With police departments and federal agencies lining up to buy technology from two companies whose products can bypass iPhone security mechanisms, experts said users concerned about privacy should use a strong passcode to help prevent unwanted access to data.
That's also true for enterprise users with iPhones that access potentially sensitive corporate data.
Simply put, complex passcodes are always better for security, according to Phil Hochmuth, IDC's program director for enterprise mobility. Common best practices for creating a hard-to-crack passcode include using both upper- and lower-case characters, numbers and uncommon words.
"I expect enterprises with high security concerns and large iOS corporate deployments will start requiring this and enforcing it via their MDM/EMM platforms," Hochmuth said via an email.
iPhone cracking technology now in use
Both Israel-based technology vendor Cellebrite and Atlanta-based Grayshift have developed relatively inexpensive technology for unlocking iPhones.
Grayshift's GrayKey de-encrypting device is a 4-in. x 4-in. box with two iPhone-compatible Lightning cables. It can reportedly unlock an iPhone in about two hours – if the owner used only a four-digit passcode. (A six-digit passcode can take three days or longer to crack.)
One GrayKey box retails for US$15,000 and is geofenced to a specific location, requiring an internet connection that enables up to 300 unlocks. There is also a $30,000 GrayKey model that can be used independent of internet connectivity and offers an unlimited number of device unlocks, according to Motherboard.
Cellebrite provides an iPhone unlocking service to law enforcement agencies; it reportedly charges $5,000 per device.
Last week, Motherboard reported that local and regional U.S. police departments and the federal government have been purchasing the technologies in earnest.
While both companies claim they only sell to police and government law enforcement agencies, it's virtually impossible to keep that genie in the bottle, according to Nate Cardozo, a senior staff attorney with the Electronic Frontier Foundation (EFF), a non-profit digital rights group.
"If you believe the only people with access to GrayKey or Cellebrite are the cops, I've got a bridge to sell you," Cardozo said.
More digits means better iPhone security
At a minimum, consumers and businesses should use a six-character alphanumeric passcode or a pass phrase, which addresses risks associated with the leak of personal and enterprise data, according to Gartner research director Dionisio Zumerle.
"In terms of risk assessment, everyone should assume that the tools are improving. Security is a moving target and people need to move with it," said Gartner research vice president John Girard. "Using stronger PINs and passwords, phrases and so on is a necessary step forward."
While Apple's Touch ID and Face ID help with security as well, they don't preclude the use of a passcode to unlock a phone.
Apple's iOS 9 operating system boosted the default iPhone passcode from four digits to six, but an alphanumeric passcode is a stronger option still.
How to change your passcode
If you're ready to change your passcode, here's how to do it:
- Go to Settings
- Click on Touch ID & Passcode (You will have to enter your current passcode here)
- Click on Change Passcode (enter your current passcode again)
- Click on Password options at the bottom of the screen
- Click on Custom Alphanumeric Code
- Enter your new passcode, which can now include letters, numbers and symbols.
Final word of advice: Make sure you use a phrase or a combination of letters, numbers and symbols that's easy to remember.