It is common knowledge that a strong password contains characters from the largest character set possible; that is, a password made up of letters (A-Z) is weaker than a password consisting of letters and numbers, which is weaker than a password that contains letters, numbers, and symbols such as $, @, or &. This is because the larger the character set, the more candidate passwords of a given length an attacker has to try, so it takes longer to guess or crack the password.
History has shown that users will choose passwords that have the following qualities, in order of importance:
- Easy to remember.
- Easy to input.
- (If at all) hard to guess.
A memorable password is worthless if it takes more than a few seconds to type, and an easily typed password is worthless if it can’t be remembered. So typically, savvy computer users will pick a password that strikes a balance between the first two qualities, and some might take a moment to make it harder to guess by appending an arbitrary letter or number to the end. This is what causes passwords like password4 or vikings96.
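To put numbers on the two points above (search space grows with the character set, but a word plus a trailing digit is much weaker than its character set suggests), here is an added Python example that is not part of the original post. It scores a password two ways: the naive "length times log2(character set)" figure from the first paragraph, and a pattern-aware figure for the word-plus-suffix habit that produces password4 and vikings96. The five-entry wordlist, the 36-way suffix alphabet and the guess rate are constructed for illustration.

```python
import math
import string

# Character classes as a keyboard presents them. The symbol count (33) is the
# printable ASCII characters that are neither letters nor digits, space included.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation) | {" "}

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(SYMBOLS)}

# Constructed toy wordlist (assumption for the example); a real one is far larger.
WORDLIST = ["password", "vikings", "letmein", "iphone", "apple"]


def character_classes(password):
    """Return the set of character classes actually used in the password."""
    classes = set()
    for ch in password:
        if ch in LOWER:
            classes.add("lower")
        elif ch in UPPER:
            classes.add("upper")
        elif ch in DIGITS:
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def charset_size(password):
    """Size of the smallest keyboard-style alphabet that covers the password."""
    return sum(CLASS_SIZES[c] for c in character_classes(password))


def naive_bits(password):
    """The textbook estimate: every position drawn uniformly from the charset."""
    n = charset_size(password)
    return len(password) * math.log2(n) if n else 0.0


def pattern_bits(password):
    """Strength if the password is a wordlist entry plus 0-2 trailing
    letters/digits (36 choices each). Returns None if the pattern does not match."""
    for suffix_len in range(0, 3):
        stem = password[:len(password) - suffix_len]
        suffix = password[len(stem):]
        if stem.lower() in WORDLIST and all(ch in DIGITS or ch in LOWER for ch in suffix):
            guesses = len(WORDLIST) * (36 ** suffix_len)
            return math.log2(guesses)
    return None


def effective_bits(password):
    """The weaker of the two estimates is the one that matters."""
    pb = pattern_bits(password)
    nb = naive_bits(password)
    return min(nb, pb) if pb is not None else nb


def crack_time_seconds(bits, guesses_per_second):
    """Expected time to find the password, assuming half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # constructed guess rate, offline hashing of a fast hash
    for pw in ["password4", "vikings96", "Pa$sw0rd!"]:
        print(f"{pw:10s} charset={charset_size(pw):3d} "
              f"naive={naive_bits(pw):5.1f} bits "
              f"effective={effective_bits(pw):5.1f} bits "
              f"~{crack_time_seconds(effective_bits(pw), rate):.2e} s")
```

Run it and the first two passwords score around 46 bits by the naive rule but under 13 bits once the word-plus-suffix pattern is accounted for; only the mixed-class password keeps its naive score. That gap is why adding a digit to a dictionary word, which is all a letters-first keyboard nudges people toward, buys so little.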
But when using the Apple iPhone to enter text in a password field, what characters is the user presented with?
Letters only, with numbers and symbols hidden in secondary and tertiary keyboards. The extra effort needed to find and type a number (or an underscore, which lives on the tertiary keyboard) each time they enter a password will cause some people to either change their current passwords to be alphabetic or at least do so when choosing new passwords. If Apple wanted to encourage good password selection, the keyboard for a password field should at least look something like this:
The shift key would transform 0-9 into their traditional shift alternatives, and all of the keys would still be available in a secondary menu, if desired. However, if Apple wanted to make a truly game-changing move, they’d make the default password keyboard look like this:
Of course, that might be a little drastic. :-)
5 comments on “Does the iPhone encourage insecure passwords?”
I think there’s actually some benefit from this. It encourages people to use different passwords for different things. I surely wouldn’t want to use the same password I use on my online banking that I use on my cell phone when walking on the street and people can look over my shoulder.
I think another major thing to do for security purposes is diversify your passwords.
I wrote a little utility and put it online for generating safe/secure passwords using a variety of character sets safepasswd.com. One of the reasons why I made “memorable” the default is to encourage people to use more than one password. Hopefully if it’s a little easier to remember you won’t use 1 password for 500 things.
Does this keyboard not allow you to differentiate between upper and lower case? This is an essential way to create a strong password. A password which only contains lowercase letters and numbers can be cracked in days but a password with upper, lower and numbers would take years to crack.
All passwords created at PassPub.com use a mix of upper and lower case!
PassPub – Strong Passwords, Uniquely Generated
Martin – when the shift key is lit (the small arrow on the right), it types in uppercase, otherwise it’s in lower case. The display of the letters, however, is always in upper case.
I’m sure you’re aware, but your default password keyboard is no more secure than just displaying the standard A-Z keyboard.
I also strongly disagree that this is reason to believe the iPhone encourages insecure passwords. That’s a pretty strong statement considering all Apple did was try to make an easy to use keyboard.
I temporarily disabled my WPA password at home (one of those Steve Gibson 63-character masterpieces) because try as I might, I could not get my iPod Touch to successfully connect to my router. I am hoping after a few days of practice with the keyboard that I can try again.