by Rob Patey

Passcodes serve as the “lowest hanging fruit” of mobile security for enterprises, yet recent data from Fiberlink’s MaaS360 platform uncovers this startling fact: 15% of organizations still don’t enforce this most basic security measure.

Looking at 200,000 of the 2 million plus devices we manage for industries across the globe, we learned that passcode security still has a long way to go for complete protection of data on smartphones and tablets.

Limitless Passcode Options – Limited Implementation

It would help to first define the options available for passcode protection on mobile devices. The three most common categories are:

  • PIN/Simple Passcode: Just numbers or letters
  • Alphanumeric Passcode: Combination of numbers and letters
  • Complex Passcode: Combination of numbers, letters and special characters

According to the data, the PIN/simple passcode prevails overall with an overwhelming 93% majority. Of those deploying this basic approach, 73% use only 4-5 characters—further highlighting this pervasive simplicity.

Why is this troubling? io9 recently did a report showcasing a robot constructed for a paltry $300 that can crack these codes in just under 24 hours, and that’s a high-end estimate. Also, considering most people use repeated digits on their phone or tablet, regular old human hackers can usually get into your smartphone in 10 tries or less.

Healthcare Passcodes Most Enforced; Public Sector Passcodes Most Complex

While there is no one-size-fits-all rule for passcode protection, IT can use several barometers for the proper approach in their industry. Healthcare, financial services and public sector organizations have some of the strictest audit requirements when it comes to data protection, with regulations like HIPAA, HITECH, FINRA and FISMA compliance constantly looming over their heads. Given these factors, it comes as little surprise that organizations under these umbrellas are the most fastidious when it comes to passcode enforcement through mobile device management policies and passcode complexity.

Passcodes Most Enforced Through Automated Policies by Industry (% of devices protected) 

  • Healthcare: 97%
  • Professional Services: 87%
  • Public Sector: 85%
  • Consumer/Retail: 81%
  • Financial Services: 79%
  • Manufacturing: 78%
  • Education: 41%

Most Complex Passcodes by Industry (% of devices using alphanumeric or complex passcodes)

  • Public Sector: 18%
  • Financial Services: 9%
  • Professional Services: 6%
  • Healthcare: 4%
  • Consumer/Retail: 3%
  • Manufacturing: 3%
  • Education: 1%

No One Right Answer

While a 10-digit complex passcode rife with special characters would help IT and CSOs sleep better at night, the pitfalls of such a draconian approach would greatly outweigh the benefits. Currently only 7% of organizations are employing a complex passcode, but even these organizations must exercise prudent caution. User experience must still be considered in the greater scheme of things as much as security. Human error could easily turn an overly complex passcode into a headache for IT quicker than you can type 432#$%hippa. If you must employ such complexity in your passcodes, a containerization approach can provide complexity on business device functions while leaving the personal side of the device more accessible.

Balance is the order of the day: a pragmatic marriage of user experience coupled with industry best practices. Regardless of what passcode approach you take in securing mobility, the automation of Mobile Device Management (MDM) policies is an essential element in standardizing a vast ecosystem of device types and operating systems. Furthermore, MDM policies can help automate remediation workflows when a user locks themselves out of their device or decides to root/jailbreak a device in order to bypass passcode protection altogether. Warn, block or wipe are all at IT’s disposal depending on the severity of the infraction. Also, with MDM, IT gets a clear daily view, through their Watchlist, of which devices are passing passcode muster and which devices are still trying to pass on passcodes altogether.
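As an added example (not Fiberlink’s or MaaS360’s code), here is a small Python model of the workflow described above: the post’s three passcode categories, a per-industry policy, and the warn/block/wipe escalation feeding a daily watchlist. The DeviceReport shape, the sample devices and the mapping of infraction severity to action are assumptions.

```python
from dataclasses import dataclass
CATEGORIES = ["simple", "alphanumeric", "complex"]  # the post's categories, weakest to strongest

def classify(passcode: str) -> str:
    """Map a passcode to the post's categories (checked on the device when a passcode is set)."""
    kinds = {"digit" if c.isdigit() else "alpha" if c.isalpha() else "special" for c in passcode}
    if {"digit", "alpha", "special"} <= kinds:
        return "complex"
    if {"digit", "alpha"} <= kinds:
        return "alphanumeric"
    return "simple"

@dataclass
class Policy:
    min_length: int
    min_category: str        # one of CATEGORIES
    max_failed_unlocks: int  # lockout threshold that triggers remediation
@dataclass
class DeviceReport:          # hypothetical agent report; the passcode itself is never sent
    device_id: str
    has_passcode: bool
    category: str            # as classified on the device
    length: int
    failed_unlocks: int
    rooted: bool             # rooted/jailbroken

def meets_policy(category: str, length: int, policy: Policy) -> bool:
    return (length >= policy.min_length and
            CATEGORIES.index(category) >= CATEGORIES.index(policy.min_category))
def remediation(r: DeviceReport, policy: Policy) -> str:
    """Warn / block / wipe escalation; the severity-to-action mapping is an assumption."""
    if r.rooted:                       # passcode protection bypassed entirely
        return "wipe"
    if not r.has_passcode or r.failed_unlocks >= policy.max_failed_unlocks:
        return "block"
    if not meets_policy(r.category, r.length, policy):
        return "warn"
    return "ok"
def watchlist(reports: list, policy: Policy) -> dict:
    # Daily view: every non-compliant device and the action queued for it.
    return {r.device_id: a for r in reports if (a := remediation(r, policy)) != "ok"}

HEALTHCARE = Policy(min_length=6, min_category="alphanumeric", max_failed_unlocks=10)
SAMPLE = [  # constructed inventory, not real MaaS360 data
    DeviceReport("hc-001", True, "alphanumeric", 8, 0, False),
    DeviceReport("hc-002", True, "simple", 4, 0, False),
    DeviceReport("hc-003", False, "simple", 0, 0, False),
    DeviceReport("hc-004", True, "complex", 10, 0, True),
]
```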

Where do you stand on Passcodes? Share your best-practices in the comments below.