Post by drcard on Nov 25, 2020 15:42:10 GMT -5
iPhone – Increase Security of Your Passcode
Overview:
Most iPhone users still use a passcode with the default number of digits for that version of iPhone (4 digits for older versions and 6 digits for newer versions). These passcodes with 4 or 6 numerical digits are not very secure and are easy to crack to gain full access to the phone. What follows is background on the security strength of the passcode, analysis of your security needs, daily use of a strengthened passcode, and instructions on how to change the passcode to a stronger passcode.
Background:
How secure is the information you keep on your iPhone if it is lost or stolen? In other words, how hard is it to crack your passcode and have access to all the data in the phone? There are two basic ways the passcode for an iPhone is cracked:
1. A thief watches (takes a video of) you entering your passcode when you use the phone, steals your phone when you are not looking or distracted, and then enters the passcode that you entered earlier, gaining full access to your phone.
2. Software is used to crack the passcode and gain full access to the phone.
For either of these ways, the longer and/or more complex the passcode is, the more difficult it is to crack it. How much more difficult does it need to be? Law enforcement agencies (and the bad guys too) use software called GrayKey to crack iOS passcodes. In 2018, cryptographer Matthew Green of Johns Hopkins posted estimated passcode cracking times with GrayKey based upon the number of numerical digits used in the passcode as follows:
• 4 digits = average of 6.5 minutes to crack
• 6 digits = average of 11.1 hours to crack
• 8 digits = average of 46 days to crack
• 10 digits = average of 4,629 days (12.7 years) to crack
These figures from 2018 are the latest I could find, so the current software versions will crack the passcode even faster. The key to understand is that the longer and/or more complex you make the passcode, the harder it is to crack. The 10-digit number passcode above will take on average over 12 years to crack (who’s going to try that long?). Complexity of the passcode will strengthen the passcode exponentially and give more strength than increasing the number of digits in the passcode. Example: There are 10,000 possible combinations for a 4-digit passcode consisting of numbers only, but there are over 4.5 billion combinations for a 4-digit passcode consisting of both numbers and letters (alphanumeric). It is easy to see that an alphanumeric passcode would be very difficult to crack even with only 4 digits.
Analysis of Security Needs
Before you change your passcode you should consider what you have on your phone that requires security and how much security is needed. Make an answer list to these questions: Is there anything on the phone that can be used to get your identity or money from you such as ID and password to online banking, credit card, investment accounts, or Social Security number in a text, e-mail, voice mail, or document? Apps and phone storage areas that require a biometric (fingerprint or Face ID) are still protected if the phone’s passcode is cracked. This includes iCloud accounts and password-protected Notes documents. If the answer to any of the above questions is yes, then you need to strengthen your passcode to protect your data. If you are not sure if any of this information would be available if the passcode was cracked, then test the phone and find out.
To test a phone to see what information would be available if the passcode was cracked, turn the phone off and then turn it on. Now operate the phone using ONLY the passcode. Do not use Touch or Face IDs. Open all files and apps that you can using only the passcode. In many areas where sensitive data could be held, the phone requires biometric confirmation for access; thus they are not accessible with the passcode only. If you can access information that could be used for identity theft or stealing your money with just the passcode, then the passcode needs to be strong. If such information is not accessible without additional passwords or biometrics, then a moderately strong passcode is sufficient.
Extremists would advise to make the passcode as strong as possible, but having to enter a long and complex passcode every time you open your phone will get old quickly. The result is that over time users find ways around the strong passcode by leaving the phone on all the time or changing the passcode back to something easy to put in (back to a weak passcode). True security comes from finding a balance in the hassle required for the security and the amount of security that hassle provides. That balance will be different for each user, but you will know you have reached it when you don’t mind the hassle because doing it makes you feel safer and at ease. The hassle for the extra security can be minimized by having a strong passcode, but using Touch or Face ID to operate your phone and the apps on your phone results in having to enter the stronger passcode very seldom. Choosing a stronger passcode, but not the strongest, can minimize the hassle of the stronger passcode, such as using the 8-digit passcode consisting of numbers which took on average over a month to crack. If my phone was lost or stolen, I could change all account passwords before the phone could be cracked. To make remembering this new 8-digit passcode easy, I would use an old 4-digit passcode (that I already know by heart) twice.
Strengthen iPhone Passcode
• You must change the passcode to strengthen it.
• From the Home Screen select the Settings button.
• Scroll down the Settings page and select Touch ID (or Face ID) & Passcode.
• Enter your current passcode.
• Scroll down and select Change Passcode.
• On the Change Passcode page enter your current (old) passcode.
• The page will present a place to enter a new 6-digit passcode, but do not enter a new passcode; instead press the Passcode Options button.
• You will be presented with 4 options – listed below with explanation of each option:
o Custom Alphanumeric Code – a passcode consisting of numbers and letters. The number of characters (digits) that make up the passcode can be as few as 4 (minimum required by the phone) up to 32 (maximum number of characters (digits) recognized by the phone). When this option is selected a standard keyboard is presented to enter the passcode. The passcode can be all letters, combination of numbers and letters, or all numbers. If this option is selected, a standard keyboard will be presented anywhere on the phone where you have to enter the passcode. Once the new passcode is entered, press Next and re-enter the same passcode a second time to verify it to the phone and press Done when finished.
o Custom Numeric Code – a passcode consisting of numbers only. The number of digits that make up the passcode can be as few as 4 (minimum required by the phone) up to 32 (maximum number of digits recognized by the phone). When this option is selected a standard 10-key numeric pad is presented to enter the passcode numbers. Once you enter the new passcode, press the Next button and re-enter the new passcode to verify it to the phone and press Done when finished.
o 4-Digit Numeric Code – a passcode consisting of 4 numbers. Once entered the passcode has to be re-entered to verify it to the phone and press Done when finished.
o Cancel – No changes are made and the old passcode is still the active passcode.
• After verifying and pressing Done the phone will update all components of the phone and the new passcode is now the passcode for the phone.
Strengthen your passcode, but do so in a way you can still use your phone without a lot of hassle.
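The arithmetic behind the crack-time figures quoted in the post, as an added example that is not part of the original post: it derives the per-guess cost implied by the four quoted averages, then finds the shortest passcode length that meets a chosen protection window. All function names are hypothetical, and the model assumes a constant guess rate with no lockout delays or erase-after-failed-attempts setting in effect.

```python
# Added example (not from the post): calibrate a brute-force time model
# from the four averages quoted above and size a passcode with it.
DAY = 86400

# Average crack times quoted in the post, keyed by digit count (seconds).
QUOTED_AVG_SECONDS = {4: 6.5 * 60, 6: 11.1 * 3600, 8: 46 * DAY, 10: 4629 * DAY}


def implied_seconds_per_guess(quoted=QUOTED_AVG_SECONDS):
    """Mean per-guess cost implied by the quoted averages.

    An exhaustive search succeeds, on average, after half the keyspace,
    so avg_time = (10**digits / 2) * per_guess.
    """
    rates = [secs / (10 ** digits / 2) for digits, secs in quoted.items()]
    return sum(rates) / len(rates)


def average_crack_seconds(alphabet_size, length, per_guess):
    """Average exhaustive-search time for a uniformly random passcode."""
    return (alphabet_size ** length / 2) * per_guess


def min_length_for(alphabet_size, target_days, per_guess, max_len=32):
    """Shortest length (4..32, the range the post gives for custom codes)
    whose average search time is at least target_days; None if none is."""
    for length in range(4, max_len + 1):
        if average_crack_seconds(alphabet_size, length, per_guess) >= target_days * DAY:
            return length
    return None


def doubled_code_seconds(base_digits, per_guess):
    """Average time when a code is a shorter code typed twice and the
    search tries that pattern first: only the base digits are unknown."""
    return average_crack_seconds(10, base_digits, per_guess)


if __name__ == "__main__":
    rate = implied_seconds_per_guess()
    print(f"implied cost per guess: {rate * 1000:.1f} ms")
    # Assumption: 36 = digits plus lowercase letters only.
    for name, size in (("numeric", 10), ("alphanumeric (36 symbols)", 36)):
        print(f"{name}: {min_length_for(size, 365, rate)} characters for 1 year")
    ratio = average_crack_seconds(10, 8, rate) / doubled_code_seconds(4, rate)
    print(f"random 8-digit code vs. 4-digit code typed twice: {ratio:,.0f}x")
```

The estimate only holds for passcodes chosen at random; birthdays, repeated codes and keypad patterns have a much smaller effective search space than their length suggests.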