
6 Digits Are Better Than 4! iOS 9 to Boost Passcode Security


As usual, the world’s technology press watched in anticipation at Apple’s keynote speech at WWDC this week, anxious to turn any titbits of information about upcoming new products and features into news stories.

And although there were plenty of new features announced for the upcoming upgrade to OS X — dubbed El Capitan — perhaps the security news which will impact the most iPhone and iPad users is that Apple will be beefing up security on iDevices running iOS 9, by requiring users to upgrade from a 4-digit passcode to one containing 6 digits.

Two extra digits. Can that really add a whole lot more security?

Well, actually yes.

You see, a six-digit passcode has one million possible combinations instead of 10,000.

Here is how Apple describes the development in their iOS 9 preview:

Six-digit passcodes

The passcode you use on your Touch ID-enabled iPhone and iPad will now have six digits instead of four. If you use Touch ID, it’s a change you’ll hardly notice. But with one million possible combinations — instead of 10,000 — your passcode will be a lot tougher to crack.


Even if you were up against someone determined enough to use a brute force black box to guess your iPhone’s PIN, that approach is far less likely to be considered a practical option once there are a million combinations.

However, good as a six-digit passcode is, my recommendation remains that you should use a complex alphanumeric passphrase, in combination with Touch ID, to secure your precious iPhone or iPad. Just make sure that it’s not a passphrase that you tell anyone else, or that could be easy to guess or crack.

If you like the sound of the additional security benefits that a longer passphrase could give you over a four (or indeed six) digit numerical code, go to Settings > Touch ID & Passcode (on devices with Touch ID) or Settings > Passcode (on other devices). Once there, make sure that you have disabled Simple Passcode, to let you set a longer passphrase, including letters and symbols as well as numbers.

If you are particularly paranoid, you may wish to enable the Erase Data passcode setting, which should ensure that your phone will be wiped after 10 failed attempts to crack the code.
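To put numbers on the comparison above, here is an added example (not from the original article or from Apple) that compares the passcode options discussed: the size of each keyspace, the chance that a guesser gets in before the 10-attempt Erase Data limit wipes the device, and how long exhausting the keyspace would take at a given delay per guess. It assumes a uniformly random passcode (human-chosen codes are weaker), an 8-character passphrase drawn from 62 letters and digits as the alphanumeric case, and a hypothetical one second per guess; none of these figures come from the article.

```python
from dataclasses import dataclass
from fractions import Fraction

ERASE_DATA_LIMIT = 10  # failed attempts before the wipe, as stated in the article


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    alphabet_size: int  # distinct symbols allowed in each position
    length: int         # number of positions

    @property
    def keyspace(self) -> int:
        return self.alphabet_size ** self.length


def guess_success_probability(policy: PasscodePolicy, attempts: int) -> Fraction:
    """Chance that `attempts` distinct guesses include a uniformly random passcode."""
    return Fraction(min(attempts, policy.keyspace), policy.keyspace)


def expected_guesses(policy: PasscodePolicy) -> Fraction:
    """Average guesses for an exhaustive search when nothing limits attempts."""
    return Fraction(policy.keyspace + 1, 2)


def worst_case_days(policy: PasscodePolicy, seconds_per_guess: float) -> float:
    """Days needed to try every combination at a fixed delay per guess."""
    return policy.keyspace * seconds_per_guess / 86_400


POLICIES = [
    PasscodePolicy("4-digit", 10, 4),
    PasscodePolicy("6-digit", 10, 6),
    # Assumed example of an alphanumeric passphrase: 8 chars from a-z, A-Z, 0-9.
    PasscodePolicy("8-char alphanumeric (assumed)", 62, 8),
]


def compare(seconds_per_guess: float = 1.0):
    """Return (name, keyspace, P(hit before wipe), worst-case days) per policy."""
    return [
        (p.name, p.keyspace,
         float(guess_success_probability(p, ERASE_DATA_LIMIT)),
         worst_case_days(p, seconds_per_guess))
        for p in POLICIES
    ]


if __name__ == "__main__":
    for name, keyspace, p_hit, days in compare():
        print(f"{name:30} keyspace={keyspace:>19,}  "
              f"P(hit in {ERASE_DATA_LIMIT})={p_hit:.1e}  worst case={days:,.1f} days")
```

With Erase Data enabled, the chance of a successful guess before the wipe falls from 1 in 1,000 for a four-digit code to 1 in 100,000 for a six-digit one.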

Apple’s decision to boost passcode security couldn’t come at a more appropriate time, thumbing the company’s nose at increasing demands from governments for tech firms to weaken security and water down encryption.

Apple’s move shouldn’t be shrugged off. It underscores that the company is keen to be seen taking the security and privacy of its customers more seriously.

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.