I Don’t Lock My Devices

Go ahead, use it.

Let me start by saying that I really do care about my security. I have an elaborate KeePass setup full of 32-character-garbage passwords (yes, one password for each service, big and small) protected by a 45-character master password only known by my parents and I (you know, just in case). It takes me fifteen goddamn minutes to login to Gmail on a new computer, but that’s the price I’m willing to pay.

There’s all this talk about the new fingerprint sensor, and how vulnerable it is to attack. The biggest response is that this mechanism is not meant to offer watertight security to your device, but instead allows the user to offer a little security over no security.

I think it’s pointless.

A password-protected lock screen may prevent your friends from sending stupid messages to your contacts list, but if you want any shot at recovering a stolen device, a lock screen is the last thing you want. Let me explain.

There are plenty of stories of people recovering their stolen devices: usually it involves chasing down a moving dot on “Find My iPhone.” The perpetrator heads home after a successful yield, maybe plays a little Angry Birds, before eventually (hopefully) being caught by a couple guys with a laptop. But let’s think about this for a bit, what happens if that phone has a password-protected lock screen on it?

Scenario A: Locked iPhone

A clever thief has just finished up a breadth first search of the D train, hoping to find some lost iPhones. The past few days have turned up nothing but a few half-full Mountain Dew bottles and some spare change in Metrocard form, but today he’s gotten lucky — a shiny 64GB iPhone 4s, complete with a small ding in the corner and a Hello Kitty case to boot. Nice yield!

He takes out the phone and sees a lock screen. The 1 in 10,000 odds are playing much less in his favor, so he gives up after a few 0000s and 1234s. No Angry Birds today, instead, he’ll sell the phone for parts. The original data is safe, but the owner can say bye-bye to that phone for good. I heard Hello Kitty cases are easy to come by, though.

Scenario B: Jordan’s Missing Lock Screen

Entitled to a one-stop subway ride to Herald Square (walking 8 blocks can be such a drag), our second subject has left his iPhone on the train. Shortly after, the phone is recovered by our thief.

“Sweet, no lock screen!” our hero loudly proclaims in the middle of Union Square. He then toys around on the phone, checking out an inbox full of Tess’s Snapchats and seeing his victim’s Facebook profile. Poor sap’s got some funny statuses, though!

During this time, our second subject has logged into Find My iPhone on his Mac, and begins tracking the whereabouts of his stolen phone. He could play it safe and wipe it remotely, or he can play a little cat and mouse and try a recover the phone himself. He’ll offer the basketball team a couple slices of pizza for backup.

Our thief can, of course, still clear this phone and sell it for parts, but why? He’s already gotten access to the damn thing. Clear out a few apps and bam, he’s got himself a shiny new phone.

There are a few key differences between the two examples. (A) is safer from a privacy standpoint — your data is protected from unauthorized use, but you’ve lost your phone for good.

(B) is a little different. Our perpetrator can snoop around your device, but he’s being tracked while doing so. This gives you a fighting chance to recover your stolen device. You can still clear your device in a pinch, though, and keep out the bad guys.

What’s more important to you? Allowing unauthorized users to log in and play around on my devices gives me the ability to track them down before my iPhone becomes a paperweight. It’s not guaranteed that I can recover the phone by any means, but it gives me a better chance of doing so. Best part is that I can still wipe my phone remotely if I’m really concerned.

I don’t password protect my devices. This goes for every phone I’ve ever owned, and every laptop I’ve ever used (notable exception: work laptops, where sensitive data should never be accessed by someone else).

So if its just a device for personal use, I want the thief to be able to play around with it — snoop around a bit, there’s nothing too secret on there. Open up my apps, check out my contacts, and play my games while I track your sorry ass. I can always throw in the towel and clear it myself if you’re too stupid to.

Go ahead, use it. I dare you.