Passwords are probably the oldest authentication method. Despite their age, passwords remain the most popular authentication method in today’s digital age. Compared to other authentication mechanisms, they have many tangible benefits. They can be as complex or as easy to remember as needed; they can be easy to use and secure at the same time (if used properly).
The number of passwords an average person has to remember is growing exponentially. Back in 2017, an average home user had to cope with nearly 20 passwords (presumably they would be unique passwords). An average business employee had to cope with 191 passwords. Passwords are everywhere. Even your phone has more than one password. Speaking of Apple iPhone, the thing may require as many as four (and a half) passwords to get you going. To make things even more complicated, the four and a half passwords are seriously related to each other. Let’s list them:
- Screen lock password (this is your iPhone passcode)
- iCloud password (this is your Apple Account password)
- iTunes backup password (protects backups made on your computer)
- Screen Time password (secures your device and account, can protect changes to above passwords)
- One-time codes (the “half-password” if your account uses Two-Factor Authentication)
In this article, we will provide an overview on how these passwords are used and how they are related to each other; what are the default settings and how they affect your privacy and security. We’ll tell you how to use one password to reset another. We will also cover the password policies and describe what happens if you attempt to brute force the forgotten password.
Screen Lock Passcode
This is the most important and most profound password (or, rather, a passcode). This is the password most (if not all) users set when they set up their new iPhone. By default, the length of the screen lock passcode is 6 digits. If you try hard, you can still opt to use the “old style” 4-digit PIN, or select a custom alphanumeric password if you believe you have something to hide. While you can technically set up your device without a password, making this choice will limit your ability to access some of the iPhone features such as Apple Pay. Without a screen lock password, you won’t be able to sync your Web site passwords, messages and Health data to iCloud.
We had a comprehensive review of iPhone passwords in Protecting Your Data and Apple Account If They Know Your iPhone Passcode (link), and a follow-up (which also includes some info on biometric usage) in Passcode vs. Biometrics: Forensic Implications of Touch ID and Face ID in iOS 12 (link).
If you forget your screen lock passcode
If you are an ordinary user, you won’t be able to unlock your iPhone, period. You can, however, reset the iPhone, thus getting rid of the passcode and all of your data. (Make sure you have backups in iCloud and/or on your computer.) Once you have successfully reset your iPhone, your iCloud password will be absolutely required to set it up. (See? There you are, the first relationship.)
- You can wipe the device to reset the screen lock passcode. However, you will require your iCloud password to re-activate the device afterwards.
- You may be able to attack the screen lock password if you work for the law enforcement, have access to some very restricted software or services and the device is compatible. Even then, there could be multiple issues, and many, if not most devices may not be unlocked in reasonable time.
If you know the screen lock passcode
If you know the screen lock passcode, you can do all of the following:
- Unlock the device even after cold boot
- Connect to USB accessories (unlocking the device disables USB restrictions)
- Pair the device with the new computer and make a new local backup
- Change the iCloud password and trusted phone number (only on 2FA accounts; one-time 2FA password not required)
- Reset (remove) the iTunes backup password (if Screen Time password is not set)
- iOS 13: Change or set new iTunes backup password
- Update iOS
- Reset the device to factory settings
- View passwords saved in the keychain
- Access certain types of data from iCloud (iCloud password and one-time 2FA password required). This includes iCloud keychain, Health data, synced messages, Screen Time data
- Perform physical analysis. If the device screen lock passcode is known and there are no Screen Time restrictions on installing apps, you may be able to jailbreak the device, extract the file system and decrypt the keychain with iOS Forensic Toolkit. The keychain obtained as a result of physical extraction will contain the Screen Lock password and the iCloud password among other things.
The ifs and buts
- iCloud password can only be changed if the user did not set a Screen Time restriction on Apple Account changes (this can be turned off if you know the Screen Time password; there, another relationship)
- If the user has a Screen Time password, you will need it (in addition to the screen lock passcode) in order to reset the iTunes backup password
- Once you set or change your passcode, the device will attempt to connect to iCloud (Confirm iPhone Passcode). This is required to add the device to the Trusted circle. Failure to do so will disable iCloud Keychain and break sync of protected data categories (Health, Messages, Screen Time).
Complicated? This is just the beginning.
If you are using iCloud, this password is always set. If you ever downloaded an app from the App Store, you also have this password as your Apple ID password. It is hard to imagine a person who has an iPhone and does not have an Apple ID/iCloud password.
Apple enforces certain minimum requirements on password complexity; all other types of passwords described in this article are usually simpler. In addition to password complexity, users are not allowed to set Apple ID/iCloud passwords matching Apple ID/iCloud passwords they previously used.
