
Brute-forcing BioMetric security passes on mobile phones?

I have been reading a lot about cyber security recently.

More so the security of actual real-world common devices (like mobile phones) and how Digital Forensic technicians at law enforcement agencies [particularly the UK] use various third-party software such as Passware or Cellebrite to brute force passwords and passcodes. The government agency pays these cracking companies (which are meant to be anonymous, by the way) huge sums to use the software.

 

There are a couple of other ways to obtain passwords other than brute force, that may involve looking at linked accounts, stored on the local memory etc. However, for a 2023 Google Android or even 2023 Apple iPhone, a lot of the methods used will be brute force still. 

 

The success can vary depending on the mixture of characters used, but more importantly, the length of the password/code. See the table below, which shows a similar 2023 example of how long the above software would take to brute force into a phone.

[image: table of estimated brute-force times by password length and character mix]

 

Using this example, if you had the FINGERPRINT scanner enabled on say an Android/iPhone, but your back-up password (in case you get locked out) was 20 characters long and heavily mixed, would there be any way they could brute force it using the BioMetric security option?

 

I guess they could take your fingerprints and somehow duplicate / transition them onto a replica if they really wanted to. However, assume your fingerprint data was unknown.


1 hour ago, Actual_Criminal said:

The success can vary depending on the mixture of characters used

What matters more than anything is length, but not just length: entropy is extremely important.

 

MyL0NgPa$$w0Rd! doesn't count as a 15-character password since it can be rainbow tabled extremely quickly. In any brute force attack this would be guessed very quickly, or at least WAY quicker than the above chart would lead you to think.

 

When you generate a password, it needs to be genuinely random, which is why password managers are useful. They create a password no human would remember and are actually pseudo-random enough to be called high entropy. Anything using actual dictionary words, even if you throw l33t speak in there for example, is not good from an actual entropy standpoint. Lots of articles you can look up on this if you wanted...

 

But a good example of an actually strong password would be:

 

yZYwQMJIl*@R2*#

 

That's a 20 character password that won't be cracked anytime soon.


Website to check passwords yourself, for reference: https://bitwarden.com/password-strength/

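An added illustration of the entropy point in the reply above (example code written for this page, not posted by the author): it computes the search space a length-and-character-mix chart would assume for the two passwords quoted in the thread, then a pattern-aware estimate that charges a dictionary word (after undoing leet substitutions) as one choice from a wordlist rather than as random characters. The seven-word wordlist and the guess rate of 1e10 per second are assumptions constructed for the demo.

```python
import math
import string

# Character classes a brute-force time chart reasons about: the attacker is
# assumed to try every string over the union of classes the password uses.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Undo the usual leet substitutions before dictionary matching.
LEET = str.maketrans("0134$@", "oieasa")

# Constructed seven-word dictionary for the demo; a real cracker ships millions
# of words, so a matched word is cheaper to guess than shown here.
WORDLIST = {"my", "long", "password", "pass", "word", "the", "secret"}

def charset_size(pw):
    """Alphabet size the naive chart assumes for this password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(ch in chars for ch in pw))

def naive_bits(pw):
    """Search space in bits if every character were uniformly random."""
    return len(pw) * math.log2(charset_size(pw))

def effective_bits(pw, wordlist=WORDLIST):
    """Pattern-aware estimate: each dictionary word (after undoing leet and case)
    costs one wordlist choice plus 2 bits for the mangling; only characters that
    match nothing are charged as a full random character."""
    norm = pw.translate(LEET).lower()
    bits, i = 0.0, 0
    while i < len(norm):
        word = max((w for w in wordlist if norm.startswith(w, i)),
                   key=len, default=None)
        if word:
            bits += math.log2(len(wordlist)) + 2
            i += len(word)
        else:
            bits += math.log2(charset_size(pw))
            i += 1
    return bits

def years_to_crack(bits, guesses_per_second):
    """Expected time to hit the password (half the keyspace) at an assumed rate."""
    return 2 ** bits / 2 / guesses_per_second / (365 * 24 * 3600)
```

Running `naive_bits` and `effective_bits` on "MyL0NgPa$$w0Rd!" gives roughly 98 bits versus 21 bits, while the random string "yZYwQMJIl*@R2*#" scores the same under both, which is the difference the reply is describing.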

I love that the estimated ChatGPT brute force times for the most secure passwords range into the billions of years. The Sun has long since become a white dwarf, humanity is either extinct or has become an intergalactic species... but dammit, someone finally got into Jimmy's Gmail account.
