There has been significant debate over law enforcement's right to access our digital devices in recent years. New tools from Grayshift and Cellebrite are popping up faster than ever to help government agencies, as well as traditional hackers, break into iPhones. If you're concerned, you can take steps right now to beef up your passcode and prevent outsiders from gaining access to your device.
Chances are your iPhone's passcode is six numerical digits long, which is the default passcode option on new iPhone models. You could even have a four-digit numerical passcode if you want, which was the default option in iOS 8 and below.
This makes sense since Apple would want the default passcode option to be these short, easy-to-remember PINs so users wouldn't forget their passcodes and get locked out of their devices. But a four- or six- digit number code isn't strong enough for the password-cracking weapons of today, so you should definitely consider making your passcode stronger.
Four- and six-digit numerical passcodes are weak. There are only 1 million possible combinations for a six-digit numerical code and a staggering 10,000 with four-digit number codes. While a million might sound like a decent pool to choose from, its fodder for hackers. According to Johns Hopkins cryptography professor Matthew Green, it takes an average of 11.1 hours for a hacker with the right tools to crack a six-digit number code and just 6.5 minutes to break a four-digit one.
While 6.5 minutes is pretty rough, 11.1 hours might sound like a long time. After all, when was the last time you were without physical access to your iPhone for more than 11 hours? But in the wrong circumstances, that's bad news. If your iPhone is stolen, for instance, intruders could gain access to all of the information inside your device. Banking information, photos, passwords, contacts — anything and everything you do on your iPhone.
For daily use, alphanumeric passcodes aren't practical for most people. If you feel your life would be more comfortable with a standard numeric passcode — which is easier to remember and faster to type in — then just making your passcode longer can help make things harder for any would-be hackers.
For one, make sure you're using enough numbers. Forget six digits — try eight or even ten instead. Remember Matthew Green? According to him, an eight-digit numerical passcode takes 46 days on average to crack, while a ten-digit one takes 4,629 days. That's because eight-digit number codes give you 100 million options, while ten-digit codes give you 10 billion. If you can stomach typing in 10 numbers at a time, you can rest assured it'll take any hacker or law enforcement official an average of 17.5 years to break into your iPhone.
To change to a longer code, open up your "Passcode" settings, enter your current passcode, then select "Change Passcode." Enter your old passcode, then select "Password Options" on the next screen. Next, choose "Custom Numeric Code" on the popup, enter your new long number code, hit "Next," then verify it and hit "Done." The only downside to this is that you'll have to tap "OK" after entering your long passcode each time instead of iOS instantly recognizing on the last digit.
That may sound funny to you, but it's true — if you're thinking of making your passcode 1234567890 or 0000000000 because they are both "one in 10 billion," think again. Sure, these codes technically are, but they're so common or easy to guess that a hacker or intruder will have no issue breaking in. Make sure you're mixing things up to keep your "one in 10 billion" number secure.
As you can see from previously leaked databases of user passwords, 1234567890 is a very common password. In fact, it was the fifth most common used for the social media service VK. Other long number passwords used on VK included 123456789, 1234567, 12345678, 7777777, and 987654321, all of which appeared in the top 22 passwords for the service. These will be the first ones hackers and government officials try when attempting to break into your iPhone, as will others like them.
If you're concerned about remembering a long string of numbers, come up with a short phrase — nothing easy to guess, mind you — that you can turn into a number via the keypad. Each key except for 1 and 0 have corresponding letters associated with them. So FOLDTOYSTREET becomes 365386978338. There's no need to memorize that long assortment of numbers — just remember those words.
Unfortunately, while numeric passcodes are easy to remember, they still can't match alphanumeric passcodes. The steps above will dramatically decrease the time it takes to get hacked, but there are better options to keep out infiltrators.
Since there are only 10 digits (0–9) in our base 10 number system, even a numbered password with 10 characters only amounts to 10 billion possibilities to brute-force. Compare that to an eight-character all lowercase password with 208 billion combinations, and it would be 20 times easier to crack your 10-digit numerical password than the 8-character lowercase one.
That brings us to alphanumeric passcodes, a combination of letters, numbers, and special characters. They're the same kind of password you would use for your computer, Facebook login, etc. Alphanumeric passcodes vehemently expand the number of possible options, making it that much harder to crack. Of course, it makes it that much harder to type, but who can put a price on security?