The purpose of the Apple ID/iCloud password is protecting access to the user’s online account such as their iCloud data (including iCloud photos and backups), as well as protecting the iPhone against theft. The iCloud password serves as part of an extremely reliable Factory Reset Protection system that makes iPhone theft far less attractive.
This password (and the second authentication factor for 2FA accounts) limits the ability to access iCloud data. Even if you know the Apple ID/iCloud password, this may not be enough to access some types of data. For example, accessing the iCloud Keychain, iCloud Messages, Health and Screen Time data, you will need the device screen lock passcode as well.
Is it possible to access the iCloud without a password? Yes, at least for some data; read Accessing iCloud With and Without a Password in 2019 for more information.
If you forget your iCloud password
What if you forget your iCloud password? Apple has a comprehensive writeup on the subject: If you forgot your Apple ID password. You may be able to reset the iCloud password right from your device (if you know the device screen lock passcode and the account uses two-factor authentication). In addition, you can extract the iCloud password from several sources such as Web browsers with Internet Password Breaker (Windows), macOS keychain with Password Digger, or encrypted device backups (if, in turn, you know the iTunes backup password) with Phone Breaker.
If you forgot your iCloud password, your options are:
- Reset from your Apple device (screen lock passcode required, two-factor authentication must be on, but no 2FA code asked)
- Reset from somebody else’s Apple device (screen lock passcode required, two-factor authentication must be on, one-time 2FA code will be required)
- Reset via Web browser (different procedures for accounts with or without 2FA; for 2FA accounts, you will be required to enter the one-time 2FA code delivered as a text message to your trusted phone number).
If you know the iCloud password
If you know the iCloud password, you can do all of the following:
- Regain access to your own device if you forgot its screen lock passcode: reset device via Recovery mode, then enter your iCloud password when prompted during setup
- Authorize App Store purchases (if biometric identification is not enabled for purchases)
- Authorize app updates (if prompted, which is seemingly random)
- Sign in to App Store (for accounts with two-factor authentication accounts, one-time 2FA code required)
- Extract some types of data from iCloud (accounts without two-factor authentication)
- Extract some more data from iCloud (two-factor authentication accounts, one-time 2FA code required)
- Extract even more data from iCloud (such as iCloud Keychain, iCloud Messages, Health and Screen Time) (two-factor authentication accounts, one-time 2FA code required, device screen lock passcode required)
- Disable iCloud lock, turn off Find my iPhone, perform factory reset
- Sign in to your Apple Account (for accounts with two-factor authentication accounts, one-time 2FA code required)
- Remotely locate, lock or erase your devices via Find My (even for 2FA accounts, one-time 2FA codes are NOT required)
- Change your Apple ID/iCloud password
- Sign in on Apple devices to make them trusted (for accounts with two-factor authentication accounts, one-time 2FA code required)
The ifs and buts
- iCloud password can only be changed if the user did not set a Screen Time restriction on Apple Account changes (this can be turned off if you know the Screen Time password)
- If your Apple account uses two-factor authentication, the iCloud password is almost completely pointless. If you have access to your second authentication factor (trusted iPhone, trusted phone number/SIM card), you can easily change your iCloud password. If, however, you still know your iCloud password but lost access to your second authentication factor, you will be unable to access to your account. There is an extremely lengthy and complex procedure for reinstating your Apple ID, but the result is never guaranteed. In the tests we performed, we had close to a 50-50 chance of success when recovering 2FA accounts without access to the second factor. Maybe this, and not the second factor, should become the one-half Apple password?
iTunes backup password
This password is optional and not set by default. We already covered this topic in The Most Unusual Things about iPhone Backups (link) in detail, but there are some important notes.
The obvious thing is that you’ll need this password to restore the device from a backup. If you do not have the original device with data but only have the backup files, you will need to break the password by using a range of smart and brute-force attacks (e.g. using Elcomsoft Distributed Password Recovery). These attacks aren’t very efficient due to the very strong protection. Expect to recover only the short and simple passwords in reasonable time.
If, however, you have access to the iOS device itself, you can reset the backup password prior to making a new backup. This feature is available in iOS 11 and all newer versions of iOS. You’ll need the device screen lock passcode to reset the iTunes backup password. The Screen Time password, if configured, will prevent your ability to do it, so you’ll need the Screen Time password in addition to the screen lock passcode in order to reset the iTunes backup password.
If the device is running iOS 13, you will also need to enter the device screen lock passcode to set or change the backup password.
If you forget your iTunes backup password
- If you have the original iOS device, you can attempt to reset the iTunes backup passcode (iOS 11 and newer). For this, you’ll need the device screen lock passcode. In addition, if the Screen Time password is set, you’ll need the Screen Time password as well.
