
adnbek

Original poster
In previous iOSes, a few failed attempts would lead to the phone being locked out, for incrementally longer and longer periods of time, slowing down the number of attempts one can make at any given time.

Why was this removed? I find it very useful as it makes it harder to brute force your way through AND if you activate "Erase after 10 failed attempts" it would still take a while for someone to do so.

Now, anyone can pick up your phone, quickly do 10 attempts and wipe your phone!
 
More wow, never noticed this. This is terrible.

My work email exchange enforces erasing of data after just 8 failed attempts too... I hope no one I know hears about this and does it as a joke!
 
If what I'm seeing today is indeed true then it looks like the final release will have more fixes than the GM. A security flaw like the pincode problem can't wait for 7.0.1. It should be patched sooner in an emergency update.
 
I just tried it.. I get an 'iPhone is disabled' message after 6 wrong PINs. Then, disabled again after another single attempt. I didn't keep going, but, I'm sure it'll lock out for longer and longer periods of time... Are you not seeing that?

Seems to follow the iOS 6 lockout pattern: http://cinnamonthoughts.org/2010/09/13/ios-passcode-waiting-intervals-for-failed-attempts/
 
Just don't turn that on? After 5 or 6 attempts it locks you out. It only wipes your phone after 10 attempts if you have that feature turned on.
 

Just don't turn that on? After 5 or 6 attempts it locks you out. It only wipes your phone after 10 attempts if you have that feature turned on.

I never turn on the 'wipe device after 10 attempts'.. I'd rather control when to wipe from iCloud. Plus, with the new activation lock, my iPhone will be a door-stop. :)
 
Took me about 8 wrong attempts before I got the message that the iPhone is disabled, without any timer as to how long it is disabled for. Kind of strange. And about a minute or two later it looks like the message is gone and I can use the phone again.
 
Just don't turn that on? After 5 or 6 attempts it locks you out. It only wipes your phone after 10 attempts if you have that feature turned on.

Even if it's off, it's easier to brute force your way in if you're not being slowed down from previous failed attempts.

----------

I just tried it.. I get an 'iPhone is disabled' message after 6 wrong PINs. Then, disabled again after another single attempt. I didn't keep going, but, I'm sure it'll lock out for longer and longer periods of time... Are you not seeing that?

Seems to follow the iOS 6 lockout pattern: http://cinnamonthoughts.org/2010/09/13/ios-passcode-waiting-intervals-for-failed-attempts/

It wasn't doing it with me at all. I turned off "Erase..." to test it and I could keep making up pins over and over (stopped at around 15x) and it never once got disabled.
 
Even if it's off, it's easier to brute force your way in if you're not being slowed down from previous failed attempts.

----------



It wasn't doing it with me at all. I turned off "Erase..." to test it and I could keep making up pins over and over (stopped at around 15x) and it never once got disabled.

Are you using a simple passcode (4 digit PIN) or one with a custom length with mixed characters?

I can confirm I too do not get locked out with a custom passcode.
 
It will not wipe your iPhone unless you turn it on in settings.
 
Are you using a simple passcode (4 digit PIN) or one with a custom length with mixed characters?

I can confirm I too do not get locked out with a custom passcode.
Did that apply the same way to both passcodes and passwords before? And now it's different in some way?
 
It's been this way the entire Beta process (from Beta 1 all the way to the GM now). The only thing that is different between iOS 7 lock process and pre-iOS 6 is that before, you would get locked out for 1 minute after 10 wrong attempts, and then for each successive attempt, it would go to 5 mins, 15 mins, 60 mins, and then I don't know what. I never pushed it past that. In iOS7, after like 8 wrong attempts, you're locked out for about a minute and it just keeps repeating that. I'm not trying to compare at all, but Android is like this as well.
 
If what I'm seeing today is indeed true then it looks like the final release will have more fixes than the GM. A security flaw like the pincode problem can't wait for 7.0.1. It should be patched sooner in an emergency update.

What security flaw like the pincode problem are you referring to? I haven't heard of anything and want to know what the risk is. Thx.
 
It's been this way the entire Beta process (from Beta 1 all the way to the GM now). The only thing that is different between iOS 7 lock process and pre-iOS 6 is that before, you would get locked out for 1 minute after 10 wrong attempts, and then for each successive attempt, it would go to 5 mins, 15 mins, 60 mins, and then I don't know what. I never pushed it past that. In iOS7, after like 8 wrong attempts, you're locked out for about a minute and it just keeps repeating that. I'm not trying to compare at all, but Android is like this as well.
Actually it was after 5 (or essentially 6) attempts in iOS 6 and before, as mentioned in the link posted earlier in the thread: http://cinnamonthoughts.org/2010/09/13/ios-passcode-waiting-intervals-for-failed-attempts/
 
What security flaw like the pincode problem are you referring to? I haven't heard of anything and want to know what the risk is. Thx.

Are you not following this thread? OP says you can try to enter a pin code 10 times in a row with no duration increase in attempts. If you set your 10th fail = wipe..a random person can pick up your phone and fail the pin 10 times and wipe it in under a minute.
 
The one in this thread? The OP is saying you can try to enter a pincode 10 times in a row with no lockout. If you have the 10th attempt set to wipe? Guess what..anyone can come by and quickly enter 10 wrong pins and wipe your phone in under a minute.
I definitely got locked out at least on the 8th attempt.
 
Simple passcode in my case.

----------



Thanks, we know this. And it's irrelevant.
Just tried it again with a simple passcode and it took over 10 attempts to get it to come up. However, I realized that in order to test this quickly I entered the same wrong passcode a number of times, so now I'm thinking maybe it's actually based not on just absolute count of attempts, but on the count of unique attempts--so basically different passcodes. Going to try this in a bit again with each one being a different passcode to see if that makes a difference.

----------

what duration between attempts? it's supposed to be:

1min
5min
15min
30min
1 hour.
After the 8th attempt that time, since this was the first lockout, I got locked out for what seems like 1 minute (no information was actually available as to the length of the lockout, but it was back to normal in about a minute). Just got locked out a second time and it was for 5 minutes (again, without any time information actually displayed). So the intervals seem to be about the same (at least the first ones).
 
Did I not read somewhere that thieves will no longer be able to wipe phones e.g. you can only wipe with authorisation etc on iOS7 or was that only on new iPhone?
 
Just tried it again with a simple passcode and it took over 10 attempts to get it to come up. However, I realized that in order to test this quickly I entered the same wrong passcode a number of times, so now I'm thinking maybe it's actually based not on just absolute count of attempts, but on the count of unique attempts--so basically different passcodes. Going to try this in a bit again with each one being a different passcode to see if that makes a difference.

----------

After the 8th attempt that time, since this was the first lockout, I got locked out for what seems like 1 minute (no information was actually available as to the length of the lockout, but it was back to normal in about a minute).

Ya see that's not working properly. The first lockout after a failed attempt is 1min before you can try again. Enter your pin wrong 3 times in a row there and your next try is in 5 minutes...then 10 minutes...then 30 minutes..eventually I think it's 24 hours.
 
OK, just tried it again with unique different passcodes, after entering the 5th one wrong the phone got disabled for 1 minute. Attempted to enter a wrong password again, and right after the 1st wrong attempt the phone got disabled again (looks like for the longer 5 minutes this time).

It looks like this feature is still working correctly, although perhaps was updated to only account for actual different unique attempts (since repeating the same passcode doesn't really help you break in), if that wasn't working like that before.
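
A model of the lockout behaviour the posts above describe, as an added example that is not part of the thread and not Apple's code: it counts only distinct wrong passcodes, escalates the lockout, and shows how long ten failures take before an "Erase after 10 failed attempts" wipe. The delay schedule, the free-failure count, the class and function names, and the sample passcodes are all assumptions pieced together from figures quoted in the thread.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed schedule, in minutes, pieced together from figures quoted in the
# thread (1, 5, 15, 60). It is not an official Apple table.
ASSUMED_DELAYS_MIN = (1, 5, 15, 60)
FREE_FAILURES = 4  # assumption: the 5th counted failure triggers the first lockout


@dataclass
class PasscodeThrottle:
    secret: str
    wipe_after: Optional[int] = 10       # None models "Erase Data" switched off
    unique_only: bool = True             # repeats of a wrong guess are not counted
    delays_min: tuple = ASSUMED_DELAYS_MIN
    failures: int = 0
    locked_until: float = 0.0            # minutes on the caller's clock
    wiped: bool = False
    seen: set = field(default_factory=set)

    def attempt(self, guess: str, now: float) -> str:
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"              # attempt refused, nothing is counted
        if guess == self.secret:
            self.failures, self.seen = 0, set()
            return "unlocked"
        if self.unique_only and guess in self.seen:
            return "wrong"
        self.seen.add(guess)
        self.failures += 1
        if self.wipe_after is not None and self.failures >= self.wipe_after:
            self.wiped = True
            return "wiped"
        over = self.failures - FREE_FAILURES
        if over > 0 and self.delays_min:
            # Escalate, then hold at the last delay in the schedule.
            self.locked_until = now + self.delays_min[min(over, len(self.delays_min)) - 1]
            return "locked"
        return "wrong"


def minutes_until_wipe(throttle: PasscodeThrottle, guesses) -> Optional[float]:
    """Feed guesses as fast as the throttle allows; return the minute of the wipe."""
    now = 0.0
    for guess in guesses:
        now = max(now, throttle.locked_until)
        if throttle.attempt(guess, now) == "wiped":
            return now
    return None
```

Under the assumed schedule, ten distinct wrong passcodes take 141 minutes to reach the wipe, while an empty `delays_min` reaches it at minute 0, which is the scenario the original post worries about.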
 