Experts say that only takes 11 hours to crack 6-digit iPhone Passcode

Do Son April 17, 2018 2 minutes read

A few days ago we reported that “The National Police Agency has the ability to crack iPhone.” At that time, it was mentioned that the police could use GrayKey to crack the iPhone’s 4-digit password in 6 minutes, and with 6 digits the password will take a few days to crack. According to the latest news, however, it may not take that long to crack the iPhone’s 6-digit password.

Matthew Green, an assistant professor and cryptographer at the John Hopkins School of Information Security, shared a tweet earlier today, claiming that using the vulnerability of the Apple password guessing protection, it takes an average of 6.5 minutes to crack the iPhone ‘s 4-digit password, and the 6-digit password can be 11 hours. It was calculated within half a day.

Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):

4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)

— Matthew Green (@matthew_d_green) April 16, 2018

Apple has a built-in password protection mechanism for the iPhone. Ten password input errors will erase the contents of the iPhone. Entering more than five incorrect passwords will automatically extend the time for the next password attempt. However, GrayKey may seem to be able to bypass these protection mechanisms.

It is unclear, however, whether GrayKey’s actual performance is as mysterious as Professor Green said. But at least let everyone has realized that the iPhone’s 6-digit password is also not safe.

Apple changed the default 4-digit password to the 6-digit password when iOS 9 was released in 2015, but many users find it too cumbersome to enter 6-digit passwords each time. They also change the 4-digit password by setting them.

There are many security experts who recommend that users set the iPhone to an “alphanumeric code.” Over the input interface becomes a full keyboard, although not very convenient, but safe.

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Written by

@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.