There seems to be some renewed interest in selecting phone passcodes that are difficult to crack. I don’t know why! But here’s a tweet from a while back that might help.
I guess for people who aren’t deeply technical and are just coming to this, it might be helpful to explain the reasoning behind selecting phone passcodes. So here’s a thread. 1/
Modern phones (iPhones and recent Androids) encrypt much of the data on your device. This is done using your phone passcode. I think most people know this part. 2/
So if your phone falls into the hands of someone who might want your data, they have to know (or guess) your passcode to decrypt it. (This assumes you’ve shut the phone down to biometrics like face/fingerprint. More on that later.) 3/
Most passcodes are weak. This isn’t your fault. Phones typically want you to pick a 6-digit code, and there are only a million of those. In the computing world “one million” (approx 2^20) is a small number. Computers can eat that for lunch. 4/
But it’s even worse if you choose your own passcode, rather than picking one truly at random. Because people are terrible at picking passcodes. They choose stuff like 111111, 222222 and 420420 and every smart cracker is going to try those first. 5/
Despite this, most modern phones have a nice way to slow cracking down. They include specialized processors (or the equivalent) that limit the number of guesses an attacker can make. In an iPhone this is done in a Secure Enclave Processor (SEP). This is great! 6/
The bad news is that private companies have found ways to bypass the Secure Enclave Processor on iPhones. This means they can guess as many times as they want. This is done with specialized tools like the “GrayKey” box. 7/
GrayKey has managed to find its way into police stations across the country. This means anyone in those stations can potentially open up your phone. How you should feel about this depends on how you feel about your local police department. 8/
So if you want to feel secure in your phone, you need to do two things. First, pick a strong passcode. The way these phones are built, cracking must happen on the phone, and it takes about 90ms to test one passcode attempt. So pick a passcode that takes many attempts. 9/
A long numeric passcode works well. This list shows how long it will take to crack different length passcodes. 10/
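As an added worked example (not part of the thread), the Python below reproduces the kind of list referred to above: it takes the thread's stated figures (a 10-digit alphabet, 90 ms per on-device guess, the rate limiter already bypassed) and computes keyspace, bits, average and worst-case cracking time for random numeric passcodes of 4 to 12 digits. The `random_passcode` helper is an addition that shows how to pick a code truly at random, which is the only case for which the average bound holds.

```python
import math
import secrets
import string

PER_GUESS_MS = 90        # per-attempt cost on the device, as stated in the thread
DIGITS = string.digits   # alphabet of a numeric passcode

def keyspace(length: int, alphabet: str = DIGITS) -> int:
    """Number of distinct passcodes of this length over this alphabet."""
    return len(alphabet) ** length

def entropy_bits(length: int, alphabet: str = DIGITS) -> float:
    """Keyspace in bits (one million six-digit codes is roughly 2^20)."""
    return math.log2(keyspace(length, alphabet))

def worst_case_ms(length: int, alphabet: str = DIGITS, per_guess_ms: int = PER_GUESS_MS) -> int:
    """Time to exhaust the whole keyspace when every guess must run on the phone
    and the Secure Enclave's guess limit no longer applies."""
    return keyspace(length, alphabet) * per_guess_ms

def expected_ms(length: int, alphabet: str = DIGITS, per_guess_ms: int = PER_GUESS_MS) -> int:
    """Average time to hit a code chosen uniformly at random: half the keyspace.
    A human-chosen code (111111, 420420, ...) falls far sooner; this bound is only
    meaningful for codes picked truly at random."""
    return worst_case_ms(length, alphabet, per_guess_ms) // 2

_UNITS = (("years", 365 * 86_400_000), ("days", 86_400_000), ("hours", 3_600_000),
          ("minutes", 60_000), ("seconds", 1_000))

def human(ms: int) -> str:
    """Render a millisecond count in the largest unit that is at least 1."""
    for name, size in _UNITS:
        if ms >= size:
            return f"{ms / size:.1f} {name}"
    return f"{ms} ms"

def crack_table(lengths=range(4, 13)) -> dict:
    """Length -> (keyspace, average time, worst-case time) for numeric codes."""
    return {n: (keyspace(n), human(expected_ms(n)), human(worst_case_ms(n))) for n in lengths}

def random_passcode(length: int, alphabet: str = DIGITS) -> str:
    """Pick a code uniformly at random from the OS CSPRNG (not the random module),
    so that the expected_ms bound actually applies to it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for n, (space, avg, worst) in crack_table().items():
        print(f"{n:2d} digits: {space:>15,d} codes  {entropy_bits(n):4.1f} bits"
              f"  avg {avg:>12}  worst {worst:>12}")
    print("example random 10-digit code:", random_passcode(10))
```

Six digits exhaust in just over a day at this rate, while ten random digits push the worst case past 28 years, which is the gap the thread is pointing at.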
Finally, and this part is much more difficult, remember that current generation phones won’t kick all the encryption keys out just because you lock the phone. To really make them secure, it’s important to turn them off if you can. 11/
Finally, there’s the matter of disabling fingerprints and face recognition, which are both alternative ways to get into a phone without a passcode. On an iPhone, you can press the power button five times. On Android it’s... more complicated. google.com/amp/s/lifehack… 12/
The thing to note here is that doing this last thing does *not* necessarily evict all the encryption keys from memory. So it’s much safer to turn your phone off all the way. TL;DR: good passcode, phone off. That’s it. 13/13