Usability vs. Security in the Context of Apple iOS Mobile Hotspots

50 points by FredericJ, almost 12 years ago

7 comments

akent, almost 12 years ago
The real weakness is because iOS default / suggested passphrases aren't very secure: "As the hotspot wordlist consists of only 1842 entries followed by a four-digit number, there are only around 18.5 million possible combinations."
taylorfausak, almost 12 years ago
At first, I figured this could be used as a case against Randall Munroe's password generation algorithm [1]. But it looks like the problem is with Apple's implementation, not with the method. The abstract claims that "the process of selecting words from that word list is not random at all". I wondered how not-random the selection was. The paper says: "words from this Top 10 list are ten times more likely to be selected as a default password". The word frequency distribution graph [2] is pretty damning.

[1]: http://xkcd.com/936/
[2]: http://imgur.com/nAKkPe3
foxhop, almost 12 years ago
Nothing in the article talks specifically about the word list coming from either scrabble or crossword.

I wrote a scrabble / boggle solver web app and used the built-in dictionary provided with my Linux distribution.

Check it out at http://words.gumyum.com [source-code]

The hotspot cracker appears to use a similar algorithm.
RLN, almost 12 years ago
Interesting but the danger appears to be slightly overblown:

> A GPU cluster composed of four AMD Radeon™ HD 7970 can cycle through around 390.000 guesses per second. As the hotspot wordlist consists of only 1.842 entries followed by a four-digit number, there are only around 18.5 million possible combinations. This means, that a GPU cluster will crack an arbitrary password in less than 50 seconds.

Being in range of a hotspot with that kind of hardware reliably and for any length of time is going to be difficult. Yes it's insecure but not to someone on the street attacking it with just their phone.
orofino, almost 12 years ago
I've since changed the password, but I believe this may be fixed in iOS 7. I seem to recall some thoroughly random password after install.
nrj, almost 12 years ago
It seems to be using a private API method of UITextChecker. [checker suggestWordInLanguage:@"en_US"]; to generate each word in the list. Can anyone explain what this method is actually doing? It doesn't take any sort of argument (other than language), does it literally just give you a random English word?
chris_wot, almost 12 years ago
I've always considered personal hotspot default passwords to be insecure. Ironically, I've never changed my iPhone's default password. Thank goodness for poor coverage on Australia's CityRail network, I suppose...
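
Added example (not part of the thread or of the paper it discusses): the arithmetic behind the figures quoted by akent, taylorfausak and RLN, worked in Python. The word count, four-digit suffix and guess rate come from those quotes; the weight of 10 for each of the top ten words is an assumed reading of "ten times more likely", and the 62-character alphabet for a random replacement passphrase is also an assumption.

```python
import math

WORDS = 1842        # wordlist size quoted in the thread
SUFFIXES = 10 ** 4  # four-digit number appended to the word
RATE = 390_000      # guesses/second quoted for four HD 7970 GPUs

def word_probs(top_n=10, top_weight=10.0):
    """Assumed skew: each of the top_n words is top_weight times as
    likely as any other word. Returned most-likely-first."""
    weights = [top_weight] * top_n + [1.0] * (WORDS - top_n)
    total = sum(weights)
    return [w / total for w in weights]

def entropy_bits(probs):
    """Shannon entropy of word choice plus a uniform 4-digit suffix."""
    return -sum(p * math.log2(p) for p in probs) + math.log2(SUFFIXES)

def expected_guesses(probs):
    """Mean guesses when words are tried in descending probability.
    The word at rank i covers guesses i*S+1 .. (i+1)*S."""
    ranked = sorted(probs, reverse=True)
    return sum(p * (i * SUFFIXES + (SUFFIXES + 1) / 2)
               for i, p in enumerate(ranked))

def random_bits(length, alphabet=62):
    """Entropy of a uniformly random passphrase (assumed a-zA-Z0-9)."""
    return length * math.log2(alphabet)

def report(probs):
    space = len(probs) * SUFFIXES
    return {
        "keyspace": space,
        "entropy_bits": round(entropy_bits(probs), 2),
        "exhaust_s": space / RATE,
        "mean_s": expected_guesses(probs) / RATE,
    }

if __name__ == "__main__":
    uniform = [1.0 / WORDS] * WORDS
    print("uniform words:", report(uniform))
    print("skewed words :", report(word_probs()))
    # Same guess rate against a 12-character random passphrase.
    years = 2 ** random_bits(12) / RATE / (365 * 24 * 3600)
    print(f"12 random chars: {random_bits(12):.1f} bits, "
          f"{years:.2e} years to exhaust")
```

Under the assumed weighting the skew lowers the mean only slightly; the roughly 24-bit keyspace is what puts full exhaustion under 50 seconds at the quoted rate.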