Mishaal Rahman / Android Authority
TL;DR Android 17 includes stricter lock screen rate limits to make PIN and password guessing much more difficult than before.
Devices running Android 17 will allow far fewer incorrect attempts before imposing lengthy lockouts.
Google has also implemented a hard cap of 20 failed attempts and introduced duplicate-guess detection and clearer lockout messages for legitimate users.
Google first announced stronger lock screen protections for Android 17 during The Android Show: I/O Edition in May. These new protections make it significantly harder for anyone to force their way into your phone by guessing your lock screen PIN or password. Now, Google’s Mishaal Rahman has shared exactly how the new security feature works in Android 17, and the changes are more aggressive than you might expect.
Stronger unlock protections in Android 17
According to Rahman, Android 17 introduces much stricter default rate limiting for PIN and password attempts on supported devices. Instead of allowing hundreds of guesses over time, the system now sharply reduces the number of incorrect attempts before longer lockouts kick in.
Previous versions of Android were considerably more lenient when it came to PIN and password guesses. Android 16 allowed up to 10 guesses in the first minute, 20 within six minutes, 50 within 25 minutes, 110 over 24 hours, and as many as 1,800 guesses across five years.
Android's hard limit for failed PIN attempts has dropped from 1,800 over five years to just 20.
Starting with Android 16 QPR2, Google made a change that carries forward into Android 17. The policy is now much stricter, with devices allowing only six guesses in the first minute, seven within six minutes, eight within 25 minutes, 12 over 24 hours, and just 19 guesses across five years. After 20 incorrect attempts, no further guesses are permitted.
Google explains that the old limits left room for attackers to exploit the fact that many people choose common PINs or passwords rather than random ones. Someone who knows your personal information, like your birthday or anniversary, could improve their odds of guessing your PIN or password even further by trying commonly used combinations first.
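The following Python model of the two limit tables quoted above is an added example, not code from the article or from Android. It assumes each figure is a cumulative cap on failed guesses until that much time has elapsed since the first failure, a 365-day year, and (for the coverage figure only) uniformly random 4-digit PINs; all function names are hypothetical.

```python
"""Model of the cumulative failed-guess limits quoted in the article (added example)."""

MINUTE, DAY = 60, 86_400
FIVE_YEARS = 5 * 365 * DAY  # assumption: 365-day years

# (elapsed seconds since first failure, max cumulative failed guesses), from the article.
ANDROID_16 = [(MINUTE, 10), (6 * MINUTE, 20), (25 * MINUTE, 50), (DAY, 110), (FIVE_YEARS, 1800)]
ANDROID_17 = [(MINUTE, 6), (6 * MINUTE, 7), (25 * MINUTE, 8), (DAY, 12), (FIVE_YEARS, 19)]
ANDROID_17_HARD_CAP = 20  # article: after 20 incorrect attempts, no further guesses


def earliest_second_for_guess(schedule, n, hard_cap=None):
    """Earliest elapsed time at which failed guess number n (1-based) is allowed.

    Returns None when n exceeds the hard cap.
    """
    if n < 1:
        raise ValueError("guess numbers start at 1")
    if hard_cap is not None and n > hard_cap:
        return None
    wait = 0
    for window, cap in schedule:
        if n > cap:
            wait = window  # guess n has to wait until this window has passed
    return wait


def max_guesses_within(schedule, seconds, hard_cap=None):
    """Most failed guesses that fit into `seconds` of elapsed time.

    Returns hard_cap (possibly None) once every window has elapsed, because
    the article gives no further figure beyond the last window.
    """
    limits = [cap for window, cap in schedule if window > seconds]
    if not limits:
        return hard_cap
    return min(limits) if hard_cap is None else min(min(limits), hard_cap)


def uniform_pin_coverage(guesses, digits=4):
    """Share of a uniformly random PIN space covered by `guesses` distinct tries.

    This is a lower bound on real-world odds: people favour common PINs.
    """
    return min(guesses, 10 ** digits) / 10 ** digits


if __name__ == "__main__":
    for name, sched, cap in (("Android 16", ANDROID_16, None), ("Android 17", ANDROID_17, ANDROID_17_HARD_CAP)):
        n = max_guesses_within(sched, DAY - 1, cap)
        print(f"{name}: {n} guesses in 24h, {uniform_pin_coverage(n):.2%} of 4-digit PINs")
```

Under these assumptions, a day of guessing covers 1.10% of the 4-digit space on the Android 16 table and 0.12% on the Android 17 table.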