A US federal judge has ordered Apple to help the FBI break into the iPhone of one of the attackers who killed 14 people in San Bernardino, California last December. Apple’s CEO, Tim Cook, said the company won’t help the FBI get past the passcode on the iPhone 5C belonging to one of the killers, Syed Rizwan Farook, as it would set a “dangerous precedent” for letting the government (and thus potentially anyone else) break into anyone’s phone.
But information from a 2015 court case in New York, uncovered by the Daily Beast, suggests that Apple may have cooperated with the government and unlocked phones up to 70 times in the past. In other words, Apple may now be taking a strong stance on privacy as a public-relations tactic, rather than a deep desire to protect the privacy of the average citizen. The Daily Beast’s report also implies the government might have developed its own ways of getting into at least some iPhones.
So if the Feds—or for that matter, criminals or other governments—can now or in the future crack iPhone passcodes, with or without Apple’s cooperation, how can you safeguard your data? The answer is pretty simple: just set a longer passcode.
First, enable the setting on your iPhone that erases all the phone’s data after 10 failed attempts to guess a passcode. The FBI doesn’t know whether Farook’s phone has that setting enabled (it’s off by default). What it wants from Apple is to create software that would turn the setting off, so it can try to break into the phone by using a “brute force” method: trying every possible passcode until it finds the one Farook chose.
However, the iPhone is built in such a way that even with brute-forcing, you can only try one passcode every 80 milliseconds (pdf, p. 12), or 750 tries a minute. The original iPhones had a four-digit numerical passcode, of which there are only 10,000 combinations. That would take a little over 13 minutes to crack. But on current iPhones you can use any combination of letters, numbers, and other characters, and as the passcode gets longer and more complex, the time taken to crack it rises pretty quickly:
| Kind of passcode | Passcode length | Time to crack |
|---|---|---|
| numbers only | 4 | 13 minutes |
| numbers only | 6 | 22 hours |
| numbers only | 8 | 93 days |
| lowercase letters only | 4 | 10 hours |
| lowercase letters only | 6 | 41 weeks |
| lowercase letters only | 8 | 529 years |
| lowercase letters and numbers | 4 | 37 hours |
| lowercase letters and numbers | 6 | 5.5 years |
| lowercase letters and numbers | 8 | 7,152 years |
And if you used a wider range of symbols—including uppercase letters, for instance—it would take even longer. Even an eight-digit numerical code takes three months to crack, while an eight-letter word takes about 529 years—meaning by the time the FBI cracked your phone, it would be dealing with about the 20th generation of your offspring.
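The table above follows from two numbers the article gives: 80 milliseconds per attempt and the size of the passcode keyspace (alphabet size raised to the passcode length). The script below is an added example, not part of the article, that reproduces the table from those assumptions and also works out what the erase-after-10-failures setting does to a guesser who cannot disable it. It assumes a passcode chosen uniformly at random, a fixed 80 ms per try with no other delays, and a 365.25-day year; the function names are ours.

```python
# Added example (not from the article): reproduce the brute-force timing
# table from the article's own assumptions, and show what the
# erase-after-10-failed-attempts setting does to an attacker's odds.

SECONDS_PER_TRY = 0.08          # 80 ms per passcode attempt, as stated in the article
MINUTE, HOUR, DAY = 60, 3600, 86400
WEEK, YEAR = 7 * DAY, 365.25 * DAY   # assumption: 365.25-day year for rounding

# Alphabet sizes for the character sets the article's table considers
CHARSETS = {
    "numbers only": 10,
    "lowercase letters only": 26,
    "lowercase letters and numbers": 36,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passcodes of exactly `length` characters."""
    return alphabet_size ** length


def brute_force_seconds(alphabet_size: int, length: int,
                        seconds_per_try: float = SECONDS_PER_TRY) -> float:
    """Worst-case time to try every passcode at a fixed rate (the article's model)."""
    return keyspace(alphabet_size, length) * seconds_per_try


def describe(seconds: float) -> str:
    """Round a duration to the unit the article's table uses."""
    if seconds < HOUR:
        return f"{round(seconds / MINUTE)} minutes"
    if seconds < 2 * DAY:
        return f"{round(seconds / HOUR)} hours"
    if seconds < 180 * DAY:
        return f"{round(seconds / DAY)} days"
    if seconds < YEAR:
        return f"{round(seconds / WEEK)} weeks"
    years = seconds / YEAR
    return f"{years:.1f} years" if years < 10 else f"{round(years):,} years"


def timing_table(lengths=(4, 6, 8)):
    """(kind, length, human-readable crack time) rows, in the article's order."""
    return [(kind, n, describe(brute_force_seconds(size, n)))
            for kind, size in CHARSETS.items() for n in lengths]


def chance_before_wipe(alphabet_size: int, length: int, attempts: int = 10) -> float:
    """Probability that a guesser finds a uniformly random passcode before the
    erase-after-N-failures setting wipes the phone (N = 10, per the article)."""
    return min(1.0, attempts / keyspace(alphabet_size, length))


if __name__ == "__main__":
    for kind, n, t in timing_table():
        print(f"{kind:30} {n}  {t}")
    print(f"chance of guessing a 4-digit PIN in 10 tries: {chance_before_wipe(10, 4):.2%}")
    print(f"chance of guessing a 6-digit PIN in 10 tries: {chance_before_wipe(10, 6):.4%}")
```

Two points the numbers make clearer than the prose: with the wipe setting on, a 4-digit PIN gives an attacker a 0.1% chance before the phone erases itself, and every extra character multiplies the full-search time by the alphabet size, which is why the growth from 4 to 8 characters is so steep. The model assumes a random passcode; a PIN built from a birthday or a common pattern is found far sooner than the table suggests, so the length advice only holds if the passcode is not guessable from a short list.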