After the launch of a relatively cheap iPhone passcode cracker called GrayKey from the company Grayshift, it might be time to consider using longer alphanumeric passphrases that are harder to guess and crack.
A new report from Motherboard details new estimates from a security researcher regarding GrayKey, the digital forensics device that is now in active use by many U.S. law enforcement agencies.
According to Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, the device is capable of “bruteforcing” an iPhone with a six-digit passcode in an average of 11.1 hours, or up to 22.2 hours in a worst-case scenario.
The device can crack an iPhone with an 8-digit code in as few as 46 hours or up to 92 days, while the figures jump to 25 years, or 12 years on average, for strong 10-digit passcodes made up of random numbers.
Guide to iOS estimated passcode cracking times (assumes random decimal passcode + an exploit that breaks SEP throttling):
4 digits: ~13min worst (~6.5avg)
6 digits: ~22.2hrs worst (~11.1avg)
8 digits: ~92.5days worst (~46avg)
10 digits: ~9259days worst (~4629avg)
— Matthew Green (@matthew_d_green) April 16, 2018
Interestingly, Green’s estimates are much faster than those reached in previous reports, which estimated a six-digit passcode would take “days” to crack.
With these figures in mind, it might be time to consider ditching that six-digit passcode altogether. According to Harlo Holmes, a digital security trainer at Freedom of the Press Foundation, the best choice is to use a passcode that’s between 9 and 12 characters and combines both letters and numbers.
“People should use an alphanumeric passcode that isn’t susceptible to a dictionary attack and that is at least 7 characters long and has a mix of at least uppercase letters, lowercase letters, and numbers,” Ryan Duff, a researcher who’s studied iOS and the Director of Cyber Solutions for Point3 Security, told me in an online chat. “Adding symbols is recommended and the more complicated and longer the passcode, the better.”
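To compare the passcode styles recommended above against the quoted estimates, the following added example (not from the original article or from Green) derives the per-guess cost implied by the 6-digit figure and extends it to alphanumeric alphabets. It assumes the same conditions as the estimates (uniformly random passcodes and an exploit that defeats throttling); the function names and the 10-year target are illustrative choices.

```python
import string

# Per-guess cost implied by the figures quoted above: 10**6 guesses in ~22.2 hours.
SECONDS_PER_GUESS = 22.2 * 3600 / 10**6  # about 0.08 s

def crack_time_seconds(alphabet_size, length, per_guess=SECONDS_PER_GUESS):
    """(worst, average) seconds to exhaust a uniformly random passcode.

    Human-chosen or dictionary-based passcodes fall far faster than this.
    """
    worst = alphabet_size ** length * per_guess
    return worst, worst / 2

def min_length(alphabet_size, target_avg_seconds, per_guess=SECONDS_PER_GUESS):
    """Shortest random passcode whose average search time meets the target."""
    length = 1
    while crack_time_seconds(alphabet_size, length, per_guess)[1] < target_avg_seconds:
        length += 1
    return length

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

# Alphabet sizes for the passcode styles the article discusses.
ALPHABETS = {
    "digits": len(string.digits),                            # 10
    "lowercase + digits": len(string.ascii_lowercase) + 10,  # 36
    "mixed case + digits": len(string.ascii_letters) + 10,   # 62
}

if __name__ == "__main__":
    for name, size in ALPHABETS.items():
        for length in (6, 7, 9, 12):
            worst, avg = crack_time_seconds(size, length)
            print(f"{name:20} len {length:2}: worst {humanize(worst)}, avg {humanize(avg)}")
    ten_years = 10 * 365.25 * 86400  # illustrative target, not from the article
    for name, size in ALPHABETS.items():
        print(f"{name}: {min_length(size, ten_years)} random characters for a 10-year average")
```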
While the GrayKey device is only marketed to law enforcement at the moment, it might be time to change your iPhone passcode. Here’s how to do it:
- Go to Settings.
- Click on Touch ID & Passcode (You will have to enter your current passcode here)
- Click on Change Passcode (enter your current passcode again)
- Click on Password options at the bottom of the screen.
- Click on Custom Alphanumeric Code
- Enter your new passcode, which can now include letters, numbers and symbols.