[Feature][Discussion] Dynamic Lockscreen Pin/Password based on date/time

nnad

About a decade ago, there existed some apps that allows setting a dynamic lock screen pin/password configuration based on changing parameters as current time, current date, current battery percentage and so on.

Say for example if current time is 01:59 and current date is 22/08/2024, we can set a password in the following pattern:
some_pass_${hh}_${mm}@${DD}-${MM}-${YYYY}
so password will be some_pass_01_59@22-08-2024 and the next minute it will be some_pass_02_00@22-08-2024

This can be customizable by users to compose their pin/password pattern, and there can be some modifiers to avoid being obvious, as mirroring 0159 can be 9510 and adding offset to minutes/hours...

I'm not sure if this is applicable in new android versions, as the last app I've seen that have this idea was in 2016.

I want to discuss this idea with you and you can share your opinions if this is still needed.

Example Apps:
Timepin: https://xdaforums.com/t/app-4-0-3-timepin-changes-your-pin-dynamically-based-on-the-current-time.2640494/
https://www.androidauthority.com/timepin-change-locksreen-pin-time-344046/

DroidLock: https://xdaforums.com/t/app-4-0-droidlock-dynamic-lockscreen-timepin-replacement.3371652/

fid02

nnad What is the practical and real-life benefit of such a feature?

leafnose

nnad
The pattern and modifiers would have to be quite elaborated, since a surveillance camera would get your device time besides having its own time code. The battery level, if a modifier, would also be seen on the footage.
If you’re recorded twice while entering your password, that’s game over. (Or you’ll have to change also the pattern of modifiers based on other modifiers, like time or temperature…)

fid02
You don’t have to enter your password while doing a 360 in order to avoid the cameras any more, or 1080 in my case since I’m too slow with the keyboard.
But I guess it is more a fantasy-life benefit for most.

Stewart

The real advantage would be to have a real unique password, changing over time, in general whether we want it or not, we very often choose a pin, password on things that define us whether close or far.
For the pin it can be a postcode, date of birth, lucky number etc and for the password it's not much different, it can be guessed if you know a little about the person.

fid02

Stewart The real advantage would be to have a real unique password, changing over time, in general whether we want it or not, we very often choose a pin, password on things that define us whether close or far.
For the pin it can be a postcode, date of birth, lucky number etc and for the password it's not much different, it can be guessed if you know a little about the person.

A simpler approach to tackling that issue would be to include a PIN and password generator in the OS when the user is setting up their device credentials. That could encourage the usage of a randomly generated 6-digit PIN or a diceware password. Admittedly, the people that choose 1234 as their device credentials might not care about being presented with a user-friendly generator. But I'll hazard a guess that the same people are also highly unlikely to enable a "dynamic password" feature, as proposed in this thread.

leafnose You don’t have to enter your password while doing a 360 in order to avoid the cameras any more, or 1080 in my case since I’m too slow with the keyboard.

Let's imagine for a moment that the proposed feature is included in GrapheneOS. Inevitably, it becomes public knowledge that a mobile OS is shipping such functionality. Consequently, anyone with this knowledge who is looking over the shoulder of someone who is using this feature and is entering their "dynamic password", would quickly deduce that the person being observed is using the feature to unlock their phone.

Let's say that my "dynamic password" is matrix_is_p**p${hh}_${mm}@${DD}-${MM}-${YYYY} which at the time that the knowledgeable observer observes that I'm unlocking my phone is matrix_is_p**p_13_59@23-08-2024. The observer has shoulder-surfed what I'm typing, deduced the enabled feature, and concluded that they only need to remember what I typed before "13" because, when they grab my phone later, they can input "matrix_is_p**p_" and then use the publicly known formula to input the rest.

The observer does not need to be a sophisticated or experienced attacker. A person such as myself, who possesses no advanced technical knowledge, could do it very easily. All they need is to know about the feature.

Sure, a "dynamic password" feature could protect against an observer that has no prior knowledge of the feature. But basing a security feature on the hope that users will not be observed by an informed attacker does not seem to me to be a prudent approach to protecting users against real-life harm.

nnad

fid02
I guess it is the user's responsibility to create a non-obvious pattern, if they were given the proper tools (modifiers)
For example the if we are 09:13 23/08/2024.

