How to Create a More Secure Passcode on Your iPhone or iPad

Discussion in 'iOS Blog Discussion' started by MacRumors, Feb 18, 2016.

  1. MacRumors macrumors bot


    Apr 12, 2001

    Apple's iPhones have long been protected by numeric passcodes, giving iOS users a way to protect keep their devices safe from hackers and prying eyes. Over the years, passcodes have been supplemented by Touch ID, Apple's fingerprint recognition system, but the passcode is still the iPhone's main line of defense.

    A passcode is required to set up Touch ID, and Touch ID is automatically disabled after 48-hours until a passcode is input by an iPhone or iPad's owner. In the United States, passcodes are especially important because the law suggests that while law enforcement officers can require you to provide a fingerprint to unlock a device, the same is not true of a passcode.

    For a long time, passcodes were four-digit numeric codes by default, but with iOS 9, Apple began using a six-digit passcode as the default option. Six-digit passcodes offer 1 million possible combinations instead of 10,000, making a passcode harder to crack.

    Apple doesn't advertise it, but the iOS operating system offers an option to make your passcode even more secure through the use of an alphanumeric passcodes or custom length numeric passcodes. Alphanumeric passcodes contain letters and numbers. Both alphanumeric and custom numeric passcodes can be much longer than four or six digits.

    Click here to

    Article Link: How to Create a More Secure Passcode on Your iPhone or iPad
  2. dwaltwhit macrumors 6502


    Oct 25, 2013
    I was not aware that I could be compelled to unlock my phone via fingerprint but not passcode.
  3. thasan macrumors 6502a

    Oct 19, 2007
    Yes. So the best way is to switch off your phone if you don't want others to see (hopefully nothing illegal in your phone).
  4. DCYorke macrumors member

    Apr 7, 2010
    I would recommend using spaces instead of hyphens in the password, that way you don't have to switch keyboards while typing it in.
  5. jclo Editor


    Staff Member

    Dec 7, 2012
    Yep, good tip. No need to use hyphens. That's just now 1Password generates word-based password strings as a default.
  6. Trik macrumors regular

    Jan 18, 2011
    Washington, DC
    I'd love an app that when I removed my Apple Watch, it turned off thumbprint on all my devices and required the passcode.
  7. ArtOfWarfare macrumors G3


    Nov 26, 2007
    Battery Staple Horse Correct

    Also, I feel like 1234567 would be a better password on an iPhone than on a computer. Like, on a computer that's one of the first thing you guess. But on an iPhone, that would mean you went through the effort of setting up an alphanumeric password of custom length. And you chose what is generally regarded as one of the worst passwords possible.
  8. Black107 macrumors regular

    Jun 5, 2009
    If you spam the sensor with unregistered fingers 5 times, it will ask for your password regardless if you put the correct finger on it after the unregistered fingers. This would be less conspicuous than shutting your phone down. In a pinch you could also restart.
  9. obafgkm macrumors member

    Jun 2, 2006
    It is too bad that this isn't specified for the iPod Touch in the title. Nothing in the description excludes the iPod Touch (I know that the iPod Touch doesn't have TouchID, but this is about the passcode).

    The iPod Touch, the forgotten stepchild of iOS.
  10. Major Tom 74 macrumors newbie

    Major Tom 74

    Feb 13, 2016
    Doing this since my ip5s , would like to see some stats on 80ms delay, number of digits and the time it takes to brute force it , also , can the 80 ms be ****ed with?
  11. Jeremy1026 macrumors 68020


    Nov 3, 2007
    Doesn't matter when the FBI gets their way and gets the backdoor they have been itching for.
  12. KALLT macrumors 601

    Sep 23, 2008
    But as we've seen now, Apple might be able to override the brute-force prevention and a trivial password like 1234567 is one of the first things that a reasonable ‘brute-forcer’ will attempt. Computers are vulnerable to this already, because the hard drive is accessible and the encryption key is often derived from a password (at least that is the case with FileVault; you can just reboot into Recovery and try as often as you like).
  13. nt5672 macrumors 65816

    Jun 30, 2007
    That is up to you and I. Apple has stuck their neck out. Now the government is quietly trying to cut their head off. They only way they, the government win, is if you an I are silent and don't say anything. Now is the time to call and write and tweet, and make whatever noise can be made because next month will too late.
  14. iOSFangirl6001 macrumors 6502


