You want to access a particular smartphone which has a 4-digit numeric pin, entered by tapping the screen. One day you see the owner wipe the screen, unlock the device, and then get distracted and walk off. You rush over, grab the phone but alas it has auto-locked again. The screen is clean except for smudge marks over the place where the 7 and the 9 appear on the screen. What is the maximum number of PINs you must test to break into the phone (and what formula can be applied for x smudge marks)?
Background: I was reading a blog post about the new "picture sign-in technique for Windows 8" which is to replace passwords, and the author compares the ease of cracking picture sign-ins to the ease of cracking standard smartphone PINs by interpreting smudge-marks on the screen (in a worst-case scenario like that detailed above). He states that the hardest case is a PIN of 4 unique digits:
“A PIN will leave a smudge in a known location for each digit used in the code. If there are n digits in the PIN, and all digits are unique (the hardest to deduce case), there will be n! possible ways of ordering the PIN. For a typical 4-digit PIN, this is 24 different combinations.”
I believe that he is incorrect; 4 unique digits is not the hardest to deduce case. I think that 3 smudges would allow 52 PINs (I've written this up in a blog post: A Shorter PIN Might Be More Secure against Smudge Attack). Then I started wondering whether 2 smudges would produce more or less permutations, but I’m not sure of what formula could be used and I refuse to count them manually on principal. Another interesting question would be the ideal amount of unique digits in the case of the PIN length being unknown to the attacker.
Best Answer
This ought to be solvable by thinking about it, so here is a method to work on.
To crack the case of an n digit pin known to contain precisely m distinct digits, compute the number of possibilities using up to m digits (without worrying about whether all the digits are used) and then subtract the number of possibilities with no more than m-1 digits [remember you have to choose the m-1 digits, which can be done in a certain number of ways, and factor this into the calculation]. Two very similar calculations for m and m-1 plus factoring in the choice gives a reasonably straightforward way through.