Courtney Linder | October 17, 2018

Now that the whole world knows Kanye West's iPhone password, how secure are your cell habits?

As seen in the Post Gazette...

When it comes to cybersecurity expertise, Kanye West is not exactly at the top of the charts.

During an Oval Office meeting with President Donald Trump last Thursday — where Mr. West was invited to discuss prison reform and gang violence — the entertainer quickly tapped “000000” to unlock his iPhone, revealing his password to the cameras rolling behind his shoulders and effectively, the entire world. 

Perhaps the rapper and producer behind 2007 hit “Stronger” should have considered how to make his password exactly that. Stronger. 

And while the collective Twitter universe acted as a Greek chorus — poking fun at how terrible the passcode was — his choice to use a glaringly simple password is indicative of a larger flaw in personal cybersecurity.

“A lot of people prioritize convenience over security,” explained Gretel Egan, a security awareness and training strategist for Wombat Security. The Strip District-based company, which was acquired by Silicon Valley cybersecurity firm Proofpoint earlier this year, helps firms tighten their security practices and train their workforces. 

According to Wombat’s 2018 User Risk Report, released last week, 28 percent of smartphone users surveyed use a four-digit pin as the security lock on their device, compared to 8 percent who use six digits.

At 33 percent, there’s a growing number of people who opt to use fingerprints or face scanners, but those technologies are still nascent and often require a pin as a backup.

The sheer numerical limitations of a four-digit pin makes it less secure, Ms. Egan said, because there are fewer possible combinations. Mr. West’s choice to use six digits is a step in the right direction, though that doesn’t matter much if your password is easy to guess. 

Still, Ms. Egan is not surprised that his was so simple. In January, Wombat reported the worst passwords of 2017, based on 5 million leaked that year. 

The top suspects were usually a combination of easy to guess numbers. For the seventh year in a row, “123456” was the most commonly used bad password.

“A lot of people have that kind of ‘it won’t happen to me mentality,’” Ms. Egan said. “I think particularly with cell phones we think, ‘I always have it with me.’”

There are cases of phone snatchers, though, that quite literally grab devices out of users’ hands. If you have a password that’s easy to remember — and then you pull a Yeezy and let the thief see the combination over your shoulder — you’re a prime target. 

“It’s almost depressing,” Ms. Egan said. “There’s almost no end to the number of ways that I can be compromised.”

She advises users to choose an alphanumeric password, one with both numbers and letters. Wombat’s report found that just 7 percent of respondents did so. She suspects it’s because smartphone users need to go into their settings and change the default option, which is usually a pin code. 

The longer the password, she said, the better. 

If you must choose a password that only includes digits, avoid using dates that have some sort of personal significance, Ms. Egan advised.

It’s better to choose a random number that’s easy for you to remember and even then, it may be worth reversing the digits. For example, “1980” may have been the year that you first met your best friend, but it’s common to select a year for a password. Choose “0891” instead.

Birthdays, anniversaries and children’s birth dates are becoming increasingly simple to find on websites like Facebook or Twitter; your data is a gold mine for hackers. 

On social media sites, Ms. Egan added, it’s fairly common for users to answer a series of “get to know you” questions and post responses for others to see for fun. Questions like, “what was your first car?” or “what was your first pet’s name?” are almost always common passwords or security questions for apps and websites, though. 

Companies are quite literally gathering up this data and creating user profiles to target people, Ms. Egan said.

Someone like Mr. West, in particular, has a lot to lose by using a bunk password. 

His phone likely contains contact information on famous people (like wife Kim Kardashian) who don’t want their phone number or email made public; photos that he doesn’t want leaked; and perhaps he has set up a digital wallet like Apple Pay that allows transactions from a bank account.

With more accounts linked together — consider how frequently you may use Facebook as a login option for other websites — cracking into a smartphone can be an entryway. 

Since the average person doesn’t normally take the initiative to educate themselves on best practices in cybersecurity, Wombat advocates for organizations to teach users. 

And the training shouldn’t stop at how to secure devices at the office.

Workers are increasingly logging into employer-managed email accounts from home. A bad smartphone password on a personal account could end up comprising a whole firm, Ms. Egan said.

Though Mr. West’s misguided choice didn’t surprise her, the 14 percent of respondents in Wombat’s report who said they did not use a security lock for their smartphone at all, did. 

“Yes, it may take you two to three extra seconds to put in your password,” she said. “But if you have that ‘oh my goodness moment’ [thinking that you lost your smartphone], you’ll be grateful you took the extra steps.”

As for Kanye? Well, in his own words, you can’t tell him nothin’. 


Read this article in the Post Gazette