iPhone Passcode Weakness

iPhone slide to unlock
iPhone slide to unlock

Whilst researching for a new iPhone data recovery service I found some surprising weaknesses in the default iPhone passcode system. Although nothing new, I’d never really considered the implications in much detail before.

It is common knowledge that iPhones are a valuable target for thieves. The phones are worth hundreds on the black market, but have you considered how much more valuable your data could be to criminals?

There are e-mail accounts, social media accounts and phone numbers, all of which add up to your online identity. If somebody had access to it all then at the very least they could work their way through your address book attempting to rip off your friends and family. Other more elaborate scams would also be possible.

Lots of people use a passcode to prevent unauthorised use of their iPhone. The problem is that the simple 4 digit passcode which Apple offers by default is really only worthwhile to stop friends and family using your phone. Anyone more determined to access your data can download software which can figure out the iPhone passcode within minutes.

I had heard about this, but didn’t expect it to be quite so easy. I tested it out on my own iPhone and within 2-3 minutes my passcode was displayed on the screen.

I won’t go into any great detail about how to do it. It’s all there online, but fortunately there are a few things you can do to protect yourself from this sort of attack.

The first thing is to turn off the “Simple Passcode” option under Settings > General.

Then you should use a longer passcode. Every extra digit adds thousands or millions more potential codes that would need to be tried, similar to the Exponential Wheat and Chessboard Problem.

  • 4 digits (0-9) – 0000 = 10,000 possibilities
  • 6 digits (0-9) – 000000 = 1,000,000 possibilities (9,900% Increase)
  • 8 digits (0-9) – 00000000 = 100,000,000 possibilities (999,900% Increase)

To really make things difficult for a would-be hacker you should use an alphanumeric code, mixing numbers and letters.

  • 4 character (A-Z, a-z, 0-9) – AAAA – 14,776,336 possibilities (147,663% Increase)
  • 6 character (A-Z, a-z, 0-9) – AAAAAA – 56,800,235,584 possibilities (568,000,000% Increase)
  • 8 character (A-Z, a-z, 0-9) – AAAAAAAA – 218,340,105,584,896 possibilities* (2,183,000,000,000% Increase)
    *11 times the number of red blood cells in the human body apparently

There is no way somebody could reasonably attempt all 218 trillion possible passwords, so they would use what’s known as a dictionary attack. A dictionary attack uses a modified dictionary of known words, so instead of trying all potential codes, they only try likely passcodes. Make sure your password is not a dictionary word to get the most benefit from your passcode. Add in some punctuation and then you’ve really got a decent code.

Published by

Dan Dilloway

When I’m not recovering data for Dataquest, I’m usually either riding my bike, writing blog posts or DIYing.