be keyboard-specific; if you switch to another keyboard, they might not work.
It allows you to wipe the phone after N unsuccessful unlock attempts. This way you don’t need to worry about your password/PIN being short. For example: set a good 4-digit password (good = not 0000, 1234, etc.), set the number of unsuccessful unlock attempts to 5, and you’re good to go.
Also, this developer has other interesting apps which you may want to check out.
Repeating patterns don’t increase the entropy of a password. In the case of a phone’s PIN code, this will only severely degrade a person’s UX (they will spend much more time unlocking their phone) and bring no additional security (“security theater”, that is).
A 4-digit PIN only requires 9999 tries at worst. And a dedicated attacker could duplicate the storage (that’s how data recovery exists, btw) and try an infinite number of times. A 16-digit password requires far, far more resources to crack.
Saying it twice doesn’t make it true. Duplicating the storage is also not an impossible thing to do.
Search up something like “do repeated patterns or characters increase password complexity or entropy”, or simply “password repeating characters or patterns”. You can also try testing it yourself in some password generator tools with a good algorithm, for example in KeePassXC.
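As an added worked example (not code from any post in this thread), here is the arithmetic behind two of the exchanges above: the "short PIN plus wipe after N failed attempts" trade-off, and the claim that repeating a PIN does not add entropy. The emoticon list and the attempt limit are constructed assumptions for the example, not measurements of any keyboard or app; the pattern-aware brute force shows why a repeated 4-digit PIN is still only a 10,000-candidate search.

```python
"""Keyspace and entropy arithmetic for phone unlock secrets.

Added worked example; not part of any post in the thread.  The emoticon set and
the attempt limit below are constructed assumptions, not product measurements.
"""
import math
from fractions import Fraction
from itertools import product

DIGITS = "0123456789"

# Assumption: a soft keyboard's emoticon row offers about 30 distinct ASCII
# emoticons.  This list is constructed for the example.
EMOTICONS = [
    ":-)", ":-(", ";-)", ";-D", ":-/", ":-P", ":-O", ":-|", ":'(", "B-)",
    ":-D", ":-*", ":-$", ":-X", ":-#", ">:(", "^_^", "-_-", "o_O", "T_T",
    ":3", "<3", "</3", "xD", "XD", ":]", ":[", ":>", ":<", ":o)",
]


def keyspace_bits(keyspace: int) -> float:
    """Entropy in bits of a secret chosen uniformly from `keyspace` candidates."""
    return math.log2(keyspace)


def pin_keyspace(length: int) -> int:
    """Number of distinct decimal PINs of this length (0000..9999 for 4)."""
    return 10 ** length


def repeated_pin_search_space(base_length: int, repeats: int) -> int:
    """Candidates an attacker must try against a base PIN typed `repeats` times.

    Repetition is a rule, not a secret: an attacker who knows (or simply tries)
    the "repeat it" pattern searches only the base PIN space, however many
    characters the user actually types.
    """
    return pin_keyspace(base_length)


def emoticon_keyspace(count: int, n_emoticons: int = len(EMOTICONS)) -> int:
    """Distinct passwords made of `count` emoticons drawn from `n_emoticons`."""
    return n_emoticons ** count


def emoticon_password_length(chosen) -> int:
    """Typed length of an emoticon password (the '12-18 characters' in the post)."""
    return sum(len(e) for e in chosen)


def guess_probability(keyspace: int, attempts: int) -> Fraction:
    """Chance that uniform random guessing succeeds within `attempts` tries,
    i.e. before a wipe-after-N limit fires (the short-PIN + wipe trade-off)."""
    return Fraction(min(attempts, keyspace), keyspace)


def crack_repeated_pin(target: str, base_length: int, repeats: int) -> int:
    """Pattern-aware brute force: how many candidates were tried before hitting
    `target`, a base PIN repeated `repeats` times.  Never exceeds 10**base_length."""
    tries = 0
    for digits in product(DIGITS, repeat=base_length):
        tries += 1
        if "".join(digits) * repeats == target:
            return tries
    raise ValueError("target does not match the repeated-PIN pattern")


def compare_schemes(attempts_before_wipe: int = 5) -> dict:
    """Side-by-side numbers for the schemes discussed in the thread."""
    schemes = {
        "4-digit PIN": pin_keyspace(4),
        "4-digit PIN typed twice": repeated_pin_search_space(4, 2),
        "16 random digits": pin_keyspace(16),
        "4 emoticons": emoticon_keyspace(4),
        "6 emoticons": emoticon_keyspace(6),
    }
    return {
        name: {
            "candidates": space,
            "bits": round(keyspace_bits(space), 2),
            "p_guess_before_wipe": guess_probability(space, attempts_before_wipe),
        }
        for name, space in schemes.items()
    }


if __name__ == "__main__":
    for name, row in compare_schemes().items():
        print(f"{name:24s} {row['candidates']:>20,d} {row['bits']:>7} bits "
              f"p(guess in 5) = {float(row['p_guess_before_wipe']):.2e}")
    print("tries to crack 12341234 knowing the repeat rule:",
          crack_repeated_pin("12341234", 4, 2))
```

The comparison table is the point: a 4-digit PIN typed twice has exactly the same 10,000-candidate search space as the PIN typed once, while a 5-attempt wipe limit caps a random guesser at 1 in 2,000 regardless of length; 16 random digits or 4-6 emoticons from a 30-item set are where the candidate count actually grows.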
We don’t know the threat model of the OP and we don’t know if there’s a threat of an attacker duplicating their storage. When someone makes a simple post asking a question, providing no details on their threat model, I assume their threat model is that of a regular person. That is: they just want to make their phone password/PIN more secure, so that people (some unsophisticated rando who steals their phone, for example) couldn’t guess their PIN.
I took the context of OP’s question into account — they said:
You propose to OP to have a long password (you advised them to repeat their password 2+ times and include an additional character). And I take the context of OP’s question into my answer: they seem to not want to have a long password. Therefore I proposed a solution appropriate for that user: to limit the number of failed password attempts while still enjoying the luxury of having a short password which can be typed in one second.
Your recommending a 4-digit PIN hurts their security for no reason. And considering that they already use biometrics, a somewhat long (not extremely long) but memorable password entered at most once a day doesn’t seem like an issue.
Typing a password or PIN twice takes a bit longer but is not necessarily more cumbersome, as you’re just doing the same short thing twice instead of a more complex thing.
At this point you are clearly taunting me and not acting in a good faith.
If you can’t do your own research when a person has given you a precise search string that you simply need to put into your favorite search engine and press Enter, and has also told you what actions to take to test it for yourself (and even recommended the software), just say so. I’m not going to waste my time giving you hundreds of sources and links available on the matter of repeated patterns in passwords. Do yourself a favor and search up this matter on the internet. Searching it up will give a lot of relevant results.
It is MUCH more cumbersome. Even the shortest PIN, consisting of just 4 digits, can become infuriatingly long to type, when it is repeated twice (8 characters) or even thrice (12 characters!). And if you add additional characters, as you said, the password becomes 9 and 13-14 (depending on whether you add one or two additional characters) characters, respectively. Just take into account how often we unlock our phones: very, very often. As I said, this will degrade OP’s UX heavily.
It doesn’t hurt anything because I proposed a trade-off for that user, between a short password and a limited number of failed password attempts. Duplicating the storage and other things are out of the context of OP’s question.