Security Experts Warn iPhone Users to Change Their Passwords Now
As hackers and law enforcement agencies begin rolling out advanced new mechanisms designed to make it easier to get into password-protected devices, it’s never been more important to consider beefing up your iOS security with a passcode strong enough to withstand those brute-force hacking attempts.
Devices like the GrayKey box, which are designed to brute-force unlock essentially any iPhone model at the price of around $50 apiece, are slowly but surely making their way into police departments all around the world. The burgeoning adoption of GrayKey should raise grave concerns for anyone wanting to prevent their iPhone from being broken into and examined against their will.
While it’s been reported that an advanced mechanism like GrayKey is capable of cracking 4-digit iPhone passcodes in “just hours,” and 6-digit passcodes in a “matter of days,” it turns out that GrayKey is actually capable of successfully cracking any iPhone model protected by a 6-digit passcode in about 11 hours, on average.
That’s according to Matthew Green, assistant professor of cryptography with the Johns Hopkins Information Security Institute. In a tweet published to his official Twitter account this week, Green noted that with a device like GrayKey — which is inherently capable of side-stepping Apple’s built-in iOS security protections — not only is a 4-digit passcode guessable in less than seven minutes, but even beefing up your security settings to a 6-digit passcode simply isn’t enough to protect it anymore.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
It’s not entirely clear if Green’s estimates are accurate, or just speculation based on cumulative reports, but in either case, it’s resoundingly clear that whether your iPhone is locked by a 4-, 6-, 8-, or even 10-digit passcode — if it falls into the hands of hackers or law enforcement you’d better hope to high heaven there’s nothing incriminating stored on it.
How to Protect Yourself
Whether you’re concerned about your iPhone being hacked by law enforcement via a device like GrayKey, or even by other nefarious actors in possession of a similar tool, it’s probably a good bet to ensure your device is protected by the strongest passcode option available.
And that would be an alphanumeric passcode, according to multiple iOS security experts cited in a recent Motherboard report.
“People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers,” said Ryan Duff, an iOS security researcher and Director of Cyber Solutions for Point3 Security.
“Adding symbols is recommended and the more complicated and longer the passcode, the better.”
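Green's figures work out to roughly 0.08 seconds per guess, and the Python sketch below (an added example, not code from the article, Green, or Duff) applies that same rate to the 7-character alphanumeric minimum Duff describes. The 0.08-second rate is an assumption inferred from the quoted numbers, and the alphabet sizes (62 without symbols, 94 with) and the premise that the passcode is chosen uniformly at random are assumptions too.

```python
import string

# Assumption: time per guess inferred from the tweet's figures
# (22.2 hours / 10**6 six-digit codes is about 0.08 s). Not stated on the page.
SECONDS_PER_GUESS = 0.08

DIGITS = len(string.digits)                               # 10
ALNUM = len(string.ascii_letters + string.digits)         # 62: upper, lower, digits
ALNUM_SYM = ALNUM + len(string.punctuation)               # 94: plus ASCII symbols

def keyspace(alphabet_size, length):
    """Number of possible passcodes of exactly this length."""
    return alphabet_size ** length

def crack_seconds(alphabet_size, length, rate=SECONDS_PER_GUESS):
    """(worst, average) seconds to brute-force a uniformly random passcode."""
    worst = keyspace(alphabet_size, length) * rate
    return worst, worst / 2

def equivalent_digits(alphabet_size, length):
    """Random decimal digits needed to match this keyspace (integer-exact)."""
    return len(str(keyspace(alphabet_size, length) - 1))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365.25 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"

def report():
    """Rows of (label, worst, average) for the tweet's cases and Duff's advice."""
    cases = [(f"{n} digits", DIGITS, n) for n in (4, 6, 8, 10)]
    cases += [("7 chars, letters+digits", ALNUM, 7),
              ("7 chars, letters+digits+symbols", ALNUM_SYM, 7)]
    rows = []
    for label, size, length in cases:
        worst, avg = crack_seconds(size, length)
        rows.append((label, humanize(worst), humanize(avg)))
    return rows

if __name__ == "__main__":
    for label, worst, avg in report():
        print(f"{label:34s} worst {worst:>18s}   avg {avg:>18s}")
```

These figures hold only for passcodes chosen at random; a word or pattern that a dictionary attack would try early falls far sooner than the table suggests.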
How to Enable an Alphanumeric Passcode
- To enable more formidable passcode protection options on your device, you’ll have to visit the Settings app.
- From there, scroll down and select Face ID/Touch ID & Passcode.
- Enter your current passcode.
- Scroll down and select Change Passcode.
- When the prompt comes up asking you to enter your new passcode, tap on the Blue Passcode Options text towards the center of the display.
- Select Custom Alphanumeric Code, and then enter a new passcode comprised of letters, numbers, and symbols as specified above.
Of course, keep in mind that using an alphanumeric passcode in lieu of a simple 4- or 6-digit code is a trade-off: it takes more time and effort to enter, though that extra effort on your part comes with the benefit of stronger security.
Passwords are easy to forget, so simplify your life and keep track of all of them in one secure spot with a password manager.
For additional security, consider using a VPN to encrypt and anonymize your internet traffic.