by sopooneo 4280 days ago
I had the same thought. If we allow upper, lower, and digits, that's 26+26+10 = 62 possible characters per space. With six spaces, that gives 62^6 = 56,800,235,584 possible passwords.

Now if we take their figure of 5.5 years to crack a phone's files and divide, we get 327 seconds (more than 5 minutes) per password they check.

Something is off, though perhaps it's my math so please do double check it for me.

Edit: Argggg. Good corrections. My main problem is that I did my final division in the wrong direction. Fix that by taking a reciprocal: 1/327 = 0.003 seconds. And then correct that by a factor of 2 to assume they get each password in half the possible time: 0.003 * 2 = 0.006 or roughly 6 milliseconds. Thanks for the quick check, folks.

2 comments

6 randomly selected characters out of the 62 available gives less than 36 bits of entropy, which anyone with even a passing interest in any kind of cryptography will instantly recognise as pretty poor.

This issue is compounded by the fact that humans are notoriously bad at randomness. I really don't think many users will be typing the 22 random characters required for just over 128 bits of entropy every time they want to use their phone.

But maybe the 5.5 year figure includes the incrementally increasing delay that Apple insert between tries after x wrong guesses -- assuming a manual brute force, which is pretty much not how it would play out in reality.

In reality they lift your prints from the phone, fool the lock sensor, then clone it to a new, bugged phone, and monitor all your communications.

But frankly, such scenarios are not privacy concerns unless you're actually trying to carry out crimes because at that point you've got a half-dozen or more government agents assigned to personally follow you.

5.5 years is ~173563000 seconds or my maths and google are both wrong.

For pure brute force you'd want to make some assumption about the mean time taken to find the correct password, but let's argue that you find it after checking exactly 1/2 of the possible combinations.

2.8400e+10 passwords checked in 1.7300e+8 seconds => ~0.6 milliseconds per check. ish. I think.

Edit: as the comment below points out, humans are crap. In reality any hack would use dictionary attacks rather than pure brute force. I was just addressing the maths.
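An added script, not posted by anyone in the thread, that reproduces the arithmetic being argued over: the 62^6 keyspace, its entropy in bits, the password length needed for 128 bits, and the per-guess time implied by the 5.5 year figure. It assumes a Gregorian year of 365.2425 days, which is what gives the ~173563000 second figure quoted above.

```python
import math

ALPHABET_SIZE = 26 + 26 + 10          # upper, lower, digits: 62 symbols
SECONDS_PER_YEAR = 365.2425 * 86400   # assumption: Gregorian year, matches the thread's ~1.7356e8 s

def keyspace(length, alphabet=ALPHABET_SIZE):
    """Number of distinct passwords of the given length."""
    return alphabet ** length

def entropy_bits(length, alphabet=ALPHABET_SIZE):
    """Entropy in bits when every character is chosen uniformly at random."""
    return length * math.log2(alphabet)

def length_for_bits(target_bits, alphabet=ALPHABET_SIZE):
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet))

def seconds_per_guess(total_seconds, length, alphabet=ALPHABET_SIZE, expected_fraction=0.5):
    """Time per guess implied by covering expected_fraction of the keyspace in total_seconds.

    expected_fraction=0.5 models the thread's assumption that the right password
    turns up, on average, after half the candidates have been tried.
    """
    return total_seconds / (expected_fraction * keyspace(length, alphabet))

def thread_figures():
    """The numbers discussed in the thread: 6 characters from 62, cracked in 5.5 years."""
    total = 5.5 * SECONDS_PER_YEAR
    return {
        "keyspace": keyspace(6),                       # 56,800,235,584
        "entropy_bits": entropy_bits(6),               # ~35.7, i.e. under 36 bits
        "chars_for_128_bits": length_for_bits(128),    # 22
        "total_seconds": total,                        # ~173,563,236
        "ms_per_guess_full_search": 1000 * seconds_per_guess(total, 6, expected_fraction=1.0),
        "ms_per_guess_half_search": 1000 * seconds_per_guess(total, 6),  # ~6.1 ms
    }

if __name__ == "__main__":
    for name, value in thread_figures().items():
        print(f"{name}: {value:,.4f}" if isinstance(value, float) else f"{name}: {value:,}")
```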