Do you really need a long pass code on Android?

Google Team

23 days ago

Do you really need a long complicated pass code on Android?

Traditionally, IT admins applied similar pass code requirements to Android devices as with server and desktop operating systems. However, this approach can be excessive and unnecessarily restrictive. Unlike laptops or desktops, where unlocking grants access to all user apps and services, Android operates differently.

As “Android is now the most common interface for global users to interact with digital services”*(1) with many organizations, from small businesses to large multinational corporations and government agencies, relying on Android devices to access sensitive company data, it’s important to understand the distinction. The key difference lies in how these operating systems handle app permissions. While server/desktop OS's typically consider all apps running within the context of the logged-in user account as fully authorized, Android operates with a more granular approach. Android apps are not inherently granted full authorization for all user actions.*(1)

This inherent security measure within Android mitigates the risk of malicious code exploiting the vulnerabilities of server/desktop OS's. On server/desktop systems, attackers often only need to execute malicious code with the currently logged in user's privileges to gain significant control. Android's more restrictive environment makes this type of attack more challenging.

Windows, macOS, and Chrome will typically use a username and password coupled with Single Sign-On (SSO) or Multi-Factor Authentication (MFA) that is tied to a corporate account to log into the OS. Android simply uses a PIN, pass code, or pattern that is not tied to a user’s LDAP or domain account to unlock the device. This separates the device unlock on Android by not having that tied to a corporate identity. This difference keeps an Android pass code to unlock a device separate from the user's account to access corporate services and applications.

In this way, the Android security model grants less power to users versus traditional OS's that do not require multi-consent models. The immediate benefit to users is that one app cannot act with full user privileges. The user cannot be tricked into letting it access data controlled by other apps due to the robust app sandboxing on Android.

So, do you really need a long pass code on Android if the unlock pass code is not tied to your corporate account? Let's consider some more interesting facts to determine if a long pass code is needed to protect an Android device.

NIST passcode guidelines: A shift in perspective

What does the National Institute of Standards and Technology (NIST) have to say?

The general password guidance from the latest version of SP 800-63b *(2) are listed below:

Pass code Length: Minimum 8 digits
Complexity (Special characters, uppercase, lowercase, number): No longer required
Pass code hints: Do not allow
Simple or known pass codes: Do not allow
Periodic pass code changes (every 90 days, etc.): Not required. Only force changes when a known compromise is detected.
SMS for MFA Codes: Do not use
Pass code guess prevention (Throttling): Implement

NIST’s updated requirements are a result of technology advances that prevent guessing a pass code. As an example, 8 digits without special characters, upper and lower case, and pass code changing requirements are no longer recommended. An 8-digit pass code of non-repeating numbers is now sufficient to provide very strong protection. On Android we actually changed our PASSWORD_COMPLEXITY_HIGH to 6 digits back in Android 12. Let's explore this a little more.

Rate limiting and password guessing

Android implements a very strong default rate-limiting capability, which imposes increasing delays after the 5th failed login attempt, culminating in a 24-hour lockout after 100 attempts. The benefit to a managed device is that Android Enterprise can limit the attempts to a specific number before a device wipe is triggered automatically. This helps prevent access to personal and company data.

Assuming that an Android device is properly managed with a limited number of failed pass code attempts, let's say 10 tries, enforcing a device wipe by policy renders an attack mostly infeasible. Even the latest version of the password-guessing USB tool, rubber ducky, is ineffective.

Now, let's explore a simplified explanation of what a hash is in this context. Imagine your pass code to unlock your Android device is "019283". Android has an "algorithm machine" (called a hash function, or algorithm such as SHA256) that takes that password and generates a unique string of characters that represents that specific data, such as "a5f4g6h7j8k9l0". This is the hash of your password. It looks nothing like your original password, making it virtually impossible to figure out your lock screen pass code "019283" just by looking at the hash. Additionally, reversing the hashing calculations is infeasible and the algorithms are created in such a way as to protect against a reversing calculation.

Now, every time you try to unlock your device, Android securely feeds what you type into the unlock prompt and puts it through the same hashing algorithm. If the resulting hash matches what is stored in secure hardware on the device, then Android knows you've entered the correct password and it unlocks. What is stored in secure hardware on Android is the hash of your pass code, not your pass code itself.

