UPDATE (06/14/11 5:30pm): Big Brother Removed From App Store

(Researchers/Journalists: Looking for the original dataset? Feel free to ask)

In my last update to Big Brother Camera Security (Free), I added some code to record common user passcodes (completely anonymous, of course). Because Big Brother’s passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes.

In essence, this post is an homage to the well known Most Common Passwords on the Internet articles. Different articles pull from different sources, so naturally aren’t the same, but still demonstrate certain trends. Similar trends are evident in the data I present below.

To kick things off, out of 204,508 recorded passcodes, the top ten most common were:

Top ten iPhone passcodes: [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998]

Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

Interestingly, 1990-2000 are all in the top 50, and 1980-1989 are all in the top 100. I would interpret this occurrence as a subset of users that set their passcodes to the year of their birth or graduation.

To test this, I found the average expected occurrence for numbers matching a specific decade’s format:

As you can see, any passcode between 1930 and 2020 has a much higher likelihood versus the average (represented by ****): at minimum a 50% gain, at maximum a 2570% gain. This data implies a heavy age range of 11 - 21 year olds.

Following are some heat maps and corresponding graphs with the breakdown of digit occurrences by position in the passcode. I recommend clicking on the images to get a better look.

Formulaic passwords are never a good idea, yet 15% of all passcode sets were represented by only 10 different passcodes (out of a possible 10,000). The implication? A thief (or just a prankster) could safely try 10 different passcodes on your iPhone without initiating the data wipe. With a 15% success rate, about 1 in 7 iPhones would easily unlock--even more if the intruder knows the users’ years of birth, relationship status, etc.

AuthorDaniel Amitay