When Apple released iOS 9 in 2015, it changed the default length of the passcode needed to unlock the device from 4 to 6 digits for all devices with a Touch ID sensor. This lowered the odds of guessing a passcode on a single try from 1 in 10,000 to 1 in 1,000,000. And while some folks groaned at having to remember two additional numbers, hopefully most attorneys using iPhones realized that if you are going to keep confidential and privileged information on an iPhone, you need to take reasonable steps to keep that device secure.
This week I saw a link by John Gruber of Daring Fireball to an article posted last month by Thomas Reed of the security firm Malwarebytes Labs. The article describes a device called GrayKey, a small box with two Lightning cables coming out of the front of it which can supposedly crack the passcode of an iOS device. Apparently, the box is only sold to law enforcement. If someone tries to hack your passcode on an iPhone itself, there is a delay after the wrong passcode is entered. You have probably encountered this delay yourself at some point. But it seems that GrayKey has a way around this and can quickly try multiple passcodes. And according to an article by Lorenzo Franceschi-Bicchierai of Motherboard, the only thing slowing down the hack is the length of your passcode. He quotes statistics from Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute. Green says that a 4-digit passcode can be cracked in 13 minutes or less, a 6-digit passcode can be cracked in 22.2 hours or less, an 8-digit passcode can be cracked in 92.5 days or less, and a 10-digit passcode can be cracked in 9,259 days or less.
Obviously, then, you can improve the security of your passcode by using more digits. You can also improve the security of your passcode by making the characters more complicated by using letters and/or symbols in addition to numbers. Open the Settings app, go to Touch ID & Passcode or Face ID & Passcode (depending upon what device you are using), tap Change Passcode, and then on the next screen tap Passcode Options. Here, you have the option to change to a custom numeric passcode (more than 6 digits) or a custom alphanumeric code (letters, symbols, and/or digits).
Using a longer passcode is less convenient. First, it takes longer to enter the passcode, and the additional length increases the chance that you will make a mistake while typing. If you use Touch ID or Face ID, that limits the number of times that you have to type the passcode, but you still need to type it from time to time.
Second, it is harder to remember a longer passcode, especially because the strongest passcodes are long and don't use words that are in a dictionary. There are some tricks you can use to help you remember more secure passcodes. For example, you can remove the vowels from words to create something that you can remember but which would be hard to guess. "Drew Brees #9 Saints" becomes DrwBrs#9Snts, a 12-character passcode lacking words found in a dictionary, and which would take a ridiculously long time to crack using current technology. Or you can use the first letters from the words of a memorable line from a song or poem or other saying. "The hills are alive with the Sound of Music" becomes ThaawtSoM, a nine-character passcode lacking dictionary words.
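To put numbers on the two sample passcodes, here is an added example (not from the original article) that extends the quoted digit-only figures to mixed-character passcodes. It assumes a constant 12.5 guesses per second, the rate implied by those figures, and an ASCII-only keyboard. The result is a worst-case search time that assumes the attacker knows nothing about how the passcode was built.

```python
import string

# Assumption: 12.5 guesses/second (0.08 s per guess), the rate implied by the
# quoted figures: 10,000 four-digit codes in roughly 13 minutes.
GUESSES_PER_SECOND = 12.5

# Assumption: ASCII-only character classes (10 digits, 26 + 26 letters, 32 symbols).
CLASSES = (string.digits, string.ascii_lowercase,
           string.ascii_uppercase, string.punctuation)

def alphabet_size(passcode):
    """Size of the smallest alphabet, built from whole classes, covering the passcode."""
    if not passcode:
        raise ValueError("empty passcode")
    stray = [c for c in passcode if not any(c in cls for cls in CLASSES)]
    if stray:
        raise ValueError(f"characters outside the modelled classes: {stray!r}")
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in passcode))

def worst_case_seconds(alphabet, length):
    """Seconds needed to try every passcode of exactly this length."""
    return alphabet ** length / GUESSES_PER_SECOND

def estimate(passcode):
    """Worst-case exhaustive-search time, in seconds, for one passcode."""
    return worst_case_seconds(alphabet_size(passcode), len(passcode))

def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 365 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:.1f} seconds"

if __name__ == "__main__":
    # Digit-only passcodes: reproduces the figures quoted earlier.
    for digits in (4, 6, 8, 10):
        print(f"{digits} digits: {humanize(worst_case_seconds(10, digits))}")
    # The two sample passcodes from the paragraph above.
    for code in ("DrwBrs#9Snts", "ThaawtSoM"):
        print(f"{code}: alphabet {alphabet_size(code)}, "
              f"{humanize(estimate(code))}")
```

A passcode built from a predictable pattern can fall much faster than this worst case, so treat the output as an upper bound rather than a guarantee.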
Hopefully, it won't be a problem for you that some police officers now have the ability to use a device like the GrayKey. But what worries me is that if the police have it, perhaps certain bad actors have access to similar devices — criminals who might have a reason to try to access the confidential information that you have on your device about your clients.
Apple is constantly improving the security of its devices, and that's why I encourage all attorneys to update their iPhones and iPads when Apple comes out with updates. A GrayKey-type device that works today may not work after the next iOS update. But Apple has been improving iPhone security ever since the first iPhone was released in 2007, and for over a decade now, clever folks have found new ways to circumvent security measures.
Do you need to change your six-digit passcode to something stronger? Well, that's up to you. Hopefully, the chance that your device will ever be connected to something like GrayKey is extremely remote. But for what it's worth, I'm currently using 12-character passcodes on my iPhone and iPad. After about a week, I got used to the longer passcodes. And while I am entering the passcode, I think to myself "take that, you evil hackers!" which, if nothing else, helps to fill up some of that extra time that it takes to type 12 characters instead of 6 numbers.