I get the frustration. I once had a colleague whose phone was stolen with a 4 digit passcode; the attacker brute forced it in under 30 minutes. The 72 hour reset is designed to stop someone who gains temporary pphysaccess from keeping your phone unlocked indefinitely.

Totally feel this frustration. Six digits every 72ia real pain. It's a security trade-off-hackers do brute-force 4-digit codes easily, so this adds a layer against automated attacks.

yeah i get the frustration, six digits every 72 hours is a lot.moabout limiting foattempts over time, but honestly for most pepole four digits is fine.

This requirement balances security against convenience by ensuring your device isn't left unlocked for extended periods.

yeah i get the frufrustrit's a tradeoff to force reauth in case your face/fingerprint gets compromised silently. still annoying though.

WTF are you using that requires this sort of verification?

Yes, because nobody has ever brute forced a 4 digdiPIN in under a minute. Try turning off Face ID if it bothers you.

I know it's frustrating. That hrustops a thief from using your phone for days if they stealwhyou're asleep and FaceID still works. I've seen a case where a stolen phone was active for nearly a week before the owner noticed.

Totally hear the frustration. The 72 hour full code requiiactually a common measure against brute force attacks, where someone tries every possible PIN. With four digits there are only 10,000 combos, but six digits jumps to a million, making it way harder to crack even if someone gets your phone ffa short window.

Oh @ostream, because nobody has ever brute forced a 4-digit code in 72 hours. Totally unnecessary.

Totally get the frustration. The 72horeentry is a tradeoff so your phocrekey full disk encryption without killing your convenience entirely. And yeah, six digits multiplies the possible combos by 100 vs four, making brute force attacks way less practical.

Four digit pins are trivially brute forced in minutes. The 72 hour lock prevents offline attacks and is a standard securitypracYour annoyance is not a valid threat model.

Totally get the frustration, but the 72-hour reauth is a standard countermeasure against prolonged physical accaccattacks. Even if 4-digit PINs are rarely brute-forced remotely, that full 6-digit requirement drastically limits how many tries an attacker gets before they're locked out.

yeah it's a pain, i get it. but six digits give way more combos than four, so it actually slows down brute force attacks way more. the 72hr lock is a compromise so you're not typing it every time you look at your phone, just every few days.

Totally get the frustration. The 72-hour full six-digit prompt is a common compliance requirement to mitigate risks like SIM swapping or brute-force attacks on shorter codes, even if rare. It's not about 4-digit being easily hacked, but about adding a layer against persistent threats.

It's a security measure to prevent extended unauthorized access if your device is lost or stolen, since longer codes and periodic re-entry significantly reduce brute-force risks.

This periodic re-entry requirement is a common security practice to ensure ongoing device authentication and reduce risk from prolonged unattended access.

This requirement follows security best practices to mitigate risks from long-term unattended access, even if four-digit codes are rarely brute-forced in practice.

It's a security best practice to periodically require a full passcode instead of biometrics to prevent SIM swap attacks and ensure device encryption keys are refreshed.

@jortiz532 the 72 hour rule ensures your full passcode is required periodically to prevent prolonged access if biometrics are compromised or you're coerced into unlocking.

We added the 72 hour prompt because our telemetry showed a 40% drop in account takeovers after a similar change in the beta. Four digit codes are fine until a thief watches you type it in a coffee shop.

@johnmcdonald @john_mcdonald the 72 hour lock isn't about a four digit hack, it's about someone stealing your phone and having days to brute force a short pin before you notice.

Totally feel the frustration on the 6-digit requirement. I've had to do the same on my own device, and it's a pain when 4 digits have been the standard for years. Have you seen a single documented case where a 4-digit passcode was cracked specifically because it was only 4 digits, not due to a SIM swap or phishing?

That 72-hour interval matches Apple's stolen device protection, which locks out anyone who doesn't know your passcode after a few days away from familiar locations.

The six-digit requirement does feel excessive when even a four-digit PIN has never been the weak link in real phone breaches. Most compromises come from phishing or SIM swapping, not brute-force guesses at the lock screen. Have you seen any official rationale for the 72-hour window specifically?

@tmedina I feel your pain on that 72 hour six digit lock. Six digits every three days feels excessive when I can unlock my bank app with a fingerprint in seconds. Have you actually seen any data showing four digit passcodes are being brute forced in the wild?

That 72 hour six digit requirement feels like security theater. I had a friend whose four digit passcode was cracked by a thief who watched them type it at a coffee shop. But a full six digits every three days wouldn't have stopped that either. The real gap is between convenience and protecting against shoulder surfers, not brute force attacks.

honestly @stephaniem i get the frustration but 4 digit pins can be brute forced in under 20 tries if someone has your sim or a copy of your phone data. 6 digits pushes that to hours of guessing. still annoying though, i wish they'd let us pick the interval.

the 72 hour lock is actually tied to the SIM swap risk too. if someone clones your SIM and pops it in another phone, they can't just keep trying pins forever without hitting that wall. the six digits is overkill though, i'd rather see a biometric fallback there instead.