    Aug 11, 2015
    An alternate title to this article could also be "EZ Ways to **** off the Feds" lol:rolleyes:
  15. boccabella macrumors member


    Oct 26, 2010
    In order for this to be effective wouldn't you also need to secure your iCloud account in the same manner?
  16. tedson macrumors regular

    Jul 17, 2002
    One other trick to make kracking tougher is to put a number or symbol between the 2nd and 3rd or the 3rd and 4th letter or the last and 2nd to last letter in each word. That makes using combinations of dictionary words much stronger.
  17. Porco macrumors 68030


    Mar 28, 2005
    Even simply switching from a digit-entry screen to the alphanumeric keyboard is better as gives less information away to anyone trying to gain entry, even if you left it with 4 digits as a passcode, because there are so many more possibilities on top of those constructed with some of the 10 possible digits, as well as the unknown length of the passcode (which is telegraphed immediately when you see 4 or 6 dashes on the screen).

    Obviously it's almost kind of academic, because if you bother to switch to alphanumeric you might as well use a better passcode than just 4 digits.
  18. ptb42 macrumors 6502a

    Oct 14, 2011
    You can do the math: 80ms * 10,000 attempts is 800 seconds, or 13.33 minutes. If you increase it to 6 digits, that's 80,000 seconds or 22.22 hours.

    However, the significance of 80ms depends on the iPhone model, or more specifically -- the processor. iPhone 5c or earlier used an A6 processor or earlier. iPhone 5s or later uses an A7 or later processor.

    The earlier iPhones (since the 3G, I think) with A6 and earlier enforce the 80ms per attempt by requiring the password to be run through PBKDF2 with enough iterations that it requires 80ms on the encrypted device. Each iteration, it does an operation that uses the device UID burned into the processor at manufacturer.

    The device UID can't be read directly. So, a brute-force attack on any other device but the specific encrypted iPhone would require brute force search of the device UID keyspace as well. The device UID is a 256-bit AES key, making this difficult in a reasonable amount of time, or at a reasonable cost.

    The later iPhones with the A7 and later added a Secure Enclave. This enforces a limit that changes with the number of consecutive failed attempts. The first 4 attempts, there is no delay. After that, it increases rapidly to as much as 1 hour after 9 attempts. The Secure Enclave even enforces this limit if the device is restarted (and presumably includes a power-cycle).

    Unless you choose an easily-guessed 4-digit passcode, it would take over a year to search the entire 10,000 key space, at 1 hour per attempt.

    You can find this in, on page 12.

    There have been unconfirmed claims that Apple says they could still compromise the Secure Enclave with a backdoor'ed iOS. But, that seems to contradict their security guide, and I can't imagine why they would go through all the effort to implement a vulnerable Secure Enclave. So, I'm waiting to see an authoritative citation.
  19. arn macrumors god


    Staff Member

    Apr 9, 2001
    Apparently it's possible even with secure enclave

  20. gnasher729 macrumors P6


    Nov 25, 2005
    Of course it matters. The FBI wants to install new software so that the phone doesn't wait longer and longer when you type in an incorrect passcode, and so that it doesn't erase the phone after 10 attempts. They still need to check 10,000 combinations with a 4 digit passcode (about 15-20 minutes), 1,000,000 combinations with a 6 digit passcode (a day), ... and 5 1/2 years for 8 digits + lowercase + uppercase letters.
  21. von franklin macrumors regular

    von franklin

    May 31, 2015
    if you don't want stuff to be seen on your phone do stuff face to face.
  22. ptb42 macrumors 6502a

    Oct 14, 2011
    Yes, this is the same trail of assertions I've seen earlier. It hinges on the contention that Apple can update the firmware for the Secure Enclave, and remove the enforced delay between attempts.

    But, I'm skeptical because I find it hard to believe that Apple would leave that door open. That would mean the A6 processor (and earlier) is actually more resistant to brute-force attacks on the combined device UID and passcode, due to the required iterations that require 80 ms.
  23. arn macrumors god


    Staff Member

    Apr 9, 2001
    This isn't speculation. This is Apple telling Techcrunch "yes, it's possible".

  24. ptb42 macrumors 6502a

    Oct 14, 2011
    No, this was Techcrunch claiming that Apple told them that.

    There was no attribution, and no source document.

    As you may remember, the "error 53" was "intended behavior", until someone at Apple other than a corporate mouthpiece investigated.

Share This Page