Jump to content

Brute-forcing BioMetric security passes on mobile phones?

I have been reading a lot about cyber security recently. 


More so the security of actual real-world common devices (like mobile phones) and how Digital Forensic technicians at law enforcement agencies [Particularly the UK] use various third-party softwares such as Passware or Cellebrite to brute force passwords and passcode. The government agency pays these cracking companies (which are meant to be anonymous by the way) huge funds to utilize the software.


There are a couple of other ways to obtain passwords other than brute force, that may involve looking at linked accounts, stored on the local memory etc. However, for a 2023 Google Android or even 2023 Apple iPhone, a lot of the methods used will be brute force still. 


The success can vary depending on the mixture of characters used, but more importantly, the length of the password/code. See the table below which shows a similar 2023 example of how long the above software's would take to brute force into a phone. 




Using this example, if you had the FINGERPRINT scanner enabled on say an Android/iPhone, but your back-up password (in case you get locked out) was 20 characters long and heavily mixed, would there be any way they could brute force it using the BioMetric security option?


I guess they could take your fingerprints and somehow duplicate / transition them onto a replica if they really wanted to. However, assume your fingerprint data was unknown.

CPU: AMD Ryzen 9 16-core 5950X

CPU Cooler: Artic Freezer 2 AIO 360mm Radiator

Motherboard: Asus ROG Strix X570-F Gaming

Memory: 32GB (2x16GB) G.Skill Trident Z Royal 3600 MHz CL16

GPU: Nvidia RTX 4080 MSI Ventus 3X 16GB GDDR6X

Storage OS: 500GB Samsung 980 Pro Gen4 M.2 NVme SSD

Storage Games: 2TB Corsair MP600 Gen4 M.2 NVme SSD + 2TB Samsung 860 Evo SSD + 500GB Samsung 850 Evo SSD

Storage Misc: 2TB Seagate Barracuda Compute 7200 RPM

PSU: Corsair HX Platinum 1000W 80+

Case: Fractal Design Meshify S2 ATX Mid Tower

Monitor: Dell Alienware AW3423DW 175Hz 1ms 3440p (widescreen) HDR400 OLED panel 34"  + Asus PG258Q 240Hz 1ms 1080p G-Sync TN panel 24.5"

Link to comment
Share on other sites

Link to post
Share on other sites

1 hour ago, Actual_Criminal said:

The success can vary depending on the mixture of characters used

What matters more than anything is length, but not just length, entropy is extremely important. 


MyL0NgPa$$w0Rd! doesn't count as a 15 character password since it can be rainbow tabled extremely quickly. In any brute force attack this would be guessed very quickly, or at lest WAY quicker then the above chart would lead you to think.


When you generate a password, it needs to be genuinely random which is why password managers are useful. They create a password no human would remember and are actually sudo-random enough to be called high entropy. Anything using actual dictionary words, even if you throw l33t speak in there for example, is not good from an actual entropy stand point. Lots of articles you can look up on this if you wanted...


But a good example of an actually strong password would be:




Thats a 20 character password that won't be cracked anytime soon.






Website to check passwords yourself, for reference: https://bitwarden.com/password-strength/



Rig: i7 10700k @ 5.1Ghz, 4.8 Ring - - Z490 Vision G - - EVGA RTX 2080 XC Ultra @ 2025Mhz - - 4x8GB Vengeance Pro 3000Mhz 15-17-17-34 @ 3500MHz 16-19-19-38 - - Samsung 950 Pro 512 NVMe Boot + Main Programs - - Samsung 830 Pro 256 RAID 0 Lightroom + Photo work - - WD Blue 1 TB SSD for Games - - Corsair RM850x - - Sound BlasterX EA-5 - - EK Supremacy Evo - - XT45 X-Flow 420 + UT60 280 rads - - EK Full Cover GPU Block - - EK XRES RGB PWM - - Fractal Define S2 - - Acer Predator X34 -- Logitech G502 - - Logitech G710+ - - Logitech Z5500 - - LTT Deskpad


Headphones/amp/dac: Schiit Lyr 3 - - Fostex TR-X00 - - Sennheiser HD 6xx


Homelab/ Media Server: Proxmox VE host - - 512 NVMe Samsung 980 for VM's/Proxmox boot - - Xeon e5 2660 V4- - Supermicro X10SRF-i - - 128 GB ECC 2133 - - 10x4 TB WD Red RAID Z2 - - Corsair 750D - - Corsair RM650i - - Dell H310 6Gbps SAS HBA - - Intel RES2SC240 SAS Expander - - TreuNAS + many other VM’s


iPhone 14 Pro - 2018 MacBook Air

Link to comment
Share on other sites

Link to post
Share on other sites

I love that the estimated ChatGPT brute force times for the most secure passwords range into the billions of years. The Sun has long since become a white dwarf, humanity is either extinct or has become an intergalactic species... but dammit, someone finally got into Jimmy's Gmail account.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now