Riccardo, thanks for pushing on this.
I also have a computer science background and then later a software engineering background (I was taught that the science and the engineering were different). How should we judge this? Compare grades? School rankings? Career experience?
How about you make a more thorough case.
Or not. I’d already double-checked my citations before posting, but your comment sent me down the rabbit hole again. While I did that, I spotted an obvious difference between what I thought I was writing and what I actually wrote, which is I meant for the three words to be random. I’ve corrected that and that does end up mattering.
It’s pretty interesting to go down this rabbit hole. I was surprised to learn that the encrypted password can be grabbed over the air during authentication. If the attacker isn’t present at the time of the initial authentication, they can force a re-auth event and then grab the encrypted password then. That makes a dictionary or brute force attack much more accessible since the attack will go at the speed of the attacker’s computer rather than the speed of your iPhone’s authentication routine.
Using the xkcd estimation, I believe the estimated crack time to brute force the password is about 100 days (2³³/1000/(60*60)/24). That’s not enough time for the crack to matter if you’re at a coffee shop just one time, but plenty of time to matter if you’re at the coffee shop every day, year round.
The more conservative study that I’d cited in that section hones in on non-random pass phrases and came to the conclusion that 1% of people will set multi-word passwords that are easily guessable via dictionary attack (and by my estimation, that guess would take less than 30 minutes). So, yes, random is an improvement in order to take away the dictionary attacks on common multi-word strings.
While I was in my calculator, I also looked at whether doing permutations of individual dictionary words would help the attacker. The answer is no. The total number of English words is 171,000 and the cube root of that is a very large number, larger than what we’ve been talking about. Even if you simplify the dictionary down to common words, the average person knows between 20,000 and 35,000 words. Still, the cube root of 20,000 produces enough permutations that an attacker would need 250 years.
Then I wondered if the attacker could gain an advantage by listening to someone type in the password. I’m pretty sure most people will have an audible pause in their typing and that the attacker could at least guess word length. Here, I got stuck. The word lists I found had counts that were almost unbelievably high. I’m not sure how to answer a question like, “How many six letter words are commonly known?” However, if the attacker is listening to keystrokes, they may as well be just watching you type the password in.
Last, I wondered what’s to gain for the attacker and what’s to lose for the user.
The attacker can gain free data service and increased privileges on par with being on the same wifi network as your device. Where and when is this incentive greater than being on the same wifi network as a coffee shop, where the attacker can walk in, grab the password, and then be on that network whenever they want? Often there are open networks available that allow for actual snooping of internet traffic and this isn’t true for an iPhone hotspot.
Then from the iPhone user’s perspective, the downside of being hacked is a higher bandwidth bill and exposure to increased privileges. The main privilege I can think of is that people can attempt to AirDrop you files. What else? They can’t snoop your traffic.
So, now, having gone through this list, what’s the risk? My article is going to end up having about one million readers. If every single one of them adopts this advice for their hotspot, how many of them are going to get hacked? And then what’s the total financial downside summed up against all those users? My back of the envelope is that given the full context, my original advice is still good for someone who prioritizes productivity (which is explicit in the title of the article).
Am I thinking through the edge cases and details right? What would you add?
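The calculations in the comment above (the 2³³ xkcd figure, the 20,000³ and 171,000³ dictionary spaces, and the "can the attacker hear word lengths?" question) as a small added worked example. This is not the commenter's code or the article's; it assumes the xkcd 936 rate of 1,000 guesses per second as a labelled constant, uses a constructed 12-word list standing in for a real dictionary, and models "the attacker heard the typing pauses" as "the attacker knows the length of each word", which is my own modelling choice, not something the comment asserts.

```python
import math
from collections import Counter

# Assumed guess rate, following the xkcd 936 comic the comment cites:
# 1,000 guesses per second against a captured handshake (offline attack).
XKCD_GUESSES_PER_SEC = 1000

SECONDS_PER_DAY = 60 * 60 * 24
DAYS_PER_YEAR = 365

# Constructed stand-in for a real word list; only the length distribution
# matters for the "overheard word lengths" model below.
SAMPLE_WORDS = [
    "cat", "dog", "sun", "fox",          # four 3-letter words
    "tree", "book", "lamp",              # three 4-letter words
    "horse", "apple", "plant",           # three 5-letter words
    "banana", "rocket",                  # two 6-letter words
]


def search_space(list_size: int, words: int) -> int:
    """Distinct passphrases when `words` are drawn with replacement from a
    list of `list_size` candidates (the 20,000**3 style figure)."""
    return list_size ** words


def crack_time_days(space: int, guesses_per_sec: int = XKCD_GUESSES_PER_SEC) -> float:
    """Worst-case time to exhaust `space` guesses at `guesses_per_sec`.
    The expected time for a uniformly random phrase is half of this."""
    return space / guesses_per_sec / SECONDS_PER_DAY


def crack_time_years(space: int, guesses_per_sec: int = XKCD_GUESSES_PER_SEC) -> float:
    return crack_time_days(space, guesses_per_sec) / DAYS_PER_YEAR


def entropy_bits(wordlist, words: int = 3, lengths=None) -> float:
    """Bits of entropy in a passphrase of random words from `wordlist`.

    With `lengths` (a tuple of per-word character counts) the attacker is
    assumed to know each word's length, so each position only ranges over
    the words of that length. Without it, each position ranges over the
    whole list.
    """
    if lengths is None:
        return words * math.log2(len(wordlist))
    by_length = Counter(len(w) for w in wordlist)
    bits = 0.0
    for n in lengths:
        if by_length[n] == 0:
            raise ValueError(f"no {n}-letter words in list")
        bits += math.log2(by_length[n])
    return bits


def entropy_crack_time_days(bits: float, guesses_per_sec: int = XKCD_GUESSES_PER_SEC) -> float:
    """Worst-case days to exhaust a space of 2**bits guesses."""
    return crack_time_days(2 ** bits, guesses_per_sec)


if __name__ == "__main__":
    print(f"xkcd 2^33 space: {crack_time_days(2 ** 33):.1f} days")
    print(f"20,000^3 space:  {crack_time_years(search_space(20000, 3)):.0f} years")
    print(f"171,000^3 space: {crack_time_years(search_space(171000, 3)):.0f} years")
    full = entropy_bits(SAMPLE_WORDS, 3)
    known = entropy_bits(SAMPLE_WORDS, lengths=(3, 4, 6))
    print(f"sample list, 3 words: {full:.2f} bits; lengths known: {known:.2f} bits")
```

The `lengths` model is the part that goes beyond the comment's arithmetic: run it against a real dictionary and the reduction is the sum of log₂(count of words of each heard length) versus words × log₂(list size). Whether that reduction matters depends on how evenly the list spreads across lengths, which is exactly the count the comment says it could not find.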