Should you use a PIN or a password to secure your iPhone?

Earlier today, I provided some figures which showed how secure iPhones with the Secure Enclave (Touch ID) are, and how even Apple cannot break into a locked phone if it has that protection.

That assumes, of course, that your passcode is not easy to guess. As iPhones can use either numeric (PIN) passcodes or regular passwords, you might wonder which is the more secure. As ever, the answer is not simple. It depends on the search space which an attacker has if they are to guess the passcode/password.

There are two important properties of this search space which determine whether it is feasible to unlock your iPhone: the size of the space, and its evenness. Switching from a 4 to a 6 digit numeric passcode makes the search space much bigger, and 6 digits provides a search space sufficiently large as to make unlocking impractical.

Consider the very simple example of a single digit passcode. There are only 10 different passcodes, 0-9, so if the search space is even, the average number of guesses required is going to be 5. In reality, humans tend to favour certain numbers, and you could expect that the number 7 was more likely to be chosen than the others. So by guessing 7 first, the average number of guesses will be less than 5.

A 6 digit numeric passcode provides 1,000,000 possible passcodes. If they are all equally probable, the average number of guesses required would be 500,000. At one guess every hour, the task is not worth bothering with.

To match that same search space size using alphanumeric passwords, assuming that only the upper and lower case unaccented letters and digits are used (a total of 62 different characters), you would need a password length of 4 characters. That actually provides a total of nearly 15 million passwords, but 3 characters would only provide 238,328, which falls short.

So a password of equal search space size can be much shorter than a numeric passcode, as you would expect. But that assumes that the search space is even: in reality it is very unlikely to be.

When using digits only, we tend to use numbers which we can recall easily because they mean something else, like a date of birth. These are easy to use for 4 and 6 digit PINs. If the attacker knows nothing about you, they can use this to reduce the effective size of the search space, but not by much. If the attacker is a law-enforcement or security agency – or a criminal who already has the rest of your handbag/purse/wallet – they can easily get lucky in their guessing using your bank card PINs, date of birth, and so on. This can make the search space very uneven, in their favour, and they might guess the passcode within the first few dozen attempts.

When using alphanumeric characters, even as few as 4, we also tend to create very uneven search spaces. These make the protection amenable to dictionary (and other ‘intelligent’) attack, which again can work strongly in favour of the attacker. It is very hard to recall truly random sequences of characters, even as few as 4.

To compensate for this unevenness in the search space, alphanumeric passwords are usually made longer, typically 8 characters, and include some punctuation marks and other symbols.

So looked at on the basis of security alone, there is probably little difference between using a 6 digit numeric passcode and an 8 character alphanumeric password – provided that no attacker will be able to narrow the search field by using other personal data, such as bank card PIN, date of birth, or phone numbers.

The final and most practical consideration for an iPhone is the ease of passcode/password entry. Here 6 digit numeric passcodes win easily over any password which requires a full keyboard, etc.

Whichever you choose, the most important factor is that you make it impossible for an attacker to read, guess, or deduce your passcode from anything else that they may have in their possession. Otherwise that century to crack into your iPhone could become a few minutes.

Finally, should you change your passcode/password every month or so?

The case made for changing passwords at regular intervals is based on others getting to know them. This commonly happens on networks in workplaces, and ensures that every month or so, anyone who has shared (intentionally or not) their password is set back to a state of security. You must of course change any passcode or password if you suspect that it may have become compromised.

But that should never happen with your iPhone. So long as it doesn’t, you are better off using a more secure passcode/password which may be harder to remember, and not writing it down anywhere where it is likely to be accessed by a potential attacker. Changing passwords frequently does not make them any more secure, but it may drive you to use easier to remember passwords which are more easily guessed, or to write them down on a note which could itself be stolen.