Ottawa police will return phones to suspect after 175M passcode guesses


How many times should investigators be allowed to guess the passcode of a locked cell phone belonging to a suspect? Certainly not 44 nonillion, a Canadian judge has now ruled.

Ontario Superior Court Justice Ian Carter was recently confronted with precisely this type of question when he was asked to rule on an application by the Ottawa Police Service to retain three cell phones from a suspect for two more years.

The police had held the phones for more than a year, having seized them in October 2022 under a warrant based on information that a Google account user had uploaded images of child pornography. The problem was that all three devices were protected by complex, alpha-numeric passcodes.

The court decision said that the investigators tried about 175 million passcodes in an effort to break into the phones. But the judge also heard that more than 44 nonillion potential combinations actually existed for each phone.

If we’re being precise, there are 44,012,666,865,176,569,775,543,212,890,625 potential alpha-numeric passcodes for each phone. According to Carter, this means that the police were asking to find a needle in a very large haystack.

Thus, the judge denied the application to retain the phones and ordered them returned or destroyed. Carter added that the investigation can continue without the phones – besides, Ottawa police have already made a formal request to obtain more data from Google.

“While it is certainly ‘possible’ that they may find the needle in the next two years (the length of the detention order they seek), the odds are so incredibly low as to be virtually non-existent. This is an important consideration when determining whether a further detention order is warranted,” said the judge.

The only way to recover a complex alpha-numeric passcode is through a brute-force process. That is what the forensic investigators tried to do.

The method employs specialized software and a dictionary of passwords. The latter features English-language words combined with numbers, and others that employ “leet speak,” a system of modified spelling that replaces letters with related numbers or special characters.

Those who use leet speak — it’s popular with gamers and hackers — would typically change “alert” to “@lert” and “fear” to “f34r.” More advanced leet speak replaces all of a word’s letters with numbers or symbols.

It takes about eight days to test 30 million passcodes from an existing password dictionary, the court heard. However, success depends on whether the sought-after passcode is included in the dictionary.

None of the attempts by Ottawa police to break into the phones of the suspect in their investigation proved successful, and the judge decided that was enough.

In his ruling, Carter also said that the court had to balance the property rights of an individual against the state’s legitimate interest in preserving evidence in an investigation.