Just how vulnerable are you if you use an iPhone? Spoiler alert: more vulnerable than you think!

Is a 6-digit code enough to protect your whole digital/financial life?

Definitely removing my bank password from the Apple password manager.

I had not really considered the effect of someone changing your Apple ID and then locking you out of all of your information.

If they then change your recovery account contact, it would seem that you’re screwed.

If they have your passcode, can they get into your locked Apple Notes?

Besides having good backups, what else can you do to protect yourself?

If they changed your Apple ID password, would that affect your access to Time Machine backups?

Apple needs a process to get your Apple ID back into your own hands; you would think a visit to the Genius Bar with your driver’s license would be enough.

After watching this video what are you going to do to protect yourself?

1 Like

I have set up additional Apple ID protection. Not sure this would help to alleviate the vulnerability.

Also, I use a longer than 6-digit unlock code on the iPhone; hope this makes it safer.

1 Like

More discussion here:

Nothing more than I did before. First of all, those headlines, videos, and reports are clickbait. I don’t say that this isn’t true, but what is the conclusion? Just don’t lose your phone and use a better passcode. I mean, she admitted in the video that she just had her iPhone lying around in a public place without paying attention. Then she put in the passcode without paying attention to her surroundings. This is just… would you go to an ATM, enter the passcode while a person is looking over your shoulder, and then leave your credit card / bank card lying around carelessly on a bar? I don’t think so.
If you leave the key to your house on the stairs in front of your house, you can lock yourself in as much as you want; it won’t help.
The only thing I’m curious about: aren’t bank accounts in the US protected by 2FA? In my country every banking app has a second app with 2FA, and either you have to unlock it with Face ID or with a separate password. It wouldn’t be possible to unlock it with your Apple ID or PIN.

5 Likes

Yep, I need my face or bank password to be able to open the app.

I think the point of the news report is how much access your iPhone PIN code gives to your digital life. It’s looking to minimise the damage that can be done should someone ever get hold of it.

It also highlights that Apple needs to change the power that the iPhone PIN code has in the Apple ecosystem.

1 Like

It’s a good reminder. I reverted back to a six-digit PIN during the Covid period when I was wearing a mask daily. Of course, I never reset my passcode as the need for masks mainly went away in my area.

Back to a stronger passcode now, thanks!

2 Likes

Yes, but most use SMS. So if someone has your phone and your passwords, that’s all they need.

1 Like

Please, no. I disagree with the idea of implementing stricter security measures on phones due to the carelessness of some individuals who leave their phones unattended in public. It is unlikely that such measures would improve their behavior. Additionally, it is unfair for all users to suffer the inconvenience of constant pop-ups or additional security measures because of the actions of a few careless individuals.

Do they choose to use SMS, or are they forced to by their banks? If they choose to do so, it’s their fault, imho. SMS PINs got forbidden where I live. I’m glad; it is not a secure system and can easily be abused.

3 Likes

This is not just carelessness, but targeted attacks on individuals.

I really think you’ve missed the point of the video. It’s highlighting that a PIN to unlock your phone should not be able to change your Apple ID password.

There are also a whole swathe of people who use iPhones with PINs that are simple, not because they’re ignorant, but because they have disabilities or struggle with remembering complex passwords.

This is trying to mitigate the increasing targeted attacks on people.

Apple allowing the iPhone PIN to change the ownership of an Apple ID is ludicrous. This does need to change, not because some people might not be as cautious as others, but because this is a security design flaw.

3 Likes

Is this really increasing, or is it just spreading more due to social media?
And it does not really matter whether your passcode can change something or not!
Those people who are being reckless with their passcode are doing the same with their passwords, so the vulnerability would not change for those people.

But it is of course a very nice “excuse” for those who do not care for their privacy and always expect others to take care of it!

2 Likes

The “blame the user” vibe is strong in this thread. I’m not sure every person who has ever had their passcode observed and then phone stolen while out is stupid, reckless, or lazy.

Yes, I try to practice good security hygiene, but those who think it could never happen to you have more self-confidence than I.

To the question above: yes, in the US many financial institutions only offer SMS as a two-factor option. I use Authy and rotating codes wherever possible, but… Authy is on my phone. If someone steals it and knows where to look, they have the 2FA codes as well.

2 Likes

Same here: complex password on iPhone (work requirement) and YubiKeys on Apple ID/iCloud. Also secondary/different app passwords for banking and other critical apps.

No Face ID on critical apps either.

You can’t protect yourself against all scenarios, but at least make it as hard as possible.

I just tried to log in to my bank account without Face ID; it defaults to asking for the bank password. That’s stored in 1Password, which is also set to Face ID. When no Face ID is present, the only option is to manually enter my 1PW master password. There is no option for just switching from Face ID over to my iPhone passcode without first entering my app-specific password.

This is all still true even when logged in to my iPhone via passcode.

My conclusion is that this isn’t an Apple problem, it’s an app developer problem. Examples:

  1. Bank and 1PW apps are secure from this hack.
  2. Fastmail app is not secure, by default. While 2FA is on to prevent a thief from changing my password, my device is already ‘trusted’, so they could use my email address for all sorts of password reset shenanigans. Simply put this behind a Face ID prompt and the problem goes away.

As an added layer of security, I did change my unlock passcode to alphanumeric. Not as convenient, but since I use Face ID I won’t have to do it that often. Other than that it’s all about situational awareness.

1 Like

In general, while some banks/credit card/investment companies offer some kind of non-SMS 2FA, almost all have SMS and/or email as an option.

In the case of a 1PW user that may be true.

However, people who keep their passwords in Keychain are screwed. If the bad guy can’t use the bank app he just logs in using Safari. IMO, this is definitely an Apple problem.

OTOH law enforcement must be loving this. If they can get a warrant they can just follow someone around until they get his passcode, then just walk up and take the phone.

1 Like

Yes, you are doing the smart thing by having a password manager with a different passcode than your iPhone access. Access to your phone is not access to everything.

But, for those who use Keychain, access to the iPhone is access to everything, including changing your Apple ID. This is the weakness that Apple should address.

2 Likes

I think that only asking for a PIN to change your Apple ID password is too simple. I think maybe asking for your current password would be safer.

2 Likes

Just want to point out that someone with your passcode can reset your Face ID and use his/her face instead of yours to unlock stuff.

Some apps, like 1Password, have implemented code that recognizes Face ID was reset and will ask you for your password before enabling you to log into it. Many more, unfortunately, don’t.

That’s yet one more thing to point out developers should be doing a better job in designing security UX, even at the OS level.

One could also hack a “second passcode” via Screen Time (or a third-party app such as AppBlock) to block some critical apps. It is only one more deterrent, though, but may be worth it to someone.

I feel the same about this and other threads on the same topic here. But I think we, as a community, do better if we try to keep a positive attitude and just ignore comments that are not helpful. Let’s just hope positive comments prevail and the community stays sane.

3 Likes

What an appalling and discriminatory comment, and you’re not the only one in this thread; sad to say.

Let’s hope that people do not treat you with the same disdain you treat them when you make a mistake.