Passcodes Equate to Weak Security
With a mobile device, the trade-off between security and convenience is more noticeable than on a desktop machine with a full keyboard. The smaller on-screen keyboard combined with the mobile form factor makes unlocking the device a productivity nightmare for an enterprise. An average user works with a mobile device in short bursts, perhaps a text message or an email at a time, before putting it back in a pocket. To adequately secure a device, it must be unlocked with a passcode on each and every use, or at the very least every 15 minutes. This generally leads to one inevitable result: weak passcodes.
As a result of the inconvenience of unlocking a device several hundred times per day, many enterprises resort to allowing a simple four-digit PIN, a simple word, or a password that mirrors an easy-to-type pattern on the keyboard (dot-space-mzlapq, anyone?). All of these have historically been cracked by password-cracking tools in a fraction of the time a complex password would take. Only a few select files are encrypted with Apple's data protection APIs in the first place, and because the keys that protect them are tied to the passcode, those files are protected only as well as the passcode itself.
Consider a four-digit PIN, which is the “simple passcode” default on iOS. A four-digit numeric PIN has only 10,000 possibilities. Existing tools, which you'll learn about in this book, can iterate through all 10,000 codes in a little less than 20 minutes, a little over a tenth of a second per guess. Whether you've stolen a device or just borrowed it for a little while, this is an extremely short amount of time in which to steal all of the device's encryption keys. The problem is that most users will default to a four-digit PIN, or the simplest complex passcode they can get away with. Why? Because it's not their job to understand how the iOS passcode is tied to the encryption of their credit card information.
Your users are going to use weak passcodes, so you'll need to either accept this as a fact of life or prevent it from happening. Unless they're bound to an enterprise policy forbidding their use, the average user is going to stick with what's convenient. The inconvenience of corporate-owned devices, in fact, is precisely why more employees are using personal devices in the workplace.