Google’s Android engineering team has quietly rolled out one of the platform’s most meaningful security upgrades yet: a far tighter limit on how many times someone can guess your unlock PIN. According to a post shared by Mishaal Rahman on X, Android 17 replaces the platform’s older, looser attempt-counting system with a much stricter one.
The goal is simple. Thieves and snoops who steal a phone often try guessing common PINs, like birthdays, before giving up. Under the new rules, that strategy becomes far less viable.
How Android 16 Handled Failed Attempts
Under Android 16, users could enter ten wrong PINs within a single minute before facing any delay. After that, the system allowed twenty attempts across six minutes, fifty across twenty-five minutes, and up to 110 within a full day.
For a truly random four- or six-digit PIN, this pace posed limited risk: 110 guesses a day cover about 1.1 percent of the 10,000 possible four-digit PINs and about 0.01 percent of the million six-digit ones. However, most people don’t choose random PINs. Many rely on birthdays, anniversaries, or other predictable numbers, so an attacker with even a little personal information could narrow the guess list to a few dozen candidates and fit it comfortably inside a single day’s allowance.
Android 17’s Stricter Rate Limits
Android 17 changes that math substantially. Google began rolling out the new limits earlier, starting with Android 16 QPR2, before making them standard across the platform.
The new caps are far lower: five attempts per minute, six within five minutes, seven within fifteen minutes, eight within thirty minutes, and eleven within twelve hours. Each cap counts consecutive wrong entries, and the counter resets the moment the device is unlocked with the correct PIN. If an attacker keeps going regardless of the delays, the device locks completely after twenty consecutive incorrect attempts.
Could Twenty Wrong Guesses Lock Out a Real Owner?
Technically, yes, but practically, it’s unlikely to happen by accident. Google’s tiered rate limiting means users can’t fire off attempts back-to-back forever. Each mistake extends the wait before the next try, and the delays grow substantially the further someone goes.
Reaching twenty consecutive failures could take an extraordinarily long time, especially given how the wait periods compound. For most legitimate users, this system won’t cause real friction. Anyone locked out because of a genuine memory lapse also has access to Google’s account recovery tools instead of continuing to guess blindly.
Retrying the Same Wrong PIN Doesn’t Count Twice
One especially thoughtful detail in this update deserves attention. If someone enters the same incorrect PIN more than once, the system only counts it as a single failed attempt.
For example, entering a wrong PIN on the first try and then trying that identical wrong PIN again later still counts as just one mistake, not two. Consequently, repeating an incorrect guess won’t accelerate a lockout. It simply extends the wait before another new attempt becomes possible.
Clearer Lockout Messaging
Google has also refined how lockout screens communicate wait times. Previously, users saw raw second counts, such as an instruction to try again after 1,800 seconds. Now, the interface displays a more digestible format, such as “try again in 30 minutes.”
This small adjustment spares users from converting seconds by hand, which matters more than it might seem. In extreme cases, such as after eighteen consecutive failed attempts, the required wait can stretch to roughly three years, a delay that is meaningless when expressed in seconds.
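To make the policy concrete, the following is a constructed simulation added for this article; it is not Google's or AOSP's code. It applies the tier table quoted above, counts a repeated identical wrong PIN only once, resets on a correct unlock, hard-locks after twenty distinct failures, and renders wait times the way the new lockout screen does (1,800 seconds as "30 minutes"). Two things are this example's own assumptions rather than statements from the article: each tier is treated as a sliding window and the strictest tier decides the wait, and a repeated wrong PIN restarts the current delay. The escalation beyond the twelve-hour tier (the roughly three-year wait mentioned above) is not modelled, because the page does not give those tiers. The names PinThrottle, run_scenario and run_hard_lock are invented for illustration.

```python
"""Constructed simulation of the PIN rate-limiting policy described in the article.

Not Android's code. The tier table, the "same wrong PIN counts once" rule and the
hard lock at twenty failures come from the article; how tiers combine into a wait
(sliding windows, strictest wins) and how a repeated wrong PIN "extends the wait"
(the current delay restarts) are this example's assumptions.
"""
from dataclasses import dataclass, field

# (window in seconds, wrong entries allowed inside that window), per the article.
TIERS = [
    (60, 5),           # five per minute
    (5 * 60, 6),       # six within five minutes
    (15 * 60, 7),      # seven within fifteen minutes
    (30 * 60, 8),      # eight within thirty minutes
    (12 * 3600, 11),   # eleven within twelve hours
]
HARD_LOCK_AFTER = 20   # consecutive distinct wrong PINs


def humanize(seconds: int) -> str:
    """Render a wait as its largest whole unit, e.g. 1800 -> '30 minutes'."""
    for name, size in (("year", 365 * 86400), ("day", 86400),
                       ("hour", 3600), ("minute", 60), ("second", 1)):
        if seconds >= size:
            n = seconds // size
            return f"{n} {name}" + ("s" if n != 1 else "")
    return "0 seconds"


@dataclass
class Result:
    ok: bool
    locked: bool
    wait: int        # seconds until the next entry is accepted
    message: str


@dataclass
class PinThrottle:
    correct_pin: str
    failures: list = field(default_factory=list)  # timestamps of distinct wrong PINs this run
    seen_wrong: set = field(default_factory=set)  # wrong PINs already counted this run
    not_before: int = 0                           # earliest timestamp an entry is accepted
    locked: bool = False

    def _next_allowed(self) -> int:
        """Assumption: each tier is a sliding window. Once `cap` failures fall in a
        window, the next attempt waits until the oldest of those `cap` failures
        has aged out of it; the strictest tier decides."""
        t = 0
        for window, cap in TIERS:
            if len(self.failures) >= cap:
                t = max(t, self.failures[-cap] + window)
        return t

    def attempt(self, pin: str, now: int) -> Result:
        if self.locked:
            return Result(False, True, 0, "Too many attempts. Device locked.")
        if now < self.not_before:                 # still counting down: nothing is counted
            wait = self.not_before - now
            return Result(False, False, wait, f"Try again in {humanize(wait)}")
        if pin == self.correct_pin:               # a correct unlock resets every counter
            self.failures.clear()
            self.seen_wrong.clear()
            self.not_before = 0
            return Result(True, False, 0, "Unlocked")
        if pin not in self.seen_wrong:            # a new wrong PIN counts...
            self.seen_wrong.add(pin)
            self.failures.append(now)
            if len(self.failures) >= HARD_LOCK_AFTER:
                self.locked = True
                return Result(False, True, 0, "Too many attempts. Device locked.")
        # ...a repeated wrong PIN does not, but the delay imposed after the last
        # counted failure restarts from now (assumption for "extends the wait").
        delay = max(0, self._next_allowed() - self.failures[-1])
        self.not_before = now + delay
        return Result(False, False, delay,
                      f"Try again in {humanize(delay)}" if delay else "Wrong PIN")


def run_scenario() -> list:
    """Walk one device through the tiers; returns (wait, message) per entry."""
    t = PinThrottle(correct_pin="2468")
    steps = [
        ("0000", 0), ("1111", 1), ("2222", 2), ("3333", 3), ("4444", 4),  # 5 distinct, fast
        ("4444", 10),     # typed during the countdown: rejected, not counted
        ("4444", 60),     # same wrong PIN once allowed: not counted, delay restarts
        ("5555", 116),    # 6th distinct -> five-minute tier
        ("6666", 300),    # 7th -> fifteen-minute tier
        ("7777", 900),    # 8th -> thirty-minute tier
        ("2468", 1800),   # correct PIN resets everything
        ("9999", 1801),   # first failure of a fresh run: no delay
    ]
    return [(r.wait, r.message) for r in (t.attempt(p, n) for p, n in steps)]


def run_hard_lock() -> tuple:
    """Twenty distinct wrong PINs a day apart never trip a tier but still lock
    the device; afterwards even the correct PIN is refused."""
    t = PinThrottle(correct_pin="2468")
    last = None
    for i in range(HARD_LOCK_AFTER):
        last = t.attempt(f"{i:04d}", i * 86400)
    after = t.attempt("2468", HARD_LOCK_AFTER * 86400)
    return last.locked, after.ok, after.locked


if __name__ == "__main__":
    for wait, msg in run_scenario():
        print(f"{wait:>5}s  {msg}")
    print("hard lock (locked, correct-PIN ok, still locked):", run_hard_lock())
```

Running the file prints the scenario: the first four wrong PINs get no delay, the fifth triggers "Try again in 56 seconds", retyping the same wrong PIN during the countdown is rejected without being counted, retyping it once the countdown has ended restarts the 56-second wait without advancing the counter, and the sixth, seventh and eighth distinct PINs escalate to 3, 10 and 15 minutes. The second scenario shows that spacing guesses a day apart does not help: the hard lock is a count of distinct consecutive failures, not a rate. Under the sliding-window assumption the ninth and tenth distinct failures fall between the listed tiers and get almost no delay; the article's own tiers leave that range unspecified, so treat that part of the model as a placeholder rather than a statement about Android.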