The moment Apple fixes this in a release, assuming they do, which I was hoping 11.3 would do....... then I'll probably go back to 6 numeric codes.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iPhone Cracking Methods Like GrayKey Box Can Guess a Six-Digit Password in 11 Hours on Average
- Thread starter MacRumors
- Start date
- Sort by reaction score
The moment Apple fixes this in a release, assuming they do, which I was hoping 11.3 would do....... then I'll probably go back to 6 numeric codes.
I assume this device use brute force to try every possible combination to work out your passcode. I also assume it will start at 0-9 then A-Z then symbols (i think). If that is the case then using all symbols (or Z's if symbols not used) will mean your passcode takes longest to work out.
Anyone know the sequence used for symbols used? ie !@£$%^& etc etc
Anyone know the sequence used for symbols used? ie !@£$%^& etc etc
There's a much easier way for a thief to prevent remote wiping: simply remove the SIM.
Y'all storing atomic secrets in your iPhones? Please. A normal passcode is going to keep out the few people who might give a quarter of a crap about your Comcast login, your Snapchats and your secret porn stash.
If a government wants to know what's in your phone, they're gonna cut to the chase and demand that complex, randomized 12-digit nightmare of a password from you and hold you until they get it -- and/or subpoena your ISP, your telco and Apple itself to get what they want.
And if there are non-state Bad People that motivated to get what's on your phone, more likely they'll just scoop you up into a van in a parking lot one fine day, drive you somewhere out of the way, and do terrible things to you until you unlock that phone.
I mean, whatever, if it makes you feel better to have a passcode that supposedly takes years to brute-force, then by all means go for it. It's fun to pretend you're a secret agent or whatever, I guess. But don't be under the illusion that a determined attacker doesn't have other options.
And if you DO happen to own data that valuable, I'm gonna go out on a limb and say maybe don't keep it on a networked device you carry with you constantly?
If a government wants to know what's in your phone, they're gonna cut to the chase and demand that complex, randomized 12-digit nightmare of a password from you and hold you until they get it -- and/or subpoena your ISP, your telco and Apple itself to get what they want.
And if there are non-state Bad People that motivated to get what's on your phone, more likely they'll just scoop you up into a van in a parking lot one fine day, drive you somewhere out of the way, and do terrible things to you until you unlock that phone.
I mean, whatever, if it makes you feel better to have a passcode that supposedly takes years to brute-force, then by all means go for it. It's fun to pretend you're a secret agent or whatever, I guess. But don't be under the illusion that a determined attacker doesn't have other options.
And if you DO happen to own data that valuable, I'm gonna go out on a limb and say maybe don't keep it on a networked device you carry with you constantly?
Last edited:
They would probably thank you for telling them it's 13 characters.
That was posted several months ago when this device was first mentioned on macrumors.
But I have difficulty remembering my own phone number.
This is the funniest thread in a long time. Don't you all realise you are just average geeks with naff all on your phones anyone would have the slightest interest in. The self-importance is text-book Apple.
Why do you all think law enforcement will be after the contents of your phone? Honest to god that’s something I never think about as I have zero plans to be involved in any criminal activity.
Well, that settles. I'm changing my passcode to the last 10 digits of PI.
Using the middle part of PI here, easier to remember ;-P
The primary brute force protection (design the key derivation function with enough interations that it takes significant time to compute) wasn't cracked, otherwise it wouldn't take 6 minutes to crack a 4-digit code.
They were able to sidestep the additional protections, but those aren't enforced cryptographically but only in Apple's password entry routines. Apparently the "gray box" is somehow able to run its own cracking code on the device (similar to how jailbreak exploits are used) so it's not affected by the limited number of attempts.
Very cool. Looks like a fairly modern device... no headphone jack, thankfully! Apt font choice for "Status". The grommets suck, though - that's where the unit will break first and you have to return the whole box for cable replacement... Why not properly connectorize these two cables? Oh, it would drive the MSRP up by another $65, that's why. I may hold off until Rev 2.
Last edited:
Yeah, I'm sure a bunch of terrorists and cybercriminals are watching this website veeerrrry carefully for important secrets about cryptography.
Right, I've gone alphanumeric and with some pretty unpredictable special characters... and while I've never had much of a problem with FaceID recognition (some fails but nothing to grumble about), since changing FaceID has improved no end, no fails even at the most extreme angles - attempting to unlock without giving attention (bringing up the passcode/word option) unlocks the second I look at the phone to enter the password, that never happened before... probably fluke, but now that I want to be faced with entering the passcode/word (without having turned off FaceID in order to do so) it's just not happening
...shouldn't complain really haha!
...shouldn't complain really haha!
