How one good security tip can be a bad one too

:: May 2, 2021 :: L1 iPhone ::

Let’s take iPhone security advice for example.

One supposedly great online resource suggests that you must:

  1. Generate a random alphanumeric code of 11 characters for unlocking your phone
  2. Enable full factory reset after 10 failed passcode attempts
  3. Turn off fingerprint and/or face ID unlock

Sure, each of these pieces of advice might be good on its own. But combining all three can have unwanted effects.

Too many people giving advice on cybersecurity fall into this trap.

Depending on who you are, what you have to protect on your phone, and who your potential attackers are, you need to choose appropriate protection measures. Implementing random tips and advice is often counterproductive.

Getting back to the 3 “tips” above: how do you know which ones to implement? One good approach is to start with a list of realistic threats.

Mobile device threats can be roughly categorized like this:

Application-based threats
For example, threats could come from malicious apps, malware, spyware, etc.

Web-based threats
You are usually exposed to them while using a web browser and unknowingly visiting malicious websites.

Network-based threats
For example, cybercriminals can steal your unencrypted data while you use public WiFi networks in an insecure manner.

Physical threats
The threats you’re exposed to when you lose your mobile device or it gets stolen. With direct access to your device, the attacker could do little or a lot of harm.

:: :: ::

Listing all of the possible threats to your iPhone is not an easy task. Deciding on how to mitigate the threats affecting you is even harder.

That’s why I’m creating a system that can help you choose appropriate security measures for you and your iPhone. It has only one goal: help you improve your iPhone security in a practical way, without drastically changing the way you use your phone.

:: :: ::

For example, for a regular person (who’s not a CEO, VIP or any other kind of very important or affluent person), the most important physical threats could be:

  1. You lose your phone
  2. Someone steals your phone
  3. You break your phone and it won’t turn on anymore
  4. Someone steals your PIN by looking at you unlocking it in a public place

Here’s just one example:

You’re in a public place, like a coffee bar. You unlock your iPhone using the passcode 1111 or 000000.

Someone interested in your phone can easily see your passcode. If the same person steals your phone, then you’re in trouble.

The attacker can access all of your data.

So, how could you prevent such a disaster today? What you really need to do is:

  1. Set a passcode of 6 to 8 digits. It’s much easier to type than an alphanumeric passcode.

  2. Enable fingerprint or Face ID unlock. (Notice that this is the exact opposite of the 3rd tip at the start of the article.)


Is this really good advice?

For regular folks, yes.

You don’t have to generate a random alphanumeric code of 11 characters for unlocking your phone. The person who would steal your phone would most likely want to get some quick money by selling your iPhone or stealing your bitcoins.

You’re most likely not targeted by advanced attackers, and they won’t use any sort of sophisticated software to break your password.

The easiest way for your potential attackers to get your passcode is to see you typing it, or to try to guess it using a few of the most popular passcode combinations.

That’s why your passcode shouldn’t be 111111, 123456, or 020385 if you were born on 2 March 1985. These can be easily guessed.

Additionally, by enabling fingerprint or Face ID unlock, most of the time you’ll unlock your iPhone without typing a passcode, so you’ll expose it less often too.
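To make the guessing argument concrete, here is an added example (not code from the original post) that flags the weak patterns mentioned above, all-identical digits, sequential digits, date-like digits, and a short list of common passcodes, and then estimates how much a guesser can achieve before the 10-attempt wipe limit kicks in. The common-passcode list is a constructed sample, not a measured frequency list, and two-digit years are assumed to mean 20YY.

```python
from datetime import date
from typing import List

# Constructed sample of frequently chosen 6-digit passcodes (assumption:
# illustrative only, not a measured frequency list).
COMMON_PASSCODES = [
    "123456", "111111", "000000", "123123", "654321",
    "112233", "121212", "777777", "666666", "159753",
]

# (day, month, year) character slices for common date layouts, keyed by length.
DATE_LAYOUTS = {
    6: [((0, 2), (2, 4), (4, 6)),   # DDMMYY
        ((2, 4), (0, 2), (4, 6)),   # MMDDYY
        ((4, 6), (2, 4), (0, 2))],  # YYMMDD
    8: [((0, 2), (2, 4), (4, 8)),   # DDMMYYYY
        ((2, 4), (0, 2), (4, 8)),   # MMDDYYYY
        ((6, 8), (4, 6), (0, 4))],  # YYYYMMDD
}


def is_repeated(passcode: str) -> bool:
    """All digits identical, e.g. 111111."""
    return len(set(passcode)) == 1


def is_sequential(passcode: str) -> bool:
    """Consecutive ascending or descending digits, e.g. 123456 or 654321."""
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    return steps == {1} or steps == {-1}


def looks_like_date(passcode: str) -> bool:
    """True if the digits parse as a real calendar date in one of the layouts
    above. Two-digit years are read as 20YY (assumption made for validation)."""
    for (d0, d1), (m0, m1), (y0, y1) in DATE_LAYOUTS.get(len(passcode), []):
        day, month, year = (int(passcode[d0:d1]), int(passcode[m0:m1]),
                            int(passcode[y0:y1]))
        if year < 100:
            year += 2000
        try:
            date(year, month, day)
            return True
        except ValueError:
            continue
    return False


def passcode_weaknesses(passcode: str) -> List[str]:
    """Return the reasons a passcode is easy to guess (empty list if none).
    Pattern checks only apply to numeric passcodes, which is what the post
    recommends for regular users."""
    reasons = []
    if passcode in COMMON_PASSCODES:
        reasons.append("on the common-passcode list")
    if passcode.isdigit():
        if len(passcode) < 6:
            reasons.append("shorter than 6 digits")
        if is_repeated(passcode):
            reasons.append("all digits identical")
        if is_sequential(passcode):
            reasons.append("sequential digits")
        if looks_like_date(passcode):
            reasons.append("looks like a date")
    return reasons


def max_guess_probability(passcode: str, attempts: int = 10) -> float:
    """Chance that a guesser succeeds before the device wipes after `attempts`
    failed tries. A guesser who works through the common list first always
    wins if the passcode sits within its first `attempts` entries; otherwise
    the best a blind guesser can do is attempts / size of the search space."""
    if passcode in COMMON_PASSCODES[:attempts]:
        return 1.0
    alphabet = 10 if passcode.isdigit() else 62  # digits vs. mixed-case alphanumeric
    return attempts / alphabet ** len(passcode)


if __name__ == "__main__":
    for candidate in ["1111", "111111", "123456", "020385", "948271", "a1b2c3d4e5f"]:
        print(candidate, passcode_weaknesses(candidate),
              f"p(guess within 10) = {max_guess_probability(candidate):.2e}")
```

The last function makes the post's point visible: with the wipe limit in place, a non-obvious 6-digit passcode and an 11-character alphanumeric one both leave a blind guesser with a negligible chance, so the extra length buys almost nothing against a thief, while a passcode on the common list loses regardless of the limit.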

You can make their job harder if you configure your smartphone properly.

Here’s the link to the official documentation on how to do this: https://support.apple.com/en-us/HT204060


You're welcome to join my private email list or follow me on Twitter.