it wasn’t so long ago that 4 digit passcodes were the norm.
Now 6 digit passcodes are obsolete.
GrayKey, the new kid on the block offering low cost cracking of iPhones up to and including the iPhone X requires users who are concerned about that to change their password habits.
Pricing on Graykey, supposedly, is $15,000 to unlock 300 phones ($50 a phone) or $30,000 to unlock an unlimited number of phones.
At that price, the cops are falling over themselves to buy these things. DHS is interested, along with the FBI. The Maryland State Police has bought some as has Cincinnati. My guess is that, at that price, there are lots of other agencies that have bought them. This likely means that the conversation about “going dark” is a bit overblown.
In fact, Congress asked the FBI to ‘splain itself. As the FBI is saying that they need to weaken device and app security by adding back doors that are unlikely to stay secret for long (you may remember that the master keys that DHS has for those travel locks on your luggage were ALL compromised when some genius at DHS allowed reporters to take pictures of the keys for an article), Congress is asking if they have used products like GrayKey to try unlocking those devices.
Since, for the most part, people choose short, obvious PINs (1234 or maybe 123456), those tools likely work pretty well.
6 digit passcodes (I gather this means 6 numbers) can be cracked in 11 hours on average (double that, worst case) using the software.
According to noted Johns Hopkins Cryptographer Matthew Green, an 8 digit passcode would take 92 days worst case (46 days on average) and a 10 digit passcode would take 9,259 days.
Information for this post came from Motherboard.
What this means for the user is that, if you care about privacy, longer passcodes are better. Alphanumeric passwords are better. Words not in the dictionary are better. Combining upper case, lower case and numbers is a somewhat random way (Monkey123 doesn’t count as a strong even though it technically meets most of the criteria) is the best strategy.
It’s really pretty simple. Longer is better. The Graykey software cracked some passwords in 30 seconds.