
Stop Using 6-Digit iPhone Passcodes

Now that police agents can allegedly crack iPhones protected with passcodes made of six numbers, it’s time to use longer, harder to guess and crack alphanumeric passphrases.

How long is your iPhone PIN? If you still use one made up of only six digits (or worse, four!), you may want to change that.

Cops all over the United States are racing to buy a new and relatively cheap technology called GrayKey to unlock iPhones. Grayshift, the company that develops it, promises to crack any iPhone, regardless of the passcode that's on it. GrayKey is able to unlock some iPhones in two hours, or in three days for phones with six-digit passcodes, according to an anonymous source who provided the security firm Malwarebytes with pictures of the cracking device and some information about how it works.


A picture of an iPhone cracked by a GrayKey. Image: Malwarebytes

In September 2014, Apple made disk encryption the default on iPhone. In theory, that means that if your phone is locked and protected with a passcode, someone who gets their hands on it can’t read or extract the data from it unless they know or can guess the passcode. This change sparked the ongoing cold war between the FBI and Apple, which reached a fever pitch in 2016 when the FBI asked a judge to force Apple to unlock the iPhone of the San Bernardino terrorist.

To protect against these kinds of attacks, Apple has made a few changes in recent years. First of all, iPhones now require six-digit passcodes by default (but people who restored backups when upgrading to newer iPhones may still have four-digit PINs). Second, after a certain number of wrong guesses, iPhones are programmed to delay further attempts. Finally, there's even a setting you can turn on to wipe all data from the phone after 10 failed passcode attempts, as Apple's iOS security guide explains.

If GrayKey works as advertised, it means Grayshift has found a way to avoid these delays and just keep guessing passcodes.

That’s why security experts are suggesting people stop using passcodes of only six digits altogether.

Harlo Holmes, a digital security trainer at Freedom of the Press Foundation, said that the best choice is to use a passcode that’s between 9 and 12 characters and combines letters and numbers.


“People should use an alphanumeric passcode that isn't susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers,” Ryan Duff, a researcher who’s studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. “Adding symbols is recommended and the more complicated and longer the passcode, the better.”

To give you an idea of how vulnerable your passcode is, Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, did the math, assuming GrayKey can guess as fast as Apple says is possible in its iOS guide.

This means that a passcode made of 10 random digits (read: not something easy to guess such as 1234567890) would take as much as 25 years, and 12 years on average, for GrayKey to crack, according to Green's calculations.
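To make Green's arithmetic reproducible, here is an added example (not code from the article, from Green, or from Apple) that models the exhaustive-search time for different passcode policies and checks a candidate passcode against the advice quoted above. It assumes one passcode attempt costs about 80 milliseconds, the per-attempt key-derivation cost Apple describes in its iOS security guide; the page does not state what rate GrayKey actually achieves, so the figures are an upper bound on the attacker's speed under that assumption. The wordlist is a tiny constructed stand-in for a real dictionary.

```python
"""Brute-force time model for iPhone passcodes (added example, not from the article)."""

# Assumption: ~80 ms per passcode attempt, the per-guess cost Apple's iOS
# security guide describes for its passcode key derivation.
SECONDS_PER_GUESS = 0.080
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for the policies discussed in the article.
DIGITS = 10                 # numeric PIN
ALNUM = 26 + 26 + 10        # upper, lower, digits (Duff's minimum mix)
ALNUM_SYMBOLS = ALNUM + 32  # printable ASCII symbols added on top

# Constructed stand-in for a dictionary-attack wordlist.
TOY_WORDLIST = {"password", "summer", "iphone", "letmein", "qwerty", "welcome"}


def search_space(length: int, alphabet_size: int) -> int:
    """Number of candidate passcodes an exhaustive search must cover."""
    return alphabet_size ** length


def crack_time(length: int, alphabet_size: int,
               seconds_per_guess: float = SECONDS_PER_GUESS) -> dict:
    """Worst-case and average time to guess a uniformly random passcode.

    Average is half the worst case: on a uniform guess order the correct
    candidate is expected halfway through the space.
    """
    worst_seconds = search_space(length, alphabet_size) * seconds_per_guess
    return {
        "worst_seconds": worst_seconds,
        "worst_years": worst_seconds / SECONDS_PER_YEAR,
        "average_years": worst_seconds / SECONDS_PER_YEAR / 2,
    }


def meets_policy(passcode: str, min_length: int = 7,
                 wordlist: set = TOY_WORDLIST) -> tuple[bool, list[str]]:
    """Check a passcode against the quoted advice: at least min_length
    characters, upper + lower + digits present, and not a dictionary word
    dressed up with digits or symbols. Returns (ok, list_of_failures)."""
    failures = []
    if len(passcode) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in passcode):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in passcode):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in passcode):
        failures.append("no digit")
    # Strip digits/symbols and see whether what is left is just a word.
    core = "".join(c for c in passcode.lower() if c.isalpha())
    if core in wordlist:
        failures.append(f"alphabetic core '{core}' is a dictionary word")
    return (not failures), failures


def _fmt(seconds: float) -> str:
    """Human-readable duration for the comparison table."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    print("policy                 worst case")
    for label, length, alphabet in [
        ("4 digits", 4, DIGITS),
        ("6 digits", 6, DIGITS),
        ("10 digits", 10, DIGITS),
        ("7 alphanumeric", 7, ALNUM),
        ("9 alnum + symbols", 9, ALNUM_SYMBOLS),
    ]:
        print(f"{label:<22} {_fmt(crack_time(length, alphabet)['worst_seconds'])}")
    for candidate in ["123456", "Summer2018", "gT7kq2Lw9"]:
        ok, why = meets_policy(candidate)
        print(f"{candidate!r}: {'ok' if ok else 'rejected: ' + '; '.join(why)}")
```

Running the table shows why the article's advice jumps from digits to alphanumeric: at 80 ms per guess a six-digit PIN falls in under a day, ten random digits reproduce Green's roughly 25-year worst case, and seven mixed-case alphanumeric characters already push the worst case into thousands of years. The policy check also flags `Summer2018`, which satisfies the length and character-class rules but is a dictionary word with a year appended, exactly the kind of guessable passcode the quoted advice warns against.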

Of course, GrayKey is marketed only to police departments for now. It's fair to presume your average street phone thief probably doesn't have access to this kind of technology. Also, having to enter a long alphanumeric passcode is an inconvenience. Using the iPhone's biometric unlocking features, Touch ID and Face ID, mitigates that a bit, with the caveat that in the US, passwords have better legal protections than fingerprints.

As usual, it's a matter of threat modeling, so you'll have to balance convenience and security. But if you're at all worried that your phone might get seized by the cops, you should stop using six-digit passcodes.


If you want to change your iPhone passcode, here's how to do it.

  • Go to Settings.
  • Tap Touch ID & Passcode (you will have to enter your current passcode here).
  • Tap Change Passcode (enter your current passcode again).
  • Tap Passcode Options at the bottom of the screen.
  • Tap Custom Alphanumeric Code.
  • Enter your new passcode, which can now include letters, numbers and symbols.

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at lorenzo@jabber.ccc.de, or email lorenzo@motherboard.tv
