How to make your iPhone Passcode more secure without changing it.
Apple released Stolen Device Protection (SDP) in response to criminals successfully ruining people’s lives by using a victim’s iPhone passcode to reset their iCloud password.
In 2023 the New York Times did a report on this new tactic, summarized on TidBITS:
Watch the video, but in short, a ne’er-do-well gets someone in a bar to enter their iPhone passcode while they surreptitiously observe (or a partner does it for them). Then the thief steals the iPhone and dashes off. Within minutes, the thief has used the passcode to gain access to the iPhone and change the Apple ID password, which enables them to disable Find My, make purchases using Apple Pay, gain access to passwords stored in iCloud Keychain, and scan through Photos for pictures of documents that contain a Social Security number or other details that could be used for identity theft. After that, they may transfer money from bank accounts, apply for an Apple Card, and more, all while the user is completely locked out of their account.
And yes, they’ll wipe and resell the iPhone too. Almost no crimes like this have been reported by Android users, with a police officer speculating that it was because the resale value of Android phones is lower. In the video, Joanna Stern said a thief with the passcode to an Android phone could perform similar feats of identity and financial theft.
Apple’s response? Stolen Device Protection:
With Stolen Device Protection, some features and actions have additional security requirements when your iPhone is away from familiar locations such as home or work. These requirements help prevent someone who has stolen your device and knows your passcode from making critical changes to your account or device.
• Face ID or Touch ID biometric authentication: Some actions such as accessing stored passwords and credit cards require a single biometric authentication with Face ID or Touch ID — with no passcode alternative or fallback — so that only you can access these features.
• Security Delay: Some security actions such as changing your Apple Account password also require you to wait an hour and then perform a second Face ID or Touch ID authentication.
In the event that your iPhone is stolen, the security delay is designed to prevent a thief from performing critical operations so that you can mark your device as lost and make sure your Apple account is secure.
Thieves can still come after you if they see you entering your passcode, because they’re hoping you don’t have this feature enabled, or they might not be aware of it themselves.
The goal shouldn’t just be to prevent thieves from breaking into your accounts and your life; the goal is to prevent them from taking your iPhone in the first place. Even if you have all the safety measures in place and your phone gets swiped, you’re still without a phone, which will be expensive to replace and will take hours to get everything synced up again.
The best way to stop this is to hide your passcode while typing it in, but sometimes we might be in a hurry and forget to keep our guard up. Not to mention this type of attack is common in bars, where your guard is already lowered.
The next best thing? Change your passcode to an alphanumeric one.
You don’t actually have to change your passcode; you only have to add something to the end of it, like a period.
Say your passcode was “090708”. You can change your passcode to add a period, so it becomes “090708.” (with the trailing period). If a potential thief does see you entering your passcode, they will see the alphanumeric keyboard instead of the numeric keypad and will be more likely to skip past you, because it’s almost impossible to make out what someone is typing on it. The keyboard is small enough, even on the Pro Max models, that your “fat finger” obscures what you’re typing, compared to the huge numeric keypad.
It also helps to turn off keyboard haptics when typing in your code, so people can’t hear how long your passcode is.
Over time, you’ll actually get faster at typing the alphanumeric code, since it is still all number based, but no one would know you would do such a thing…unless they read my blog.
I tried to be even slicker and just keep the exact same password even though I selected an alphanumeric option and keyboard, but the iPhone defaults back to a numeric keypad, so I had to add the period.