New estimates from a security researcher suggest GrayKey, a digital forensics tool in active use by U.S. law enforcement agencies, is capable of cracking Apple’s standard six-digit iPhone passcode in an average of 11 hours.
Matthew Green, assistant professor and cryptographer at the Johns Hopkins Information Security Institute, said this morning on Twitter that with an exploit that disables Apple's passcode-guessing protections, a 4-digit passcode can be cracked in about 6.5 minutes on average, while a 6-digit passcode takes about 11 hours.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
The assessment assumes GrayKey uses an exploit that bypasses Apple's built-in brute-force protection, the "SEP throttling" in Green's tweet. iOS, enforcing the limit in the Secure Enclave rather than in the main operating system, delays passcode entry after repeated wrong guesses: the delays begin after four consecutive failures, at one minute before a fifth attempt, and rise to one hour from the ninth consecutive error onward. With that throttling intact, the one million candidates for a six-digit passcode would take more than a century to exhaust at one guess per hour, and the optional "Erase Data" setting wipes the device after ten failures, so the hours-long figures only hold if the delays are defeated.
With the release of iOS 9 in 2015, Apple changed the default passcode from four digits to six, which made iOS devices harder to brute-force. For those concerned about their iPhones being accessed by law enforcement with GrayKey, or by an attacker with a similar cracking tool, a six-digit passcode is no longer good enough.
Several security experts who spoke to Motherboard recommended an alphanumeric passcode of at least seven characters that mixes numbers, letters, and symbols.
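To make the tweet's arithmetic and the seven-character recommendation concrete, here is an added Python example; it is not code from the article, from Matthew Green, or from GrayKey's maker. It backs out a per-guess cost of about 78 ms from the tweet's 4-digit worst case (13 minutes for 10,000 guesses), extrapolates to longer numeric passcodes and to a 7-character passcode drawn from the 94 printable ASCII characters, and, for contrast, estimates the same searches with Apple's delay schedule left intact. The 5-minute and 15-minute intermediate steps of that schedule are an assumption taken from Apple's platform security documentation, since the article itself cites only the 1-minute and 1-hour points; the tweet's figures are rounded, so the outputs differ from it by a few percent.

```python
"""Brute-force time estimates for iOS passcodes (added example)."""
import string

# From the tweet quoted above: an exhaustive 4-digit search takes ~13 min
# once SEP throttling is bypassed. Every other figure here is derived.
FOUR_DIGIT_WORST_SECONDS = 13 * 60
SECONDS_PER_GUESS = FOUR_DIGIT_WORST_SECONDS / 10 ** 4      # about 78 ms/guess

DIGITS = len(string.digits)                                                  # 10
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates for a uniformly random passcode of this shape."""
    return alphabet_size ** length


def unthrottled_seconds(alphabet_size: int, length: int, worst: bool = True) -> float:
    """Search time once the Secure Enclave delays are defeated and guesses
    can be submitted back to back at SECONDS_PER_GUESS each."""
    guesses = keyspace(alphabet_size, length)
    if not worst:
        guesses /= 2            # expected position of the correct guess
    return guesses * SECONDS_PER_GUESS


def throttle_delay(attempt: int) -> int:
    """Delay in seconds iOS imposes before the given consecutive failed attempt.
    The 5th (1 min) and 9th+ (1 hour) points are from the article; the 6th
    (5 min) and 7th/8th (15 min) steps are assumed from Apple's documentation."""
    if attempt <= 4:
        return 0
    if attempt == 5:
        return 60
    if attempt == 6:
        return 5 * 60
    if attempt <= 8:
        return 15 * 60
    return 3600


def throttled_seconds(alphabet_size: int, length: int) -> float:
    """Worst-case search time with throttling intact, to show what the
    exploit buys the attacker. Ignores the optional erase-after-10 setting,
    which would end the attack after ten failures."""
    n = keyspace(alphabet_size, length)
    delays = sum(throttle_delay(i) for i in range(1, min(n, 9) + 1))
    delays += max(n - 9, 0) * 3600      # every attempt past the 9th waits an hour
    return delays + n * SECONDS_PER_GUESS


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Passcode policies to compare (name, alphabet size, length).
POLICIES = [
    ("4-digit PIN", DIGITS, 4),
    ("6-digit PIN (iOS default)", DIGITS, 6),
    ("8-digit PIN", DIGITS, 8),
    ("7-char letters+digits+symbols", PRINTABLE, 7),
]


def estimates():
    """Rows of (policy, worst unthrottled, average unthrottled, worst throttled)."""
    return [
        (name,
         humanize(unthrottled_seconds(a, n)),
         humanize(unthrottled_seconds(a, n, worst=False)),
         humanize(throttled_seconds(a, n)))
        for name, a, n in POLICIES
    ]


if __name__ == "__main__":
    for row in estimates():
        print("{:32s} worst {:>16s}  avg {:>16s}  throttled {:>16s}".format(*row))
```

Running it reproduces the tweet's table to within rounding (13 minutes, about 22 hours, about 90 days) and shows the two numbers that matter for the advice in this article: with throttling intact even the default six-digit passcode would take over a century to exhaust, and once throttling is bypassed only the alphanumeric policy keeps the worst case out of reach, at roughly 160,000 years versus under four days for eight digits.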
If you are already using Apple's standard 6-digit code and want to switch to a longer numeric or alphanumeric value, open the Settings app, go to "Face ID & Passcode" or "Touch ID & Passcode", enter your current passcode and tap Change Passcode.
Enter your passcode once more to reach the new-passcode screen, then tap Passcode Options. Choose either Custom Alphanumeric Code or Custom Numeric Code and enter your desired passcode, then re-enter it on the next screen to activate it. Either custom option also stops the lock screen from auto-submitting after a fixed number of digits, so the length of the passcode is no longer revealed to someone holding the phone.