If you’re an iPhone user (or use any iOS device, for that matter), it may be time to consider using a stronger passcode.
In the wake of the San Bernardino terrorist attacks, Apple stepped up its iOS security protocols by enabling disk encryption by default, requiring a passcode to decrypt it (which is done every time you unlock your phone). Also, newer versions of iOS require a six-digit minimum unlock code, versus four digits on older systems.
However, a company called GrayKey recently developed a low-cost device that can be connected to any iOS device, promising to unlock it by brute force. Normally, when someone unsuccessfully tries to unlock an iOS device, it enforces a delay as follows:
- 1-4 tries: no delay
- 5 tries: 1 minute delay
- 6 tries: 5 minute delay
- 7-8 tries: 15 minute delay
- 9 tries: 1 hour delay
- 10 tries: Optional setting to wipe phone’s memory
The GrayKey Box allegedly bypasses this delay protocol, allowing the software to continually guess passwords until the phone is unlocked. So far the device has only been made available for sale to U.S. law enforcement officials.
Matthew Green, Assistant Professor of Computer Science at the Johns Hopkins Information Security Institute, did the math and worked out worst and average case scenarios, showing how effective the GrayKey box could be. A device with a four-digit passcode could be unlocked in mere minutes. Six-digit passcodes take a bit more time, but could easily be cracked in less than one day depending on how random the number sequence is.
Based on these estimates, iOS users should consider using longer and more complex passcodes that are at least 9 characters long. A ten-digit passcode could take anywhere from 12 1/2 to 25 years to crack.
Green acknowledged that using a combination of alphanumeric and special characters would add extra time to the decryption process, but said that simple swapping of letters for numbers (e.g. l33t instead of leet) would barely increase passcode complexity as it could still be easily guessed by the device.
Even if you choose to use numeric characters only, avoid easy sequences like 123456789 or 000000000.
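The estimates above can be reproduced with a short passcode strength check. This is an added example, not Green's own calculation or code from GrayKey. The 0.08-second guess time is an assumption back-derived from the article's 25-year worst case for ten digits, and the wordlist, dictionary size and function names are constructed for illustration.

```python
import string

# Assumption: 0.08 s per guess, back-derived from the article's 25-year worst
# case for ten digits (10**10 guesses). It is not a measured GrayKey rate.
SECONDS_PER_GUESS = 0.08
# Constructed sample wordlist and an assumed size for a real dictionary.
WORDLIST = {"leet", "password", "dragon", "monkey"}
DICTIONARY_SIZE = 100_000
# Common number/symbol swaps mapped back to the plain letter.
UNLEET = str.maketrans("013457@$", "oleastas")
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)


def keyspace(passcode):
    """Codes of this length over the character classes the passcode uses."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in passcode))
    return size ** len(passcode)


def is_sequence(passcode):
    """True for repeated digits (000000) or +1/-1 runs (123456, 987654)."""
    if len(passcode) < 2 or any(c not in string.digits for c in passcode):
        return False
    steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({0}, {1}, {-1})


def guesses_needed(passcode):
    """Worst-case guesses when easy patterns are tried before a full search."""
    candidates = [keyspace(passcode)]
    if is_sequence(passcode):
        # At most 10 repeats + 10 ascending + 10 descending codes per length.
        candidates.append(30)
    if passcode.lower().translate(UNLEET) in WORDLIST:
        # Each position is either the plain letter or its swap: 2**n variants.
        candidates.append(DICTIONARY_SIZE * 2 ** len(passcode))
    return min(candidates)


def crack_time_years(passcode):
    """(average, worst) years to find the passcode at SECONDS_PER_GUESS."""
    worst = guesses_needed(passcode) * SECONDS_PER_GUESS / (365.25 * 86400)
    return worst / 2, worst


if __name__ == "__main__":
    for code in ("4827", "482715", "4827159036", "123456789", "p@ssw0rd"):
        print(code, guesses_needed(code), crack_time_years(code))
```

Under these assumptions, `p@ssw0rd` falls to about 25.6 million guesses (roughly 24 days) even though its nominal keyspace is 68^8, while nine sequential digits fall within 30 guesses.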
To change your passcode:
- Go to Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X)
- Enter your old passcode
- Scroll down to Change Passcode
- Re-enter your old passcode
- To change the length and complexity, click the Passcode Options link above the virtual keypad and choose the type of combination you want.
- Enter your new passcode and save.