If you own an up-to-date iPhone, iPad, or iPod, you are already running full disk encryption. iOS devices ship from the factory with non-user configurable encryption – “non-user configurable” means you can’t turn it off even if you want to. As you may remember from the “FBiOS” debate a few months ago, iOS full disk encryption is pretty good. It took the full might of the US Government several months to get into an iPhone 5C – an older device that lacks some of the crypto hardware found in newer devices. There have been more recent attacks, as well, but these are also effective only on older hardware. Because there isn’t much you can do to enable, disable, or improve the encryption on the iPhone, today I’m going to talk about passcodes.
iOS Full Disk Encryption & Passcodes
Your passcode is an extremely important part of your iOS device’s security. To set up a passcode for the first time navigate to Settings//Touch ID & Passcode//Turn Passcode On. If you are changing your passcode, navigate to Settings//Touch ID & Passcode//Change Passcode. This will bring up a screen prompting you to enter a six-digit passcode. If you wish to use a six-digit passcode, enter it now. If you wish to use another option, tap the blue “Passcode Options” label. This will bring up the additional passcode options.
Four-digit Numeric Code: This option is not recommended under any circumstance. A four-digit passcode offers only the barest layer of security for your phone and the information on it. There are only 10,000 possible combinations (0-0-0-0 through 9-9-9-9) in a four-digit numerical passcode.
Six-digit Numeric Code: The six-digit passcode is a substantial upgrade over a simple four-digit passcode, offering over a million possible combinations. This may be sufficient for your needs if you have Erase Data enabled. If you do choose to use a six-digit passcode, I recommend repeating one or two (but no more) digits in the passcode. If the numbers used in the combination are discovered (i.e., through the fingerprints left on your screen), and they are all different, there are only 760 possible combinations. If you repeat one digit, the number of possible combinations is increased to 1,800. If you repeat two of the digits (or one digit twice) and only use four different numbers in your six-digit passcode, there are 1,560 combinations in the passcode. If more than two digits are used, the point of diminishing returns is reached.
Custom Numeric Code: The custom numeric passcode is the option I recommend for most users. This option hits the “sweet spot” between security and convenience. It allows you to use a very long passcode (I have successfully tested up to 40 characters) while still being able to use the numeric-only keypad. This keypad is much easier to manipulate than the full keyboard (see Figure 1.02). This passcode also offers another layer of protection: it does not tell an attacker how many digits are in the passcode, unlike four- and six-digit passcodes.
How long should your passcode be? Even a seven- or eight-digit passcode is a substantial upgrade over a six-character passcode because there are more combinations, and because the attacker doesn’t know how many digits are in the passcode. He or she only knows that there are more than six. Ten digits is my recommended minimum. This is based on the time it would take to crack your passcode. At 12.5 guesses per second, a six-character passcode could protect your data for a maximum of 22 hours – this is the length of time it would take to test every possible combination.
By making your passcode longer by one digit, you increase its strength by a power of ten. While it would take only 22 hours to test all of the combinations in a seven-digit passcode, it would take 220 hours, or over nine days, to test all the combinations in a seven-digit passcode. With a ten-character passcode there are 10,000,000,000 possible combinations and it would take over 25 years to test them all. Be forewarned that your passcode will (hopefully) be somewhere near the middle of the pool of potentials. This will ensure that any data on the phone is no longer actionable by the time it is recovered.
You may also wish to avoid making your passcode too long. For many months I had a passcode that was thirty characters long. While this provided excellent security, it also had some unintended consequences. First, such a passcode was excessively prone to failed attempts which cumulatively cost a huge amount of time. Second, such a long password actually tended to draw attention to me. While trying to share contact information or show a picture to someone it was not uncommon that they would notice the length of my passcode and comment on it. This attention was obviously unwelcome. Shortening it somewhat still allows me to enjoy a level of security that I am comfortable with, but also far fewer incorrect attempts, and less unwanted attention. This one was so long it made it to YouTube and eventually to the popular comedy show Tosh.0.
To be clear, the custom numeric passcode is a compromise. It does allow an attacker to confine his or her guesses to numerical-only combinations which significantly reduces the strength of the passcode. There are some reasons I still believe this is an acceptable option however. If the passcode requirements are overly onerous, users will not want to enter it frequently. As a result, users may increase the Auto-Lock and Require Passcode intervals to longer periods, or take other shortcuts that could compromise security. I believe that with the other protections available in iOS, like the 80-millisecond delay between passcode attempts and Erase Data, this still provides an acceptable layer of security.
Custom Alphanumeric Code: This passcode option provides the strongest security of all. This option should be considered if security is your primary goal. It should also be considered for some other scenarios: if you leave your device unattended, or if your device is at high risk of loss, theft, or capture. A custom alphanumeric passcode should also be used if you use Touch ID to unlock your iOS device and only rarely enter the passcode. This option has one significant downside: it requires the passcode to be entered on the full alphanumeric keyboard. This tiny keyboard offers the most complexity, but is incredibly tedious to work with, especially when you are in a hurry.
You can make a custom alphanumeric passcode even more secure by using some special characters on the iOS keyboard. The letters A, C, E, I, L, N, O, S, U, Y, and Z all contain special characters. For instance, the letter “a” contains the following special characters: à, á, â, ä, æ, ã, å, and ā. To access them, press the desired letter and hold. A pop-up menu will appear. Slide your finger to the desired character and release. Because of the immensity of the iOS keyboard’s character set, incredibly complex passcodes are possible.
iOS full disk encryption is only as strong as the passcode you use to protect it, so choose a good one. I recommend a six-digit numeric, but only if you can’t tolerate anything longer. If you can, I say go with a 10 to 12-digit numeric.
If you enjoyed this article and would like exclusive content, sign up for the Operational-Security Newsletter.