How a strong BYOD password can make identity theft easier

I regularly take a train journey into London; it takes about an hour and a half.
During this time I learn a great deal from reading, not books, but the laptop of the person sitting next to me.
This is a common problem, talked about in many blogs – but on a recent journey I came across a new variant!

The person sitting next to me got her iPad out and was invited to enter her password (she had changed from the default 4-character mode to use a more complex phrase).
Reading passwords from a keyboard (especially a screen-based one) as they are typed is not too difficult. However, most helpfully, the iPad decided to display each character briefly on screen as it was typed…

Daneila23!

Presumably this is a feature Apple decided would help the user enter the correct password more easily, and I am sure it does. But a side effect is that it makes shoulder surfing easy.

This is just another example of a security / usability tradeoff. Daniela obviously cared about security, as the default 4-character PIN option had been strengthened, but I doubt the ease of reading the stronger password had been considered.
I don’t know if this feature of iPads can be turned off; if it can, Daniela, I recommend you do.

I hope the password is unique…

Daniela then proceeded to use her iPad to read her email.
I hope that Daniela has chosen unique passwords, as I could easily see her email address. If the iPad and email passwords are the same, I now have all I need to access her email. As email is used in most password reset processes, I can now take over her Facebook and Twitter accounts. All too easy.
(see also my blog on the challenges of unique passwords)

What really struck me about this is how making one part of a system more secure (a better iPad password) significantly strengthened the possibility of breaking into a much larger system (as the now more secure password is more likely to be re-used). It all goes to show how complex good security design is, and the need to look at the whole system.

PS: I moved seats before I wrote this article, just in case Daniela was reading.

One thought on “How a strong BYOD password can make identity theft easier”

  1. Surely the weakness here is not the use of a stronger password but the helpful typing system provided? Not being an iPad user, I don’t know if the 4-character and stronger entry methods differ.