- If you only have the backup files, and the backup is protected with an unknown iTunes backup password, you will need to brute-force the password (which can be very slow). You can accelerate the recovery by using GPU-assisted and/or distributed attacks, or opting to do a dictionary attack instead of brute force.
- You can also analyze/restore the device by using an iCloud backup; you will need the iCloud password and 2FA code to restore/download a cloud backup. If, however, you restore an iCloud backup to a new device (or use Elcomsoft Phone Breaker to download it), the keychain will be lost; all saved passwords will be gone.
- The Screen Time password may prevent you from resetting the iCloud password if the Account Changes restriction is set to Don’t Allow.
If you know the iTunes backup password
If you know the iTunes backup password (and have the backup files), you can do all of the following:
- Restore the original or new iOS device including keychain passwords
- Analyze the backup and obtain the Screen Time password (iOS 12 only) or the Restrictions password (older versions of iOS).
- Analyze the backup and obtain passwords from the keychain (may or may not contain the user’s Apple ID/iCloud password) *
The ifs and buts
- The iCloud password may or may not be available when analyzing local backups. The password may be also obtained if the user signed in to their Apple account from the Safari browser. *
- The Screen Time password cannot be obtained from a local backup if one was produced by an iOS 13 device.
- If you reset the iTunes backup password via the Settings app, the device screen lock passcode is also reset. That means that you lose some data such as Apple Pay transactions and cached mail for some accounts (e.g. Exchange). In addition, you will be unable to reset the iCloud password and you may lose access to iCloud keychain until you set up a new device screen lock passcode.
* The ability to extract Apple ID/iCloud passwords from password-protected iTunes backups depends on whether the corresponding record exists in the backup file. In our experience, more often than not the Apple ID/iCloud password is available and easily extractable from encrypted local backups with Elcomsoft Phone Breaker. The actual records to analyze are:
apple.account.iTunesStore.password and apple.account.AppleAccount.password (previously used bus still worth a look)
When analyzing the keychain, check out the following entries when looking for Apple ID/iCloud passwords:
Screen Time password
Screen Time is a recent feature that appeared in iOS 12. Screen Time can be enabled with or without a password. If you opt to have a password, it is always comprised of exactly four digits.
If the Screen Time password is set, it blocks changes to any restrictions specified in the Screen Time settings. In addition, the Screen Time password prevents users from resetting device settings. This in turn means that you will be unable to reset the backup password if you don’t know the Screen Time password.
In addition, users can configure restrictions on installing apps. In this case, the Screen Time password will block the ability to install new apps, meaning that you might be unable to install a jailbreak. Jailbreaking generally allows to extract the full content of the device including the full keychain (which includes the iTunes backup password, Screen Time password and Apple ID/iCloud password).
If you forget your Screen Time password
- You will be unable to turn off Screen Time, disable or bypass the restrictions
- You will be unable to turn on the “Share across devices” feature, which is required if you want to obtain the Screen Time password from iCloud
- iOS 12: recover the Screen Time password by analyzing a password-protected backup (iTunes backup password required).
- iOS 12 and 13: extract the Screen Time password from iCloud (requires all three of: iCloud password, 2FA code, device screen lock password)
If you know the Screen Time password
- You can remove individual Screen Time restrictions, turn off Screen Time or just disable the Screen Time password
- If you know the device screen lock password, you can reset the iTunes backup password
The ifs and buts
- iOS 12: you need a password-protected backup to extract the Screen Time password. If the backup password is not specified, setting a new backup password is required.
- iOS 13: Screen Time password is not available in iTunes backups. Use cloud extraction instead.
- Screen Time password can be only extracted from iCloud if the “Share across devices” feature is already enabled. If it is not, you won’t be able to activate it without a valid Screen Time password.
- If you know the iCloud password, have the 2FA code, and know the screen lock passcode or system password of at least one device participating in the “Share across devices” feature, you will be able to extract all Screen Time passwords to all devices participating in the sharing.
- How To Access Screen Time Password and Recover iOS Restrictions Password (link)
- How to Extract Screen Time Passcodes and Voice Memos from iCloud (link)
Two-Factor Authentication codes
Speaking of Web services, password protection is definitely not enough to secure accounts. A good example is Celebgate, which forced Apple to accelerate work on two-factor authentication). Today, we strongly believe that iCloud accounts must be protected with the second factor. Apple’s implementation of two-factor authentication is pretty good. The owner receives an immediate push notification on all registered devices once someone attempts to access their account. There is the ability to generate 2FA codes offline or receive them in a text message.
