
Passcodes and passwords
To protect user data from malicious attack, Apple uses passcodes in iOS, iPadOS, and visionOS, and passwords in macOS. The longer a passcode or password is, the stronger it is—and the easier it is to discourage brute-force attacks. To further discourage attacks, Apple enforces time delays (iOS, iPadOS, and visionOS) and a limited number of password attempts (Mac).
On iPad, iPhone, and Apple Vision Pro, setting up a device passcode automatically enables Data Protection. Data Protection is also enabled on other devices that feature an Apple system on a chip (SoC), such as a Mac with Apple silicon, Apple TV, and Apple Watch. On macOS, Apple uses the built-in volume encryption program FileVault.
Increasing security with strong passcodes and passwords
iOS, iPadOS, and visionOS support six-digit, four-digit, and arbitrary-length alphanumeric passcodes. Besides unlocking the device, a passcode or password provides entropy for certain encryption keys. This means an attacker in possession of a device can’t get access to data in specific protection classes without the passcode.
The passcode or password is entangled with the device’s UID, so brute-force attempts need to be performed on the device under attack; the UID never leaves the silicon, so nothing can be precomputed elsewhere. A large iteration count is used to make each attempt slower. The iteration count is calibrated so that one attempt takes approximately 80 milliseconds. At that rate, it would take more than five and one-half years to try all combinations of a six-character alphanumeric passcode with lowercase letters and numbers (36^6, roughly 2.2 billion candidates, at 80 ms each).
The stronger the user passcode is, the stronger the encryption key becomes. And by using Optic ID, Face ID, or Touch ID, the user can establish a much stronger passcode than would otherwise be practical. The stronger passcode increases the effective amount of entropy protecting the encryption keys used for Data Protection, without adversely affecting the user experience of unlocking a device multiple times a day.
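The cost arithmetic above and the role of the UID, as an added example (Python; this is not Apple's code and not the Secure Enclave's real derivation): the device UID is simulated by a 32-byte secret that only this process holds, PBKDF2-HMAC-SHA256 stands in for the stretching function because it is in the standard library, and `PasscodeVerifier`, `calibrate_iterations`, and the `POLICIES` table are names chosen here. The per-attempt cost uses the page's 80 ms figure, and the times printed are for an exhaustive on-device search of each passcode shape.

```python
"""Added example, not Apple's code: a toy model of a passcode tangled with a
device-bound secret, stretched with a calibrated iteration count, and the
brute-force cost that follows for several passcode policies.

Assumed, not from the page: the device UID is simulated by a 32-byte value
that only this process knows; PBKDF2-HMAC-SHA256 stands in for the stretching
function because it is in the standard library. Apple's real derivation runs
inside the Secure Enclave and is not what this code does."""
import hashlib
import hmac
import math
import secrets
import time

SECONDS_PER_ATTEMPT = 0.08          # the ~80 ms per guess the page cites
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_passcode_key(passcode: str, uid: bytes, iterations: int) -> bytes:
    """Derive a 256-bit key from the passcode, tangled with the device UID.

    The UID is used as the PBKDF2 salt. Because it never leaves the device,
    nothing about this derivation can be precomputed elsewhere: every guess
    has to be run on the device that holds the UID.
    """
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), uid,
                               iterations, dklen=32)


def calibrate_iterations(target_seconds: float = SECONDS_PER_ATTEMPT,
                         uid: bytes = b"\x00" * 32) -> int:
    """Pick an iteration count so one derivation takes about target_seconds
    on this machine (simulating calibration to the device's own speed)."""
    probe = 20_000
    start = time.perf_counter()
    derive_passcode_key("000000", uid, probe)
    elapsed = time.perf_counter() - start
    return max(1, int(probe * target_seconds / elapsed))


class PasscodeVerifier:
    """Holds only the derived key, never the passcode; guesses are checked
    with a constant-time comparison."""

    def __init__(self, passcode: str, uid: bytes, iterations: int) -> None:
        self.uid = uid
        self.iterations = iterations
        self._key = derive_passcode_key(passcode, uid, iterations)

    def verify(self, guess: str) -> bool:
        candidate = derive_passcode_key(guess, self.uid, self.iterations)
        return hmac.compare_digest(candidate, self._key)


def keyspace(alphabet_size: int, length: int) -> int:
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    """Time to try every passcode of this shape on-device, at the given rate."""
    return keyspace(alphabet_size, length) * seconds_per_attempt


def exhaustive_search_years(alphabet_size: int, length: int,
                            seconds_per_attempt: float = SECONDS_PER_ATTEMPT) -> float:
    return exhaustive_search_seconds(alphabet_size, length, seconds_per_attempt) / SECONDS_PER_YEAR


def describe(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# Passcode shapes the page discusses, plus a longer alphanumeric one.
POLICIES = [
    ("4-digit numeric", 10, 4),
    ("6-digit numeric", 10, 6),
    ("6-char lowercase+digits", 36, 6),
    ("6-char mixed-case+digits", 62, 6),
    ("10-char mixed-case+digits", 62, 10),
]


if __name__ == "__main__":
    uid = secrets.token_bytes(32)               # simulated per-device UID
    iterations = calibrate_iterations(uid=uid)
    verifier = PasscodeVerifier("483915", uid, iterations)
    print(f"calibrated to {iterations} iterations for ~80 ms per guess")
    print("correct guess:", verifier.verify("483915"))
    print("wrong guess:  ", verifier.verify("483916"))
    for name, alphabet, length in POLICIES:
        print(f"{name:26s} {entropy_bits(alphabet, length):5.1f} bits  "
              f"full search {describe(exhaustive_search_seconds(alphabet, length))}")
```

The search times only hold while every guess is forced through the device: an attacker who could extract the UID, or who could run the derivation elsewhere, would no longer be bound by the 80 ms calibration, which is why the entanglement matters as much as the iteration count.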
If a passcode contains only numbers, a numeric keypad is displayed at the Lock Screen. A longer numeric passcode may be easier to enter than a shorter alphanumeric password, while providing similar security.
Users can specify a longer alphanumeric password by selecting Custom Alphanumeric Code under Passcode Options (in Settings > [Optic ID], [Face ID], or [Touch ID] & Passcode). If a password is alphanumeric, a full keyboard is displayed at the Lock Screen.
Escalating time delays discourage brute-force attacks
On iPad, iPhone, Mac, and Apple Vision Pro, to further discourage brute-force passcode attacks, there are escalating time delays after the entry of an invalid passcode, password, or PIN (depending on the device and the state the device is in), as shown in the table below.
| Consecutive incorrect attempts | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 or more |
|---|---|---|---|---|---|---|---|---|
| iOS and iPadOS Lock Screen | None | 1 minute | 5 minutes | 15 minutes | 1 hour | 3 hours | 8 hours | Device is locked and must connect to a Mac or PC |
| watchOS Lock Screen | None | 1 minute | 5 minutes | 15 minutes | 1 hour | 3 hours | 8 hours | Device is locked and must connect to an iPhone |
| FileVault Login Window and Lock Screen | None | 1 minute | 5 minutes | 15 minutes | 1 hour | 3 hours | 8 hours | 8 hours |
| macOS Recovery Mode | None | 1 minute | 5 minutes | 15 minutes | 1 hour | 3 hours | 8 hours | See “Escalating time delays discourage brute-force attacks in macOS” below |
| FileVault with recovery key (Personal, Institutional, or iCloud) | None | 1 minute | 5 minutes | 15 minutes | 1 hour | 3 hours | 8 hours | See “Escalating time delays discourage brute-force attacks in macOS” below |
| macOS Remote lock PIN code | 1 minute | 5 minutes | 15 minutes | 30 minutes | 1 hour | 1 hour | 1 hour | 1 hour |
If the Erase Data option is turned on for iPad, iPhone, or Apple Vision Pro (in Settings > [Optic ID], [Face ID], or [Touch ID] & Passcode), after 10 consecutive incorrect attempts to enter the passcode, all content and settings are removed from storage. Consecutive attempts of the same incorrect passcode don’t count toward the limit. This setting is also available as an administrative policy through a device management service that supports this feature and through Microsoft Exchange ActiveSync, and can be set to a lower threshold.
The delays are enforced by the Secure Enclave. If the device is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
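The delay schedule and the two edge rules above (retyping the same wrong passcode is not counted; a restart does not clear a pending delay, it restarts the current period), as an added example (Python; not Apple's code and not the Secure Enclave's implementation): a `LockScreen` simulator with an injected clock, following the iOS and iPadOS Lock Screen row of the table. The class and method names, the `limit` parameter standing in for the lower threshold a device management service can set, and the constant-time comparison used for the passcode check are choices made here, not details from the page.

```python
"""Added example, not Apple's code: a simulation of the escalating delays and
attempt limit for the iOS and iPadOS Lock Screen row of the table above.

The clock is injected (simulated seconds) so the schedule can be stepped
deterministically. Class and method names, the configurable limit, and the
passcode comparison are choices made here, not details from the page.
"""
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MIN, HOUR = 60, 3600

# Delay (seconds) imposed after the Nth counted incorrect attempt,
# from the "iOS and iPadOS Lock Screen" row.
DELAY_AFTER_ATTEMPT = {1: 0, 2: 0, 3: 0, 4: 1 * MIN, 5: 5 * MIN,
                       6: 15 * MIN, 7: 1 * HOUR, 8: 3 * HOUR, 9: 8 * HOUR}
DEFAULT_LIMIT = 10  # "10 or more": locked, or erased if Erase Data is on


class Result(Enum):
    UNLOCKED = "unlocked"
    WRONG = "wrong passcode, counted"
    REPEAT_IGNORED = "same wrong passcode as last time, not counted"
    DELAYED = "timed delay in effect, attempt not processed"
    LOCKED = "device locked; must connect to a Mac or PC"
    ERASED = "all content and settings erased"


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


@dataclass
class LockScreen:
    passcode: str
    erase_data: bool = False        # the Erase Data setting
    limit: int = DEFAULT_LIMIT      # a device management service may set this lower
    now: float = 0.0                # simulated clock, seconds
    failures: int = 0               # consecutive counted incorrect attempts
    delay_until: float = 0.0
    current_delay: float = 0.0
    last_wrong: Optional[str] = None
    terminal: Optional[Result] = None   # LOCKED or ERASED, once reached

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def seconds_until_next_attempt(self) -> float:
        return max(0.0, self.delay_until - self.now)

    def restart(self) -> None:
        """A restart does not cancel a pending delay: the current delay
        period starts over from the moment of the restart."""
        if self.now < self.delay_until:
            self.delay_until = self.now + self.current_delay

    def attempt(self, guess: str) -> Result:
        if self.terminal is not None:
            return self.terminal
        if self.now < self.delay_until:
            return Result.DELAYED
        if _same(guess, self.passcode):
            self.failures, self.last_wrong, self.current_delay = 0, None, 0.0
            return Result.UNLOCKED
        if self.last_wrong is not None and _same(guess, self.last_wrong):
            return Result.REPEAT_IGNORED  # retyping the same wrong code is free
        self.last_wrong = guess
        self.failures += 1
        if self.failures >= self.limit:
            self.terminal = Result.ERASED if self.erase_data else Result.LOCKED
            return self.terminal
        self.current_delay = DELAY_AFTER_ATTEMPT.get(self.failures, 8 * HOUR)
        self.delay_until = self.now + self.current_delay
        return Result.WRONG


def minimum_time_to_exhaust(limit: int = DEFAULT_LIMIT) -> int:
    """Least wall-clock time, in seconds, an attacker needs to reach the
    limit-th counted attempt: the sum of the delays that precede it."""
    return sum(DELAY_AFTER_ATTEMPT.get(n, 8 * HOUR) for n in range(1, limit))


if __name__ == "__main__":
    dev = LockScreen(passcode="483915", erase_data=True)
    for i in range(1, 11):
        dev.advance(dev.seconds_until_next_attempt())
        r = dev.attempt(f"{i:06d}")          # ten distinct wrong guesses
        print(f"t={dev.now:>7.0f}s attempt {i:2d}: {r.value}")
    print(f"fastest path to attempt 10: {minimum_time_to_exhaust() / HOUR:.2f} hours")
```

Running it shows that even the fastest possible path to the tenth counted attempt takes over twelve hours of wall-clock time, and that power cycling mid-delay only pushes the next attempt further out.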
Escalating time delays discourage brute-force attacks in macOS
To help prevent brute-force attacks, when a Mac starts up, no more than 10 password attempts are allowed at the Login Window, and escalating time delays are imposed after a certain number of incorrect attempts. The delays are enforced by the Secure Enclave. If a Mac is restarted during a timed delay, the delay is still enforced, with the timer starting over for the current period.
To help prevent malware from causing permanent data loss by trying to attack the user’s password, these limits aren’t enforced after the user has successfully logged in to the Mac, but they are reimposed after a restart. If the 10 attempts are exhausted, 10 more attempts are available after restarting into recoveryOS. And if those are also exhausted, then 10 additional attempts are available for each configured FileVault recovery mechanism (iCloud recovery, FileVault recovery key, and institutional key), for a maximum of 30 additional attempts. After those additional attempts are exhausted, the Secure Enclave no longer processes any requests to decrypt the volume or verify the password, and the data on the drive becomes unrecoverable.
To help protect data in an enterprise setting, IT should define and enforce FileVault configuration policies using a device management service. Organizations have several options for managing encrypted volumes, including institutional recovery keys, personal recovery keys (that can optionally be stored with a device management service for escrow), or a combination of both. Key rotation can also be set as a policy in a device management service.
On a Mac with the Apple T2 Security Chip, the login password plays the same key-derivation role as the passcode on iOS, except that the key generated is used for FileVault volume encryption rather than Data Protection.