Screen Lock PIN Generator

Generate a numeric PIN avoiding weak sequences (1234, 0000, common dates, repeats) with security level options.

Avoided PINs: 1234, 0000, repeated digits (1111), ascending/descending sequences, common dates (1990-2030 in MMDD or DDMM).

Lock screen PIN: Android and iOS

Your smartphone lock screen is the last line of defence for emails, banking apps, photos and password managers. With iOS 9 (2015), Apple bumped the default passcode from 4 to 6 digits, raising the keyspace from 10,000 to 1,000,000 combinations. Android lets you pick a PIN of 4 to 16 digits, a 3x3 grid pattern, an alphanumeric password or biometrics. Each option trades convenience for entropy.

Apple's Secure Enclave and Android's Trusted Execution Environment rate-limit guesses with hardware-backed delays, so brute force is far harder than the raw 10⁶ number suggests — but a weak human-chosen PIN still gets cracked on the first few tries.

Biometrics vs PIN: the trade-off

  • Face ID (iOS) — TrueDepth IR camera, Apple claims a 1-in-1,000,000 random false-positive rate
  • Touch ID — capacitive fingerprint, ~1-in-50,000 false-positive rate
  • Android fingerprint / Face Unlock — varies wildly; only Class 3 sensors qualify for sensitive apps
  • Pattern unlock — Andrew Aude's 2016 study found ~19% of patterns predictable (start corner + simple shape)

Biometrics are convenient but legally weaker in many jurisdictions: in the U.S., courts have repeatedly compelled suspects to unlock with a fingerprint or face while ruling that a PIN is protected by the Fifth Amendment. Best practice: use biometrics for daily unlocking and keep a strong 6+ digit PIN as the fallback.

Wipe after wrong attempts and forensic tools

iOS lets you enable Erase Data after 10 failed attempts (Settings → Face ID & Passcode). Android offers a similar option through MDM policies. Even with this enabled, forensic tools such as GrayKey and Cellebrite UFED exploit vulnerabilities that surface periodically. The famous FBI vs Apple 2016 case revolved around a San Bernardino iPhone 5C unlocked by a third-party tool. Modern iPhones with USB Restricted Mode and Android 13+ with file-based encryption (FBE) per-app keys are significantly harder targets.

Top weak PINs to avoid

DataGenetics analysed 3.4M leaked 4-digit PINs — the top 20 cover ~27% of all real users. Avoid:

1234 · 1111 · 0000 · 1212 · 7777
1004 · 2000 · 4444 · 2222 · 6969
9999 · 3333 · 5555 · 6666 · 1122
  • Birth year (1990, 2001) — public on LinkedIn/Facebook
  • Keyboard sequences (123456, 2580)
  • Repeated digits visible by smudge on the glass
  • Phone number last 4 digits
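
The rejection rules described at the top of this page, combined with the weak-PIN list above, as an added Python example (not this site's own generator code). The function names, the reading of the date rule and the wrap-around sequence check (7890) are assumptions.

```python
import secrets

# Weak 4-digit PINs listed on this page.
COMMON = {"1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444",
          "2222", "6969", "9999", "3333", "5555", "6666", "1122", "2580"}

def is_repeated(pin):
    """One block repeated end to end: 1111, 1212, 123123."""
    n = len(pin)
    return any(n % k == 0 and pin == pin[:k] * (n // k)
               for k in range(1, n // 2 + 1))

def is_sequence(pin):
    """Every step is +1 or every step is -1, wrapping 9->0 (3456, 9876, 7890)."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})

def has_date(pin):
    """Assumed reading of the date rule: a year 1990-2030 anywhere in the
    PIN, or (4-digit PINs only) a valid MMDD or DDMM day/month pair."""
    if any(1990 <= int(pin[i:i + 4]) <= 2030 for i in range(len(pin) - 3)):
        return True
    if len(pin) != 4:
        return False
    a, b = int(pin[:2]), int(pin[2:])
    return (1 <= a <= 12 and 1 <= b <= 31) or (1 <= a <= 31 and 1 <= b <= 12)

def weakness(pin):
    """Name of the first rule the PIN breaks, or None if it passes all."""
    rules = (("common", lambda p: p in COMMON), ("repeated", is_repeated),
             ("sequence", is_sequence), ("date", has_date))
    return next((name for name, rule in rules if rule(pin)), None)

def generate_pin(length=6):
    """Uniform draw from the OS CSPRNG, redrawn until no rule matches."""
    if not 4 <= length <= 16:  # Android's PIN range as given on this page
        raise ValueError("length must be between 4 and 16 digits")
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if weakness(pin) is None:
            return pin

def surviving_keyspace(length=4):
    """How many PINs of this length the filter leaves (brute-force count)."""
    return sum(weakness(f"{i:0{length}d}") is None for i in range(10 ** length))

if __name__ == "__main__":
    print(generate_pin(6), surviving_keyspace(4))
```

Under these rules the filter excludes between 6% and 8% of all 4-digit PINs, most of them date-shaped, so the remaining keyspace is slightly smaller than 10,000.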

Recovery and complementary protections

If you lose the PIN: Apple Account Recovery can take weeks; Google Find My Device can remotely reset the lock if you stay signed in. Enable iCloud Keychain or Android's Smart Lock for password sync with a hardware-backed key. NIST SP 800-63B § 8.4.1 recommends biometric + memorised secret (PIN) as a multi-factor combo on phones. Cover the keypad when typing in public — shoulder surfing remains the cheapest attack.

FAQ

4 or 6 digits on a lock screen? Six minimum on any phone with personal data — banking apps, photos, work email. Four is acceptable only on a disposable burner with no sensitive accounts.

Is biometric alone enough? No — every Android and iPhone falls back to PIN after a reboot, 48 hours of no unlock, or 5 failed biometric attempts. The PIN is always the real key.

Should I enable wipe-after-10-attempts? Yes on iOS if you sync backups to iCloud. The risk of losing data to a forgetful kid is offset by the protection against forensic brute force.

What about pattern lock? Easier to shoulder-surf and 19% predictable. A 6-digit PIN is mathematically stronger and leaves no swipe trail on the glass.