The pattern does not have to be matrix_is_p**p${hh}_${mm}@${DD}-${MM}-${YYYY} because that is too obvious.
The user can distribute the variables in the password, for example ${YYYY}matrix_is_p**p${hh}@${DD}-${MM}-${mm}

Also, we don't have to use the values of date/time/battery as is. We can introduce some modifiers, as offset(add or subtract), multiple, reverse, and so on. We can also allow separating of fields, for example, instead of using minutes as a whole (${mm}) we can split it into ${m1} and ${m2} (in our example m1=1, m2=3)

We can also say that ${m1+2} syntax will add 2 to the first minutes value.

We can create a pattern like this: ${h1+3}_passw${m2}rd${h2}_${m1+5}

The password will be 3_passw2rd9_6 which will be hard to guess what is the origin of these numbers

leafnose

fid02
First, let me say that I’ve appreciated a good number of your contributions to the forum, but I don’t follow you if you really think it was necessary to explain the obvious, to me or to OP.
Also, it seems you used my tongue-in-cheek answer to your half-rhetorical question as a trigger to explain what you wanted to explain since the beginning; always expect a laconic reply to a laconic comment.
By doing so, you have triggered the fool in me, so I’ll go deeper in this discussion.

While I agree to the obvious part of your comment, it was only answering a small part of OP discussion request.
Neither @nnad nor I took the idea of the simplest time pattern seriously. If you reread my first message, the part directed towards OP clearly shows my scepticism towards this kind of approach when more elaborated (i.e. with modifiers and non-time variables) whereas I don’t even bother talking about the most basic one.
More importantly, it was also quite evident that OP deemed the basic one as ‘being obvious’ – he explicitly said it! Moreover, the three links posted by OP mention or explain modifiers, and the last also include the battery level variable.

[…] public knowledge that a mobile OS is shipping such functionality. Consequently, anyone with this knowledge […]
[…] knowledgeable observer observes […]
[…] then use the publicly known formula to input the rest. […]
All they need is to know about the feature.
[…] could protect against an observer that has no prior knowledge of the feature.
[…] on the hope that users will not be observed by an informed attacker […] against real-life harm.

I do strongly disagree here.
First of all, you are arguing against a single ‘publicly known formula’, but that has never been the subject, since OP straightforwardly talked about possible customisations and modifiers in his first message.
Secondly, if tomorrow you were wearing a white t-shirt with ‘24.08.24@14:45’ printed on it in big characters while walking past hundreds of people in the street (or standing on a stage) – scrutinising you like a pickpocket would do – at this exact time during one long minute, you can be sure that many if not most people will realise the surprising coincidence, and this, to the minute level.
A greater number of people will only see the date of the day, it would only be a matter of time (pun intended) then for most.
Now, to be fair, let put simply ‘2408241445’ (or the usual order in your country) on your white t-shirt: I’ll concede that possibly far fewer people will be struck at first, but then again, if it’s their job as it is for the smartphone snatcher, many will eventually get it.
All this to say that, in my opinion, it doesn’t even have to be public knowledge for it to be a poor choice; we have quite a certain power of deduction. Furthermore, many people have already thought of this kind of password trick; probably even more so since one-time passwords are mainstream.
But to concur with you, I’ll say that even in the case of multiple possible formulae, as long as they’re publicly known (hardcoded choice), it would not be prudent to use them.

