top of page
Search

Pin Guessing Gets Harder

  • Writer: Dan Raywood
    Dan Raywood
  • 2 days ago
  • 3 min read

News emerged recently about the release of the new version of Android, which comes with stricter protections around lock screen PIN and password entry.


Previously, Android 16 allowed ten incorrect guesses in the first minute, with the total increasing to as many as 1,800 attempts over five years. Now, the maximum number of failed attempts has been reduced to five in the first minute, with increasingly longer timeouts applied after every subsequent failed attempt.


In fact, analysis by Risky.Biz found that the timeout after a series of incorrect guesses increased so dramatically that a phone would have to wait a year before another attempt could be made after 17 incorrect guesses. Even after nine incorrect guesses, the phone would impose a 90-minute timeout.


You may feel that this reduction is quite severe, but it exists for good reason. Fewer opportunities to enter the correct PIN reduce the time and chance someone has to break into a device, making this a positive security improvement. If you did know the PIN, or even the unlock pattern, you would likely enter it correctly within five attempts. Even if it took a few more tries, you would only be waiting around 30 minutes after eight failed attempts.


So, let's say you obtained a device, didn't know the PIN, and decided to guess it in order to gain access. The chances are that many people will have chosen something simple such as "1234" or "0000", so those would probably be among your first guesses. Once those obvious choices are exhausted, however, the odds of correctly guessing the PIN become significantly lower.


I do have some experience of this. Back in 2000 (before my working life and certainly before my cybersecurity career), I used my dad's laptop, which had a DVD player built into it. I realise it sounds like I'm talking about a different era, but during that session I accidentally logged myself out and was taken back to the login screen. I tried a few passwords that I thought he might have used: family names, our street name, and other possibilities. He wasn't the type to use the name of a sports star or anything similarly obvious, so I eventually managed to lock him out of his own laptop. When he returned later, it wasn't anger I received, but disappointment.


At the time, he worked for a major UK company and had a properly secured corporate laptop with a strong password that wasn't easy for a postgraduate like me to guess. Compare that with the average mobile device user today. They typically choose their own PIN or password, have the option of enabling facial recognition or fingerprint authentication, and every aspect of that login security is personal.


If someone were to get hold of a device that had no security enabled at all, then this rate limiting would be largely irrelevant. Research by Opinium found that 81% of users have built-in biometric security enabled, leaving the remaining 19% potentially vulnerable to PIN or passcode attacks, whether carried out manually or through some form of automated attempt.


According to Risky.Biz, the new PIN and password guess limits are part of a broader range of security features that Google has introduced to Android this year. These changes are designed to make life more difficult for phone thieves and the illicit market that trades in stolen devices.


While these features won't prevent phones from being stolen, they will make it much harder to break into the device and access the owner's data. From that perspective, they represent a worthwhile improvement to Android's security - but only if users actually enable and use the available security features.


So what can we actually expect from these enhanced security features? According to the Android blog, the lock screen will display a timeout lasting one minute or longer, using larger units of time for better readability, such as "Try again in 30 minutes." This passive security measure is likely to frustrate anyone attempting to gain unauthorised access to a device, as few people are willing to wait extended periods between attempts. In many cases, it may simply be enough to make them abandon the effort altogether.


The question that comes to my mind is: what if access is urgently needed? There is, of course, still the option to make an emergency call, but after a couple of incorrect PIN attempts, you would probably become much more cautious and take your time entering the correct code. If the next few attempts are also incorrect, you're not only increasing the risk of another mistake, but you're also facing progressively longer delays before you can try again.

 
 
 
bottom of page