Must've been a bad password. 25 actually random characters would take much longer to crack.
[doublepost=1523917185][/doublepost]There's a risk of stolen phones being sold on the black market to someone who can crack them and break into bank accounts that way. I stopped using my phone for anything that stores my bank account number or similarly sensitive info a while back. I'm not going to trust a mobile device with that no matter what security they claim.
[doublepost=1523917268][/doublepost]
What I said above about criminals breaking into phones. The black market is sophisticated enough to have a whole process that stolen phones go through, giving a little profit to each person in the chain. I tracked one left in a taxi once and saw it go to a parking lot, then to some business front, then off to China.
Last edited:
I use a 28 character alphanumeric passcode. Nobody is going to hack into my phone, should it ever fall into the wrong hands, including the gubmint.
If you believe this story, not sure I do. Yeah get everybody comfortable again, that's playing chess. On the otherhand I don't really care if law Enforcement searches my phone, I'm not a dumbass
There are some people in this thread who think this is funny. I've had a coworker who had her identity stolen. It is a life changing event. She is not important. She doesn't have state secrets. She doesn't work for a vast organized crime ring.
So no, you don't need to be important to take security seriously. Hackers make money or simply have fun taking over accounts. Having your electronic identity stolen and accounts taken over is extremely time consuming to undo, very inconvenient, and expensive. And you never know if it is completely over.
Anyone getting access to your phone or your computer, as if they were you, then has access to your web history and email. With access to web history and email they can see all of the places you go to that have accounts. With access to your email they can take over any number of accounts that use email for password resets, even banking accounts. Some accounts won't even need the email password reset, if you have autofill enabled.
Think you're secure because you enabled 2-factor authentication? Nope, they've got the second factor...your phone, which is going to receive any SMS, call, or email needed for 2-factor authentication, and it will have the authenticator apps on it for time-based codes.
So even though nobody has any particular interest in targeting most of us, and odds are very low, the stakes on the other hand are extraordinarily high. It's certainly enough that I'm willing to have a code that's just a little bit longer, and with TouchID or FaceID you don't even have to enter it all that often. Also do the same practices on your tablets and home computers.
This is also why I hate the "if you've done nothing wrong, you have nothing to hide" argument. Wrongdoing has nothing to do with it. Everyone has something to hide--access to your critical accounts.
So no, you don't need to be important to take security seriously. Hackers make money or simply have fun taking over accounts. Having your electronic identity stolen and accounts taken over is extremely time consuming to undo, very inconvenient, and expensive. And you never know if it is completely over.
Anyone getting access to your phone or your computer, as if they were you, then has access to your web history and email. With access to web history and email they can see all of the places you go to that have accounts. With access to your email they can take over any number of accounts that use email for password resets, even banking accounts. Some accounts won't even need the email password reset, if you have autofill enabled.
Think you're secure because you enabled 2-factor authentication? Nope, they've got the second factor...your phone, which is going to receive any SMS, call, or email needed for 2-factor authentication, and it will have the authenticator apps on it for time-based codes.
So even though nobody has any particular interest in targeting most of us, and odds are very low, the stakes on the other hand are extraordinarily high. It's certainly enough that I'm willing to have a code that's just a little bit longer, and with TouchID or FaceID you don't even have to enter it all that often. Also do the same practices on your tablets and home computers.
This is also why I hate the "if you've done nothing wrong, you have nothing to hide" argument. Wrongdoing has nothing to do with it. Everyone has something to hide--access to your critical accounts.
Last edited:
Lots of words not much in way of proof that your system works. The resources put into getting data is proportional to how important it is for law enforcement, if the data exists then it can be retrieved if necessary. Especially if you are in custody. If you go through all that to protect your bootleg movies then your safe
But if it makes you happy...
"10 digits: ~9259days worst (~4629avg)"
Not sure if this is a theoretical estimate or they've been trying to hack a 1994 iPhone all this time.
Not sure if this is a theoretical estimate or they've been trying to hack a 1994 iPhone all this time.
The 10-try wipe option just isn't cutting it. I think it needs a Mission Impossible self-destruct setting.
Programmable runaway temp on the battery should do it. Put a little extra pizzaz the GreyKey solution.
Programmable runaway temp on the battery should do it. Put a little extra pizzaz the GreyKey solution.
Looking at the estimated cracking times for the various numeric-only passcodes, I decided to compromise at a 12 digit numeric passcode. It’s still relatively more convenient than an alphanumeric passcode (passphrase?) while being fairly difficult to crack, in terms of minimum number of days needed.
That is my code!
Great! Now everyone knows my code!
Well, it is about time for me to change it, anyway.