{"id":27965,"date":"2023-03-16T14:20:00","date_gmt":"2023-03-16T21:20:00","guid":{"rendered":"https:\/\/www.podfeet.com\/blog\/?p=27965"},"modified":"2023-03-16T14:20:00","modified_gmt":"2023-03-16T21:20:00","slug":"ios-long-numeric-passcod","status":"publish","type":"post","link":"https:\/\/www.podfeet.com\/blog\/2023\/03\/ios-long-numeric-passcod\/","title":{"rendered":"How to Have a Long (but Numeric) Passcode on iPhone\/iPad"},"content":{"rendered":"<p>There has been a lot of (justified) kerfuffle about a recent article by <a href=\"https:\/\/www.wsj.com\/articles\/apple-iphone-security-theft-passcode-data-privacya-basic-iphone-feature-helps-criminals-steal-your-digital-life-cbf14b1a\">Joanna Stern in the Wall Street Journal<\/a>  regarding a relatively easy method for someone to \u201cshoulder surf\u201d to see your four-digit passcode and from there be able to steal your entire Apple ID.   <a href=\"https:\/\/9to5google.com\/2023\/02\/27\/android-pin-google-account-stolen\/\">Android users have the same problem<\/a> \u2014 with the PIN a bad actor with your phone can change your Google account password as well.<\/p>\n<p>Just in case you haven\u2019t heard about the issue, I\u2019ll briefly describe the method (on iOS) and the repercussions. Then I\u2019ll give you a solution that may be easier for you than some others you might have heard about.<\/p>\n<p>On iOS devices, you can use a passcode or a password to unlock your phone (and additionally use biometrics with Touch ID or Face ID).  The passcode defaults to four digits but you can also choose to make it 6 digits, or you can choose to use an alphanumeric password.<\/p>\n<p>If you use a long password to protect your phone, it\u2019s unlikely that someone looking over your shoulder could determine what the password is, but a short numerical code (especially 4 digits) is incredibly easy to ascertain.  
Let\u2019s say someone learns your code, and then subsequently steals your phone.<\/p>\n<p>Now here\u2019s what Joanna Stern discovered, or at least reported. Open Settings on your phone and tap on your avatar at the top to go into Apple ID, iCloud+, Media and Purchases. From there go into Password &amp; Security, and at the top, you\u2019ll see Change Password.<\/p>\n<p>On every system I\u2019ve ever used in my life, the option to Change Password requires knowledge of the current password.  But not on iOS.  Instead of being prompted for the current password, you\u2019re only asked for the code to unlock the <em>phone<\/em>.<\/p>\n<div class=\"group figure-center\">\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/01-Allison-in-Settings.jpeg\" alt=\"Allison Apple ID in Settings choosing Password &amp; Security\"  title=\"01 Allison in Settings.jpeg\" width=\"225 \" height=\"488\"><figcaption style=\"text-align:center\">Choose Password &#038; Security<\/figcaption><\/figure>\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/02-Passcode-Security.jpeg\" alt=\"Change Password in password &amp; security\"  title=\"02 Passcode &#038; Security.jpeg\" width=\"225 \" height=\"488\"><figcaption style=\"text-align:center\">Change Passcode<\/figcaption><\/figure>\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/03-iPhone-Passcode-Can-Change-Apple-ID-Passcode.jpeg\" alt=\"iPhone Passcode Can Change Apple ID Passcode\"  title=\"03 iPhone Passcode Can Change Apple ID Passcode.jpeg\" width=\"225 \" height=\"488\"><figcaption style=\"text-align:center\">Passcode Can Change Apple ID Password<\/figcaption><\/figure>\n<\/div>\n<p>Think about that. 
You\u2019ve gone to great trouble to use a long, strong password to protect your Apple ID, but someone with knowledge of the simple code to unlock your iPhone or iPad now <em>owns<\/em> you.  It\u2019s a reasonable assumption that your Apple ID is also your main email address.  Guess what goes to your email address? Password resets on other services.<\/p>\n<p>Now someone can change your Apple ID password, log into it on iCloud.com, go to your banking website, and change your password there too.<\/p>\n<p>If you use iCloud Keychain to store your passwords, they now have <em>all<\/em> of those without even bothering to change them.<\/p>\n<p>They literally will have stolen the Crown Jewels just by knowing your passcode to your phone.<\/p>\n<p>I think often about the 4-digit passcode in other contexts. Have you ever used the same code to disarm your house alarm? Is it the same code as on your ATM? Is it the same code on your gym locker? If any of these are the same it\u2019s a pretty easy thing to steal even more than your Apple ID access.<\/p>\n<h3>But What Can We Do About It?<\/h3>\n<p>Ok, enough alarming talk. What\u2019s the best thing to do to protect yourself?  The best thing you can do is change your phone\u2019s passcode to a long alphanumeric password.  The longer and more complicated it is, the harder it is for someone to see what you\u2019re typing and remember it.<\/p>\n<p>While this is definitely the best thing, it may not be practical for you, or you may weigh the probability of this happening to you against how annoying that tiny keyboard is to type on accurately and choose not to use an alphanumeric password.<\/p>\n<p>Another option is to choose a 6-digit passcode instead of the default of 4 digits.  While 6 is harder to watch and memorize than 4, it\u2019s not <em>that<\/em> much harder.  
