For the past two days, the Web has been filled with tech sites recommending that you should always password protect your phone. Of course, this isn't just some epiphany that everyone magically had at once. We all have recommended to friends, family members and everyone else that a PIN or some other password for your lock screen isn't a bad idea. So why, all of a sudden, was there an urge for everyone to state how a password on your smartphone is more secure than not having one?
On Tuesday, Symantec, makers of Norton antivirus software, performed a study called the Symantec Smartphone Honey Stick Project, where they deliberately lost 50 smartphones in New York City, Washington D.C., Los Angeles, San Francisco and Ottawa, Canada. The idea was to determine exactly what happens when a phone is lost. How many people try to contact the owner? How many people will snoop first? What information gets espied? You get the gist.
Long story short, Symantec scattered the 50 smartphones, all filled with generated personal and work data, and they waited. The results? Well, if the hundreds of sites that have already suggested you password lock your phone aren't a dead giveaway, the results were pretty grim. Only 50 percent of the people who found one of Symantec's "lost" phones made an attempt to return it, but not before taking a peek at its contents. In fact, "96 percent of our lost smartphones were accessed by their finders," says Kevin Haley of Symantec. He goes on to assure us that this "snooping" probably wasn't in good faith either, but more likely out of curiosity. Here are some more gruesome facts found by the project:
- Six out of 10 finders attempted to view social media information and email
- Eight out of 10 finders tried to access corporate information, including files clearly marked as "HR Salaries," "HR Cases," and other types of corporate information
- One out of every two finders tried to run the "Remote Admin" app
- Nearly 50 percent of the finders tried to access the owner's bank account
- Of the 50 devices, the owner only received 25 offers to help, despite the fact that the owner’s phone number and email address were clearly marked in the contacts app
- 89 percent of finders accessed personal information and 83 percent accessed business information
- 68 percent of devices were accessed prior to being moved by the finder (32 percent were moved before being accessed)
- 5 percent of devices were moved, but were not accessed during the 7 days of the study
- A total of 89 percent of devices showed attempts to access personal apps or data
- Attempts to access a private photos app occurred on 72 percent of the devices
- An attempt to access an online banking app was observed on 43 percent of the devices
- Access to social networking accounts and personal email were each attempted on over 60 percent of the devices
- A “Saved Passwords” file was accessed on 57 percent of the phones
- 66 percent of the devices showed attempts to click through the login or password reset screens (where a login page was presented with username and password fields that were pre-filled, suggesting that the account could be accessed by simply clicking on the “login” button)
- There was an average time of 10.2 hours before an access attempt was made, with a median time of 59 minutes (based on actual access attempts)
It should come as no secret that if you lose your phone, your personal (and even work) data is at risk of being espied. But seeing these numbers comes as a bit of a reality check. Who would have thought 96 percent of people who find a phone would look through pictures, try to access bank account information or even try to access a remote computer? I always figured the number would be high – like 60 to 75 percent. But never would I have imagined 96 percent of people would go snooping before trying to return the device.
Anyway, the point that Haley and the Symantec Smartphone Honey Stick Project were trying to make is that you should secure your data. A simple password or pattern lock screen will do wonders to keep prying eyes out of your phone if it is lost. But if you would like to take it one step further, you could use remote wipe and device tracking solutions in the event your device is lost. Symantec's Norton Antivirus & Security app for Android devices offers both of these and more.
There is a downside to password protecting your phone, though. Passwords are always good to have, as they generally serve their purpose well – they keep those who are meant to be kept out from digging through sensitive information. But, sometimes, they can also keep you out when you need to access your phone the most.
Forgetting a password is fairly common today, as many suggest it is good practice to change your password every couple weeks or months. If you forget your password on an online account, it's typically not too difficult to recover or reset it. Simply click the "Forgot password?" link and have a new one or existing one sent to your email account.
However, recovering or still accessing your smartphone if you have forgotten your password isn't quite so easy. By default on a password protected BlackBerry, if you enter an incorrect password 10 times, the device will wipe itself. Other platforms offer similar security features, which are nice to have, unless you lock yourself out of the phone. On Android, if you enter the incorrect password too many times, it will make you wait several minutes before you can make another attempt. Eventually, it will allow you to enter the password of the associated Google account instead, but that doesn't always work.
For instance, my friend Meghal was using a pattern lock on his phone at a party last year. One of his friends thought it would be funny to remember his pattern, access the phone and change the pattern. It wasn't so funny when nobody remembered the password in the morning, though. Meghal figured that he could eventually just enter his Google account password. But when he did, even though he was entering the right password (it would let him log in on my computer but not on the phone with the same exact password), an "invalid password" prompt would show. He left the phone with me so I could attempt to recover it. (Had it been rooted, it would have been as simple as booting into recovery, creating a backup and wiping the phone.) After several hours of trying to access the phone without losing any of his information, I gave up. I had to download some PC software to factory reset the device, and Meghal lost everything.
I have forgotten my own password a couple times, too. I used to change my BlackBerry password every couple months. One time I had completely forgotten what I had changed it to almost immediately after I clicked "Done". Luckily, I backed my BlackBerry up to my computer (oh, how I love cloud backups on virtually everything now). I had to wipe the device just so I could use it, but when I made it home, I recovered all of my data.
Now I'm kind of off and on about passwords. I use them sometimes, but I ultimately get fed up with them as I check my phones every couple minutes throughout the day. It's definitely smart to use them, but you may end up locking yourself out of your own device some day. And believe me when I say it isn't fun.
I guess if you're an Android user, you could just use Face Unlock. It's kind of difficult to forget how to hold your phone in front of your face. Just don't grow a beard, or wear sunglasses.
Tell me, ladies and gents. Have you ever locked yourself out of a phone? Did you end up losing everything? Or were you able to recover the password without wiping?