However, with Apple’s implementation of 2FA, the device itself may be less secure compared to devices without two-factor authentication. That’s why we consider 2FA codes as a half-password.
In real world, Apple emphasizes two-factor authentication significantly. You must have two-factor authentication on your Apple account if you want any of the following features:
- The ability to synchronize passwords in iCloud (iCloud keychain)
- Sync Health, Messages and Screen Time through iCloud
- The ability to reset forgotten Apple ID/iCloud passwords
If you forget your Apple ID/iCloud password, you can always reset it if you have access to a trusted device (that device is considered your second authentication factor). If, however, you lose access to all of your trusted devices and your trusted phone number (effectively losing access to two-factor authentication), you will be locked out of your Apple ID/iCloud account. There is an extremely lengthy and complex procedure for reinstating your Apple ID, but the result is never guaranteed. In the tests we performed, we had close to a 50-50 chance of success when recovering 2FA accounts without access to the second factor. All this makes your second authentication factor far more significant than the iCloud password.
If you lose access to your second authentication factor
- You will be locked out of your Apple ID/iCloud account even if you know your iCloud password
- You may be able to reinstate access to your Apple account. The procedure is complex and lengthy, and the outcome is not guaranteed
- Try not losing access to the second authentication factor
If you have access to your second authentication factor
- Easily reset your Apple ID/iCloud password it if you have access to a trusted device (that device is considered your second authentication factor)
- Reinstate your Apple account (and reset your Apple ID/iCloud password) if you can receive the 2FA code (trusted phone number/SIM card)
- Sign in to your Apple ID/iCloud services even if you forget your iCloud password (by resetting the password)
- Restore existing or new devices from iCloud backups
- If restoring existing device (the same physical device an iCloud backup was made from), saved passwords (keychain items) will be restored as well even if you don’t know the screen lock passcode
- You can download many types of data (such as calendars, mail, notes, reminders, Voice Memos etc.)
The ifs and buts
- Even if you lose access to 2FA, you can still access the “Find My” section of iCloud services (if you know your iCloud password)
- Passwords (the keychain) will be only restored from iCloud backups onto exactly the same physical device the cloud backup was captured from
The four passwords have different policies regarding their length and complexity. Here they are:
- Screen lock passcode: no definite policy; can select 4 digits, 6 digits (default), custom numeric or variable length alphanumeric. Apple maintains a database of the most common passcodes; if you attempt to select one of those, you will be warned (but can still use it if you choose so).
- iCloud password: must be at least 8 characters; must include at least one small letter, one capital letter, and one digit.
- iTunes backup password: no policy.
- Screen time password: exactly 4 digits
If you attempt to brute force
If you forget your password, you may be tempted to try a few one that you thing may fit. This is what happens if you do:
- Screen lock passcode: progressively increasing delay followed by permanent device lock (the “Connect to iTunes” deadlock due to USB restricted mode) or, if the user specifies the “Erase after 10 attempts” setting, wipe to factory settings after 10 attempts.
- iCloud password: temporary account lock. In addition, if you attempt to brute-force the device screen lock passcode when extracting iCloud Keychain, Health, Messages or Screen Time data from iCloud, all of those categories will be wiped after just 10 attempts.
- iTunes backup password: no restrictions. Brute-force away!
- Screen time password: progressively increasing delay; after 10 attempts, a one-hour delay between attempts will be enforced.
We tried to demystify the complex relationships between the four-and-a-half Apple passwords. If you are still feeling confused, rest assured you are not alone. Apple claims it cares about your security, but its current security model looks just a bit too confusing even for seasoned security experts. When analyzing the whole picture, we get suspicious if there was a proper security model in place, or if Apple just patched various issues reacting to security concerns and users’ complaints. In particular, giving the users the ability to reset their iTunes backup password AND their iCloud password using the device screen lock passcode alone does not look good however you look at it.
While we cannot applaud this security model, we can understand Apple’s reasons. Apple has to reach an acceptable balance between security, privacy and convenience. You cannot get all three at the same time. To make things even more complicated, this balance is always a moving target. You can secure your device all the way, sacrificing all the convenience in the world but still not getting the protection level you expect because of some recently discovered (and sometimes unpatchable) security flow.
If you want to access the maximum amount of information available in Apple iCloud, we recommend using Elcomsoft Phone Breaker. To maximize the amount of data, make sure to have the user’s Apple ID/iCloud password, access to the second authentication factor and the device screen lock passcode (if you have access to the device, you can use the latter to reset the former). We recommend Elcomsoft Phone Viewer to analyze the downloaded information (particularly, to access the Screen Time password).