Brute force attacks on PINs get harder with new challenge phrase on Windows 10 Mobile

Joseph Finney

Mobile security has become an increasingly high priority for every major tech company. Apple, Google, and Microsoft have all been drawn into debates about protecting devices from a range of attacks. One such attack involves bypassing the PIN lock on a device by trying a massive number of different PIN combinations. This is called a ‘brute force’ attack because it consists of a simple process: trying all common or likely PIN codes over and over until the correct code is finally discovered.

Protecting against this type of attack can be difficult because the software itself is never compromised; instead, the software must have special protocols that are called upon to slow attackers down. Apple’s approach involves locking the device for a set amount of time, which should slow attackers down enough to make brute force attacks take too long to perform reliably. However, this method leads to another type of ‘attack’, where people can maliciously lock users out of their phones simply by entering the wrong PIN over and over.

The challenge phrase delays would-be cyber trespassers

With Windows 10 Mobile, Microsoft has taken a new approach to thwarting brute force attacks: a challenge phrase. Essentially, when the PIN is entered incorrectly four times in a row, users are sent to a different screen where they are required to enter a specific phrase. This ‘challenge phrase’ slows potentially malicious brute force entry without freezing the device. While similar to a captcha, the challenge phrase also prevents automated machines from entering popular PINs over and over.

Currently there is a single challenge phrase, A1B2C3, and it is case sensitive. Windows 10 Mobile also increases PIN security by allowing users to set a PIN of any length. In testing there was no practical limit to the PIN length, the only requirement being that it contain only digits. Any mobile user concerned about a weak PIN could always set theirs to Graham’s number, just to make sure no one has enough time to break into their phone.
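As an added illustration (this is not Microsoft's code, and the real lock-screen internals are not described in the article), the following Python model captures the policy as the article states it: a numeric PIN of any length, a counter of consecutive wrong entries, and a gate that holds every further attempt, even a correct one, until the case-sensitive phrase A1B2C3 is entered. The class name, method names and the constructed sample PINs are assumptions for the example.

```python
import hmac

# Values reported in the article; the rest of the model is assumed.
CHALLENGE_PHRASE = "A1B2C3"          # single, case-sensitive phrase
FAILURES_BEFORE_CHALLENGE = 4        # wrong entries before the challenge screen


class PinGate:
    """Hypothetical model of the Windows 10 Mobile lock-screen policy.

    There is no timed lockout, so a stranger mashing wrong PINs cannot
    lock the owner out; they only reach a screen that a human who knows
    the phrase can clear immediately.
    """

    def __init__(self, pin: str):
        if not pin.isdigit():               # only requirement: digits, any length
            raise ValueError("PIN must contain digits only")
        self._pin = pin.encode()
        self.failures = 0                   # consecutive wrong PIN entries
        self.challenge_pending = False

    def answer_challenge(self, phrase: str) -> bool:
        """Case-sensitive check; on success the PIN screen is re-enabled."""
        ok = hmac.compare_digest(phrase.encode(), CHALLENGE_PHRASE.encode())
        if ok:
            self.challenge_pending = False
            self.failures = 0
        return ok

    def try_pin(self, guess: str) -> str:
        """Returns 'unlocked', 'wrong', or 'challenge' (attempt not evaluated)."""
        if self.challenge_pending:
            return "challenge"              # no PIN is checked until the phrase is given
        if hmac.compare_digest(guess.encode(), self._pin):
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= FAILURES_BEFORE_CHALLENGE:
            self.challenge_pending = True
        return "wrong"


def count_evaluated_attempts(gate: PinGate, candidates) -> int:
    """How many PINs from a candidate list an automated guesser (one that
    never answers the challenge) actually gets evaluated. Stops on unlock."""
    evaluated = 0
    for pin in candidates:
        result = gate.try_pin(pin)
        if result == "challenge":
            break
        evaluated += 1
        if result == "unlocked":
            break
    return evaluated
```

Running the model against a list of popular PINs shows the property the article describes: the guesser gets exactly four evaluated attempts before the gate stops consuming input, while the owner clears the screen with the phrase and continues.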