The Forbes website echoed a few days ago a project carried out jointly by several universities in which the common purpose was to study the selection of user unlock PIN codes on the iPhone.
For this study, and since the iPhone has locking systems when using brute force techniques to unlock its terminals, they took advantage of a function found when we first configured our code. This feature tells us if our unlock PIN, be it 4 or 6 digits, is strong enough, and is based on the number of times it is used. It is here where, thanks to the alert indicating the weakness of the code, these students and their robot were able to get the blacklists of codes that Apple has indexed as most used.
For this you had to enter 10,000 different codes for the 4-digit keys and 1,000,000 for the 6-digit keys. What better ally for a task as repetitive as this than a robot? With a Lego robot operated by a Raspberry Pi, it was programmed so that all possible combinations were tested one by one, recording with each code the response of the terminal, indicating if it was sufficiently secure, or if on the contrary it belonged to the blacklist weaker passwords.
For each code, the robot took a photo of the response that was sent to a server that analyzed the image and indexed the code accordingly.
For the sample on which to compare the results, 1220 participants were chosen on whom the obtained codes were applied, thus also allowing the collection of information on the trend of use.
The results obtained by this study were that there are 274 codes considered weak for 4-digit passwords and 2910 codes considered weak for 6-digit PINs. If we look at the ratio to the total possibilities, does this mean that the 6-digit codes are more secure? Mathematically speaking yes, but comparing the results with the sample participants, the study revealed that 6-digit passwords are usually simpler since they rely more on length than complexity.
In conclusion, it was determined that there is no real advantage of a 4-digit code over one of 6 and vice versa using the vulnerable code samples, so it is the same to use one option than another if it is to forcibly unlock a device blocked by code.