
iOS 9's new longer PIN means brute-force attacks will take days instead of hours

iOS 9 is coming with some unexpected good news for iPhone security buffs: the standard four-digit PIN will be six digits long in iOS 9. The measure is meant to protect against brute-force attacks, in which attackers attempt to unlock a stolen phone by guessing every possible password. iOS is designed to brick any iPhone that registers more than ten wrong guesses in a row, but security researchers have been creative in finding ways around that protection, including one recent system from MDSec that powered down the phone before it could register a wrong guess. Government analysis has also raised concerns about more complicated attacks staged by software running on the phone itself.

Update: Read the iOS 9 review.

Adding more digits to the password isn't a perfect solution, but the small change would mean a huge headache for anyone attempting to stage a brute-force attack in iOS 9, resulting in 100 times as many possible passwords to check. Current brute-force PIN attacks take hours to work, ranging from 12 hours for simple attacks to a maximum of 117 hours for MDSec's more complex power-down attack. In each case, there's always the chance that attackers will get lucky and stumble on the password in an early guess. Adding the extra two digits increases the time required to the scale of days, giving victims ample time to use Apple's powerful anti-theft tools to either track down their phone or brick it remotely.
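To make the "hours to days" claim concrete, here is an added example (not part of the article) that takes the worst-case attack times quoted above for a four-digit PIN and projects them onto the six-digit keyspace. It assumes the attack's guess rate is unchanged by the longer PIN and that the PIN is uniformly random, so on average half the keyspace is tried before a hit.

```python
"""Project brute-force PIN attack times from a 4-digit to a 6-digit keyspace.

Added example, not from the article. Inputs are the worst-case times the
text quotes for a 4-digit PIN: 12 hours (simple attack) and 117 hours
(MDSec's power-down attack). Assumptions: the attacker's guess rate does not
change with PIN length, and the PIN is chosen uniformly at random.
"""


def keyspace(digits: int) -> int:
    """Number of possible PINs of the given length (10 choices per digit)."""
    return 10 ** digits


def project(worst_case_hours: float, from_digits: int, to_digits: int) -> dict:
    """Scale a worst-case (exhaustive) attack time to a longer PIN.

    The guess rate is implied by the original worst case, so the new
    worst case is simply the old one times the keyspace multiplier.
    """
    multiplier = keyspace(to_digits) // keyspace(from_digits)
    worst_hours = worst_case_hours * multiplier
    return {
        "keyspace_multiplier": multiplier,
        "worst_case_hours": worst_hours,
        "worst_case_days": worst_hours / 24,
        # Uniformly random PIN: the expected number of guesses before a hit
        # is half the keyspace, so expected time is half the worst case.
        "expected_days": worst_hours / 2 / 24,
    }


if __name__ == "__main__":
    for label, hours in (("simple attack", 12), ("MDSec power-down attack", 117)):
        r = project(hours, 4, 6)
        print(f"{label}: {hours} h on 4 digits -> "
              f"{r['worst_case_days']:.1f} days worst case, "
              f"{r['expected_days']:.1f} days expected on 6 digits")
```

Going from 4 to 6 digits multiplies the search space by 100, so even the fastest quoted attack moves from half a day to weeks of expected effort.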

The only downside is that users who unlock with a passcode will have to punch in an extra two digits, but Touch ID means that isn't as onerous as it might be. Phones can still be unlocked with a successful fingerprint match, cutting out the need for a PIN at all.