Given that you concluded with protection ‘against real-life harm’, let us consider the following thought experiment:
You have set up a dynamic password based on time, not with the basic formula, but with just a tad bit more sophisticated one, with one or two modifiers, to make it less obvious.
You’re in a grocery store, large enough for it to have a dedicated security guard watching all the livestream cameras footage. Then, for whatever reason, you have to unlock your phone in the store; it would be too annoying to interrupt your errand in order to get out, and your fingerprint sensor is out of the question, either because your phone is in a BFU state, or because it is not reliable enough.
But no luck, the watchman is crooked and is working with a bunch of snatchers, and he already had eyes on you…
Let me be clear here: this is nothing far-fetched in many places of many countries.
Often, snatching involves time critical actions, and many stealers wouldn’t feel at ease keeping a phone for more than a few hours or a day.
It is maybe not the most relevant video, must some parts of it are:
iPhone Thief Explains How He Breaks Into Your Phone | WSJ

Taking the example from the video (iPhones are not widely available or popular in all countries), if a thief is doing five to ten phones a night, there is a good chance that he’ll just go to next phone after some failed attempts, and eventually resell it, the buyer having no idea of the filmed password. However, there might be a chance that the thief sense there’s a big haul at stake with your phone; in this case, the sophistication of your password pattern will be tested; still, the clock is still ticking, and he’s still in a hurry.

Does it seem like an unlikely scenario to you? I would dare say that it’s one of the most common real-life scenarios for most of us, long before any kind of law enforcement involvement, which wouldn’t be in a hurry most of the time, let alone three-letter agencies.
But that’s not all, even in the case of LE implication, some information on your phone may only have a value for a limited time (e.g. password to a distant server). Not all law enforcements are on the cutting edge of this kind of stuff, and not all will be able to cause you harm in time – and rubber-hose cryptanalysis is not always relevant.

I believe that all of the above in my response is circumscribed within the intended discussion by OP.

Now, to stay on this subject, but in a broader perspective, just an idea.
What about using the method of loci to divide each day of a year in two parts, that is, 00:00-11:59 and 12:00-23:59? So it would involve memorising 730 variables; that can be a word, a word combination or a word-number combination for instance. Again, not really far-fetched, that is mostly a feat possible through training, and for sure, it is already applied in some ways.
https://en.wikipedia.org/wiki/Method_of_loci
Obviously, the simpler the variable is, the more brute-force prone it would be.
The 730 variables would be fed to a secure and encrypted database used by the password app.
In this case, the outward formula would be known, but not the words.
From then on, the adversary would either have to wait one year, or to modify clock time to get to the right time for which the variant is known – that’s maybe easy, I don’t know, but again, it may be time critical.
Let spice things up and let use a correspondence table in order to use another calendar than the Gregorian one, like a fictional one or a real one with a total of days different from 365 days.
That’s getting far-fetched, but I think it’s closer to what @nnad wanted to discuss.

Maybe some cypherpunk thought experiment will contradict me and show some possible fallacies uttered by me; in the meantime, that’s my take.
For the technical aspect, which will probably have the last word, I’m all ears; I wouldn’t be surprised if it’s simply not achievable within the current architecture.

xmachina

This idea sounds great at first, and I applaud you for thinking critically about your security, but this idea doesn't provide the kind of protection you think it will. It will protect you from nosy family members for a time, but any medium-to-advanced attacker will research you before attacking. In that research, they will find this feature, and then they will employ it to crack your password like this:
"Hmm, this 'Graphene' has a feature to use variables in the password. So now, for every number, I'll add a test to use permutations of the month/day/year/time/etc with it."
And if they have a password they phished or shoulder surfed, they still have you. It may just take two more minutes.

The reason this idea doesn't work is because it's based on security by obscurity, and any slightly motivated attacker will do at least basic research, which will unearth this, which will neutralize its effect. Even a nosy family member could get curious and figure it out. This is why it's good to both check around you before entering your PIN/password as well as changing it regularly.

nnad

xmachina So now, for every number, I'll add a test to use permutations of the month/day/year/time/etc with it.

We can also use letters. User should be able to customize the mapping, i.ie map a value or range of values to a letter or word.
Example: For days in the week, user can use m for Monday, t for Tuesday and so on. OR make another mapping as a for Monday (A is first letter in alphabet and Monday is first day in week), b for Tuesday and so on. We can do the same with month's name.
For hours, we can map 24 hours to the first 24 letters in alphabet, or map to the first letter in the number, o for one, t for two, e for eleven...
This can increase number of trials to know the formula because many numbers can map to same letter. i.e. 2,3,10,12,13,20,21,22,23 will map to letter t, 4,5,14,15 will map to letter f....
So letter t may stand for any of 2,3,10,12,13,20,21,22,23, Tuesday, Thursday and it take extra effort to know what t stands for (maybe we have multiple ts in our password/mapping which will increase the possibilities).

