These devices have existed nearly as long as the iPhone has and you guys are just now becoming aware of them. You should see what's been done on other platforms. FileVault can be broken fairly quickly too and is. If you only knew the extent of the capabilities within the forensic community.

So you keep saying on every single security thread... It's somewhat wearisome.

You don't need to know squat about what's being done on other platforms to realise that a 6 digit passcode isn't secure. Try using your uber hacking techniques to brute force a proper password. Then we can talk.
 
So you keep saying on every single security thread... It's somewhat wearisome.

You don't need to know squat about what's being done on other platforms to realise that a 6 digit passcode isn't secure. Try using your uber hacking techniques to brute force a proper password. Then we can talk.

I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.
 
Just changed to an alphanumeric passcode. Not that I don't trust law enforcement with search warrants, but I know it's only a matter of time until one of these devices falls into the wrong hands.
 
On reading this I have just added a 7 to the end of my current 123456 password.
Hopefully that should buy me a few days! :D

I liked this cartoon about passwords: https://xkcd.com/936/

It's true enough. What's frustrating is that a lot of places that require passwords enforce the silly rules about using numbers and so on and therefore continue to encourage people to use weak passwords, when you would be more secure with phrases.
 
I’d rather Apple make Face ID and Touch ID work correctly and more accurately! I still have a 4 digit passcode because Face ID is a hit or miss! If it doesn’t recognize my face I have to turn the screen off and back on for it to try again or make a motion of putting it down and raising it again.

Touch ID works much better but I have to relearn my thumb every so often on my 6s plus. My iPhone 5s was slower but worked more consistently than the 6s plus.

Also no easy way to use Face ID while driving. I could look straight ahead and drive while my thumb unlocked it and either use Siri or type by muscle memory. Face ID doesn’t recognize my 12 chins. And you have to stare at it for a second or so before it unlocks. Can’t do that when you need to stare ahead while driving.
 
I've seen 25 character mixed case with numbers of special characters cracked in under 20 hours. But keep telling yourself that kind of stuff is impossible if it makes you feel better.

Total and utter bull that can be brute forced.

And do you know why I know that (other than the mathematical impossibility)? Because anybody with that capability wouldn't be posting here.
 
Security is a cat-and-mouse game, and always will be. Someone finds a weakness, that weakness gets patched, and then another weakness is found. Saying the GrayKey will eventually be obsolete is a bit on the foolish side of optimistic. However, I'm sure there will be periods where Apple updates iOS and renders it inoperable for a while, until GrayKey finds a new exploit.

That being said, aside from it being able to bypass the failsafe mechanism for wrong password attempts, the actual method it employs to crack passwords seems pretty basic. There's definitely merit to having a longer, more complex passcode; it's up to each individual to decide what trade-off between security and ease of access they find acceptable.
 
GrayShift is headed by an ex-Apple employee who was an expert in iPhone security. I can't believe he hasn't been arrested. Oh that's right, his company was funded by the Deep State. My only question for this betrayal is "what was your price?". Just another way to herd the sheep toward biometrics. And your DNA kit is in the mail. But hey, don't worry your DNA won't be shared....

TIM!!! HELP!!!
 
Total and utter bull that can be brute forced.

And do you know why I know that (other than the mathematical impossibility)? Because anybody with that capability wouldn't be posting here.

I didn't say I personally have the capabilities. Those I work with certainly do and I've been part of cases in multiple instances where such tech was used to access a suspect device.
 
"With the release of iOS 9 in 2016 Apple switched from a four digit passcode to a 6-digit passcode as the default, making iOS devices more secure, but for those concerned about their iPhones being accessed either by law enforcement with the GrayKey or by a hacker with a similar cracking tool, a 6-digit passcode is no longer good enough."

Correction to the article...iOS 9 came out in 2015. iOS 10 came out in 2016.
 
No user should be using a numeric only passcode. It should be custom Alphanumeric. Period. Doesn't matter if you're doing something wrong or if you have nothing to hide.

Don't be ****ing lazy. Think of the children.


Well looks like Apple will need to update their device security documentation:

iOS Security Guide
https://www.apple.com/br/privacy/docs/iOS_Security_Guide_Oct_2014.pdf

page 11, paragraph 2, heading "Passcodes"
The passcode is entangled with the device’s UID, so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. This means it would take more than 5½ years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.

This may no longer hold to be true.
 
like this?
 

[Attachment: password1.jpg]
Meh. I only am concerned about protecting the data from the average person who might pick my lost iPhone from the street or someone who mugs me for it. Those types aren't going to have a device like this.

If things change and I suddenly become a public figure or otherwise am doing something that requires extreme security then I'll turn off Face ID and change my code to something that will take me several minutes and a few failed attempts every time.
 
HS. I am a math dunce but I am shocked by how steep the curve is for additional characters.

Also, I've been running an 8-digit numerical code. I guess I will go to alphanumeric and bump it up to ten.

Not really too complicated. In the case of just using digits, it’s just powers of 10 (10 digits, 0-9). So, if it takes ~92.5 days for 8 days, 9 digits is 10 x 92.5, which is ~925 days... 10 digits is 925 x 10, which gets us to the ~9250 days. Add 1 more digit and you get ~92500 and that's 260 years (we average out the attempts to half and that is now 130 years)! We could just reduce this to: (9.25 * 10^-6)^n = Days, where n is the number of digits.
 
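Added example (not part of any post in this thread): the search-time arithmetic behind the iOS Security Guide passage quoted above and the digit-by-digit estimate in the preceding post, using the guide's 80 ms per attempt. It assumes guesses run on-device at that fixed rate with no escalating delays and that the passcode is chosen uniformly at random; the function names and class labels are constructed for this illustration.

```python
ATTEMPT_SECONDS = 0.080            # per-guess cost quoted from the iOS Security Guide
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Passcode classes compared in this example (labels constructed here).
ALPHABETS = {"digits": 10, "lowercase+digits": 36, "mixed-case+digits": 62}


def exhaust_seconds(alphabet_size, length, attempt_seconds=ATTEMPT_SECONDS):
    """Worst case: every candidate tried once at a fixed on-device rate."""
    return alphabet_size ** length * attempt_seconds


def average_seconds(alphabet_size, length, attempt_seconds=ATTEMPT_SECONDS):
    """Expected case for a uniformly random passcode: half the keyspace.
    Human-chosen codes (dates, 123456) fall far earlier than this."""
    return exhaust_seconds(alphabet_size, length, attempt_seconds) / 2


def min_length(alphabet_size, target_years, attempt_seconds=ATTEMPT_SECONDS):
    """Shortest length whose average search time reaches target_years."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while average_seconds(alphabet_size, length, attempt_seconds) < target:
        length += 1
    return length


def describe(seconds):
    """Render a duration in days below one year, otherwise in years."""
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


if __name__ == "__main__":
    for label, size in ALPHABETS.items():
        for length in (4, 6, 8, 10):
            worst = describe(exhaust_seconds(size, length))
            avg = describe(average_seconds(size, length))
            print(f"{label:18} len={length:2}  worst={worst:>18}  avg={avg:>18}")
        print(f"{label:18} needs {min_length(size, 100)} chars for a 100-year average")
```

Changing `attempt_seconds` shows how much of the protection depends on the per-attempt cost rather than on passcode length alone.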
I would have to assume that Apple is complicit in this. When such devices have popped up in the past, they either only worked on older versions of iOS or Apple issued a software update that prevented the method from working any longer.

In this instance, the silence from Apple is deafening.
 