Phone passwords should be mandatory, say police

THE police are lobbying mobile phone manufacturers to make setting a secure PIN number or password mandatory.

The Met's National Mobile Phone Crime Unit (NMPCU) has been meeting with executives at big smartphone suppliers like Samsung and Apple in an attempt to force mobile phone users to set passwords on handsets 'out of the box' for over two years, according to an investigation by The Register.

The NMPCU believe that getting everyone to use a passcode would significantly reduce the number of mobile thefts.

But, to do that, they need the cooperation of biggest mobile companies to ensure, first, that new users have to set a password as soon as their phone is switched on for the first time and, second, that the new user can't use a preset, such as the typical "0000" or "1234", or another easily guessed number, like the phone user's date of birth.

Passwords reduce crime

There is some evidence that technology that makes phones harder to use once they've been stolen is a deterrent to thieves.

The NMPCU have commissioned their own research on the number of iPhone robberies in London in the six months before and after the introduction of the iOS 7 Activation Lock. They found that iPhone thefts fell by 24%.

Further evidence comes from across the pond.

In 2013, after Activation Lock was rolled out, thefts of iPhones were already down 38% in San Francisco, compared to the previous year. In the same period, thefts of less secure Samsung phones rose 12%.

Activation Lock is offering considerably more than a passcode, however. The update means that once a user turns on Find My iPhone their Apple ID and password will be required to turn off the Find My iPhone service and to erase or reactivate the device.

Official Home Office crime statistics also show that the number of 'thefts from the person' fell by 10% in the year ending March 2014. While this doesn't only cover mobiles, police say that indicates that new technology and other anti-theft measures such as the Immobilise personal items register and post theft phone blocking are acting as a deterrent, as well as protecting phone users' personal data and helping them to get their stolen items back.

None of this evidence specifically suggests passwords will prevent crime. But the police are likely to think that it's worth a shot, since so many people leave their phone completely unsecured.

Majority leave phone unprotected

The NMPCU's internal research suggests that 60% of phones don't have a password.

Another study out this year from Lookout Security which found that 66% of Britons don't have a passcode.

Setting crime prevention aside for a minute, that could pose a further threat to victims of mobile phone theft.

DCI Bob Mahoney said that the information you can find on an unlocked phone - addresses, telephone numbers, diaries, Facebook, Twitter and the like - is valuable and in the wrong hands and has the ability to "destroy a person's life".

New technology

So making setting a password a mandatory requirement seems like a good idea. But it also poses a challenge.

If forced to set up the password, there are concerns that users may not choose a sensible code. A 2011 study conducted by an application developer found that 15% of all iPhone owners use one of 10 passcodes.

Of the 204,000 passcodes collected as part of the study, "1234" was the most common.

Over 5,000 people had set their phone to unlock to "0000", while another 4,753 chose "2580", the straight line down a numeric keypad.

These insecure passwords are likely to increase if consumers are made to set them up.

Mobile security is advancing in other ways. Two factor authentication is increasingly the norm and biometrics, such as Apple's TouchID, are being embraced by handset makers, although they're far from protected.

The majority of mobile users, though, would be doing better if they set a simple PIN.