For minutes we can use range mapping, in numbers or letters

[0:15] -> 1 OR f (stands for first)
[16:30] -> 2 OR s (stands for second)
[31:45] -> 3 OR t (stands for third)
[46:59] -> 4 OR f (stands for fourth)
Or we can map them in other way,
[0:30] -> p (stands for past)
[31:59] -> t (stands for to)

So, user can define mapping between letters and numbers to have better password.

JayJay

If you think about it, you would actually be better off and more secured by changing your password daily instead. Skip HHmm and use mirrored dates or another complex pattern.

As others mentioned this feature protects you only from family members and alikes. If launching such feature then it means everyone would know about GrapheneOS having this feature and combined with a snap or 2 from surveillance camera and its gameover.

The pw change takes you less than 60sec to perform daily. And even if you missed a day or two in your life it won't be end of the world.

fid02

leafnose First of all, you are arguing against a single ‘publicly known formula’, but that has never been the subject, since OP straightforwardly talked about possible customisations and modifiers in his first message.

Quite honestly, I did not understand from the first post that customizing modifiers is an element – and the key factor – to OP's suggestion. Perhaps I did not read the post carefully enough, or perhaps my understanding of English is just not up to par any longer. I appreciate the response from the OP to my post, which to me clarified the feature suggestion at hand, and also made it clear to me that my previous post is quite irrelevant to the discussion.

I also did not see your reply to my first post as tongue-in-cheek, so I took it at face value.

My first post was apparently interpreted as me having made up my mind on my opinion of the feature suggestion. I'm rather interested in hearing substantive arguments, which I think has been provided now.

leafnose

nnad
I see several issues.

Could you provide an example of a string that you would deem secure enough?
You don’t have to explain in detail the pattern, just indicate which part is the fixed password and which part (or parts) is the variable password. Also tell how much time the string would be the current active password.

nnad

leafnose
The pattern is:
^N53${mm+8}m@R${h1:alpha1:}${w1}&H@d${D2+1}
and it changes every minute.

Assuming Now it is Wednesday 01:45 PM 28/08/2024

Password now:
^N5353m@Row&H@d9
After 5 minutes (01:50 PM)
^N5358m@Row&H@d9
After 10 minutes (01:55 PM)
^N5363m@Rtw&H@d9
Tomorrow At Thursday 01:45 PM 29/08/2024
^N5353m@Rot&H@d0

My idea was to use the normal user's password and add to it some variables to improve it. Of course the user has to change the password every now and then, as they should in normal flow.
Maybe This dynamic password can be used in 2nd factor pin in fingerprint unlock, not the main password used when devices is at rest or lockdown.

leafnose

nnad
The four passwords have an entropy between 64 and 74 bits. Isn’t that a bit too low?
And if somehow the adversary determines which part is the invariable part, it can get as low as 43 bits, based on the examples.

Moreover, the first one, assuming it’s the one being watched, will be the starting point of any attempt. If brute force is involved, I don’t see how it would hold for a whole minute – and each failed attempt should teach something regarding the pattern.
Also, some people or some algorithms could very well decipher the pattern, or at least reduce the range of possibilities used in a brute force attack.

Then, if the clock can be manipulated, even in the case they cannot go back in time, they still would be able to freeze the time and take as much time as they need to find the password of ‘Tomorrow At Thursday 1:45 PM 29/08/2024’.

It still could be helpful against the typical smartphone snatcher.

I’m just guessing here; perhaps someone more knowledgeable about brute force and deciphering will chime in.

Maybe This dynamic password can be used in 2nd factor pin in fingerprint unlock, not the main password used when devices is at rest or lockdown.

That could help, even if there’s only five attempts possible. But if they’re using the fingerprint, your fingerprint, are you sure you’ll be mute?