GrayKey Can Unlock iPhones for Less Than $100 – It’s Time to Move Away from 6-Digit Passcodes [How To]
Apple has always touted its devices as the most secure products available to consumers. But while Tim Cook was using Facebook's data privacy scandal to his company's advantage, Apple was facing probably one of the biggest blows to iPhone security in years. Reports last month claimed that a cybersecurity firm was enabling the US government, intelligence agencies and the police to get into any iPhone - including the very latest models - for as little as $50 apiece ($15,000 for 300 devices, according to leaked reports).
Remember the FBI-Apple encryption saga of 2016? The agency had to pay millions of dollars to get a relatively insecure iPhone (5c) unlocked by a third-party company. But this latest tech introduced by GrayShift - a company led by an ex-Apple employee - brought the price down to just a few dollars.
Which brings us to the point - why you should stop using 6-digit passcodes on your iPhone...
Developed by GrayShift, GrayKey is claimed to unlock an iPhone in as little as two hours. For a longer passcode, such as the six-digit passcode most iPhone users rely on, the unlocking process could take up to three days.
Apple has built several protections into the iPhone against brute-force attempts, including an escalating delay between guesses and an option to wipe all data after 10 failed passcode attempts. However, GrayShift appears to have found a way to bypass these protections - or at least some of them.
As is the norm in the industry, once a vulnerability is discovered it eventually finds its way to the dark web, putting everyone's security at risk. Security experts are now recommending that users switch to an alphanumeric passphrase of between 9 and 12 characters. However, an alphanumeric password won't improve your security if you pick one of the same old passwords that have appeared in breach dumps over the past few years. Choosing a truly complex and unique password is the key.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13 min worst (~6.5 avg)
6 digits: ~22.2 hrs worst (~11.1 avg)
8 digits: ~92.5 days worst (~46 avg)
10 digits: ~9259 days worst (~4629 avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Matthew Green, an assistant professor at the Johns Hopkins Information Security Institute, suggested keeping a numeric passcode that is simply longer than the typical 6 digits. This not only protects your device against brute-force attempts but also ensures you still get the familiar passcode keypad when entering your passcode. If you choose an alphanumeric passcode, Apple will instead present you with the cramped full iOS keyboard.
How to choose an iPhone passcode that is longer than 6 digits
Here are the steps to select a stronger passcode on your iOS devices:
- Go to Settings > Touch ID & Passcode.
- Tap on Change Passcode. You will be asked to enter your old passcode.
- The next screen will ask you to enter your new passcode. But, instead of entering a new 6-digit passcode, tap on Password Options.
- Choose either Custom Numeric Code or Custom Alphanumeric Code depending on what you want.
If you choose a custom numeric code, you can select a longer passcode that still consists only of digits (ideally at least 9 digits). If you choose the alphanumeric option, you can mix letters, numbers and symbols, but that comes with the trade-off of a cramped keyboard that may hurt convenience.
If you are worried you will forget a longer numeric passcode, use the decades-old trick of thinking in letters rather than digits on the phone keypad. For example, "fbi is crazy" (without spaces) translates into 3244727299. Easy to remember and - hopefully - difficult to crack.
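Two things in this article are worth checking with a few lines of code: the cracking-time estimates in Matthew Green's table, and the keypad trick for turning a phrase into digits. The script below is an added example, not code from the article, from GrayShift or from Apple. It assumes one guess every 80 ms once the passcode-throttling protection is bypassed; that rate is back-derived from the figures in the tweet (10,000 guesses in roughly 13 minutes, a million in roughly 22.2 hours) and is an assumption, not an official number. It goes slightly beyond the table by letting you plug in any alphabet size, so you can compare a 9-digit numeric code against a 9-character alphanumeric one.

```python
"""Estimate brute-force time for iPhone passcodes and convert a memorable
phrase into a numeric passcode using the phone keypad letter layout.

Added example, not from the original article. Assumption: 80 ms per guess
once throttling is bypassed, back-derived from Matthew Green's table.
"""

PER_GUESS_SECONDS = 0.080  # assumed guess rate, see module docstring

# ITU E.161 keypad layout (the letters printed on the iOS passcode keypad).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def keyspace(length: int, alphabet_size: int = 10) -> int:
    """Number of distinct passcodes of the given length and alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length: int, alphabet_size: int = 10,
                       per_guess: float = PER_GUESS_SECONDS) -> float:
    """Time to exhaust the whole keyspace (attacker gets unlucky)."""
    return keyspace(length, alphabet_size) * per_guess


def average_seconds(length: int, alphabet_size: int = 10,
                    per_guess: float = PER_GUESS_SECONDS) -> float:
    """Expected time for a uniformly random passcode: half the keyspace."""
    return worst_case_seconds(length, alphabet_size, per_guess) / 2


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("min", 60))
    for name, size in units:
        if seconds >= size:
            return f"~{seconds / size:.1f} {name}"
    return f"~{seconds:.1f} s"


def cracking_table(lengths=(4, 6, 8, 10), alphabet_size: int = 10) -> dict:
    """Worst-case and average crack time per passcode length."""
    return {
        n: (humanize(worst_case_seconds(n, alphabet_size)),
            humanize(average_seconds(n, alphabet_size)))
        for n in lengths
    }


def phrase_to_passcode(phrase: str) -> str:
    """Map each letter of the phrase to its keypad digit.

    Digits pass through unchanged; spaces and punctuation are dropped, which
    matches the article's example ("fbi is crazy" -> 3244727299).
    """
    out = []
    for ch in phrase.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
    return "".join(out)


if __name__ == "__main__":
    print("Numeric passcodes at 80 ms/guess (worst, average):")
    for n, (worst, avg) in cracking_table().items():
        print(f"  {n:2d} digits: {worst} worst ({avg} avg)")
    # 62-symbol alphabet: a-z, A-Z, 0-9 (constructed comparison)
    print("9-char alphanumeric:", humanize(worst_case_seconds(9, 62)))
    print("'fbi is crazy' ->", phrase_to_passcode("fbi is crazy"))
```

Running it reproduces the tweet's numbers (4 digits about 13 minutes, 6 digits about 22 hours, 8 digits about 93 days) and shows why every extra digit buys a tenfold increase: the cost is the size of the keyspace times the per-guess time, and nothing else. The keypad helper also makes the trade-off of the phrase trick visible: it only helps if the resulting digit string is long, because an attacker who assumes the passcode is short still just enumerates the keyspace.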