Six-digit passcodes are no longer considered safe to use due to specialized forensic equipment like GrayKey that takes advantage of iOS exploits to perform brute-force attacks no your passcode. But don’t worry, iDB has you covered. Simply follow our step-by-step tutorial to create a strong alphanumeric passcode on your iPhone or iPad that will elevate your security and render hacking hardware such as GrayKey pretty much useless.
Who needs the passcode?
While you can also use face recognition or your fingerprint instead of your passcode, as a security precaution the device will still require the passcode when you do the following:
- Turn on or restart your iPhone or iPad
- Update the iOS operating system
- Erase your device
- View or change passcode settings
- Install iOS or iPadOS Configuration profiles
Despite Face ID and Touch ID, the passcode continue to have relevance.
That’s chiefly because the encryption keys used by your iPhone and iPad to keep your private data safe from the prying eyes are derived from your passcode.
And as noted in Apple’s iOS Security Guide, your passcode is also required if the device’s just been turned on or restarted, the device hasn’t been unlocked for more than 48 hours, you haven’t used the passcode to unlock your device for 156 hours (six and a half days), you haven’t used a biometric (Face ID or Touch ID) to unlock the device in four hours and after five unsuccessful biometric match attempts.
iPhone, passcodes, encryption and Uncle Sam
Law enforcement agencies enjoyed a productive relationship with Silicon Valley technology giants up until Edward Snowden’s explosive revelations back in 2013 that Apple, Google, Microsoft, Yahoo and Facebook provided the NSA with direct access to their servers or data without a court order, something that all of the named companies vehemently denied.
The release of iOS 8 in September the following year marked an important milestone because iOS 8 enabled encryption for everything stored on the device by default.
The company said at the time it would no longer be able to perform “data extractions in response to government search warrants” because the files are protected by an encryption key, tied to the user’s passcode, which Apple “does not possess,” according to Fast Company’s report providing a rare look inside a $10 million cyber lab designed to crack iPhones.
Beginning in 2015, Apple started enforcing six-digit passcodes because four-digit ones were no longer considered safe. A four-digit passcode can be cracked with 10,000 random sequences. A device like GrayShift’s GrayKey can try 10,000 permutations in under ten minutes.
By comparison, a six-digit passcode boasts the total permutations to one million, requiring GrayKey less than 24 hours to run through all the possible combinations. Devices like GrayKey take advantage of iOS exploits to bypass the code that escalates the delay after failed passcode attempts, limiting the number of tries to ten before the device is wiped.
While the iOS software can be hacked, the iPhone’s Secure Enclave cryptographic coprocessor has so far proved itself unbreakable. Aside from storing the encryption keys and encrypting/decrypting files on the fly, the Secure Enclave takes 80 milliseconds to compute each passcode guess.
The Secure Enclave comes to the rescue
So while devices like GrayKey can try thousands of passcodes per second, the Secure Enclave delay (enforced in hardware) limits the number of tries to about twelve per second.
As Apple itself explains:
The passcode is entangled with the deviceʼs unique ID (UID) so brute-force attempts must be performed on the device under attack. A large iteration count is used to make each attempt slower.
The iteration count is calibrated so that one attempt takes 80 milliseconds. This means it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers.
Daring Fireball’s John Gruber sums it up nicely:
It’s the Secure Enclave that evaluates a passcode and controls encryption and the 80 millisecond processing time for passcode evaluation isn’t an artificial limit that could be set to 0 by hackers. It’s a hardware limitation, not software.
So, if you’re worried about any of this, the answer is simple: use an alphanumeric passphrase to unlock your iOS device, not a six-digit numeric passcode.
Indeed, six-digit iPhone passcodes have been unable to offer adequate protection against hacking devices like GrayKey. And while it’s been suggested that iOS 12.1.2 and later render GrayKey and similar devices useless, the jury is still out there as to whether new exploits may have been found that could prove helpful to law enforcement agencies..
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
And with that in mind, iDB invites you to follow along with our step-by-step tutorial right ahead to learn how to create an alphanumeric passcode on your iPhone and iPad that provides the strongest security and protection against brute-force attacks like GrayKey.
How to create alphanumeric passcode on iOS
Do the following to create an arbitrary-length alphanumeric passcode in iOS.
1) On your iPhone X and later or iPad with Face ID, go to Settings → Face ID & Passcode. On your iPod touch and earlier iPhone models, you will navigate to Settings → Touch ID & Passcode. On devices without Touch ID, venture into Settings → Passcode.
2) Enter your passcode to continue.
3) If no passcode has been set up on this device, tap Turn Passcode On. Otherwise, tap Change Passcode to switch from your current passcode to the much more secure alphanumeric code option.
4) Enter your old passcode again in order to continue with this action.
5) Now tap Passcode Options near the bottom of the interface, then choose the option Custom Alphanumeric Code from the popup menu. You can, of course, also choose to create a custom numeric code or switch back to the least secure 4-digit passcode, but doing so will weaken your security.
6) Enter a custom alphanumeric code, then tap Next.
7) Type in your new passcode again, then hit Next to have it verified and start using it.
It may take a few seconds for the device to save the new passcode. While iOS may appear unresponsive during that time, just wait for a few seconds and everything will be back to normal.
And that’s how your create an arbitrary-length, strong alphanumeric passcode on iPhone and iPad. Congratulations, you are now much safer with your custom alphanumeric passcode!
TUTORIAL: How to restrict USB data access on iOS
You’re also recommended to enable the option to have the iOS device immediately ask for your alphanumeric passcode as soon as you lock the screen. For your own security, if you use Touch ID or Apple Pay, the immediate passcode requirement is auto-enabled.
Last but not least, you can curtail the GrayKey box and other law enforcement tools if you limit USB data access on your device. To do so, toggle off the USB Accessories option at the bottom of your passcode settings, which will prevent devices from establishing a wired USB data connection when your iPhone or iPad has been locked for more than an hour.
Need help? Ask iDB!
If you like this tutorial, pass it along to your friends and leave a comment below.
Got stuck? Not sure how to do certain things on your Apple device? Let us know via firstname.lastname@example.org and a future tutorial might provide a solution.
Submit your own how-to suggestions via email@example.com.