By my last count, since you can't use emoji in your passcode (yet), a 4-character passcode with the iOS keyboard is a little over 1 billion combinations.
The formula is n^x, where n is how many possible values a character can have, and x is the number of such characters, that can be independently chosen.
So, for alpha numerical combination containing a..z, A..Z, 0..9 and special symbols like `~!@#$%^&*()_+-=;:'"[]{}.,
Alpha-numeric 4 characters: 59,969,536 combinations - 7 days to unlock (at most).
Alpha-numeric 6 characters: 464,404,086,784 combinations - at most 147 YEARS to unlock (at most).
Alpha-numeric 8 characters: 3,596,345,248,055,296 combinations - at most 1,140,393 YEARS to unlock (at most)....lol.
You missed a lot. Remember this is an iOS virtual keyboard, not some crappy website which still has a link for "Webmaster" at the bottom of the page so you can do a long hold on many of the characters to get considerably more options within a fraction of a second. For example, you can create the following password:
And that's just by having the American English keyboard enabled. I assume that if you have others you add all those Unicode characters to the password palette, but I have yet to test that, hence my statement of more than 1 billion for 4 characters if you enable the full keyboard. Some take too long to enter, like the 'ā' (the small letter 'a' with a macron, U+010) because you have to press the 'a' (Latin small letter 'a', U+0061) on the left side of the keyboard and then go to the 9th option to the right, but most are very fast and easy.
edit: A quick and dirty recount brings it to around 210 character options for the American English keyboard with iOS 11.3, with around 97 of them being visible without a long-hold. If that count is correct, that brings the American English iOS keyboard to over 1.9 billion options with just 4 characters. I do have a much longer passphrase for my iPhone since it's not something I have to type in often, but it does employ at least one of the very special characters because the effort required is nearly non-existent.
Since 4 characters is fairly unrealistic, if we even assume a short, 8-character passcode I think that would bring the total possibilities to 3,782,285,936,000,000,000 (3.7 quintillion?), and excluding the very special characters to 7,837,433,594,376,960 (7.8 quadrillion?).
It's actually more of an effort to not have the 4-digit PIN on my Watch, which I do have to input daily. The reason for this is that only the 4-digit PIN on watchOS will auto-submit. Any other length, be it 3 or 5 or more digits, requires you to hit 'OK' before it tries to authenticate. Since I use it to unlock my Mac I'm fine with an extra second of tapping on my Watch every day.
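The n^x formula and the alphabet sizes quoted in the posts above (88, 97 and 210), worked through as an added example that is not part of any poster's comment. The guess rate is an assumption back-derived from the thread's "88^4 in at most 7 days" figure, and the example goes one step further than the thread by solving for the shortest passcode length that meets a target worst-case time.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Alphabet sizes taken from the thread; "digits only" is added for comparison.
ALPHABETS = {
    "digits only": 10,
    "88-symbol set from the thread": 88,
    "American English keyboard, no long-hold": 97,
    "American English keyboard, with long-hold": 210,
}


def keyspace(n: int, x: int) -> int:
    """n**x: n possible values per character, x independently chosen characters."""
    if n < 1 or x < 0:
        raise ValueError("need n >= 1 and x >= 0")
    return n ** x


# Assumption: the thread never states a guess rate. This one is back-derived
# from its figure of 88**4 combinations in at most 7 days (~99 guesses/second).
ASSUMED_RATE = keyspace(88, 4) / (7 * SECONDS_PER_DAY)


def worst_case_seconds(n: int, x: int, rate: float = ASSUMED_RATE) -> float:
    """Time to try every combination once at a constant guess rate."""
    return keyspace(n, x) / rate


def entropy_bits(n: int, x: int) -> float:
    """Keyspace expressed in bits, valid only for uniformly random passcodes."""
    return x * math.log2(n)


def min_length(n: int, target_years: float, rate: float = ASSUMED_RATE) -> int:
    """Smallest x whose worst-case exhaustion time reaches target_years."""
    if n < 2:
        raise ValueError("an alphabet of one symbol never reaches the target")
    needed = target_years * SECONDS_PER_YEAR * rate  # combinations required
    x = 1
    while keyspace(n, x) < needed:  # integer comparison, no log rounding issues
        x += 1
    return x


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def report(lengths=(4, 6, 8), target_years: float = 100) -> list:
    """One summary line per alphabet: worst-case times and the minimum length."""
    rows = []
    for name, n in ALPHABETS.items():
        times = ", ".join(
            f"{x} chars: {humanize(worst_case_seconds(n, x))}" for x in lengths
        )
        rows.append(
            f"{name} (n={n}, {math.log2(n):.2f} bits/char): {times}; "
            f"{min_length(n, target_years)} chars for >= {target_years} years"
        )
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

The figures hold only for randomly chosen passcodes; a passcode picked from a predictable pattern covers far less than the full n^x space.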
Currently, a friend or associate, as a cruel prank, or your kid, not knowing the implications could enter password after password in an attempt to unlock your phone. So having the wipe my phone clean after 10 consecutive failed attempts is a dangerous option to enable.
I’d prefer there be a second ‘security’ password, required to be at least 16 characters long and alphanumeric. After 10 consecutive failed attempts at your normal, presumably conveniently short password, it locks that password until the longer security password is entered. And perhaps the wipe my phone clean after... setting would apply to that password, but after say 10,000 attempts, sufficiently high to prevent someone doing so as a prank, but sufficiently few attempts to give little opportunity for unlock to a GrayKey type device.
You missed a lot. Remember this is an iOS virtual keyboard, not some crappy website which still has a link for "Webmaster" at the bottom so you can do a long hold on many of the characters to get considerably more options within a second. For example, you can create a password with the following characters: ₽㧰
And that's just by having the English keyboard enabled. I assume that if you have others you add all those Unicode characters to the password palette, but I have yet to test that, hence my statement of more than 1 billion for 4 characters.
1. I did not miss anything. I simply stated that for 88 possible values per character, those would be the numbers, given the assumptions I made.
2. Not sure if extended character sets are supported by the encryption algs. By the looks of it, accented letters are not accessible from the English keyboard when iOS asks for an alpha-numerical password, so my guess is that it might not be. That is why I went with a safe bet that always works.
That would not work if there is a virtual version of that phone, on which you try various pass codes. That is because a 4 digit passcode is the weakest link that will be broken long before a 16-character passcode protection kicks in. The same with data wiping protocol. You need only one attempt to try the code. If it isn't the right one - reset everything and try again. That will make "wipe after 10 attempts" condition unreachable, as well.
In short, there should be no fallback mechanism. A long enough password MUST BE the one we use every day!
From what I can see in all these articles, it is quite clear that iPhones are being brute-forced. That means, that the only way to prevent that brute-force breaking of the passcode would be by making the code long enough and complex enough, so no one would have even a shred of hope of unlocking it before the end of the times.
Let's revisit what you wrote: "where n is how many possible values a character can have" which you then followed up by claiming it would be roughly 88 potential characters. I understand if you've never thought about it before (I doubt many have), but after the facts are presented to you to then claim that you purposely chose not to consider all those possible characters is just shameful.
And it's not like your defense was that the long-hold is too long as you still failed to account for many characters that don't require a long hold to access. For example, in your list of special characters you choose the '~' (tilde, U+007E) as an option (as is commonly allowed), but not the '|' (vertical bar, U+007C) to its immediate left or the '<' (less-than sign, U+003C) to its immediate right on the iOS keyboard which tells me you didn't even look at the iOS keyboard before claiming how many possible options there were. You very clearly looked at this from the PoV of a web login, not iOS.
“Do the best you can until you know better. Then when you know better, do better.” —Maya Angelou.
Has anyone bought a GrayKey and tried it? Does it actually work as advertised?
With an entry-level cost of $15K, which has to be connected to the internet, used on one location, and only allows for 300 devices to be cracked (which is only $50 per device), I'd be surprised if any tech review sites will pony up the cash… assuming they'd be allowed to buy it at all.
I can't help but wonder if this is a flash-in-the-pan product that Apple could quickly make obsolete with the next iOS update. The only reported screenshot I've seen of the device was cracking an iPhone X running iOS 11.2.5; which isn't to say that it won't work with the current iOS 11.3, or later versions.
It'll be interesting to see if this has legs. Maybe they'll at least be able to do what jailbreakers have been doing for a decade by chasing each new iOS revision after the fact.
That's a real interesting concept. With some sort of character disbursement into your 6-digit code it could be almost unbreakable.
I don't think it will be illegal to purchase, although the sellers may not want it to be reviewed.... I was just wondering whether anyone on this site has bought one just for kicks (there are a lot of very wealthy people on this site).
Besides adding more options, I would bet from an Accessibility standpoint that certain people would be better at remembering and/or seeing long and/or complex passcodes if they included ideograms.
I just did a very, very rough count and came up with 2,802 emoji options in iOS 11.3. I'm not even going to run the numbers since that's clearly excessive.
One unique thing with emoji characters—at least on iOS and macOS—that would likely reduce the number of options is that when you select a non-Simpson's yellow skin tone it will save that option as the default. I know emoji have Unicode values, but I don't know if the skin tone is a unique Unicode character or if it's some sort of special addendum to the original Unicode that gets applied in text when it follows a certain order.
There's also the issue if this gets applied to a website. If, for example, you go to log into Twitter via Safari on your Mac using your Emoji-capable passcode and then try to log in on Android or Windows, you'll have an issue because the ideograms look different.
For the most part it should be pretty obvious and future websites could design the options with ones that are absolutely recognizable across platforms, but it's still a consideration that would need to be well vetted. But to suggest websites adding this as an option isn't a realistic option at this point considering how limited so many are right now in both character options and length.
Oh, I don't mean illegal to sell, just that they may not want to sell to just anyone. That said, I can see a scenario where they would want it to be a law enforcement agency buying the device as gangs move into the lucrative ID theft business which might bite them in the arse, at least with legal fees -or- not wanting Apple to get their hands on it to figure out how to keep it from working.
For most people, the danger here is not from law enforcement -- but from private thieves who steal phones and then unlock them to uncover personal/financial info that can be used or sold...
Clearly Apple makes the assumption that the ‘wipe after 10 consecutive failed attempts’ would be adequate, meaning they assume nobody would be able to virtualize the phone. The fact that GrayKey can, using a jailbreak-like exploit, is something Apple would consider a security hole and presumably would work to patch. Once patched, we’re back to the context within which I made my suggestion. Unless we should simply abandon the idea of that context as eventually being unbreakable. I’d rather Apple continue to attempt to secure the iPhone against any and all exploits, because if they try then maybe they’ll actually accomplish that objective one day. If they don’t try, then your advice is best; just use long passwords that may contain a large selection of characters to make brute forcing the thing realistically impossible. Well, until a quantum computer of sufficient capability renders even the longest password moot.
That's the advantage of using face id or touch id, you don't need to put those silly short passwords for convenience sake.
Except you’re required by law to use your fingerprint or face to unlock your device under penalty of felony. A passcode has to be hacked like this. Also, cops can’t beat you up and use a part of your unconscious body to type in a passcode if they wanted to abuse the law. There’s no advantage, legal or otherwise.
Fingerprint or face? Only in response to an appropriate warrant.
Or probable cause. If an officer stops you and smells alcohol on your breath, or sees something "suspicious" (real or imagined, the judge will believe him, not you) in your car, that constitutes probable cause to search you and your car at that point in time, without a warrant. If your phone is in your possession, or in the possession of a passenger, or in your car, it's included in the search, and if you have it secured only with your fingerprint or face, you are legally required to unlock it.
I'd also like a feature where if anybody yelled in anger near my phone that it would not unlock without then requiring BOTH, else it would require just biometric.
How about if facial recognition could let me program in a winking pattern or funny face or something? Better, it could give me a clue of WHICH of the facial actions were required. I'd know if the image on the screen raised an eyebrow that I'm supposed to frown. or some such.
The cost of implementing these fringe case methods vs the payoff to customers vs confusion and accidental use is such that it will never happen.
Well, even the quantum computer is limited by the interface it attaches to. So, it wouldn't help unless it has access to the encrypted disk maybe.
"I understand if you've never thought about it before" I am pretty sure I did, given my background and master's degree in computer science. But, what do I know. Combinatorics is definitely beyond my understanding. /s
"but after the facts are presented to you to then claim that you purposely chose not to consider all those possible characters is just shameful." This is complete nonsense! What I gave was just ONE example, with all the assumptions CLEARLY STATED. Nowhere I claimed that that example covers all possible cases, nor I stated that that was an example of the most secure system, using the largest possible variability of characters for the pass code. That was just you pulling those assumptions from your arse right there, and then trying to "gotcha" me on that.
Show me, where I stated that 88 possible values for one character is the largest set one can get in iOS, please! Point to a specific line in my comment, that states what you implied/said it states! Thank you!
It probably wouldn't help for this device, but they really should have it progressively delay entry for a longer time period for each failed attempt. It's silly to have such a simplistic, 10 tries and it erases. That means most people aren't going to even use it, as anyone with kids would have their phone erased far too often. It wouldn't solve these special hardware-crack methods, but it would make the feature way more usable.
anton zuykov said: From what I can see in all these articles, it is quite clear that iPhones are being brute-forced. That means, that the only way to prevent that brute-force breaking of the passcode would be by making the code long enough and complex enough, so no one would have even a shred of hope of unlocking it before the end of the times.
Yes, the base one needs to be, complex enough, and then the erase data feature needs to be useable for non-hardware-crack based life.
beowulfschmidt said: Or probable cause. If an officer stops you and smells alcohol on your breath, or sees something "suspicious" (real or imagined, the judge will believe him, not you) in your car, that constitutes probable cause to search you and your car at that point in time, without a warrant. If your phone is in your possession, or in the possession of a passenger, or in your car, it's included in the search, and if you have it secured only with your fingerprint or face, you are legally required to unlock it.
Yep, our whole system is based on some level of civility and morality in order to function. While there has always been corruption, if it is a relatively small percentage, the system still operates with a case here or there that gets unfairly decided. But, the time isn't that far away where the corruption is going to touch the every-day person.
Agree. I wanna see how fast Apple is able to address it. I am pretty sure, they are planning on getting their hands on one such device (if not already).
₽㧰
₽ :: U+20BD :: https://en.wiktionary.org/wiki/₽
ă :: U+0103 :: https://en.wiktionary.org/wiki/ă
§ :: U+00A7 :: https://en.wiktionary.org/wiki/§
° :: U+00B0 :: https://en.wikipedia.org/wiki/Degree_symbol
And that's just by having the American English keyboard enabled. I assume that if you have others you add all those Unicode characters to the password palette, but I have yet to test that, hence my statement of more than 1 billion for 4 characters if you enable the full keyboard. Some take too long to enter, like the 'ā' (the small letter 'a' with a macron, U+010) because you have to press the 'a' (Latin small letter 'a', U+0061) on the left side of the keyboard and then go to the 9th option to the right, but most are very fast and easy.
edit: A quick and dirty recount brings it to around 210 character options for the American English keyboard with iOS 11.3, with around 97 of them being visible without a long-hold. If that count is correct, that brings the American English iOS keyboard to over 1.9 billion options with just 4 characters. I do have a much longer passphrase for my iPhone since it's not something I have to type in often, but it does employ at least one of the very special characters because the effort required is nearly non-existent.
Since 4 characters is fairly unrealistic, if we even assume a short, 8-character passcode I think that would bring the total possibilities to 3,782,285,936,000,000,000 (3.7 quintillion?), and excluding the very special characters to 7,837,433,594,376,960 (7.8 quadrillion?).
It's actually more of an effort to not have the 4-digit PIN on my Watch, which I do have to input daily. The reason for this is that only the 4-digit PIN on watchOS will auto-submit. Any other length, be it 3 or 5 or more digits, requires you to hit 'OK' before it tries to authenticate. Since I use it to unlock my Mac I'm fine with an extra second of tapping on my Watch every day.
Currently, a friend or associate, as a cruel prank, or your kid, not knowing the implications, could enter password after password in an attempt to unlock your phone. So having the 'wipe my phone clean after 10 consecutive failed attempts' option is a dangerous option to enable.
I’d prefer there be a second ‘security’ password, required to be at least 16 characters long and alphanumeric. After 10 consecutive failed attempts at your normal, presumably conveniently short password, it locks that password until the longer security password is entered. And perhaps the 'wipe my phone clean after...' setting would apply to that password, but after say 10,000 attempts, sufficiently high to prevent someone doing so as a prank, but sufficiently few attempts to give little opportunity for unlock to a GrayKey-type device.
That would not work if there is a virtual version of that phone, on which you try various passcodes. That is because a 4-digit passcode is the weakest link that will be broken long before a 16-character passcode protection kicks in. The same with the data wiping protocol. You need only one attempt to try the code. If it isn't the right one, reset everything and try again. That will make the "wipe after 10 attempts" condition unreachable, as well.
And it's not like your defense was that the long-hold is too long as you still failed to account for many characters that don't require a long hold to access. For example, in your list of special characters you choose the '~' (tilde, U+007E) as an option (as is commonly allowed), but not the '|' (vertical bar, U+007C) to its immediate left or the '<' (less-than sign, U+003C) to its immediate right on the iOS keyboard which tells me you didn't even look at the iOS keyboard before claiming how many possible options there were. You very clearly looked at this from the PoV of a web login, not iOS.
“Do the best you can until you know better. Then when you know better, do better.” —Maya Angelou.
I can't help but wonder if this is a flash-in-the-pan product that Apple could quickly make obsolete with the next iOS update. The only reported screenshot I've seen of the device was cracking an iPhone X running iOS 11.2.5; which isn't to say that it won't work with the current iOS 11.3, or later versions.
It'll be interesting to see if this has legs. Maybe they'll at least be able to do what jailbreakers have been doing for a decade by chasing each new iOS revision after the fact.
I just did a very, very rough count and came up with 2,802 emoji options in iOS 11.3. I'm not even going to run the numbers since that's clearly excessive.
One unique thing with emoji characters—at least on iOS and macOS—that would likely reduce the number of options is that when you select a non-Simpson's yellow skin tone it will save that option as the default. I know emoji have Unicode values, but I don't know if the skin tone is a unique Unicode character or if it's some sort of special addendum to the original Unicode that gets applied in text when it follows a certain order.
There's also the issue if this gets applied to a website. If, for example, you go to log into Twitter via Safari on your Mac using your Emoji-capable passcode and then try to log in on Android or Windows, you'll have an issue because the ideograms look different.
For the most part it should be pretty obvious and future websites could design the options with ones that are absolutely recognizable across platforms, but it's still a consideration that would need to be well vetted. But to suggest websites adding this as an option isn't a realistic option at this point considering how limited so many are right now in both character options and length.
Or probable cause. If an officer stops you and smells alcohol on your breath, or sees something "suspicious" (real or imagined, the judge will believe him, not you) in your car, that constitutes probable cause to search you and your car at that point in time, without a warrant. If your phone is in your possession, or in the possession of a passenger, or in your car, it's included in the search, and if you have it secured only with your fingerprint or face, you are legally required to unlock it.
"I understand if you've never thought about it before"
I am pretty sure I did, given my background and master's degree in computer science. But, what do I know. Combinatorics is definitely beyond my understanding. /s
"but after the facts are presented to you to then claim that you purposely chose not to consider all those possible characters is just shameful."
This is complete nonsense!
What I gave was just ONE example, with all the assumptions CLEARLY STATED. Nowhere did I claim that that example covers all possible cases, nor did I state that that was an example of the most secure system, using the largest possible variability of characters for the passcode.
That was just you pulling those assumptions from your arse right there, and then trying to "gotcha" me on that.
Show me where I stated that 88 possible values for one character is the largest set one can get in iOS, please!
Point to a specific line in my comment that states what you implied/said it states!
Thank you!
Yes, the base one needs to be complex enough, and then the erase data feature needs to be useable for non-hardware-crack based life.
Yep, our whole system is based on some level of civility and morality in order to function. While there has always been corruption, if it is a relatively small percentage, the system still operates with a case here or there that gets unfairly decided. But, the time isn't that far away where the corruption is going to touch the every-day person.