Leaf&Core

Your iPhone Passcode Can be Used to Steal Your Apple ID. Here’s How to Fix It


If this guy wants your phone and passcode, you’ll give it to him.

Here’s a scenario. You’re walking home after a late night at the office and someone grabs you from behind. You’re shoved up against a wall. They pull out a knife and ask for your iPhone. You hand it over. They ask for your passcode. With a knife in your face, fearing for your life, you comply. You rush home and go to use Find my iPhone to lock your phone, wipe it, and report it stolen. You believe you can potentially protect your iPhone, get it back, and protect your Apple ID/iCloud account. But you can’t log in to your iCloud account. Your password is wrong. How?

You’ve fallen prey to a default setting in iOS that helps thieves not only steal your iPhone, but also steal your iCloud account. All of your apps are now gone. Your payment information? It’s theirs now. iOS allows users to reset their iCloud password with nothing more than the device passcode. You probably didn’t even notice the step during setup, because Apple makes it seem necessary.

It’s not. Therefore, you have to protect yourself. Fortunately, it’s not difficult to prevent your phone from changing your Apple ID password without verifying your current password. Here’s how.

Finding the Problem

To start, we’re going to figure out if the problem exists on your device. You’ll do this by attempting to change your Apple ID password. If you’re able to do it without entering your existing Apple ID password, then you could be a victim of Apple ID theft in the case of a stolen iPhone. Here’s how to find out if you have this vulnerability.

  1. Open Settings
  2. Tap on your iCloud profile at the top
  3. Tap Password & Security
  4. If your iPhone doesn’t ask you for your iCloud password here, you have a problem.
  5. You can further verify that you can be hacked by tapping Change Password.
  6. If you get a prompt to enter your passcode here, a thief can steal your iPhone and your iCloud account with nothing more than your passcode.

Fixing the Problem

Ok, so you’ve got the issue. How do you fix it? It’s going to sound scary and counter-intuitive, but you’ll have to turn off your passcode and then turn it back on, skipping the iCloud step. Here’s how.

Turning Passcode Off

  1. Go to Settings
  2. Scroll down and tap Face ID (or Touch ID) & Passcode
  3. Scroll down and tap “Turn Passcode Off”
  4. When the alert comes up, tap Turn Off

Don’t worry, your phone isn’t insecure. Well, technically, it is, but someone would have to run up and steal it right now. Hopefully that’s not something you’re currently concerned about. If you’re worried, wait until you’re in the safety of your own home to change these settings.

Turn Passcode Back On, With Protections

  1. You should already be here, but if you’re not, take the above steps to get to the Passcode section of Settings
  2. Tap the option to set a passcode for your device
  3. When you’re presented with the passcode page, don’t just enter a 6-digit number. You’ll want a passcode at least 10 digits long. Here’s how to do that.
  4. Tap Passcode Options
  5. Select Alphanumeric Code for a passcode with letters and numbers
  6. OR tap Custom Numeric Code for a numerical password longer than 6 digits. I recommend this. 6 digits or under is not secure anymore. I recommend using at least 10 digits. I use far more.
  7. NEVER use a 4-digit passcode!
  8. After you create and repeat your passcode, you’ll get a popup asking for your Apple ID Password.
  9. This is the most vital step. DO NOT ENTER YOUR PASSWORD.
  10. Instead, hit cancel. Your iPhone will be fine; you will just need your existing Apple ID/iCloud password to change your password on this device.
  11. You can leave the option enabled on your iPad or Mac; that way you’ll still have a way to reset your password if you forget it. However, you’ll be protected from phone thieves.

Can Apple Fix This?

Yes. They can make it clearer that entering your Apple ID password at that prompt, which links your passcode to your account, is optional. Skipping it feels like a hack, a strange workaround, rather than something everyone should do. However, you absolutely should not link your iPhone passcode to your Apple ID, because an iPhone can be stolen off your person, and your passcode can be coerced out of you. If someone steals your iPad from your home while you’re away, they won’t have your passcode. However, a stolen iPhone is the perfect target for thieves looking to gain access to your Apple ID, payment information, and more.

Would Apple change this? It’s unlikely; they prefer everything to be seamless. Hopefully they update the prompt to show that this is an optional step, but they certainly won’t disable the feature. It’s actually a secure feature for changing your Apple ID password, as long as it’s not in use on your phone.

Of course, a thief could ask for your Apple ID password. Usually thieves want to get what they came for and leave as soon as possible. They’ll likely just try for your passcode, as the rest is not only too time consuming, but unnecessary on most iOS devices. Therefore, this should protect you from a phone theft leading to an Apple ID theft, but it’s not guaranteed.
