“iPhones protected by a six-digit pass code may no longer be safe thanks to a cheap tool being marketed to police that can unlock a smartphone in just days,” James Hetherington reports for Newsweek.
“Grayshift has developed an iPhone decryption device called GrayKey that can break through some devices in just two hours,” Hetherington reports. “Presumably, the device is able to skip Apple’s imposed wait times between pass code attempts.”
“Apple used to require only a four-digit pass code but bumped up the minimum to six in 2015, via iOS 9. Users are now also given the option to enter letters in a 10 letter/number pass code,” Hetherington reports. “If you have the patience and memory to install a 10-digit pass code (just numbers, no letters), the average unlock will take someone almost 13 years to hack in.”
Read more in the full article here.
MacDailyNews Take: Johns Hopkins Information Security Institute cryptographer Matthew Green explains via Twitter:
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)—
Obviously, those concerned with security and privacy should use an alphanumeric passcode that’s seven characters – even longer is better – and mixes numbers, letters, and symbols.
To change your password in iOS:
Settings > Face ID & Passcodes > Change Passcode > Passcode Options: Custom Alphanumeric Code — MacDailyNews, April 16, 2018SEE ALSO:
GrayKey box can guess a six-digit iPhone password in 11 hours on average – April 16, 2018
SEE ALSO:
Police around the U.S. can now unlock iPhones – April 12, 2018
Law enforcement uses ‘GrayKey’ box to unlock iPhones – March 16, 2018
The man who wrote those password rules has a new tip: N3v$r M1^d! – August 8, 201
[Thanks to MacDailyNews Reader “TS” for the heads up.]
Apple just needs to make the wait times unhackable andvproblem solved.
When changing your password, iOS 11.3 now states:
Your password must be a least 8 characters, include a number, an upper case letter, and a lowercase letter.
When deliberately making a ludicrously long password, keep in mind that adding repeating character filler (00000…) can save on required human memory while blasting cracking time into infinity. Just be sure you’re using this ‘haystacks’ method on ludicrously long passwords. Repeating characters within relative short passwords is a very bad idea.
MEANWHILE: Apple has to close the loophole that is allowing GrayKey cracking devices to implant executable code onto any iOS device. That’s an outrageous security hole that is strictly verboten on any form of UNIX, the basis of iOS. Only logged in users and administrators are given permission to install or run executable code.
Get Anti-Cracking Apple!
Keep iOS devices the safest and most private on the market!
I just tried to reset my passcode under iOS 11.3 and it did not provide this scenario. It starts with a 6 digit option and offers three other options…custom numeric, custom alpha-numeric, or 4-digit. Perhaps you are thinking of a new AppleID password which Apple does require to have the requirements you cited?
You are correct. I’m having a bad semantics comprehension day. I think my problem is concussion acquired at the Todd Rundgren’s Utopia concert I attended last night. 😉
[Kids: It’s a headbanger, post-hippy reference.]
I thought the iPhone had a feature that locked you out after so many password attempts?
If you set it, yes.
I’m not so worried about acronyms getting into my phone, but if they can do it, then any nefarious person or group looking for my credit and bank information can.That’s the scary part for me.
Precisely. You have grasped an obvious fact which law enforcement at almost all levels either does not understand or has chosen to ignore. I’m not sure which is worse.
How does it get around the ten wrong passwords and you’re out routine(s) ?
Cheap?!?!?!?? They make it sound like anyone can just spend $20 bucks and get one of these… but then again, no one would read a story about a $15,000 or $30,000 device.
Pennies for someone looking to make a lot of money! Think about it…
Not only do they have to have a $15,000 device; they also have to have physical access to your iPhone for several hours, and keep it in a Faraday cage so you can’t remotely wipe it.
in the future, i’ll just think of my mom and dad having sex. the disgust i feel deep down in my abdomen in conjunction with the peculiar and awful mental imagery will provide an unbreakable passcode that no one will be able to duplicate. there. i’ve said it.
I don’t see the alphanumeric option in my iPhone 7 (running 11.3).
Also, what does “return missed calls” do? Just noticed my is checked on.
According to Frank Abagnale [“Catch Me If You Can” (2002)], he’s trying to work on eliminating passwords altogether. See Trusona.com for details.