After the launch of a relatively cheap iPhone passcode cracker called GreyKey from the company GreyShift, it might be time to consider using longer, harder to guess and crack alphanumeric passphrases.
A new report from Motherboard details new estimates from a security researcher in regards to the GrayKey, the new digital forensics device that is now in active use by many U.S. law enforcement agencies.
According to Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, the device is capable of “bruteforcing” an iPhone with a six-digit passcode in an average of 11.1 hours, or up to 22.2 hours in a worst-case scenario.
The device can crack an iPhone with an 8-digit code in a few as 46 hours or up to 92 days, while the figures jump to 25 years, or 12 years on average, for strong 10-digit passcodes made up of random numbers.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)— Matthew Green (@matthew_d_green) April 16, 2018
Interestingly, Green’s estimates are much faster than those reached in previous reports, which estimated a six-digit passcode would take “days” to crack.
With these figures in mind, it might be time to consider ditching that six digit passcode altogether. According to Harlo Holmes, a digital security trainer at Freedom of the Press Foundation, the best choice is to use a passcode that’s between 9 and 12 characters and combines both letters and numbers.
“People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers,” says Ryan Duff, a researcher who’s studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. “Adding symbols is recommended and the more complicated and longer the passcode, the better.”
While the GrayKey device is only marketed to law enforcement at the moment, it might be time to change your iPhone passcode. Here’s how to do it:
Want to see more of our stories on Google?
P.S. Want to keep this site truly independent? Support us by buying us a beer, treating us to a coffee, or shopping through Amazon here. Links in this post are affiliate links, so we earn a tiny commission at no charge to you. Thanks for supporting independent Canadian media!
Code changed to 10 digits: “Let the tigers come with their claws!” (Hope I’m not too old to cite this 😉
I’ve switched over to a full-on password, too… one that howsecureismypassword.net says would take 7 QUADRILLION YEARS to bruteforce haha. Good luck with that, GrayKey.
But I’m sure if someone really wants to get your password, they’ll just start beating you with a wrench.
Basically a guess based upon nothing, he has no idea. Also, the fact that max time is always double the average is odd. If he knew the actual algorithm used, he would have invented the box. If you can’t solve the puzzle, you can’t guess how long it will take to finish it!