image by flomiscuous, CC by 2.0

My good friend from college sent me an interesting email.

Presh, real-life question for you: What is the safest way to lock my iPhone? Let me explain. A friend unlocked his phone once and I grabbed it and said “so, 9,6,0, and 1, huh?” because the bulk of “tap prints” were on those numbers and, I rightly presumed, correlated to his password. He freaked out because were I a thief, I could unlock his phone pretty easily as I’d know all four numbers and that they are only used once each within the four-digit code (I believe there would be 4x3x2x1 = 24 options). Not terribly safe, is it?

(For more information, check out this great article which has images of smudge prints on phones, which also explains why 3 digit PINs are ideal)

Seeing the security issue, my friend came up with a solution he believed would be better:

So when setting my password, I opted to repeat a number (e.g. 1-2-3-1). That way, someone would look at my phone and even if they could figure the three numbers I use, they would either have to guess at the fourth number (which doesn’t exist) or, should they rightly figure out that I only use three independent numbers, they would have to try all possible permutations of those three different numbers within a four-digit code.

He felt his method was better, but he could not prove it. He posed a couple of questions over to me.

Am I helping myself by using three numbers in a four-digit code? Would it be even safer if I only mixed two independent numbers?

I thought this was a fascinating question. I came up with my opinion on the matter, and the math and my answers are below.




The math needed for this problem

We need a way of counting possible passwords. The easiest case is when someone uses 4 unique numbers for the 4-digit passcode. Each number is used exactly once in the passcode, and hence the problem reduces to counting the number of ways to rearrange 4 objects. This is solved by counting the number of permutations. As calculated in the email, there are exactly 4! = 4 x 3 x 2 x 1 = 24 ways to have this kind of password.

But what happens when you have a password like 1231? That is, how can you count passwords in which one or more numbers are used multiple times?

The way to solve this is by using an extension of permutations known as the multinomial coefficient. The multinomial coefficient is calculated as the total number of permutations divided by terms that account for non-distinct or repeated elements. If an element appears k times (i.e. has a multiplicity of k), then the factor to divide by is k!

A simple example from Wikipedia’s entry can illustrate. Let’s say we want to figure out the number of distinct ways to rearrange the letters in the word MISSISSIPPI. There are 11 letters but some of the letters are repeated. There is 1 M, 4 Is, 4 Ss, and 2 Ps. The number of distinct rearrangements of the letters is the number of permutations (11!) divided by the factors for the elements accounting for their multiplicity (1! x 4! x 4! x 2!). The multinomial coefficient is thus 11! / (1! x 4! x 4! x 2!) = 34,650.

Am I helping myself by using three numbers in a four-digit code?

There are 4! = 24 possible ways a password can be formed from four distinct and known numbers. Will using just three numbers increase the number of possibilities?

The surprising answer is that yes, it does. It seems counter-intuitive at first so let’s go through an example.

Suppose you see an iPhone where the “tap prints” are on the numbers 1, 2, and 3. How many possibilities are there for the four-digit password to unlock the phone?

One simple observation gets us started. For three numbers to all be used in a four-digit password, some digit must be used twice. Perhaps the number 1 appears twice, or the number 2, or the number 3.

Suppose the number 1 is used twice. How many passwords are possible? We can use the multinomial coefficient to figure it out. We know the total number of permutations is 4! and we must divide by 2! to account for the number 1 being used twice. Thus, there are 4! / 2! = 24 / 2 = 12 different passwords. We can list these out:

1123

1132

1213

1312

1231

1321

2113

2131

2311

3112

3121

3211

But we are not done yet. We must similarly count the cases in which the number 2 is used twice, or the number 3 is used twice. By symmetry it should be evident that each of those cases yields an additional 12 passwords.

To summarize, there are 12 passwords when a given number is repeated, and there are three possible numbers that could be repeated. In all, there are thus 12 x 3 = 36 passwords.

Notice there were just 24 passwords when using four distinct numbers.

This trick of using three numbers does in fact increase the set of possible passwords. While each case of three digits gives only 12 passwords, the gain from this method is that the other person doesn’t know which number is repeated. They have to consider all three cases, which comes to 36 possible passwords.

Would it be even safer if I only mixed two independent numbers?

If three is better than four, then is two better than three?

Unfortunately it is not.

There is just not enough variety when using two numbers. The gain in ambiguity of multiplicity is simply not enough to counteract the lack of passwords.

With two distinct numbers, there are only 14 possible passwords. The two numbers must have multiplicities (1, 3), (2, 2), or (3, 1), and adding up the multinomial coefficients gives 4! / (1! x 3!) + 4! / (2! x 2!) + 4! / (3! x 1!) = 4 + 6 + 4 = 14.

We can also list them out:

1112

1121

1211

2111

1222

2122

2212

2221

1122

1221

2211

1212

2121

2112

In conclusion, using two numbers ends up reducing the possible number of passwords.
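The three counts above (24, 36 and 14) can be checked two ways: by brute-force enumeration of every code that uses all the smudged digits, and by summing multinomial coefficients over every possible set of multiplicities. The following Python is an added example, not part of the original post; the function names are made up for illustration, and it also accepts code lengths other than four.

```python
from itertools import product
from math import factorial


def candidates(smudged, length=4):
    """All codes of the given length that use every smudged digit at least once."""
    digits = sorted(set(smudged))
    return ["".join(p) for p in product(digits, repeat=length)
            if set(p) == set(digits)]


def compositions(total, parts):
    """Yield every way to write `total` as an ordered sum of `parts` positive integers."""
    if parts == 1:
        yield (total,)
        return
    for first in range(1, total - parts + 2):
        for rest in compositions(total - first, parts - 1):
            yield (first,) + rest


def multinomial_count(k, length=4):
    """Sum of length!/(m1! x ... x mk!) over all multiplicities m_i >= 1 adding to length."""
    if k < 1 or k > length:
        return 0
    total = 0
    for mults in compositions(length, k):
        denom = 1
        for m in mults:
            denom *= factorial(m)
        total += factorial(length) // denom
    return total


if __name__ == "__main__":
    # Constructed smudge patterns: four, three, two and one distinct digit.
    for smudged in ("9601", "123", "12", "1"):
        codes = candidates(smudged)
        # Enumeration and formula must agree.
        assert len(codes) == multinomial_count(len(set(smudged)))
        print(f"{len(set(smudged))} smudged digits -> {len(codes)} candidate codes")
```

Three distinct digits give the largest candidate set for a four-digit code, which is the post's conclusion.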

Additional ways to help

If that weren’t enough, my friend actually brainstormed a couple of other ways to improve the password.

Actually now I can think of all kinds of brilliant maneuvers… like using three digits but tapping a phantom fourth number once the code is entered…. so there are four “tap prints” but only three which are relevant! Or, by the same measure, you could use four independent numbers and then tap a fifth time to have 5 options for four spaces.

I think these are interesting possibilities too, but they hit me as a little less practical since you’d have to diligently tap those extra numbers to make the smudge marks.

I’ll leave it to you to figure out how many passwords those methods will yield.

Perhaps an equally valuable suggestion is to simply clean the touch-screen intermittently to erase the fingerprint marks and leave no clue.