The iPhone, iPod touch, and (imminently) iPad are hot properties, making them attractive targets for thieves. Although Apple has greatly increased security over time (see “iPhone 3GS Offers Enterprise-Class Security for Everyone,” 27 July 2009) and has introduced useful features for dealing with lost or stolen devices (see “Find Your Lost iPhone or iPod touch with iPhone OS 3.0,” 17 June 2009, and “Use Find My iPhone from an iPhone,” 30 September 2009), one visible weakness has been the use of an optional four-digit numeric passcode to get to the Home screen. Although four digits enable 9,999 possible number combinations, that’s nothing for basic cracking software to work through. Plus, most people just use the same four-digit PINs that they use on credit cards, increasing overall vulnerability if the code is cracked.
In response, Apple has developed an ingenious alternative. Although the four-digit passcode remains the default, a new Find My Locker feature of MobileMe promises extra security that you’re more likely to remember. When the service is activated (both on the device and via the Settings page at https://secure.me.com/locker), Apple accesses a private database that recollects the six-digit combination from a locker you used in school.
When you first sign up, you can choose between your junior high and high school lockers. For users who are more security conscious, a “Gym Locker” subcategory is available for each school era.
We were skeptical, to say the least, when Apple demoed the feature for us. However, TidBITS security editor Rich Mogull confirmed that, “Yeah, holy cow, that is the same locker I used during gym class in the 8th grade!” Other staff members also had no difficulty remembering their old combinations, which long ago had been burned into their memories by repetition during their formative years. Jeff Carlson successfully associated his gym locker combination by recalling the day when another kid on the basketball court tried to beat him up after gym class.
TidBITS publisher Adam Engst wasn’t as enthusiastic about the technology, noting that he still uses the same combination padlock from junior high when he goes for his daily run. “It’s one-fifth of my IQ, half my European shoe size, and my first cat’s name in ROT13 converted into digits then added together,” he said, “and I’m not wild about the fact that Apple knows it.”
Apple wouldn’t comment in response to our increasingly pointed questions about where they’re getting the data, and how it can be so specifically targeted; after repeated queries, the spokesperson implied that we should not be asking such questions where others could hear.
However, Apple did acknowledge that numbers given to customers who are not yet in junior high will work with the lockers to which they will be assigned when they’re older.