The shoulder surfer can also see before you start typing that there are 6 dots to fill in rather than 4, so they can be ready to watch for all 6.<\/p>\n<p>So the numeric passcode is too easy to spot, and the alphanumeric password is too hard to type \u2026 but there\u2019s actually a middle ground.<\/p>\n<p>It turns out you can create a passcode of indeterminate length!<\/p>\n<p>If you go into Settings and choose Face ID &amp; Passcode, then choose Change Passcode, you\u2019ll be asked to enter your current passcode\/password. Once you get past that prompt, it will offer you three options.<\/p>\n<ul>\n<li>Custom Alphanumeric Code<\/li>\n<li>Custom <em>Numeric<\/em> Code<\/li>\n<li>4-Digit Numeric Code<\/li>\n<\/ul>\n<p>After that you enter a numeric code of any length you choose (longer being of course better).  The cool part about the indeterminate length is how it changes the look of your lock screen. Instead of showing 4 dots for a 4-digit passcode or 6 dots for a 6-digit passcode, it just says Enter Passcode with a text box under it. 
No one but you knows how many digits you have in your code.<\/p>\n<div class=\"group figure-center\">\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/01-Settings-Choose-Face-ID-Passcode.png\" alt=\"Settings Choose Face ID  Passcode\"  title=\"01 Settings Choose Face ID &#038; Passcode.PNG\" width=\"200 \" height=\"488\"><figcaption style=\"text-align:center\">Choose Face ID &#038; Passcode<\/figcaption><\/figure>\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/02-Choose-Change-Passcode.png\" alt=\"Choose Change Passcode\"  title=\"02 Choose Change Passcode.PNG\" width=\"200 \" height=\"488\"><figcaption style=\"text-align:center\">Choose Change Passcode<\/figcaption><\/figure>\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/03-Choose-Custom-Numeric-Code.png\" alt=\"Choose Custom Numeric Code\"  title=\"03 Choose Custom Numeric Code.PNG\" width=\"200 \" height=\"488\"><figcaption style=\"text-align:center\">Choose Custom Numeric Code<\/figcaption><\/figure>\n<figure style=\"float: left; margin-right: 10px\"><img decoding=\"async\" src=\"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/04-Lock-Screen-Does-Not-Show-How-Many-Digits.png\" alt=\"Lock Screen Does Not Show How Many Digits\"  title=\"04 Lock Screen Does Not Show How Many Digits.PNG\" width=\"200 \" height=\"488\"><figcaption style=\"text-align:center\">Lock Screen Doesn&#8217;t Reveal # of Digits<\/figcaption><\/figure>\n<\/div>\n<p>Clearly, a long numeric code is not as good as an alphanumeric passcode. The same reason it\u2019s hard to type on the alphanumeric keyboard is the reason it\u2019s hard for someone to figure out what you\u2019re typing.  
But for me, it\u2019s a good compromise because I find it incredibly difficult to type on that tiny alphanumeric keyboard.<\/p>\n<h3>Bottom Line<\/h3>\n<p>The bottom line is that there is a vulnerability we didn\u2019t know about before in the way Apple and Google protect our most precious password. Evidently Apple left open this easy method to reset your password because so many people forget their Apple ID passwords. Maybe it was a lot of work for Apple to deal with people saddened by the loss of access to all of their data. I wish those of us with good password hygiene (such as using a third-party password manager) could turn this \u201cfeature\u201d off.  Remember, iCloud Keychain passwords are vulnerable if someone knows the passcode to your phone.<\/p>\n<p>I hope whatever you do, you type your passcode or password into your phone in a way that no one can see what you\u2019re typing!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There has been a lot of (justified) kerfuffle about a recent article by Joanna Stern in the Wall Street Journal regarding a relatively easy method for someone to \u201cshoulder surf\u201d to see your four-digit passcode and from there be able to steal your entire Apple ID. 
Android users have the same problem \u2014 with the [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":27967,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[147],"tags":[5718,134,50,4586],"class_list":["post-27965","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog-posts","tag-iphone-passcode","tag-password","tag-security","tag-vulnerability"],"jetpack_featured_media_url":"https:\/\/www.podfeet.com\/blog\/wp-content\/uploads\/2023\/03\/Enter-Passcode-Indeterminate-Length.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/comments?post=27965"}],"version-history":[{"count":2,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27965\/revisions"}],"predecessor-version":[{"id":27968,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/posts\/27965\/revisions\/27968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media\/27967"}],"wp:attachment":[{"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/media?parent=27965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/categories?post=27965"},
{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.podfeet.com\/blog\/wp-json\/wp\/v2\/tags?post=27965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}