MacRumors

macrumors bot

If you change your iPhone's passcode and forget it soon after, iOS 17 has a new option available to help out. Specifically, it is now possible to reset an iPhone's new passcode with the previous passcode for up to 72 hours after the change is made.

If you enter an incorrect passcode, tapping on "Forgot Passcode?" at the bottom of the screen will lead to another screen with a "Try Passcode Reset" option. Tapping this option allows you to enter the iPhone's previous passcode and create a new passcode.

As a safeguard, an option in the Settings app lets you expire the previous passcode immediately so that it cannot be used to reset the new passcode.

As of the first beta of iOS 17, it is still possible to change an Apple ID account's password with an iPhone's passcode, despite a Wall Street Journal report in February highlighting instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device. In an interview with Daring Fireball's John Gruber last week, Apple's software engineering chief Craig Federighi said Apple has continued to "look at other ways to address this," but no changes have been made as of yet.

iOS 17 will be released later this year for the iPhone XS and newer, and it is currently available in beta with a free Apple developer account.

Article Link: iOS 17 Gives You 72 Hours to Undo an iPhone Passcode Change
 
Both this option and option to expire it immediately? Very well done. No sarcasm here. This is awesome.

Sometimes your memory will keep you hanging with the new passcode but your muscle memory will save you. And sometimes you need to do and enforce the change like a minute ago because of circumstances.

Well done Apple 👏
 
As of the first beta of iOS 17, it is still possible to change an Apple ID account's password with an iPhone's passcode,
Just read about a really good safeguard against this using Screen Time, actually. I'm having trouble remembering where I saw it, but the basic idea was that you can go into Screen Time > Content & Privacy Restrictions and then disallow Passcode and Account changes. Once you've done that, you can ONLY change your Apple ID settings if you know the Screen Time PIN, which is a 4-digit PIN you can make totally different from the PIN you unlock your phone with.

I just kind of battle tested my own phone to see what I could do with a piece of tape over the FaceID sensor, just using the unlock PIN. I can get into the phone, but my banking and credit card apps all need FaceID or their own unique password to get in. Same with Venmo. I'm not using iCloud Keychain, so there's no danger in anyone using my unlock PIN to get at those banking passwords -- they're saved in 1Password which requires either FaceID or its own (very long) password. The one remaining way for people to actually send money off my phone without FaceID is Apple Cash, which does not have a PIN option and which I don't believe can be protected with the Screen Time PIN from what I can tell. Kind of lame, but I'm not going to disable Wallet entirely.

It would suck to lose money, but honestly the HUGE thing here is not losing my entire Apple ID if someone PIN jacks my phone. I still feel like this is a fairly unlikely thing, but it feels good to have at least a layer of protection there.
 
As of the first beta of iOS 17, it is still possible to change an Apple ID account's password with an iPhone's passcode, despite a Wall Street Journal report in February highlighting instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device. In an interview with Daring Fireball's John Gruber last week, Apple's software engineering chief Craig Federighi said Apple has continued to "look at other ways to address this," but no changes have been made as of yet.

They need to get this fixed. They should make it that if you use a security key, you need that to change your Apple ID password.
 
instances of thieves spying on an iPhone user's passcode in public and then stealing the device in order to gain widespread access to the device.
They won’t be able to spy on a Vision Pro passcode.

If Optic ID fails, then you enter your passcode using the virtual keyboard which only you can see. The arrangement of the keys should change to prevent someone from guessing the passcode by looking where you’re pointing.
 
Great feature. I know kids play pranks on each other and do this. Got everyone's phone set up with screen time and Passcode changes to "Don't Allow". This removes the Face ID and Passcode from view in settings. I love it.
 
They need to get this fixed. They should make it that if you use a security key, you need that to change your Apple ID password.
There's a pretty good workaround for this.

Turn on screen time.
Under Content and Privacy Restrictions, Set Account changes to "Don't Allow".

Then when you go to settings, your name and profile picture at the top will be grayed out.

Screen time is awesome. I think people miss out a lot by not using it.

My kids hate it but I love it.
"I don't need your phone, I can put it in time out with my phone"
 
There's a pretty good workaround for this.

Turn on screen time.
Under Content and Privacy Restrictions, Set Account changes to "Don't Allow".

Then when you go to settings, your name and profile picture at the top will be grayed out.

Screen time is awesome. I think people miss out a lot by not using it.

My kids hate it but I love it.
"I don't need your phone, I can put it in time out with my phone"
I already have this done. The point is, I shouldn’t have to use a workaround.
 
