Easily Hacked Phone PIN Codes You Should Avoid Using (And How To Better Secure Your Phone)
Guess how long it would take a computer to brute-force an 8-number password. The answer: instantly. That's according to Hive Systems' Password Table, which shows how shockingly quick passwords of varying complexity can be cracked using available hardware. The longer a password is, and the more complexity it has (numbers, letters, and symbols), the longer it takes; an 8-character password, using a healthy mix of all those things, could take up to 2,000 years to crack. Now think about your smartphone. Most people store their entire lives on their phone, and yet protect it with only a 4-digit PIN code. See the problem?
To be fair, in most cases someone who's trying to break into your phone will be guessing codes by hand, without the help of a computer. The problem is that too many people reuse the same 4-digit code as millions of others out there. Thieves try those first, which means the doors to your digital life get blown wide open if you went with "1234." Let's take a look at not just the most common PIN codes that you should be avoiding, but other ways to lock down your phone and make it hard — or next to impossible — for a thief or hacker to compromise it.
Avoid these 4-digit PINs
Nick Berry of DataGenetics made headlines when he released his PIN analysis. In it, he discussed the most common 4-digit PIN codes. To be clear, Berry is not talking specifically about phone PIN codes, but rather about PIN codes in general — such as for credit cards or computer logins. Since we tend to reuse credit card PINs on phones, and vice versa, his findings still apply. You should never choose these PIN codes to lock your phone:
1234
1111
0000
1212
7777
1004
2000
4444
2222
6969
Berry found that a shocking 11% of people were using "1234." Still, you shouldn't use any of the above for your phone. Further, you also shouldn't use any easy-to-guess pattern: no multiple repeating numbers (1111), alternating numbers (1212), number pairs (1122), or reverse-counting numbers (4321). Other examples, like popular years (1984), should be avoided. The same goes for birthdays, anniversaries, and other information that a thief could guess about you based on public information. And if you're someone who uses a PIN based on button positions (2580, tapping straight down), then this is a warning for you, too.
Using simple passwords is one of the worst cybersecurity mistakes you're probably making, so changing a too-simple phone PIN code is one step in shoring up your defenses. And don't just change your phone's PIN code. Change those repeat passwords and start using a password manager. Some of the worst data breaches in internet history happened because of weak database passwords.
Consider using a 6-digit PIN
While it's a good start to avoid using the most common 4-digit PIN numbers, it's also important to note that, as we've made clear, 4-digit passwords of any kind are very, very weak. In fact, a 4-digit code only has 10,000 possible combinations. Even if you did try to use a more complicated one, you'd inevitably use the same one as someone out there — or multiple someones. In a very roundabout way, we're saying that you shouldn't use a 4-digit PIN, period. If you insist on using a PIN and not a password (as we'll discuss later on), then at least change to a 6-digit PIN. Just those extra two digits increase the complexity of a PIN code from 10,000 possible combinations to 1,000,000.
To change to a 6-digit PIN code on Android, go to Settings > Security > Screen Lock and change your PIN code to one that's six digits long. You can do the same on iPhone by going to Settings > Face ID & Passcode > Change Passcode. We recommend doing the same if you have a smartwatch, like the Apple Watch. Go to Settings > Passcode and disable the Simple Passcode option. This enables a 6-digit rather than 4-digit passcode. We'd recommend doing the same thing for any other devices you have, like a tablet or a Steam Deck — but on computers, definitely stick with a password.
A password — not a PIN — is best
Best security practice for your phone is to use a full-fledged password — not a PIN code — for obvious reasons. A sufficiently strong password will be effectively impossible for a random person to guess, and it's harder for them to figure out if they're shoulder surfing. They'd need the help of AI to crack your passwords at that point. This doesn't need to be an extremely complex password with letters, numbers, and special characters like you might use to secure an account, either; passwords with letters are inherently stronger than passwords with numbers, because each position can hold any of 26 letters rather than one of 10 digits, so putting "slashgear" as your password blows even the most uncommon 6-digit PIN out of the water.
On Android, you can do this in Settings > Security > Screen Lock by changing your PIN to an alphanumeric password. On iPhone, go to Settings > Face ID & Passcode > Change Passcode > Passcode Options and choose the custom alphanumeric code option. Instead of using the big keypad, you'll now get your normal keyboard whenever you try to unlock your phone.
Now, we only recommend using a password if you unlock your phone with biometrics, like a Samsung fingerprint scanner or Apple's Face ID. Then you only have to put in the password on rare occasions. It's an annoying inconvenience, make no mistake, but again, this is a device that has access to everything. You'll have to decide for yourself what ratio of security to convenience is best for you.
Be wary of auto-unlock features
Android has a number of features, collectively known as Extend Unlock, that allow your phone to intelligently keep itself unlocked for up to four hours when certain conditions are met. Extend Unlock keeps your phone unlocked when it's on your person, such as in your pocket; when it's at a trusted place, such as your home or workplace; or when it's connected to a trusted device, such as your Bluetooth headphones. All of these are highly convenient, but one can imagine plausible situations where they could be exploited.
For the on-person setting, you might not realize when a thief has taken your phone out of your back pocket, and the phone might think it's still on you. Having your workplace as a trusted place means an unscrupulous co-worker could access your device. It doesn't take much imagination to think of other scenarios. If you're going to use these auto-unlock features, then be extremely judicious about which ones you turn on and how you use them.
The Apple ecosystem only has one auto-unlock feature: an unlocked Apple Watch or unlocked iPhone can unlock the other device. If you are going to use these features, then we advise against allowing your Apple Watch to unlock your iPhone, since this could allow a thief to access it if you are nearby.
Enable anti-theft
While we did warn you about Extend Unlock, Android's new anti-theft features could likely mitigate the risk of using it. The coolest is Theft Detection Lock, which, according to Google, "uses AI, your device's motion sensors, Wi-Fi, and Bluetooth to detect if someone unexpectedly takes your device and runs away." Pretty self-explanatory. This setting is not enabled by default, so go to Settings > Google > All Services > Theft Protection and turn it on. It's important to note that Theft Detection Lock is not bulletproof. The phone is only guessing it's been stolen based on sudden movement; sudden movements include your morning run or accelerating in your car, not just theft.
In the same Theft Protection settings, we recommend turning on Offline Device Lock. If a thief turns off your internet connectivity, the phone auto-locks. The same goes for Identity Check, which adds an extra biometric layer of authentication any time you try to make sensitive changes, like looking at your passwords, changing screen lock settings, and so on.
iPhone is behind on anti-theft features. It has one, though, that you should absolutely enable: iPhone's stolen device protection feature. Similar to Identity Check, Stolen Device Protection limits making certain sensitive changes — like replacing the passcode — if you're not at a trusted location. It also demands biometrics for password access, without the fallback option to use your passcode. To enable it, go to Settings > Face ID & Passcode > Stolen Device Protection and turn it on.
Use remote deactivation for stolen devices
If your device has been stolen, there's still a lot you can do to mitigate the damage a thief does to your digital life. On Android, immediately head to your Google account from another device. Under Security > Your devices > Manage Devices, choose your stolen device — you'll see its location and whether it's being used. Even if there's a chance you might get it back, sign out of your phone. You don't want the thief accessing your Google account, which likely holds your Google Password Manager, payment information, and a whole lot more. Better yet, remotely factory reset your device: go to Find Hub and choose "Factory reset (your device's name)."
The same can be done for an iPhone. Head to iCloud.com/find. You can see your device's location even if it doesn't have a Wi-Fi connection, thanks to Find My Network. If it's nearby, consider using the "Play Sound" option, in case you've simply misplaced it. Otherwise, we recommend marking your device as lost. Doing so not only locks the device, but it suspends payments, and a thief can't disable it without biometric authentication. Choose "Erase This Device" to remotely wipe it — but don't remove it from your account, as this disconnects it from your Apple ID and would allow thieves to use it for themselves. Also, Apple says that keeping the device connected to your account is key for claiming Theft and Loss reimbursement under AppleCare+.
Set your iPhone to auto-erase after too many failed attempts
Most phones, whether Android or iPhone, have an automatic security feature where, after too many failed passcode attempts, your phone will prevent further attempts for increasingly longer periods of time. You've probably seen a couple of cases online where someone locked themselves out of an iPhone for months or years. iPhones specifically have a feature where the phone completely wipes itself after too many of these failed attempts. For iPhone users, we recommend enabling this. Although very unlikely, having repeated passcode attempts gives a phone thief the chance to eventually guess your passcode and access your data. Go to Settings > Face ID & Passcode, enter your passcode, and then toggle on the Erase Data setting.
Naturally, for some people, this is going to seem like a terrible idea. What if your kids are playing with your phone, or you tend to fat-finger the wrong passcode a lot? Rest assured, it's highly unlikely that this will happen, thanks to the increasing timeouts between attempts. If it does, though, you can set up automatic iPhone backups through iCloud, then you can easily restore your iPhone later.
Having said all that, we readily admit that this is an advanced user setting. Only a relatively small subset of our readership should enable this. If you're particularly concerned about the security of your data and not too worried about entering the wrong passcode multiple times, then you lose nothing by enabling this.
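The two mechanisms this section describes, escalating delays between failed attempts and an erase after a fixed number of failures, are easy to reason about with a small model. The following is an added example written for this page, not code from Apple, Google or the article; the delay schedule, the two-second guessing time and the ten-attempt erase threshold are assumed illustrative values, not the real timings of any phone. It shows why throttling, rather than PIN length alone, is what caps a hands-on guesser, and why the erase option turns the 10,000-combination 4-digit keyspace from the paragraph on 6-digit PINs into a ten-guess problem.

```python
"""Model of a lockout policy with escalating delays and an optional auto-erase.

Added example. The schedule, per-guess time and erase threshold below are
ASSUMED for illustration and are not Apple's or Google's actual values.
"""

# Assumed policy: delay (seconds) imposed after the Nth consecutive failure.
# Failures 1-4 cost nothing; from the 5th the wait grows, then stays at one hour.
ASSUMED_DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
DEFAULT_DELAY = 3600   # assumed wait after every failure beyond the schedule
WIPE_AFTER = 10        # assumed: device erases itself on the 10th failure


def delay_after(n_failures):
    """Seconds the device refuses input after the n-th consecutive failure."""
    if n_failures < 5:
        return 0
    return ASSUMED_DELAYS.get(n_failures, DEFAULT_DELAY)


def seconds_for_attempts(n, per_guess_seconds=2):
    """Wall-clock time to make n consecutive wrong guesses (no erase enabled)."""
    total = 0
    for k in range(1, n + 1):
        total += per_guess_seconds
        if k < n:                     # no need to wait out the delay after the last one
            total += delay_after(k)
    return total


def simulate(budget_seconds, wipe_enabled, per_guess_seconds=2):
    """How many guesses fit in a time budget, and whether the device erased itself.

    Returns (attempts_made, wiped).
    """
    elapsed = 0
    attempts = 0
    while elapsed + per_guess_seconds <= budget_seconds:
        attempts += 1
        elapsed += per_guess_seconds
        if wipe_enabled and attempts >= WIPE_AFTER:
            return attempts, True     # data gone; no further guesses possible
        elapsed += delay_after(attempts)
    return attempts, False


def fraction_of_keyspace_covered(attempts, digits):
    """Share of all possible PINs of the given length that `attempts` guesses cover."""
    return attempts / (10 ** digits)


if __name__ == "__main__":
    day = 24 * 3600
    for wipe in (False, True):
        made, wiped = simulate(day, wipe)
        print(f"erase={'on' if wipe else 'off'}: {made} guesses in 24h, wiped={wiped}, "
              f"covers {fraction_of_keyspace_covered(made, 4):.2%} of 4-digit PINs")
    print(f"exhausting all 10,000 4-digit PINs by hand: "
          f"{seconds_for_attempts(10_000) / day:.0f} days")
```

Under the assumed schedule a hands-on guesser gets only a few dozen tries per day and would need over a year to exhaust even the 4-digit keyspace, while the erase option stops the whole exercise at ten guesses. That is also why the common-PIN list matters so much: ten guesses are enough to cover every PIN on it.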
Be wary of shoulder surfers
In an interview with the Wall Street Journal, professional phone thief Aaron Johnson described how easy it was for him to not just steal phones, but everything on them. One of Johnson's go-to tactics was simply looking over someone's shoulder — aka shoulder surfing — as they put in the passcode. With this passcode, he was able to access bank accounts, passwords, change Apple ID settings, or do virtually anything using Apple's Face ID/Passcode lock protection. Johnson was able to effectively gut a phone from top to bottom and resell it as a wiped device using just those six digits — leaving his victims penniless and phone-less. Although Johnson was targeting primarily Apple devices, this is a warning for Android users too.
The takeaway here is that the 6-digit passcode is a very weak form of security that safeguards so, so much. If you're not going to replace it with a password, then at least don't be too obvious when you put it in while in a public place. Enable Stolen Device Protection, too. We'd also recommend making it harder for thieves to maliciously use the things you type, such as passwords and other sensitive information; consider disabling those key press pop-ups (Character Preview) in Settings > General > Keyboard > Character Preview. Generally speaking, just be vigilant. Security researchers have found shockingly easy ways to figure out what someone is typing into their phone or computer keyboard, even without being able to see the keys.
Respect the limits of biometric authentication
Biometric authentication, like face unlock or fingerprint unlock, seems like the strongest form of authentication out there — and thus perfect for a phone. After all, sci-fi movies for years have depicted palm and iris scans as bulletproof security measures. In reality, scientists have already found ways to capture fingerprint data from a photo and get detailed scans of someone's iris from far away. For phones, they've been able to bypass face unlock with a printed picture of someone's face and steal fingerprint data. Researchers have discovered countless methods for bypassing it all. Case in point: Biometric authentication is not as strong as you might think.
Now, we aren't saying that you shouldn't use biometrics. Nobody wants to put in their passcode every time, and modern biometrics (such as ultrasonic fingerprint scanners or infrared face scanners) can't easily be bypassed by the average Joe. However, you should account for the weaknesses of this form of security. Over the years, stories have emerged of how even Face ID, regarded as the strongest face unlock method, has been spoofed by similar-looking relatives or even a pair of glasses. A cheap 3D printer can recreate your digits to bypass fingerprint unlock. Recognizing the weaknesses of biometrics, therefore, means not using it to secure everything. As one example, you might consider logging into your banking apps with your password rather than Face ID.
Limit what a locked phone can do
An ages-old prank is to open a friend's iPhone camera and then fill their photo library with a thousand silly pictures. It seems innocent, but when you think about it, it's mildly concerning that a literal stranger could access your camera and take pictures or video. Yet your camera is far from the only thing they can access via a locked iPhone. By default, someone can look at your Today View widgets, search your phone with Spotlight, open your Wallet, control your smart Home devices, talk to Siri, make phone calls, reply to texts, return missed calls, and more — all without ever unlocking your phone. We've used iPhone as an example, but Android isn't without its own weaknesses here, either.
On iPhone, we highly recommend going to Settings > Face ID & Passcode, then scrolling down to the section named "Allow Access When Locked." Think carefully about which items on this list have a justifiable reason to be accessible. It makes sense that you might want Control Center or Siri, but there's really no good reason to toggle on Reply with Message, Home Control, Wallet, and Return Missed Calls, for example. Imagine what a thief could do; they might be able to answer a confirmation text, return a call from the bank, unlock your front door, or search for passwords stored in unsecured notes, and they'd never need your passcode or biometrics to do it.
Be vigilant with an unlocked phone in a public place
Given how much value phones hold, it's no surprise thieves are finding clever ways to steal and bypass them. Aaron Johnson's method of cozying up to bar-goers and sweet-talking the phone out of their hands is far from the only one. All over the world, organized thieves snatch phones right from people's hands. Even monkeys in Bali are stealing tourist smartphones, for crying out loud. And even with the security measures we've mentioned, black markets still thrive on stolen phones.
At risk of sounding paranoid, people need to exhibit a lot more vigilance with their phones when in public. You're making yourself an easy target if you put it in your back pocket or hold it loosely in your hand as you walk down a busy street. Handing it off to a stranger to take your picture is something you should do with great caution. Simply having your phone visible tells thieves you have something worth stealing, and they'll pay special attention if they see signs that it's an expensive one — like an iPhone Pro — and it's clear you're not paying attention.
None of this is to say that you should be on high alert during a relaxing stroll. However, being just a tiny bit more conscious about your surroundings, and where your device is, will go a long way. We've made it abundantly clear how much is at risk when it gets stolen.