We have all seen the following image on social media, but it portrays incorrect data when it comes to Android. This table does not take into consideration that the attacker has successfully been able to capture the hash of the pass code. Extracting the hash of a pass code from a locked Android device's secure hardware is non-trivial and is extremely difficult, actually infeasible on Android.

Conclusion: Rethinking pass code complexity for Android

In conclusion, it is important to note that I have only covered a small portion of a very complicated topic that involves encryption, key storage, hashing, and rate-limiting in Android kernel and services. While anything is potentially possible, the reality of exfiltrating a hash from secure hardware is really not feasible or practical. Requiring a pass code that is long and complicated is not a factor in 2025 on Android. With the proper management policies, guessing a pass code to unlock a stolen or lost device should not be a concern any longer. Have a look at what your EMM provider options are when setting a pass code requirement and consider how you can make the user experience for your users better by not having to enforce long complex pass codes, it just frustrates users.

*(1) Android Security Model: https://arxiv.org/pdf/1904.05572

*(2) https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-63b.pdf

Updated 23 days ago

Version 4.0

Best practices

Security

Bigdogburr

Google Team

Joined May 29, 2024

View Profile

Community blog

Explore curated guides and tips from the Android Enterprise team and community members.

jasonbayton
Level 4.0: Ice Cream Sandwich
4 days ago
I'm liking NIST's newer guidance. I do not like the implementation of complexity buckets, which seem half-baked multiple years after introduction (since they were referenced). I'm hopeful that gets improved because until then I'm sticking to my 6-8 numeric complex default across all policies everywhere :)

Solid article, bring on that verifiable data Burr!
Moombas
Level 4.1: Jelly Bean
18 days ago
Alex_Muc There are so many ("funny") ways to provide the password directly on the place where it'S needed.
As you mentioned just post-its on the screen, table or keyboard. Under the keyboard, on the coffee machine,... Lockscreen pin at the backcover of a device and so on... Have seen so many of those possibilities as people get really creative on that but it's always a messing around with security which some people don't care about.

But especially regarding the 90days thing, i really would like to get rid of that in our company (this was mentioned on so many security posts in the past years already to not go this way) and instead would like to choose a really good password but as long as they force people to do this in a regular base (no matter which time frame they choose), people will choose easy passwords which can be easily changed like BlaBla1 -> BlaBla2 -> BlaBla3 ... Which also isn't a good way.
Bigdogburr
Google Team
19 days ago
Michel For sure too much to discuss here in comments, but that is the problem which I will be addressing in 2025. There is a ton of verifiable data on your question, the issue is that many do not know where to find it. Stay tuned as I have some exciting updates coming that will certainly provide access to the details of which you seek..... Mike.
Michel
Level 2.3: Gingerbread
19 days ago
Well, there is one thing Lizzie , sorry for cursing here but I'm confronted with the comparison with Apple very often when talking to customers.

The general idea is that Android is less secure than Apple iOS devices. I know that thats not the case, and both platform can be secured to the same level (When using trusted brands as Samsung or Google for your hardware). But I'm missing some knowledge about what it is that makes Android as safe (or safer) than Apple.

Where are the differences between those to? Where does Android excel in compared to iOS?

I know it might not be the best place to get the answer on this but it is something I come across very often h😂
Lizzie
Google Community Manager
19 days ago
Great to see you find this useful Michel. We got some more coming... plus, if you have any other security related topics you are keen to explore a little more (like the above), please do share them. 😀🔒
Michel
Level 2.3: Gingerbread
19 days ago
Interesting blog, thanks for sharing. Would like see more of this 😁
Alex_Muc
Level 2.3: Gingerbread
22 days ago

Bigdogburr wrote:
Periodic pass code changes (every 90 days, etc.): Not required. Only force changes when a known compromise is detected.
In the past, I have seen quite wild actions by people who had to change their passwords every 90 days. Especially when people were prevented from using “too similar” passwords, passwords ended up on pieces of paper. Some of them were pinned directly to a computer screen. 🤓
I am glad that various security authorities have moved away from this recommendation and instead recommend more complex passwords.

As a user, you don't necessarily know whether your own password for an account has been affected by a data leak. I think it's pretty good that Chrome warns you when logging in if it appears in a data collection. You can then change passwords accordingly.