Sorry, iPhone users: your six digit numeric passcode isn’t enough anymore. Use a longer alphanumeric code if you really want to lock things down.

Try to guess an iPhone’s passcode and it will eventually require you to wait before you can enter a new one. This is intended to stop brute forcing, a form of hacking where a machine guesses every possible passcode in order to get in. The idea is the delay will make this method take too long to be worthwhile.

Police departments around the USA are buying a device called GrayKey, which bypasses the delay entirely and reveals the passcode. Thomas Reed at Malwarebytes has pictures of the device, and outlines how it works, so check that out for the details. Here’s Reed explaining how the cracking works:

Two iPhones can be connected at one time, and are connected for about two minutes. After that, they are disconnected from the device, but are not yet cracked. Some time later, the phones will display a black screen with the passcode, among other information. The exact length of time varies, taking about two hours in the observations of our source. It can take up to three days or longer for six-digit passcodes, according to Grayshift documents, and the time needed for longer passphrases is not mentioned. Even disabled phones can be unlocked, according to Grayshift.

RELATED: How to Use a More Secure iPhone Passcode

It seems like, with enough time, this device can discover your password on current versions of iOS. You can’t fix this yourself, but you can potentially slow things down by using a more secure iPhone passcode that combines numbers and letters. This will make phase two of the cracking take a lot longer—potentially months or even years. Longer passcodes are annoying, of course, but TouchID and FaceID mean you won’t have to enter them often.

Right now only police departments have access to the GreyKey, so you might not be concerned. But history shows us that such technology tends to fall into the wrong hands eventually. Apple is presumably working on a patch that will lock down the whole thing, but we fully expect the cat and mouse game to continue after that. Stay tuned.

Image credit: Thomas Reed/Malwarebytes

Profile Photo for Justin Pot Justin Pot
Justin Pot has been writing about technology for over a decade, with work appearing in Digital Trends, The Next Web, Lifehacker, MakeUseOf, and the Zapier Blog. He also runs the Hillsboro Signal, a volunteer-driven local news outlet he founded.
Read Full Bio »