You can set one of these ultra-secure passcodes the same way as you can with custom numeric passcodes. Just select "Custom Alphanumeric Code" instead of just "Custom Numeric Code" when changing your passcode. Like long numeric codes, when you're done typing out your alphanumeric passcode on your lock screen, you'll have to tap "Done" on the keyboard instead of it just recognizing the last character. This is less annoying that tapping "OK" for a numbers-only one though.
Here the thing — alphanumeric passcodes are only as good as you make them. Without the proper precautions, hackers won't find your hard-to-type passcode any more challenging than one with six numeric digits. Make sure you're following the rest of the tips below to maximize your security.
This principle is one of the cardinal rules of passcode creation, and one that many people entirely ignore. People often use these types of words for their passcodes, which means hackers and those in law and security businesses try those first when attempting to break into your data.
In fact, there is an astonishing amount of programs out there tailored to helping hackers break passwords with dictionary words, so don't underestimate them — if you choose, say, "computer," "library" or, heaven forbid, "password," assume your data has already been stolen from wherever it is you used them.
Your best bet is a string of random letters, numbers, and special characters. Some programs can generate these types of passcodes for you, but let's be real — you're not going to remember a passcode like that, and you're going to need to type that code into your iPhone potentially every time you unlock it. So you're going to want to try a different approach.
Your IT department isn't trying to ruin your day — including all available character types in a passcode really will protect your iPhone. Uppercase, lowercase, numbers, and special characters — these additional variations force hackers and their equipment to work much longer than with a weaker passcode.
Here's a little math — an eight-lettered lowercase passcode has 208 billion possible combinations. That's certainly more than the 1 million options a six-digit numeric code will offer, however, it's still not too many for a hacker to burn through. Now, add at least one of every required character, and that eight-character passcode jumps to over 1 quadrillion possibilities.
No hacker is going to want to waste time on your iPhone with a passcode like that, and they will probably give up after a few days or weeks have passed.
However, you'll want to make sure you avoid Leetspeak, which involves replacing letters with lookalike numbers and characters. Don't think "p@$$w0r&" is going to do you much more good than "password" — hackers are already on top of that scheme. Just remember to keep things random.
Instead of using a string of random and non-memorizable characters, try a passphrase, which is a simple code made up of different words. For our purposes, you're going to want to choose three or four random, uncommon, and unrelated words, then relate them together in a way that makes sense to you. Then, all you need to do is think of the relation, and the words will come to you.
For example, you can turn outer, pomegranate, and zenith into the passphrase "outerpomegrantezenith." If you think to yourself "the outer portion of a pomegrante is its zenith," you'll be able to remember it much easier than a complicated, random passcode. Even better — add in at least one number, uppercase letter, and special character, perhaps like "ou%erPome_grante1zenith." That way, your potential hacker will have a much harder time using their usual tricks on your iPhone.
If you have a hard time coming up with a good passphrase, you can create a truly random one using Diceware, a method of using dice to come up with random words from a list. The longer the passphrase, the better.
Generating a seven-word passphrase using this method has at least 90.4 bits of entropy, which is enough to be considered unbreakable by today's standards.
Using the steps above, you've put so much effort into your new, secure passcode. Why do you need to change it? Well, that great passcode is only as great as it is anonymous. If someone figures it out, its game over for not just your iPhone, but the way you make your passcodes. That will only make it easier for someone to break into your device next time.
To avoid this, change up your passcode frequently. Make sure that, while you use a variety of characters, you avoid using the same format each time. That way, hackers won't be able to train wordlists to your iPhone, giving yourself an extra layer of security. This isn't as important for numerical passcodes, as there are less stylistic elements to contend with.
Changing your passcode isn't the only way to keep your iPhone and its data out of the hands of law enforcement officials or hackers. You can adjust the amount of time before your iPhone requires a passcode to unlock, (preferably, you want your iPhone to ask for a passcode every time).
In a pinch, you can quickly disable Touch ID and Face ID to keep intruders from forcing you to biometrically unlock your iPhone, which the law can make you do with a warrant. Passcodes are protected by the Fifth Amendment, so a warrant would never be issued.
Even wiping your iPhone's display regularly can erase smudges and fingerprints that give away the numbers involved in a passcode. You wouldn't believe how smudges can make cracking passcodes easier.
Of course, your iPhone's passcode is just the beginning. There are a lot of passwords on your device to contend with. Instead of using the same password over and over or writing down your hundreds of codes, the best way to deal with them is to use a password manager. Check out our guide below to learn about which ones you should be using on your iPhone.
Have an iPhone? Check out all 200+ new features coming in iOS 13.