Your iPhone Passcode Isn’t Secure

March 7, 2023 / meritsolutions

If you have an iPhone, you likely unlock it with Face ID or Touch ID. However, after enough time, we all need to punch in our four or six-digit passcodes to gain access. As it turns out, that passcode is a key to just about everything on your iPhone, including your iCloud Account.

Let’s explore the following scenario: You’re out at a busy coffee shop. While you’re waiting for your drink, you pick up your iPhone to check in on some messages. You punch in your passcode without paying much attention, check your messages, then accidentally set the phone down on your table when you hear your name. When you return, the phone is gone.

As it happens, a potential thief spotted you taking out your iPhone, and made careful note of your passcode. Since it’s only a handful of digits, it wasn’t a hard number to memorize. As soon as they saw an opportunity, they took it, swiping your iPhone and disappearing into the crowd.

Once they enter the passcode, they’re in your phone. But they don’t care about your photos or messages. They head straight for your Apple ID settings, specifically the option to reset your password. The issue here is, they know your iPhone passcode, but they don’t know your iCloud password, so you should have some protection, right? Wrong. If you don’t know your iCloud password, Apple simply asks for your iPhone passcode to confirm your identity. They know that, so they enter it. Soon enough, they’ve changed your iCloud password, allowing them to lock you out of both iCloud and any Apple devices attached to it. Not only have you lost your iPhone, you just lost your Mac or iPad as well.

Next up, they target your Passwords in Settings. While they’re protected by Face ID, enough failed attempts trigger a passcode request. They know the passcode, so they’re in again. Now, they search for any banking apps you might use. They find your bank, open its website, then autofill your password into the login page. You might think 2FA will protect you here, but if you use SMS-based 2FA, the bad actor has access to your messages on your iPhone, and can easily pass that checkpoint. You can see where this is going.

Bad passcode practice can cost you your iPhone, your Apple account, and your money. It happens, and it will continue to happen so long as bad actors have a short passcode to memorize before stealing your iPhone.

The easiest thing you can do to prevent this from happening is to take care whenever entering your passcode in public. Treat it like an ATM PIN: Make sure no one can see your iPhone when entering the code.

However, you can do better if you’re up for it. Instead of using a four or six-digit passcode, switch to an alphanumeric passcode, which allows you to use numbers, letters, and characters like any other password. It’s more of a pain to enter, since you have to use a full keyboard to punch in your password, but it’s much more secure, and much more difficult for bad actors to memorize. Plus, you don’t enter your passcode every time you unlock your iPhone, so it’s an occasional thing.
