I don't see why the doubt. For me, an article from a credible website is "good enough" for this type of thing. Here's another source:

https://twitter.com/fmanjoo/status/700092451348942849
https://twitter.com/fmanjoo/status/700092718114975744

From what I can tell from the trail of assertions, this IS the source. And if you read the replies to his tweet, you'll see several challenges, asking for attribution. He has provided no answer, other than "Apple". I won't claim he made it up, but I'll ask if he was talking to someone in Apple who can't be considered an authoritative source.

And the reason for my doubt? The media, "credible" or not, gets things wrong. Frequently. Nearly every time I read an article about something about which I have personal knowledge, I see errors. So, I've learned to question un-sourced assertions. And if the source is cited, I sometimes check out the source itself. Not so often, I find the source is mis-quoted, or quoted out-of-context.

If I'm wrong, I'll accept that. But at this time, I don't see anything to support this assertion that has been repeated by Techcrunch and others.

Sorry, I can't get Tim Cook to meet you personally to tell you it's true. :)

Frankly, I wouldn't expect Cook to make a statement about this to anyone. But, I'll wait until someone with the authority to speak for Apple on-the-record, and the knowledge to provide a complete answer, before I'll accept it as confirmed.
 
It's always good to be skeptical. But there are 2 things to believe here, and it's not a stretch, since it's a very binary thing with little nuance. Is it technically possible for Apple to circumvent newer iPhones? It's a yes or no answer.

So that leaves the following claims:

1. Did Apple actually say this? i.e. Is the journalist lying or misrepresenting this? From the links above, 3 journalists said they did. Easy to believe Apple did actually say this.

2. Is the Apple rep lying, not in the know, or misrepresenting this? This is from Apple PR, if you know how Apple and the media work. This is the official answer from Apple. I'm inclined to believe it to be true because there's not much room for interpretation. Is it possible, even if technically difficult? Yes, says Apple PR.
 
Doesn't matter when the FBI gets their way and gets the backdoor they have been itching for.

They're asking to be able to brute force the passcode. With a four digit code that would be trivial. With enough characters (and making sure they are truly random, not something a dictionary attack will find) it would take supercomputers longer than the entire age of the universe to date to crack your password. Cracking via brute force is an exponential game, the longer the password the more benefit of time to crack you get. 26 character passwords for the win. I personally have a passcode well over 10 characters (won't say exactly how far over as I adjust my tinfoil hat ;-) ).
 
From what I can tell from the trail of assertions, this IS the source. And if you read the replies to his tweet, you'll see several challenges, asking for attribution. He has provided no answer, other than "Apple". I won't claim he made it up, but I'll ask if he was talking to someone in Apple who can't be considered an authoritative source.

And the reason for my doubt? The media, "credible" or not, gets things wrong. Frequently. Nearly every time I read an article about something about which I have personal knowledge, I see errors. So, I've learned to question un-sourced assertions. And if the source is cited, I sometimes check out the source itself. Not so often, I find the source is mis-quoted, or quoted out-of-context.

If I'm wrong, I'll accept that. But at this time, I don't see anything to support this assertion that has been repeated by Techcrunch and others.



Frankly, I wouldn't expect Cook to make a statement about this to anyone. But, I'll wait until someone with the authority to speak for Apple on-the-record, and the knowledge to provide a complete answer, before I'll accept it as confirmed.

I think I agree with you in that they wouldn't leave such a hole open.
But even if they did, knowing how Apple feels about the subject, I'll bet they'll have it all tightened up in the next processor they develop.
 
1. Did Apple actually say this? i.e. Is the journalist lying or misrepresenting this? From the links above, 3 journalists said they did. Easy to believe Apple did actually say this.

Actually, from the links above -- I think only one journalist said they did, in a tweet. Others are simply repeating it as "fact". Without attribution to a source, you can't decide whether he made it up, misrepresented it, or reported it accurately.

2. Is the Apple rep lying, not in the know, or misrepresenting this? This is from Apple PR, if you know how Apple and the media work. This is the official answer from Apple. I'm inclined to believe it to be true because there's not much room for interpretation. Is it possible, even if technically difficult? Yes, says Apple PR.

Before we can make this determination, we have to determine who in Apple actually made the claim. As far as I've been able to find, no one has actually provided attribution to an individual, technical document, or even press release.

Once you know who/what it is, you can easily determine if it's really an "official" answer. Whether it is actually true is another matter, as the "error 53" debacle has shown.
 
With all this going on and after reading this article, I've changed my password from the 6 digit passcode to the alphanumeric password. **** you government!
 
Before we can make this determination, we have to determine who in Apple actually made the claim. As far as I've been able to find, no one has actually provided attribution to an individual, technical document, or even press release.

Once you know who/what it is, you can easily determine if it's really an "official" answer. Whether it is actually true is another matter, as the "error 53" debacle has shown.

"Apple PR" said it. Seriously, that's how Apple works. There's no name. Just an official line through their contacts. It's not an "unnamed source", it's Apple.

I was just trying to answer your question of "Can Apple circumvent the Secure Enclave". The most official answer we are getting from Apple at the moment is "yes". You can choose not to believe it.

arn
 
"Apple PR" said it. Seriously, that's how Apple works. There's no name. Just an official line through their contacts. It's not an "unnamed source", it's Apple.

I was just trying to answer your question of "Can Apple circumvent the Secure Enclave". The most official answer we are getting from Apple at the moment is "yes". You can choose not to believe it.

OK, I'm going to ask you the same question that was posed to the guy that tweeted this....

What's your source? "Apple PR" doesn't mean a thing. Did they hold a press conference, where a representative said that? If so, when was it held, where, and who attended it? Were you there, or are you simply taking someone's word for it?

Or, did Apple issue a statement? If so, where is it?

If this is the official position of Apple, then where's their official statement?

I'll reiterate: Nearly every reference I've found to this claim is un-sourced, and the few that provide any source eventually trace back to this one guy's tweets. And, when he was challenged about the source of his information, he refused to respond, other than to just repeat: "Apple".

I choose to question this claim, and you as well, because you are essentially saying the same thing as the tweeter: "Apple said this", with no elaboration. I honestly don't understand why you accept it without question, and I don't know why you expect anyone else to accept it.

It's like me saying that "Apple PR" said the sky is green, and that if you don't believe it, that's your choice. I have absolutely nothing to corroborate it, but you'll just have to accept my word for it.
 
Doesn't matter when the FBI gets their way and gets the backdoor they have been itching for.
I'm worried about hackers and thieves. Apparently, it is possible to create a version of iOS with no password guessing penalty (says Tim Cook himself), so that's the weak link. I want a strong password just in case. As someone else said, this should also prevent the FBI from getting in, but they don't care about my phone.
 
You could use the wrong finger 5 times to disable Touch ID and force passcode entry.

After all you had "sweaty fingers"... ;)

It's actually three attempts for me. If it differs between devices, it might have something to do with how many fingers you've trained. More fingers trained, fewer retries before code is enforced. Just a guess, though.
 
Doing this since my ip5s, would like to see some stats on 80ms delay, number of digits and the time it takes to brute force it, also, can the 80 ms be ****ed with?
Already after 5 faulty attempts the delay is extended to some seconds and after about 7 or 8 faulty attempts to one hour, if I remember correctly.

If you choose a 6 position PW and at the same time the mode of alphanumeric plus special characters, then even brute forcing without delay would take 2-5 years - if you choose a secure PW using ALL of the several types of characters ...
 
Spaceballs-12345.jpg

Later in the scene

"12345? That's the password on my luggage!"
 
Apple themselves have described very well how to protect yourself:

There is an extensive 60-page description all about it:

https://www.apple.com/business/docs/iOS_Security_Guide.pdf


The relevant information is on page 12.
Every process since the A7 processor automatically uses encryption. And automatic erasure in case of brute force methods.

iOS 8 and later uses a second container which gives you more security.
But if you use the most secure password option that the A7 processor gives you, it might already be nicely secure....
 
I choose to question this claim, and you as well, because you are essentially saying the same thing as the tweeter: "Apple said this", with no elaboration. I honestly don't understand why you accept it without question, and I don't know why you expect anyone else to accept it.
Well, the site _is_ called MacRumors and not MacTruth.
 
But who wants to type in his password each time he has to unlock his iPhone?
People were already annoyed about having to log in once a day (or less) on websites
 
I was not aware that I could be compelled to unlock my phone via fingerprint but not passcode.
Yes, in the US at least the courts have found that you can be compelled to give up your fingerprint to unlock your phone. They equated it to giving up DNA. You however cannot be required to give up your passcode. Forcing you to give up something that is in your mind is a violation of your Fifth Amendment right not to self-incriminate.

Best thing to do is turn your phone off, that way it requires a passcode upon reboot.
 
Yes, in the US at least the courts have found that you can be compelled to give up your fingerprint to unlock your phone. They equated it to giving up DNA. You however cannot be required to give up your passcode. Forcing you to give up something that is in your mind is a violation of your Fifth Amendment right not to self-incriminate.

Best thing to do is turn your phone off, that way it requires a passcode upon reboot.
It would be easy to give users the choice in what circumstances they prefer "light mode" security and when "heavy duty" security.

For example, depending on time not having used it:
Thieves never try to hack instantly because they are normally on the run.
When you go to bed it is not a pain to be forced to use the "heavy duty" security.
Since the heavy duty mode is already now, and will surely stay, nothing more than an option: the persons already too lazy to tap some numbers and characters and complaining about it could still use the less-secure mode.
Or use one of the "codes" for dumb people like "0000" or "1234" and so on.... But they should not complain after their data were hacked.... :D
 
It's actually three attempts for me. If it differs between devices, it might have something to do with how many fingers you've trained. More fingers trained, fewer retries before code is enforced. Just a guess, though.
I think it might be 3 before you are prompted to use the PIN instead, but you aren't required to do it and could still use TouchID, but after 2 more (5 total) you are basically required to use the PIN and TouchID isn't an option at that point.
 
I think it might be 3 before you are prompted to use the PIN instead, but you aren't required to do it and could still use TouchID, but after 2 more (5 total) you are basically required to use the PIN and TouchID isn't an option at that point.

I double-checked and you're right - the passcode entry coming up after three failed attempts threw me off.
 
Great article, even with Apple doing what they can here we need to step it up in protecting our honeypots of personal information we carry around with us. Sad it's just one major consumer electronics company in the world that's standing up for customer privacy...doesn't seem to portend a very good future for personal liberty and the right to privacy in that regard.

Saw a poster mention 6 digits would take 11 hours to go through all the combinations (brute force) the way the FBI wants via a direct connection to the iPhone.

In order for this to be effective wouldn't you also need to secure your iCloud account in the same manner?

For it to be effective against the FBI, NSA etc. trying to brute force your phone (assuming they get through the courts) - all that convenient (i)cloud stuff has to go in the trash (be disabled). You would need to not be iCloud enabled with anything you don't want the Govt to have (Apple can give them access to all that via a warrant and would have no choice in the matter) and be backing up locally (not in iCloud) as well as syncing locally on your computer via iTunes.

I'm guessing this is one reason Apple didn't think this day was going to come...for 99% of the iPhone users out there the govt can get everything via a warrant and the user's iCloud data.

Now on the other side of things if the FBI / NSA etc. has access to your phone unless you have a really long alphanumeric password (not written down somewhere) they could just plug it in and brute force it in a couple of weeks (6 digits would be a half a day or so).

Basically if Apple loses in court it's going to be game over to have the option for true personal privacy (from govt access) of our devices.
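
A worked calculation for the brute-force estimates quoted in this thread (80 ms per attempt, "11 hours" for 6 digits), as an added example that is not part of any post. It assumes a constant 80 ms per guess with no escalating delay or auto-erase, and the alphabet sizes are constructed for illustration.

```python
ATTEMPT_MS = 80  # per-guess cost mentioned in the thread; assumed constant (no lockout, no erase)

# Constructed alphabet sizes for illustration (assumption, not from the thread).
ALPHABETS = {
    "digits": 10,
    "lowercase letters": 26,
    "alphanumeric": 62,      # a-z, A-Z, 0-9
    "printable ASCII": 95,   # alphanumeric plus symbols and space
}

YEAR = 365.25 * 86400  # seconds in a year


def brute_force_seconds(alphabet_size, length, attempt_ms=ATTEMPT_MS):
    """Return (average, worst_case) seconds to try every code of exactly `length`."""
    worst_ms = alphabet_size ** length * attempt_ms  # exact integer arithmetic
    return worst_ms / 2000, worst_ms / 1000


def min_length_for(alphabet_size, target_avg_seconds, attempt_ms=ATTEMPT_MS):
    """Smallest code length whose average search time reaches the target."""
    length = 1
    while brute_force_seconds(alphabet_size, length, attempt_ms)[0] < target_avg_seconds:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", YEAR), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (4, 6, 8, 10):
            avg, worst = brute_force_seconds(size, length)
            print(f"{name:18} len {length:2}: avg {humanize(avg):>22}, worst {humanize(worst)}")
        print(f"{name:18} needs length {min_length_for(size, 100 * YEAR)} for a 100-year average")
```
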
 
For it to be effective against the FBI, NSA etc. trying to brute force your phone (assuming they get through the courts) you would need to not be iCloud enabled with anything you don't want the Feds to have (Apple can give them access to all that via a warrant) and be backing up locally (not in iCloud) as well as syncing locally on your computer via iTunes.

Not to mention that the local backups of the phone would need to be encrypted. iTunes offers encryption for them as an option.

Another alternative would be to encrypt the whole disk with something like FileVault 2 (built into OS X), but then you'd also need to encrypt any backups of your computer you maintain - on a TimeCapsule, for instance. They remain unencrypted even if the computer's disk is encrypted, unless you specifically encrypt the backups too.
 
I was not aware that I could be compelled to unlock my phone via fingerprint but not passcode.
It is easy to force your fingerprint onto the sensor. So that way they have the ability to force you to unlock your phone.
They cannot "force" a passcode out of your brain.
 