Do we need face ID on AW ?

[usagora]

I'd take that website with a grain of salt, other websites show different results for a 10 digit numeric passcode. The FBI paid a million dollars for a company to crack a 6 digit numeric passcode on an iPhone 5C and it took a lot longer than 3 seconds.. You have to defeat the 10 attempt passcode or erase all contents first to use brute force. Apple is constantly patching vulnerable ways to attack the phone so I guess if the government wants into your phone it's different than some random guy that stole your device... 10 digit numeric passcode is way more secure than what 98% of iPhone owners use.

So the difference must be the hardware. Because I've always, always read that security experts recommend long, randomized passwords containing all categories of characters (upper, lower, special, and number) when it comes to websites and such. So I'm guessing a 6-digit code on an iPhone is far more secure than a 6-digit password on, say, PayPal. Somehow I doubt it would take a million dollars to crack a 6-digit password on a website.

 

[usagora]

or is there some interface to tap into that I am not aware of?

That's what I was wondering when I asked is it possible to brute force an AW.

 

[BugeyeSTI]

So the difference must be the hardware. Because I've always, always read that security experts recommend long, randomized passwords containing all categories of characters (upper, lower, special, and number) when it comes to websites and such. So I'm guessing a 6-digit code on an iPhone is far more secure than a 6-digit password on, say, PayPal. Somehow I doubt it would take a million dollars to crack a 6-digit password on a website.

Yes a alpha numeric 10 digit passcode is way harder to crack. For example 1#a3/D&5=s would take the best software/computer over 600 years to crack (using the website you listed)

 

[Apple fanboy]

Yes a alpha numeric 10 digit passcode is way harder to crack. For example 1#a3/D&5=s would take the best software/computer over 600 years to crack (using the website you listed)

Of course it isn’t! Here are the (Hollywood) proven methods.
1. All you have to do is look at the books on the bookshelf of the person’s computer you are trying to crack.
Example. You have The Lord Of The Rings on your bookshelf. Your password is Frodo.
2. Is there a photo on the desk? Are they with someone or at a particular place? That’s the password.
3. Is there a pet. What’s the pets name? That’s the password.
4. Wife’s DOB.

 

[rui no onna]

So the difference must be the hardware. Because I've always, always read that security experts recommend long, randomized passwords containing all categories of characters (upper, lower, special, and number) when it comes to websites and such. So I'm guessing a 6-digit code on an iPhone is far more secure than a 6-digit password on, say, PayPal. Somehow I doubt it would take a million dollars to crack a 6-digit password on a website.

[0-9] 4 digits = 10^4 = 10,000 combinations

[0-9] 6 digits = 10^6 = 1,000,000 combinations

[A-Z] or [a-z] 6 characters = 26^6 = 308,915,776 combinations

[0-9A-Za-z] 6 characters = 56,800,235,584 combinations

Of course, password crackers often try words in the dictionary and this makes brute force easier.

As for security on websites, I believe a lot of financial sites normally lock the account if there are too many incorrect password attempts.

On the iPhone and Apple Watch, there's an increasing time delay whenever you input the incorrect passcode and the device can be setup to erase itself after 10 wrong attempts.

 

[iamasmith]

I'm guessing that any form of camera on an Apple Watch is something that their product management folks would have to consider long and hard.
Any accusations that the watch (or any other smart watch for that matter) could record photos might result in bans on smart watches generally in swimming pools etc. and the fitness features would suffer badly.

 

[ApfelKuchen]

and I assume you know this already, but you are not limited to 4 digits on AW, mine is actually 10 ...

You don't have to assume, I'll be specific. I was referring to the possibility that Apple would change the default Watch passcode from four to six digits. Humans being what we are, most would go along with that new default without hitting the Passcode Options link to select something either longer or shorter than six (as we did when iPhone/iPad moved from a default of four to six digits). Effectively, that would be an immediate upgrade to the device's security with little more than a tweak to the program code. No need for new biometric sensors.

The odds of correctly guessing a four-digit code are 1 in 10,000. The odds of correctly guessing a six-digit code are 1 in 1,000,000. The odds of a false-positive on Touch ID are 1 in 50,000 (more secure than a four-digit code, far less secure than a six-digit code). The odds of a false-positive on Face ID are 1 in 1,000,000 (equal to a six-digit code).

So... simply changing the default to six digits is as good as adding Face ID, and far better than adding Touch ID. No extra-cost sensors. No trying to find a way to jam all those Face ID components into something the size of a watch face (imagine, a Watch with a Notch - that phrase would go viral faster than you can say "Steve Jobs.")

Real-world security measures are always a balance between convenience and security. Make security too burdensome and a fair percentage of people will go without security. Punching in a passcode every time you pick up a phone or iPad quickly becomes burdensome. Biometrics remove some of that "friction," which makes it more likely people will actually secure their devices. Unlocking a Watch is far less frequent, as it only needs to be unlocked when affixed to the wrist (so long as it locks when it loses skin contact, which it does). Lower friction = less need for "lubricant."