Can Thieves Crack 6-Digit iPhone Passcodes?

Henrique Prange, on Twitter:

Stop using 6-digit iPhone passcodes! Do you think I am overly paranoid? Keep reading.

Last week, a friend of mine had his iPhone stolen. What follows is the sequence of events that started as an unfortunate event and ended up with $30,000 in unauthorized wire transfers, $2,500 spent on the App Store, and accounts of multiple services compromised. […]

So, how could the wrongdoers do all of that in less than 5 hours? After considering many options, the only reasonable explanation is they cracked the 6-digit passcode on the stolen iPhone using some kind of device like the GrayKey.

The passcode gave them access to the keychain. They searched for the iCloud credentials, disabled the Lost Mode, and turned off the Find My.

This is an interesting but alarming story. Did the thieves crack his 6-digit passcode with a GrayKey or GrayKey-like device? Impossible to say. But it’s worth thinking about. We know GrayKey exists, and if it exists, thieves could have it. It’s also easier for a would-be thief to snoop a target entering a 6-digit passcode than an alphanumeric passphrase.

I mention this in the wake of the aforelinked piece on Face ID vs. face masks because months ago, when I first started grocery shopping while wearing a mask, I switched my iPhone from an alphanumeric passphrase back to a 6-digit passcode for convenience. I did so thinking, basically, that even though a 6-digit passcode is less secure, anything truly dangerous like disabling Find My iPhone requires my iCloud password as well.

It simply never occurred to me that if a thief (or law enforcement, or any adversary) has the device passcode, and your iCloud password is in your keychain, they can get your iCloud password from your keychain. All you need is the device passcode to access all of the passwords in iCloud Keychain. Try it — you can.

So I’m back on an alphanumeric passphrase, inconvenience while wearing a mask be damned. Remember too: you don’t need to make an alphanumeric device passphrase long or complicated to make it very secure — a 6-character alphanumeric passphrase would take on average 72 years to crack by brute force because it takes 80 milliseconds for the Secure Enclave to process each guess.
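The arithmetic behind that comparison, as an added example that is not part of the original post: it takes the 80 ms per guess quoted above and works out average brute-force time, the chance a passcode falls within a fixed window such as the five hours in the story, and how long an all-digit passcode must be to match. It assumes a 62-symbol alphabet (upper case, lower case, digits), which is what reproduces the 72-year figure, and models no cost other than the fixed per-guess time.

```python
"""Passcode brute-force estimates at a fixed per-guess cost (added example)."""
import string

GUESS_MS = 80                      # per-guess cost quoted in the post
YEAR_SECONDS = 365.25 * 24 * 3600

DIGITS = string.digits                         # 10 symbols
ALNUM = string.ascii_letters + string.digits   # 62 symbols (assumed alphabet)


def keyspace(alphabet: str, length: int) -> int:
    """Number of distinct passcodes of exactly this length."""
    return len(alphabet) ** length


def average_seconds(alphabet: str, length: int) -> float:
    """Expected search time: on average half the keyspace is tried."""
    return keyspace(alphabet, length) * GUESS_MS / 2000


def chance_within(alphabet: str, length: int, hours: int) -> float:
    """Probability a uniformly random passcode is found within `hours`."""
    guesses = hours * 3600 * 1000 // GUESS_MS
    return min(1.0, guesses / keyspace(alphabet, length))


def min_length(alphabet: str, target_avg_years: float) -> int:
    """Shortest length whose average search time reaches the target."""
    length = 1
    while average_seconds(alphabet, length) < target_avg_years * YEAR_SECONDS:
        length += 1
    return length


if __name__ == "__main__":
    for name, alphabet in (("6-digit", DIGITS), ("6-char alphanumeric", ALNUM)):
        avg = average_seconds(alphabet, 6)
        print(f"{name}: average {avg / 3600:,.1f} h "
              f"({avg / YEAR_SECONDS:,.2f} years), "
              f"chance within 5 h = {chance_within(alphabet, 6, 5):.6%}")
    print("digits needed for a 50-year average:", min_length(DIGITS, 50))
```

Under these assumptions a 6-digit passcode averages about 11 hours and has roughly a one-in-four chance of falling within five hours, while an all-digit passcode needs 11 digits to reach the same order of protection as six mixed-case alphanumeric characters.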

Monday, 24 August 2020