Short Pins Sink Orgs

Learn how long it takes to hack a 4-digit or 6-digit pin or paraphrase by brute force, and also the importance of two-factor authentication.

I probably know what you are thinking – another post on why passwords are bad. But it’s not so much that passwords themselves are just plain bad; the problem is more in the way in which we implement them. Many experts will tell you, as would I, that we should be using two-factor authentication for every account and system. Using two-factor authentication, you first log in with a password and then verify your identity via a second medium, like a code texted to your mobile. Yet the simple truth of the matter is that it just is not convenient for every day use on every system. It becomes practically impossible at worst and an utter nuisance at best.

Why then are passwords thought of as being bad? An end-user’s password is typically the key, or a piece of the key, for encryption. Encryption is used in order to keep confidential information from the prying eyes of unauthorized sources. The unauthorized sources could be malicious actors or mass surveillance activities, just to name a few. But when a human—or a machine—can easily guess the encryption password, then your confidential information can also by easily compromised.

From a security purist’s perspective it boils down to the aspect of randomization. If a password is random then the attacker must figure out the randomness in order to have a shot at cracking the password. Since we know end-users tend to balk at solutions that are not convenient, regardless of how secure it makes them, where does that leave us? With the question of what it takes to create a strong password. On every system it will be slightly different, so the focus here will be Android.

Below are the times it takes to brute force the pin or password—that is, have a computer guess every possible password to find the right one—on any Android device:

Android 4.3 and below:

4 Digit PIN: 30 Seconds

6 Digit PIN: 50 Seconds

6 Character Passphrase: 16 Days

8 Character Passphrase: 132 Years

Android 4.4: A standard laptop can perform approximately 133 guess per second, therefore the following:

4 Digit PIN: 1.25 minutes

6 Digit PIN: 125 minutes

6 Character Passphrase: 6.59 years

8 Character Passphrase: 19,963 years

Android 5.x:

Silent Circle has not performed any tests to validate the brute force times. Others have noted that the old methods of brute forcing the device PIN are not effective. However, Android has significantly improved the methods of their device encryption. You can read more about the new method here.

In case you are wondering why the times to brute force the passwords are different, this is because Android security evolves over time. In Android 4.3 and below an algorithm called PBKDF2 was used and was easier to brute force. In Android 4.4 SCRYPT replaced PBKDF2 as the algorithm of choice, increasing the time required to brute force a pin or password. And in Android 5.x unique device characters are used as part of the password; therefore the user-supplied credential is only a piece of the equation.

What does this mean for creating a password that can hold up to brute force attempts? Shorter is not sweeter. Just look at the numbers for Android 4.4: increasing your pin from 4 digits to 6 would increase the time it would take for a malicious actor using a standard laptop to guess your pin from less than two minutes to more than two hours. Using a 6 character password instead would increase that time to more than six years.

But it takes so long to type in a longer pin or password every time you unlock your phone, you say. Well if you’re a Blackphone user, you’re in luck; PrivatOS lets you create separate pins and passwords for your device encryption and your screen lock. That means, if needed, you can create a longer, more secure pin or password (say 8 digits or character) to use for device encryption and only enter it once every time the phone boots up. Then you can create a separate, shorter pin or password (say 6 digits or characters) to use for your screen lock – the one you have to enter every time your screen turns off. This isn’t available on any other Android device, and is just another way Silent Circle helps make privacy easier.

- Silent Circle CSO, Dr. Dan Ford (@Netsecrex)