
I recently read that you're supposed to have a phone pin consisting of at least six digits. Why?

I'd get it if the pin was stored as a hash in a database, even though six digits would easily be brute-forceable in that case. That database would of course be in the phone's storage, which you don't get access to without the pin. Realistically that part of the phone's storage wouldn't be user-accessible.

Also, Android disables the phone for a while, after entering the wrong pin five times. This gives a potential attacker a 0.05% chance of guessing the pin, when assuming a four-digit pin.

So what are the benefits of a longer PIN for your phone? And what length should you really use?

1 Answer


I would say the article you read is incorrect. I don't think it is a common opinion of security experts that a phone PIN should consist of at least six digits.

At first glance it would seem that six digits is 100 times more secure than four digits. While this may be the case, the aggressive brute-force protection on a phone makes it infeasible to guess a large fraction of the key space. I would say four digits provides adequate security.

If you read it in the Lifehacker article, there is a big inconsistency that should be pointed out. The Homeland Security agent testified that the PIN was not relevant:

The agent was brought to testify that it was trivial enough to extract the data with an IP Box, and thus that it was of no consequence whether or not that passcode was obtained

This seems to indicate that some attackers can bypass the brute-force protection, so a longer PIN will only take a little longer to crack. I don't understand how Lifehacker could use this as a base for an article to increase the PIN size. A better solution would be to upgrade to a better phone or phone OS.

Edit: the IP Box does a brute-force attack, so PIN size does influence the time it would take. This only seems to work on older iOS versions (<= 8.1.1).

Sjoerd
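As an added illustration of the answer's reasoning (example code, not part of the original thread), the following Python model compares 4- and 6-digit PINs under a fixed-lockout policy versus the lockout-bypass case the answer's edit describes. The "30 second pause after every 5 wrong guesses" and "1 second per guess" figures are assumed parameters for the model, not numbers from the thread.

```python
# Added example: a small risk model for PIN guessing with and without a lockout.
# Assumed parameters (not from the thread): 5 guesses per lockout block and a
# 30 s pause after each block; the per-guess cost is chosen by the caller.


def guess_success_probability(pin_digits: int, attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit a uniformly chosen PIN."""
    keyspace = 10 ** pin_digits
    return min(attempts, keyspace) / keyspace


def attempts_within_budget(budget_s, per_guess_s, lockout_after=5, lockout_s=30):
    """Max guesses possible in budget_s when every `lockout_after` wrong guesses
    is followed by a pause of lockout_s seconds (lockout_s=0 models a bypass)."""
    if budget_s < per_guess_s:
        return 0
    # Cost of one full block of guesses plus the pause that follows it.
    block = lockout_after * per_guess_s + lockout_s
    # Number of complete blocks that still leave room for at least one more guess.
    full_blocks = int((budget_s - per_guess_s) // block)
    # Guesses that fit after the last pause, capped at one block.
    tail = min(lockout_after, int((budget_s - full_blocks * block) // per_guess_s))
    return full_blocks * lockout_after + tail


def compare_pin_lengths(budget_s, per_guess_s, lockout_s, lengths=(4, 6)):
    """Success probability per PIN length for a given time budget and lockout policy."""
    n = attempts_within_budget(budget_s, per_guess_s, lockout_s=lockout_s)
    return {d: guess_success_probability(d, n) for d in lengths}


if __name__ == "__main__":
    # The thread's own figure: 5 tries against a 4-digit PIN before lockout.
    print("5 tries, 4 digits:", guess_success_probability(4, 5))
    # One hour with a 30 s lockout every 5 guesses versus the same hour with a bypass.
    print("with lockout:", compare_pin_lengths(3600, 1, 30))
    print("lockout bypassed:", compare_pin_lengths(3600, 1, 0))
```

With the lockout in place both lengths stay at well under a 10% hit rate for the hour, which is the answer's point; once the lockout is bypassed the two lengths differ by the full factor of 100.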