There has been a lot of (justified) kerfuffle about a recent article by Joanna Stern in the Wall Street Journal regarding a relatively easy method for someone to “shoulder surf” to see your four-digit passcode and from there be able to steal your entire Apple ID. Android users have the same problem — with the PIN, a bad actor who has your phone can change your Google account password as well.
Just in case you haven’t heard about the issue, I’ll briefly describe the method (on iOS) and the repercussions. Then I’ll give you a solution that may be easier for you than some others you might have heard about.
On iOS devices, you can use a passcode or a password to unlock your phone (and additionally use biometrics with Touch ID or Face ID). The passcode defaults to four digits but you can also choose to make it 6 digits, or you can choose to use an alphanumeric password.
If you use a long password to protect your phone, it’s unlikely that someone looking over your shoulder could determine what the password is, but a short numerical code (especially 4 digits) is incredibly easy to ascertain. Let’s say someone learns your code, and then subsequently steals your phone.
Now here’s what Joanna Stern discovered, or at least reported. Open Settings on your phone and tap your avatar at the top to go into Apple ID, iCloud+, Media & Purchases. From there go into Password & Security, and at the top you’ll see Change Password.
On every system I’ve ever used in my life, the option to Change Password requires knowledge of the current password. But not on iOS. Instead of being prompted for the current password, you’re only asked for the code to unlock the phone.
Think about that. You’ve gone to great trouble to use a long, strong password to protect your Apple ID, but someone with knowledge of the simple code to unlock your iPhone or iPad now owns you. It’s a reasonable assumption that your Apple ID is also your main email address. Guess what goes to your email address? Password resets on other services.
Now someone can change your Apple ID password, log into it on iCloud.com, go to your banking website, and change your password there too.
If you use iCloud Keychain to store your passwords, they now have all of those without even bothering to change them.
They literally will have stolen the Crown Jewels just by knowing your passcode to your phone.
I think often about the 4-digit passcode in other contexts. Have you ever used the same code to disarm your house alarm? Is it the same code as on your ATM? Is it the same code on your gym locker? If any of these are the same it’s a pretty easy thing to steal even more than your Apple ID access.
But What Can We Do About It?
Ok, enough alarming talk. What’s the best thing to do to protect yourself? The best thing you can do is change your phone’s passcode to a long alphanumeric password. The longer and more complicated it is, the harder it is for someone to see what you’re typing and remember it.
While this is definitely the best thing, it may not be practical for you, or you may weigh the probability of this happening to you against how annoying that tiny keyboard is to type on accurately and choose not to use an alphanumeric password.
Another option is to choose a 6-digit passcode instead of the default of 4 digits. While 6 is harder to watch and memorize than 4, it’s not that much harder. The shoulder surfer can also see before you start typing that there are 6 dots to fill in rather than 4, so they can be ready to watch for all 6.
So the numeric passcode is too easy to spot, and the alphanumeric password is too hard to type … but there’s actually a middle ground.
It turns out you can create a passcode of indeterminate length!
If you go into Settings and choose Face ID & Passcode, then choose Change Passcode, you’ll be asked to enter your current passcode/password. Once you get past that prompt, it will offer you three options.
- Custom Alphanumeric Code
- Custom Numeric Code
- 4-Digit Numeric Code
Choose Custom Numeric Code, and after that you enter a numeric code of any length you choose (longer being of course better). The cool part about the indeterminate length is how it changes the look of your lock screen. Instead of showing 4 dots for a 4-digit passcode or 6 dots for a 6-digit passcode, it just says Enter Passcode with a text box under it. No one but you knows how many digits you have in your code.
Clearly, a long numeric code is not as good as an alphanumeric passcode. The same reason it’s hard to type on the alphanumeric keyboard is the reason it’s hard for someone to figure out what you’re typing. But for me, it’s a good compromise because I find it incredibly difficult to type on that tiny alphanumeric keyboard.
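To put some numbers on the comparison above, here is an added Python example (not from the original post, and not Apple’s own logic) that counts how many codes a guesser who did not watch you type would have to consider under each passcode style, and flags a few weak patterns worth avoiding when you pick a long custom numeric code. The 94-symbol alphanumeric alphabet, the assumed 4-to-10 digit range for a custom numeric code, and the weak-pattern heuristics are all assumptions constructed for illustration.

```python
import math
import string

# Alphabet sizes for the passcode styles discussed in the post.
# Assumption: the alphanumeric keyboard is modelled as letters, digits
# and ASCII punctuation (94 symbols); iOS's real keyboard may differ.
NUMERIC = len(string.digits)                                              # 10
ALPHANUMERIC = len(string.ascii_letters + string.digits + string.punctuation)  # 94


def candidates_fixed(alphabet, length):
    """Codes a guesser must consider when the lock screen reveals the length
    (4 or 6 dots) and the alphabet is known."""
    return alphabet ** length


def candidates_unknown(alphabet, min_len, max_len):
    """Codes a guesser must consider when the lock screen only says
    'Enter Passcode': the length itself becomes part of the secret, so every
    length from min_len to max_len has to be covered."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def bits(count):
    """Search space expressed in bits (log2 of the candidate count)."""
    return math.log2(count)


def compare_policies(max_numeric_len=10, alnum_len=8):
    """Bits of search space for each passcode style; lengths are assumptions."""
    return {
        "4-digit numeric": bits(candidates_fixed(NUMERIC, 4)),
        "6-digit numeric": bits(candidates_fixed(NUMERIC, 6)),
        f"custom numeric, length unknown (4..{max_numeric_len})":
            bits(candidates_unknown(NUMERIC, 4, max_numeric_len)),
        f"alphanumeric, {alnum_len} chars": bits(candidates_fixed(ALPHANUMERIC, alnum_len)),
    }


def weak_numeric_patterns(code):
    """Return a list of reasons a custom numeric code is easy to guess or to
    remember after a glance. Constructed heuristics, not an exhaustive check."""
    if not code.isdigit():
        raise ValueError("numeric passcode expected")
    reasons = []
    if len(set(code)) == 1:
        reasons.append("all digits identical")
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    if len(code) >= 3 and (steps == {1} or steps == {-1}):
        reasons.append("ascending or descending run")
    # A short block typed over and over (e.g. 121212) is as easy to catch as the block itself.
    for block in range(2, len(code) // 2 + 1):
        if len(code) % block == 0 and len(set(code)) > 1 and code == code[:block] * (len(code) // block):
            reasons.append("repeated block")
            break
    if len(code) == 4 and 1900 <= int(code) <= 2099:
        reasons.append("looks like a year")
    return reasons


if __name__ == "__main__":
    for policy, b in compare_policies().items():
        print(f"{policy:45s} {b:6.2f} bits")
    for sample in ("1111", "123456", "121212", "1985", "7402918365"):  # constructed samples
        print(sample, weak_numeric_patterns(sample) or "no obvious pattern")
```

The counts model a guesser who never saw the entry; a shoulder surfer who watched the whole thing knows the length regardless, which is why the post still recommends typing where no one can see. The point the numbers make is the one in the text: hiding the length turns it into part of the secret, and every extra digit multiplies the space by ten.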
Bottom Line
The bottom line is that there is a vulnerability we didn’t know about before in the way Apple and Google protect our most precious password. Evidently Apple left this easy method to reset your password open because so many people forget their Apple ID passwords. Maybe it was a lot of work for Apple to deal with people saddened by the loss of access to all of their data. I wish those of us with good password hygiene (such as using a third-party password manager) could turn this “feature” off. Remember, iCloud Keychain passwords are vulnerable if someone knows the passcode to your phone.
I hope whatever you do, you type your passcode or password into your phone in a way that no one can see what you’re typing!
Minor correction: vulnerable if they know your passcode AND have the device that uses that passcode. (Also, all my devices share the same passcode).
Good point Philip!
Scary. I think, if a thief has your iPhone and passcode, then it is also possible for that person to get into your 1Password vault. The thief can change your biometrics to her/his face and then unlock 1Password with Face ID. Am I correct?
I looked at the website of 1Password and could not find information about this or an option to set a PIN for 1Password on iOS. It is hard to switch off Face ID for 1Password, because typing my whole secure 1Password password is a PITA on an iPhone keyboard.
Hi Frank, that’s a great question. Luckily, it doesn’t work that way. In the Face ID instructions for 1Password it says that you need to unlock with your master password if you change your Face ID.
https://support.1password.com/face-id/
Thanks for the information. That’s good to hear.