How do mere mortals deal with all this password, PIN, passcode, keychains, biometric authentication stuff? I have no idea what all these things are and really can't afford to devote a good chunk of my life to trying to understand it like all of you appear to. The fact that it's so complicated actually lowers the security, because it's too hard to do everything 'just right'.

Since I can't figure all this stuff out, I use "Forgot Password" all the time! I can't remember all the passwords to all the services I use, and I don't trust a password manager, for all the reasons earlier posters have mentioned. If a master password is hacked, then everything is exposed. If one password is hacked, only that service is exposed.

I've been an Apple product user for over 30 years. The last 10 years have gotten so complicated that I don't even try to use most new features. Everything seems to need to have multiple configuration settings set in multiple places. And every iteration of the OS changes those places, so much that instructions on support sites reference settings and places which have been renamed or moved or simply don't exist. It's so hard that I don't even try.
 
Great feature. I know kids play pranks on each other and do this. Got everyone's phone set up with screen time and Passcode changes to "Don't Allow". This removes the Face ID and Passcode from view in settings. I love it.

There's a pretty good workaround for this.

Turn on screen time.
Under Content and Privacy Restrictions, Set Account changes to "Don't Allow".

Then when you go to settings, your name and profile picture at the top will be grayed out.

Screen time is awesome. I think people miss out a lot by not using it.

My kids hate it but I love it.
"I don't need your phone, I can put it in time out with my phone"
ScreenTime still has unpatched exploits leading to a reset of the iCloud password when using only iCloud e-mail, iCloud phone number and device passcode… because it can be chosen to authenticate using the same device passcode.

Maybe in iOS 17 it’s patched, iPadOS 17 seems to be the same…
 
Just read about a really good safeguard against this using Screen Time, actually. I'm having trouble remembering where I saw it, but the basic idea was that you can go into Screen Time > Content & Privacy Restrictions and then disallow Passcode and Account changes. Once you've done that, you can ONLY change your Apple ID settings if you know the Screen Time PIN, which is a 4-digit PIN you can make totally different from the PIN you unlock your phone with.

I just kind of battle tested my own phone to see what I could do with a piece of tape over the FaceID sensor, just using the unlock PIN. I can get into the phone, but my banking and credit card apps all need FaceID or their own unique password to get in. Same with Venmo. I'm not using iCloud Keychain, so there's no danger in anyone using my unlock PIN to get at those banking passwords -- they're saved in 1Password which requires either FaceID or its own (very long) password. The one remaining way for people to actually send money off my phone without FaceID is Apple Cash, which does not have a PIN option and which I don't believe can be protected with the Screen Time PIN from what I can tell. Kind of lame, but I'm not going to disable Wallet entirely.

It would suck to lose money, but honestly the HUGE thing here is not losing my entire Apple ID if someone PIN jacks my phone. I still feel like this is a fairly unlikely thing, but it feels good to have at least a layer of protection there.
Great summary of what can (and should) be done to better protect private data. Same approach. I set 2FA for (or disable at all) not only important accounts but also important apps on iOS: settings/passcode (Screen Time passcode), banking apps ("financial" PIN), iCloud Files (off, need it only on MBA), important Notes (passcode). I forgot (shame on me, thanks) about keychain passwords, where some important passwords are kept. Fortunately I need them only on my MBA so Keychain is off now (and turning on is protected by ScreenTime password).

Apple claims to focus on user privacy, but ... there's a lot to be done to make private data really secure.
 
How do mere mortals deal with all this password, PIN, passcode, keychains, biometric authentication stuff? I have no idea what all these things are and really can't afford to devote a good chunk of my life to trying to understand it like all of you appear to. The fact that it's so complicated actually lowers the security, because it's too hard to do everything 'just right'.

Since I can't figure all this stuff out, I use "Forgot Password" all the time! I can't remember all the passwords to all the services I use, and I don't trust a password manager, for all the reasons earlier posters have mentioned. If a master password is hacked, then everything is exposed. If one password is hacked, only that service is exposed.

I've been an Apple product user for over 30 years. The last 10 years have gotten so complicated that I don't even try to use most new features. Everything seems to need to have multiple configuration settings set in multiple places. And every iteration of the OS changes those places, so much that instructions on support sites reference settings and places which have been renamed or moved or simply don't exist. It's so hard that I don't even try.
It's not that bad if you apply some rules, e.g.:
- divide passwords into 2-3 groups: 2-3 critical passwords (banking, AppleID, etc. - only in memory), tens/hundreds of less important passwords (forums, etc. - password manager)
- same for pin/passcode - one sequence for iOS, one for financial stuff (credit card, banking app).
 