A look at the iPhone passcode lock feature

The iPhone includes a passcode lock feature.  About a year ago, when iPhone Software 2.0 was out, Apple received bad publicity because there was an easy way to bypass the passcode just by double-clicking the home button.  That flaw was fixed last year and there have been other updates to the iPhone passcode lock feature in iPhone Software 3.1, so I thought this would be a good time to take a close look at this feature.

You enable the feature by going to Settings –> General –> Passcode Lock.  The default is a four-character passcode made up entirely of numbers (although, as noted below, this can be changed to something more complicated).  When the passcode lock is turned on, a person who picks up your iPhone cannot use it (except for emergency calls) without entering the four-digit passcode.  The passcode lock is a nice first level of security for your iPhone just in case it is picked up by a “bad guy” or, for that matter, a child.

A person who picks up an iPhone with the passcode lock enabled has 10 chances to enter the correct code, but that doesn’t mean that he can just try 10 different codes in a row.  After six incorrect attempts, the person must wait one minute before trying again.  If the seventh attempt is wrong, the person must wait 5 minutes before trying again.  If the eighth attempt is wrong, the person must wait 15 minutes before trying again.  If the ninth attempt is wrong, the person must wait 60 minutes before trying again.  After 10 incorrect attempts, what happens next depends upon your settings.  By default, after 10 incorrect attempts the iPhone tells you that you must connect the iPhone to iTunes to unlock it and does not allow you to try to guess the password again.  Alternatively, in Settings –> General –> Passcode Lock you can turn on the “Erase Data” after 10 failed passcode attempts feature.  With this on, after 10 incorrect attempts, the iPhone will erase all data.  On an iPhone 3GS, this happens instantly because the 3GS simply removes the encryption key to all data on the device.  On the original iPhone and the iPhone 3G, the iPhone erases all data by writing over the data, a process that can take two hours or more.  (You can’t use the iPhone while this is taking place.)  Note that one danger of telling your iPhone to erase all data after 10 incorrect attempts is that you will no longer be able to use MobileMe to track your iPhone’s location, send messages to the iPhone, etc.  If you accidentally erase all data on your iPhone, you can still restore the data by using iTunes to apply your latest backup.

You can set how long it takes for the iPhone’s passcode lock to be enabled.  The choices are immediately (every time you wake the iPhone), after 1 minute, 5 minutes, 15 minutes, 1 hour or 4 hours.  However, starting with iPhone Software 3.1, if you are syncing with a Microsoft Exchange server for e-mail, contacts or calendar, you may find that you have fewer options.  For example, here are two screen shots of the Require Passcode setting.  The one on the left is from my iPhone; the one on the right is from another lawyer’s iPhone who does not work at my law firm.  Both of us are using Exchange and both of us are running iPhone 3.1, but you can see that I have fewer options:

[Two screenshots of the Require Passcode setting: left, my iPhone; right, the other lawyer’s iPhone]

I am more limited because my law firm’s Exchange server imposes a “maximum inactivity time lock” on mobile devices.  (I believe that ours is set to 20 minutes, and when you combine the up to 5 minutes before an iPhone auto-locks plus up to 15 minutes for a passcode lock, that is a maximum of 20 minutes of inactivity to lock the iPhone.)  Before iPhone Software 3.1, the iPhone did not pay attention to an Exchange Server’s maximum inactivity time lock.  This was a security flaw, one that was pointed out to Apple by iPhone users at PepsiCo, Intel Corporation, Edward Jones and Agilent Technologies.  When Apple fixed this issue in 3.1, it explained what it had done on this page and gave credit to the individuals at those companies who pointed out the flaw.  So if you, too, are looking to become famous on an Apple security page, let them know if you find another security flaw.  

Speaking of iPhones and Exchange servers, the following Exchange ActiveSync password policies are supported in iPhone Software 3.1:

  • Require a password
  • Minimum password length
  • Maximum failed password attempts
  • Require both numbers and letters in the password
  • Inactivity time in minutes
  • Allow or prohibit simple password
  • Password expiration
  • Password history
  • Minimum number of complex characters in password

Even if a company doesn’t use Exchange, it can apply these same settings by using device profiles.  The following comes from the Apple Enterprise Deployment Guide (PDF link), which explains what the different passcode settings mean:

  • Require passcode on device:  Requires users to enter a passcode before using the device.  Otherwise, anyone who has the device can access all of its functions and data.
  • Allow simple value:  Permits users to use sequential or repeated characters in their passcodes.  For example, this would allow the passcodes “3333” or “DEFG.”
  • Require alphanumeric value:  Requires that the passcode contain at least one letter character.
  • Minimum passcode length:  Specifies the smallest number of characters a passcode can contain.
  • Minimum number of complex characters:  The number of non-alphanumeric characters (such as $, &, and !) that the passcode must contain.
  • Minimum passcode age (in days):  Requires users to change their passcode at the interval you specify.
  • Auto-Lock (in minutes):  If the device isn’t used for this period of time, it automatically locks.  Entering the passcode unlocks it.
  • Passcode History:  A new passcode won’t be accepted if it matches a previously used passcode.  You can specify how many previous passcodes are remembered for comparison.
  • Grace period for device lock:  Specifies how soon the device can be unlocked again after use, without re-prompting for the passcode.
  • Maximum number of failed attempts:  Determines how many failed passcode attempts can be made before the device is wiped.  If you don’t change this setting, after six failed passcode attempts, the device imposes a time delay before a passcode can be entered again.  The time delay increases with each failed attempt.  After the eleventh failed attempt, all data and settings are securely erased from the device.  The passcode time delays always begin after the sixth attempt, so if you set this value to 6 or lower, no time delays are imposed and the device is erased when the attempt value is exceeded.
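
As an added illustration (not code from the original post or from Apple), the following Python models the failed-attempt handling described above in the discussion of the ten-attempt limit, together with the Exchange inactivity arithmetic from earlier in the post (Auto-Lock plus Require Passcode may not exceed the server’s maximum inactivity time).  The class and function names are hypothetical, as is the 60-minute delay assumed for any attempt past the tenth, which the post does not cover:

```python
from dataclasses import dataclass
from hmac import compare_digest
from typing import List, Optional

# Minutes the iPhone makes you wait before the Nth attempt, per the post:
# none through the sixth attempt, then 1, 5, 15 and 60.  Beyond the tenth
# the post says nothing; 60 is assumed here for policies that allow more.
DELAY_BEFORE_ATTEMPT = {7: 1, 8: 5, 9: 15, 10: 60}

# Require Passcode choices in minutes (0 = immediately).
REQUIRE_PASSCODE_OPTIONS = [0, 1, 5, 15, 60, 240]


@dataclass
class PasscodeLock:
    """Hypothetical model of the lock screen's failed-attempt handling."""
    passcode: str
    max_failed_attempts: int = 10   # iPhone default; EAS "maximum failed attempts"
    erase_data: bool = False        # the Erase Data switch in Passcode Lock settings
    failures: int = 0
    waited_minutes: int = 0         # total enforced delay a guesser has sat through
    state: str = "active"           # "active", "itunes_required" or "erased"

    def try_unlock(self, guess: str) -> bool:
        if self.state != "active":  # no further guesses once locked out or wiped
            return False
        attempt = self.failures + 1
        # Delays only start after the sixth attempt, so a policy limit of
        # 6 or lower (Deployment Guide) never imposes any delay at all.
        if attempt > 6:
            self.waited_minutes += DELAY_BEFORE_ATTEMPT.get(attempt, 60)
        if compare_digest(guess.encode(), self.passcode.encode()):
            self.failures = 0       # a correct entry clears the failure count
            return True
        self.failures += 1
        if self.failures >= self.max_failed_attempts:
            self.state = "erased" if self.erase_data else "itunes_required"
        return False


def allowed_require_passcode(max_inactivity: Optional[int], auto_lock: int) -> List[int]:
    """Require Passcode choices left when an Exchange maximum inactivity time
    lock applies: Auto-Lock plus Require Passcode may not exceed the policy
    value (the post's 5 + 15 <= 20 minute case)."""
    if max_inactivity is None:      # no Exchange policy: every choice is offered
        return list(REQUIRE_PASSCODE_OPTIONS)
    return [m for m in REQUIRE_PASSCODE_OPTIONS if auto_lock + m <= max_inactivity]
```

With the defaults, a guesser who exhausts all ten attempts has sat through 81 minutes of enforced delay and still has only ten of the 10,000 possible four-digit codes tried, which is the practical value of the feature.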

Another passcode lock change in iPhone Software 3.1 is that, if you use MobileMe, you can now jump on the MobileMe website and tell your iPhone to immediately lock itself and even supply a new four-digit code, which will override any passcode previously set on the iPhone.  This could be useful if someone gets access to your iPhone and knows your prior passcode.  I tested this feature and it works great; a fraction of a second after I told MobileMe to lock my iPhone, my iPhone immediately went into Auto-Lock mode and wouldn’t allow access until I entered the new code.  Of course, for this feature to work, your iPhone must be powered on and connected to the network.  A smart thief could remove the SIM chip, which prevents MobileMe from finding the iPhone, or just turn off MobileMe on the iPhone.  (By the way, in my tests, after removing the SIM chip, sending a lock command via MobileMe, then reinserting the SIM chip, it took a full 15 minutes before the MobileMe-initiated iPhone lock took effect.)  But thieves are often not very smart, and there are many stories of people finding stolen or misplaced iPhones thanks to MobileMe (such as 1, 2, 3).  Thus, with MobileMe, you have a possible solution to a lost iPhone that otherwise would not exist.

Does the use of a passcode lock mean that no bad guys could ever access your personal data on the iPhone?  Unfortunately, no.  Security experts such as Jonathan Zdziarski have come up with ways for law enforcement agents to recover data from an iPhone notwithstanding the iPhone’s built-in security features.  If cops know how to do it, you can bet that there are some bad guys who also know.  A garden-variety thief won’t know how to do this, but a smart and dedicated hacker can probably find a way to access data on your iPhone if he tries hard enough.  (For example, see this article from Wired.)  

While the passcode lock is not a perfect security solution for your iPhone, I still believe it is a worthwhile feature to enable, and I encourage you to do so if you are an attorney or otherwise have confidential information on your iPhone (such as in your e-mails).  It is a minor annoyance to have to enter a passcode after 15 minutes (or up to 4 hours) of non-use, but it provides you with security that will stop all but a few elite hackers from gaining access to your e-mail and other personal data if your iPhone falls into the wrong hands.

[UPDATE 4/22/10: Here is an article from the Apple Knowledge Base on understanding the passcode lock feature.]

21 thoughts on “A look at the iPhone passcode lock feature”

  1. I would like to reset my autolock for 1 hour and can’t seem to find this option on my iPhone 3GS. It only allows for 15 mins tops.
    Where can I find the feature for the 1 hour autolock?
    Thank you,
    [Jeff responds: Debbie, I suspect that you are using Exchange at your law firm, and the Exchange security settings don’t allow it to go that long.]
  2. I would like to allow 4 hours for reset. I was able to edit my activesync settings in the exchange 2007 console to allow 60 minutes (was previously limited to 15) however it seems like 60 minutes is the maximum it will allow, when I tried to enter 240, it wouldn’t allow it.
    Any suggestions?
  3. My iPhone no longer has the option to turn off the passcode. If I completely renew the phone it is there, but when I bring back my backup to the phone the inability to turn it off returns. Any advice?
    [Jeff responds: Are you syncing with an Exchange server? If so, the administrator may have that option turned off for security reasons.]
  4. Is there a way to lock the phone immediately, instead of waiting for the phone to timeout? For example, I just called someone, but now I’m setting the phone down and want to password lock it.
  5. I am on holiday and I have my iPhone synced to my Mac at home. I am on the 10th go and don’t know what to do. I don’t mind losing all the data as I have it all backed up; I just want to use SMS and phone, but I am not sure if I have erase all data on. If I do this and have erase all data on, can I access my phone or do I need to connect it to iTunes?
  6. An important question that is not answered in this article…
    What if a passcode locked iPhone is connected to iTunes (a new iTunes that doesn’t know this iPhone), would iTunes require a passcode to begin syncing?
    If not, it seems that anyone could simply “sync” your phone with their iTunes library and just sift through the backup that iTunes makes at their leisure… thus accessing all your data without needing any elite hacker skills (just iPhone backup browser software that is freely available).
  7. I think what Randy wants (and me too) is a “quick way to immediately lock my iPhone so that it requires a code to unlock” not as the default set up… but only to be used in rare occasions.
    I like that I can go in and out of my phone for a while without entering the code. But once in a while you want to leave it on a table and know that it’s been immediately locked. And it’s a pain to adjust the setting for this rare occasion.
    Solution? Is there an app for that?
  8. Turns out I’ve typed my passcode (I think it was the right one) and the device just went inactive for 5 minutes. There was no incorrect attempt! Is this a bug? I heard once iPhone’d pick up past incorrect attempts and randomly lock but don’t know if it’s true. Thx!
  9. My company wants a 5 character passcode on my iPhone. How do I set that up?
    [Jeff responds: If you are using Microsoft Exchange for e-mail at your company, your IT department can set requirements for passwords including iPhone passwords. Otherwise, you can use a utility from Apple called the “iPhone Configuration Utility” to change the length and to allow both letters and numbers. Details are here: http://support.apple.com/kb/DL851 ]
  10. Hi Guys,
    I’ve just recently found my iPhone 4 after losing it when moving house. Now that I have this I would like to start using it again, but I don’t have a computer with iTunes on it, nor did I ever have an iTunes account, but I can’t erase all data or reset the phone, because it asks me to enter my ‘restrictions’ code, and obviously I haven’t got that.
    Can anyone please please please help me…!!
    Thanks, Chris
  11. I want to set a passcode lock on my phone, but kids keep locking it up and it takes forever to get back into my phone after they locked it up and I need to call somebody or something.
  12. I had a friend use the 10 incorrect and erase to mess with me, and now it just goes to the turn on screen (the apple) then doesn’t turn on, any help?
  13. I forgot my password and can’t remember it. I don’t want to reset my iPhone either. Is there anything I can do????
  14. My daughter updated her iPhone and somehow set a passcode. She has no idea what it is. So I can not even get to settings to disable it. What do I do?
  15. I would like to be able to lock my email separately from the main lock so kids can play games but not have access to my email. Is this possible?
  16. You cannot do that with the built-in Mail app. Apple doesn’t provide controls for sharing a single iPhone or iPad with multiple users. I believe that there are some third party apps that let you do this, such as sandboxing apps that some corporations use, but I haven’t tried them.
    -Jeff
  17. The circles on my passcode are purple on the iPad and blue on the iPhone 6.
    My wife’s are white. How do you change the colors of the circles??