How many wrong passcode attempts on iPhone?

Passcodes provide an essential layer of security and privacy on iPhones by preventing unauthorized access. When enabled, users must enter the correct numeric passcode or passphrase on the lock screen to gain entry into the iPhone. This protects sensitive content and data stored on the device, such as contacts, photos, messages, and apps. Without the passcode, the iPhone cannot be unlocked or used. Implementing a strong and unique passcode is one of the best ways iPhone users can secure their device.

Default Attempts

By default, an iPhone running iOS 16 is configured to allow up to 10 consecutive failed passcode attempts before the device is disabled. After the sixth failed attempt, users must wait one minute before trying again. After the seventh failed attempt, the delay increases to five minutes. The eighth attempt results in a 15-minute lockout. On the tenth failed attempt, the iPhone disables itself entirely.

According to Apple’s support documentation, “If you enter the wrong passcode too many times, you’ll see a message that your iPhone is disabled. You’ll need to erase your iPhone, which deletes all of your data and settings.” [1]

This default setting of 10 attempts is designed to balance security and usability. It allows some room for honest mistakes while strongly discouraging brute force passcode cracking attempts.

Failed Attempts

iOS implements an escalating timeout after each failed passcode attempt to deter brute force attacks. After the first failed attempt, there is no delay. However, after the second failed attempt, there is a 1 minute delay before another attempt can be made. This increases to 5 minutes after the third failed attempt, 15 minutes after the fourth, and 1 hour after the fifth failed attempt.

According to Apple’s support documentation, after 10 consecutive failed passcode attempts, the iPhone will erase all data and settings. This is to protect sensitive user data in case the device falls into the wrong hands.

Some sources indicate the maximum number of failed attempts may be less than 10 depending on the model and iOS version. In any case, the increasingly long delays are designed to deter brute forcing of simple or weak passcodes.

Data Erasure

After 10 consecutive failed passcode attempts, an iPhone will automatically erase all data and settings (Erase data after 10 failed attempts, 2022). This security measure is enabled by default to protect personal information if the device ends up in the wrong hands.

Specifically, the following data will be erased after 10 failed passcode attempts:

  • Contacts
  • Photos
  • Messages
  • Call history
  • Calendars
  • Reminders
  • Apps
  • Music
  • Settings and preferences

In short, all personal content and customized settings are wiped and the iPhone is reset to factory settings. This makes it difficult for someone who finds or steals an iPhone and does not know the passcode to access private data.

Brute Force Attacks

A brute force attack is a method of gaining access to a device or system by trying many passcode permutations: the attacker submits every possible passcode combination until the correct one is found. With the iPhone’s limit of 10 failed attempts before data erasure, brute forcing passcodes seems infeasible. However, research has shown ways to bypass this restriction.

In 2016, Cambridge researcher Sergei Skorobogatov demonstrated the viability of NAND mirroring to bypass passcode limits on an iPhone 5c. By mirroring the NAND flash memory chip, he could restore the phone to its state before the failed attempts and brute force passcodes offline without limitations (Threatpost). More recently, in 2021, researchers at Johns Hopkins University analyzed brute forcing of 4-digit iPhone passcodes. They determined that all 10,000 combinations could be tested in as little as 7 hours depending on variables. This suggests brute force attacks are possible despite Apple’s safeguards (Let’s Take it Offline: Boosting Brute-Force Attacks on iPhone Passcodes).

Mitigations

Apple has built several mitigations into iOS against brute force attacks on the passcode. According to Apple’s iOS security guide, after a certain number of failed passcode attempts the iPhone will automatically erase all data on the device as a security precaution (https://support.apple.com/guide/iphone/use-built-in-privacy-and-security-protections-iph6e7d349d1/ios). This prevents an attacker from endlessly trying different passcode combinations, and the automatic erasure serves as a strong deterrent against brute force cracking methods.

Another mitigation is to use longer, more complex passcodes. The default 4-digit passcode only provides 10,000 possible combinations. But by using a 6-digit passcode, the number of potential combinations increases to 1 million, making it much harder for an attacker to guess. According to security experts, longer alphanumeric passcodes provide the highest level of protection against brute forcing (https://arstechnica.com/civis/threads/iphone-security-%E2%80%93-best-practices.1490271/). Enabling longer and more complex passcodes is a simple way to improve iPhone security against unauthorized access attempts.
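The following Python model, added here and not part of the original article, simulates the escalating lockout schedule from the “Failed Attempts” section together with the 10-attempt erase limit, and shows what an online guessing run against a 4-digit code looks like under it. The delay values and the erase threshold are taken from the text above; the secret passcodes and the sequential guessing order are constructed assumptions.

```python
from dataclasses import dataclass

# Seconds of lockout imposed after the n-th consecutive failure, as the
# "Failed Attempts" section describes: none after the 1st, 1 min after
# the 2nd, 5 min after the 3rd, 15 min after the 4th, 1 h from the 5th on.
DELAY_AFTER_FAILURE = {1: 0, 2: 60, 3: 300, 4: 900, 5: 3600}
ERASE_AFTER = 10  # consecutive failures before the device erases itself


@dataclass
class PasscodeLock:
    secret: str            # constructed example secret, not a real device value
    failures: int = 0
    erased: bool = False
    clock: float = 0.0     # simulated wall-clock seconds
    locked_until: float = 0.0

    def delay_after(self, n: int) -> int:
        # Delays beyond the 5th failure stay at the 1-hour maximum.
        return DELAY_AFTER_FAILURE.get(n, DELAY_AFTER_FAILURE[5])

    def try_unlock(self, guess: str) -> str:
        if self.erased:
            return "erased"
        if self.clock < self.locked_until:
            return "locked"          # attempt rejected during the timeout
        if guess == self.secret:
            self.failures = 0        # a success resets the counter
            return "unlocked"
        self.failures += 1
        if self.failures >= ERASE_AFTER:
            self.erased = True       # Erase Data triggers on the 10th failure
            return "erased"
        self.locked_until = self.clock + self.delay_after(self.failures)
        return "wrong"

    def wait_out_lockout(self) -> None:
        self.clock = max(self.clock, self.locked_until)


def online_guess_run(secret: str, digits: int) -> tuple[int, float, bool]:
    """Try codes 000.. upward, waiting out each lockout.

    Returns (attempts used, simulated seconds elapsed, whether it unlocked).
    """
    lock = PasscodeLock(secret)
    for i in range(10 ** digits):
        lock.wait_out_lockout()
        result = lock.try_unlock(str(i).zfill(digits))
        if result in ("unlocked", "erased"):
            return i + 1, lock.clock, result == "unlocked"
    return 10 ** digits, lock.clock, False
```

Against a code that is not among the first ten guesses, the run ends in an erase after 10 attempts and roughly 5 h 21 min of enforced waiting, which is why the paper cited above moves the attack offline instead.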

Custom Settings

Admins and IT professionals have the ability to customize passcode attempt limits and other policies through mobile device management (MDM) solutions like Apple Business Manager. According to Apple’s support documentation, custom passcode policies can be enforced for managed devices.

For enterprise organizations that manage a large number of iPhones and iPads, custom passcode configurations allow admins to tailor security settings based on their needs. This includes setting a custom maximum number of failed passcode attempts before data is erased. Passcode policies can also enforce requirements for passcode length, complexity, history, grace periods, and more.

By leveraging Apple’s management tools and APIs, IT teams can balance security and usability for their environment. Custom policies provide enhanced control while still using the native iOS passcode system. According to Apple’s deployment guide, these custom payload settings allow enterprises to configure passcode behavior to meet their specific requirements.

Forgotten Passcodes

If you forget your iPhone passcode, there are a couple of options to recover your data and reset the passcode.

You can reset the passcode through Find My iPhone if you have an Apple ID linked to the device. This allows you to erase the device remotely and remove the passcode without losing your data. According to Apple Support, you can erase and reset the passcode by putting your device in recovery mode and restoring from a backup (source).

Alternatively, you can take the device to an Apple Store or Apple Authorized Service Provider. They can reset the passcode for you if you provide valid proof of purchase and government-issued photo ID. This will allow you to recover your data while removing the forgotten passcode.

If you don’t have a backup or proof of purchase, the only option is to factory reset the device. This will erase all data and settings, removing the passcode but also all your personal content. You would need to set up the device again as new after the reset.

Face ID

The Face ID feature on iPhones allows a limited number of failed face recognition attempts before requiring the passcode. According to Apple Support, Face ID allows only five unsuccessful match attempts before requesting the device passcode. After five failed attempts, users must enter their passcode to gain access to the iPhone.

Face ID uses advanced technology to map the geometry of a user’s face and create a mathematical representation for authentication purposes. The probability of a false match is estimated to be about 1 in 1,000,000 with Face ID according to Apple (source). This makes it very secure against false acceptance while allowing a reasonable number of attempts.

If Face ID fails to recognize a user’s face after five attempts, the iPhone locks and requires passcode entry. Face ID will automatically reset after successful passcode entry or after 48 hours of non-use. There is no option to erase data after 10 consecutive failed Face ID attempts like there is for passcodes.

Conclusion

In summary, the default number of failed passcode attempts on an iPhone before it gets disabled is 6. At 5 attempts, users are given a 1-minute timeout before another attempt. After 6 failed attempts, the iPhone is disabled and requires connecting to iTunes to restore. However, users can enable the Erase Data option to automatically wipe the device after 10 attempts. Though unlikely, brute force attacks are possible but can be mitigated through longer passcodes. If you forget your passcode, recovery options like resetting or Face ID may help regain access. Overall, the passcode lock provides robust security while giving users options to customize settings.

The key takeaways are:

  • Default is 6 passcode attempts before disable
  • Customizable Erase Data option after 10 attempts
  • Use longer and complex passcodes
  • Set up Face ID as a fallback
  • Reset through iTunes if forgotten

Following these best practices will help maximize security while ensuring access to your device.