
Passcodes
By setting up a device passcode, the user automatically enables Data Protection. iOS and iPadOS support six-digit, four-digit, and arbitrary-length alphanumeric passcodes. In addition to unlocking the device, a passcode provides entropy for certain encryption keys: an attacker who has physical possession of the device still can't read data in the protection classes whose keys depend on the passcode without knowing it.
The passcode is entangled with the device's UID, so the derived key can't be computed without that device's hardware and brute-force attempts must be performed on the device under attack rather than offloaded to faster machines. A large iteration count is used to make each attempt slower, calibrated so that one attempt takes approximately 80 milliseconds. At that rate, exhausting the 36^6 (about 2.2 billion) combinations of a six-character passcode drawn from lowercase letters and digits would take more than five and one-half years.
The stronger the user passcode is, the stronger the encryption key becomes. Touch ID and Face ID reinforce this by letting the user set a much stronger passcode than would otherwise be practical, since the passcode no longer has to be typed at every unlock. This increases the effective amount of entropy protecting the encryption keys used for Data Protection, without adversely affecting the user experience of unlocking an iOS or iPadOS device multiple times throughout the day.
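The following Python is an added illustration, not Apple's code or algorithm. It models the three ideas above: a key derived from the passcode and a per-device UID (so the same passcode yields a different key on a different device), an iteration count calibrated to a target per-attempt cost, and the exhaustive-search arithmetic for several passcode policies. The UID byte strings, the use of PBKDF2-HMAC-SHA256 as a stand-in for the Secure Enclave's hardware tangling, and the policy list are all assumptions made for the example.

```python
import hashlib
import math
import time

# Constructed stand-in UIDs. On a real device the UID is a per-device key fused into
# the Secure Enclave and never readable by software; these bytes are illustrative only.
DEVICE_UID = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
OTHER_DEVICE_UID = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)

SECONDS_PER_ATTEMPT = 0.08          # the ~80 ms per-attempt cost the text describes
SECONDS_PER_YEAR = 365.25 * 86400   # Julian year


def derive_passcode_key(passcode: str, device_uid: bytes, iterations: int) -> bytes:
    """Illustrative entangling of the passcode with the device UID.

    PBKDF2-HMAC-SHA256 with the UID as salt stands in for the Secure Enclave's
    hardware tangling (Apple's real construction is not PBKDF2). What it shows is
    that the same passcode gives a different key on another device, and that the
    key can't be computed at all without the UID.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), device_uid, iterations, dklen=32)


def calibrate_iterations(target_seconds: float = SECONDS_PER_ATTEMPT,
                         probe_iterations: int = 20_000) -> int:
    """Pick an iteration count so one derivation takes about target_seconds on this
    host, the way the text says the on-device count is calibrated to ~80 ms."""
    start = time.perf_counter()
    derive_passcode_key("probe", DEVICE_UID, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of passcodes of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly chosen passcode."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Worst-case time to try every passcode on the device at the calibrated rate."""
    return keyspace_size(alphabet_size, length) * seconds_per_attempt


def exhaustive_search_years(alphabet_size: int, length: int,
                            seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    return exhaustive_search_seconds(alphabet_size, length, seconds_per_attempt) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Same passcode on two devices: the keys differ, so the search can't be precomputed
    # or moved to faster hardware.
    iters = calibrate_iterations()
    k1 = derive_passcode_key("123456", DEVICE_UID, iters)
    k2 = derive_passcode_key("123456", OTHER_DEVICE_UID, iters)
    print(f"iterations for ~80 ms on this host: {iters}")
    print(f"keys differ across devices: {k1 != k2}")

    # Worst-case exhaustive search at 80 ms per attempt; the policy list is constructed.
    policies = [("4 digits", 10, 4), ("6 digits", 10, 6),
                ("6 lowercase+digits", 36, 6), ("8 mixed-case+digits", 62, 8)]
    for name, alphabet, length in policies:
        print(f"{name:22s} {entropy_bits(alphabet, length):5.1f} bits  "
              f"{exhaustive_search_years(alphabet, length):12.3g} years")
```

The 36^6 case reproduces the figure in the text (about 5.5 years); a six-digit numeric passcode, by contrast, can be exhausted on-device in roughly 22 hours at the same rate, which is why the Lock-screen delays and erase policy described next matter for short passcodes.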
To further discourage brute-force passcode attacks, there are escalating time delays after the entry of an invalid passcode at the Lock screen. If Settings > Touch ID & Passcode (or Face ID & Passcode) > Erase Data is turned on, the device automatically wipes after 10 consecutive incorrect attempts to enter the passcode. Re-entering the same incorrect passcode consecutively doesn't count as an additional attempt. This setting can also be enforced as an administrative policy, with a lower threshold if desired, through a mobile device management (MDM) solution that supports it or through Microsoft Exchange ActiveSync.
On devices with a Secure Enclave, the delays are enforced by the Secure Enclave coprocessor rather than by software on the application processor. If the device is restarted during a timed delay, the delay is still enforced, and the timer for the current period starts over.
Specifying longer passcodes
If the user sets a long passcode that contains only digits, the Lock screen shows a numeric keypad instead of the full keyboard. A longer numeric passcode may be easier to enter than a shorter alphanumeric one while offering a comparable keyspace: for example, a 10-digit passcode has 10^10 combinations, more than the 36^6 combinations of a six-character passcode built from lowercase letters and digits.
Users can specify a longer alphanumeric passcode by selecting Custom Alphanumeric Code in Passcode Options when changing the passcode in Settings > Touch ID & Passcode (or Face ID & Passcode).
Delays between passcode attempts
| Consecutive incorrect attempts | Delay enforced before the next attempt |
|---|---|
| 1–4 | None |
| 5 | 1 minute |
| 6 | 5 minutes |
| 7–8 | 15 minutes |
| 9 | 1 hour |
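As an added example (not Apple's implementation), the Python below turns the table and the rules stated above into a small model of the Lock-screen policy: a counter of consecutive distinct incorrect attempts, the delay imposed after each, the Erase Data wipe on the tenth miss, the rule that repeating the same wrong passcode does not count, and the restart behaviour that restarts the current delay period. The table stops at nine attempts, so the model assumes every later attempt keeps the one-hour delay; that assumption, the `erase_after` knob (standing in for the lower threshold an MDM policy may set), and the walkthrough guesses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Delay table from the text, keyed by the count of consecutive incorrect attempts
# (re-entering the same wrong passcode does not count). The table ends at attempt 9,
# so attempts beyond that are assumed here to keep the 1-hour delay.
DELAY_AFTER_ATTEMPT = {5: 60, 6: 5 * 60, 7: 15 * 60, 8: 15 * 60, 9: 60 * 60}
MAX_DELAY_SECONDS = 60 * 60


def delay_for_attempt(failed: int) -> int:
    """Delay in seconds enforced after the Nth consecutive incorrect attempt."""
    if failed < 5:
        return 0
    return DELAY_AFTER_ATTEMPT.get(failed, MAX_DELAY_SECONDS)


def minimum_seconds_for_attempts(n: int) -> int:
    """Least wall-clock time an attacker at the Lock screen needs before the Nth
    distinct guess can be entered (sum of the delays imposed by guesses 1..N-1)."""
    return sum(delay_for_attempt(k) for k in range(1, n))


@dataclass
class LockScreenThrottle:
    """Toy model of the Lock-screen policy described in the text."""
    correct_passcode: str
    erase_after: Optional[int] = 10   # None models Erase Data off; MDM may set a lower value
    failed: int = 0                   # consecutive distinct incorrect attempts
    last_wrong: Optional[str] = None
    unlock_at: float = 0.0            # entry is refused while now < unlock_at
    erased: bool = False

    def attempt(self, passcode: str, now: float) -> str:
        """Process one passcode entry at time `now` (seconds).
        Returns 'unlocked', 'wrong', 'throttled' or 'erased'."""
        if self.erased:
            return "erased"
        if now < self.unlock_at:
            return "throttled"
        if passcode == self.correct_passcode:
            self.failed = 0
            self.last_wrong = None
            return "unlocked"
        if passcode == self.last_wrong:
            return "wrong"           # same wrong passcode again: not counted toward the limit
        self.failed += 1
        self.last_wrong = passcode
        if self.erase_after is not None and self.failed >= self.erase_after:
            self.erased = True       # Erase Data: the device wipes on the limit-th miss
            return "erased"
        self.unlock_at = now + delay_for_attempt(self.failed)
        return "wrong"

    def restart(self, now: float) -> None:
        """A reboot during a delay does not clear it: the current period starts over."""
        if now < self.unlock_at:
            self.unlock_at = now + delay_for_attempt(self.failed)


if __name__ == "__main__":
    # Constructed walkthrough: an attacker at the Lock screen with Erase Data on,
    # always waiting out the delay before the next distinct guess.
    device = LockScreenThrottle(correct_passcode="123456")
    clock = 0.0
    for i in range(12):
        guess = f"{i:06d}"
        result = device.attempt(guess, clock)
        print(f"t={clock:6.0f}s guess={guess} -> {result:9s} next entry allowed at {device.unlock_at:.0f}s")
        if result == "erased":
            break
        clock = max(clock + 1, device.unlock_at)
    print("seconds needed before the 10th distinct guess:", minimum_seconds_for_attempts(10))
```

Running the walkthrough shows the practical effect of the table: an online attacker who never repeats a guess needs 5,760 seconds (96 minutes) of delays to reach the tenth attempt, and with Erase Data on that attempt wipes the device, so the Lock screen yields at most nine guesses. This is why the per-attempt key-derivation cost discussed earlier, rather than the Lock-screen throttle, is the defence that matters against an attacker who has extracted the device storage and is working against the keys directly.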