iPhone Security: Your Six-Digit Pass Code Is No Longer Safe

iPhones protected by a six-digit pass code may no longer be safe thanks to a cheap tool being marketed to police that can unlock a smartphone in just days.

Grayshift has developed an iPhone decryption device called GrayKey that can break through some devices in just two hours. Presumably, the device is able to skip Apple's imposed wait times between pass code attempts.

iPhone X
File photo: Apple is reportedly decreasing supply orders for the 2018 iPhones. REUTERS/Thomas Peter/File Photo

Anyone who has ever tried a friend's iPhone pass code knows that it locks after so many attempts:

Five incorrect attempts: one-minute lock

Six incorrect attempts: five-minute lock

Seven to eight incorrect attempts: 15 minutes

Nine incorrect attempts: one hour

Ten incorrect attempts: Delete all information (optional setting)

Thankfully, GrayKey is being sold only to law officials and requires a profile to even enter the site. Anyone wanting to sign up is required to submit personal and work details, including an organization URL.

Apple used to require only a four-digit pass code but bumped up the minimum to six in 2015, via iOS 9. Users are now also given the option to enter letters in a 10 letter/number pass code.

According to Johns Hopkins Information Security Institute cryptographer Matthew Green, cracking the old four-digit pass code can be done in around 6.5 minutes (the longest it takes is 13 minutes). A six-digit pass code is better, with an average of around 11 hours and a maximum of 22 hours, based on his estimates.

If you have the patience and memory to install a 10-digit pass code (just numbers, no letters), the average unlock will take someone almost 13 years to hack in.

Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):

4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)

— Matthew Green (@matthew_d_green) April 16, 2018

Anyone hesitant to install a 10-symbol pass code should be reminded that most of the time your iPhone will be unlocked by Face ID or Touch ID. However, any resets or updates will still require the pass code.

How to change your pass code:

  1. Go into the Settings app.
  2. Tap Touch ID and Passcode (Face ID and Passcode on the iPhone X).
  3. Tap "Turn on Passcode" or, if already on, "Change Passcode" (you'll need to enter your current pass code here).
  4. After entering your current pass code, Settings will ask for you to enter a new one. Below this, tap "Passcode Options."
  5. Here you will be given the options "Custom Alphanumeric Code," "Custom Numeric Code" and "4-Digit Numeric Code."
  6. Use either Custom Alphanumeric or Custom Numeric with plenty of characters to make your phone as safe as possible.