I compared my L5 locked screen (i.e. the screen asking for the code to unlock) with other mobile devices. When I mark the last digit of the unlock code, the device automatically gets unlocked without having to press “Unlock”. As the code length in this case isn’t known, the device must, after every digit, hash the digits marked so far and see whether the resulting hash matches the stored hash.
If your password is 1234 and you want to try 123456, you will get access. If you have to press that button first, you wouldn’t get access with 123456.
A wrong password blocks input for a second. This way it’s much harder to brute-force access to your phone via a bot. Instead of many passwords per second, you can type just one password each second.
Regular phones also have unlock via fingerprints. Nothing is easier than faking a fingerprint. Smartphones are not built to be safe.
Edit:
More important for better usability than removing that additional button would be to change the gesture to swipe down (away) the keypad. While typing the password way too fast, I sometimes slide minimally over the screen. But that is enough to push the layer away. Increasing the range of that swipe gesture could make it much easier to log in.
An assumption? Maybe the length of the password is known.
What happens if you type the right number of characters but an incorrect password? Does it automatically give an error when the last character is entered?
3 ways potentially.
A would-be attacker only needs to try exactly one password to know the exact length of the password and thereafter need only try passwords of the known length, rather than wasting time on any longer or shorter passwords. NB: Dependent on the above assumption about how this is implemented.
As always with these things, it is your phone and if you make an informed decision to weaken your security in this way then that is your right.
That limits the generality of how the input is done (since it implies that input characters are available one by one as each character is entered). That is, there are implications for both the source of input and the interface that is used to get input.
This might not work in some remote access scenarios but I guess unlocking from the lock screen is an inherently local action.
Anyway, I’m sure you can make your phone work the way you want it to … if this is something that you really want.
I do not know of any password system on UNIX where the length of the original clear-text password is stored. Only the hash is stored. So, reading of digits will only stop (unlock) if the digits typed so far match the hash. The attacker cannot figure out the password length without knowing the password.
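The two verification styles debated above (check the prefix after every digit vs. check once on “Unlock”), as an added illustration that is not code from this thread or from any phone’s lock screen; the salted PBKDF2 hash and the 4-digit PIN are constructed stand-ins for whatever a device actually stores.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the stored credential: only salt and hash are kept,
# never the PIN length (the point made about UNIX password storage above).
def store_pin(pin: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 10_000)
    return salt, digest

def matches(stored: tuple[bytes, bytes], candidate: str) -> bool:
    salt, digest = stored
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 10_000)
    return hmac.compare_digest(probe, digest)  # constant-time comparison

def unlock_without_button(stored: tuple[bytes, bytes], typed: str):
    """Hash the digits entered so far after every keypress.

    Returns the digit count at which the screen unlocked, or None if the whole
    entry was consumed without a match. A wrong entry of the right length and a
    wrong entry of any other length both return None, so nothing about the
    length is revealed until the correct PIN itself is typed.
    """
    for n in range(1, len(typed) + 1):
        if matches(stored, typed[:n]):
            return n
    return None

def unlock_with_button(stored: tuple[bytes, bytes], typed: str) -> bool:
    """Check once, when 'Unlock' is pressed, against the full entry."""
    return matches(stored, typed)

if __name__ == "__main__":
    stored = store_pin("1234")  # constructed PIN
    print(unlock_without_button(stored, "123456"))  # unlocks after 4 digits
    print(unlock_with_button(stored, "123456"))     # False: full entry must match
```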
Yes, my company iPhone seems to allow only 6 digits to be entered. I don’t know if this was an option at the first-time configuration or if the phone remembers how many digits I entered when setting the passcode.
It is an option. You can choose 4 instead of 6, or you can choose some custom length. And you can choose alphanumeric instead of numeric-only.
I don’t think the option is “first time only” i.e. I think you can change the passcode type and length subsequently, as often as you want.
However, as it’s a company phone, it is possible that you are locked out from changing anything of that nature i.e. possible that you are forced to have 6 digits rather than fewer digits.
I don’t know whether the iPhone remembers anything about what you (your employer) chose. All I am saying is that without further testing, I wouldn’t assume.