Engineers on Google's Android team recently tweeted about the stricter limits on unlock attempts implemented in Android 17. The limits exist mainly to stop thieves or anyone else from trying one PIN after another to unlock a device. Stricter limits make it harder for criminals to guess their way in, which improves device security. Google also has to balance this against user experience, since some users do often forget their own passwords.


Unlock rate limits implemented in Android 17:

In Android 16, Google allows 10 unlock attempts in 1 minute (all 10 being wrong; once the correct code is entered, no further errors accumulate), 20 in 6 minutes, 50 in 25 minutes, and 110 in 24 hours. This rate limit is secure enough for a randomly chosen PIN, but users clearly do not pick completely random codes, and quite a few probably use birthdays and the like.

A criminal who knows some of the user's information in advance has a better chance of guessing the code, so Google is implementing stricter rate limits in Android 17 (in practice they take effect starting with Android 16 QPR2): 5 attempts in 1 minute, 6 in 5 minutes, 7 in 15 minutes, 8 in 30 minutes, and 11 in 12 hours.

All of the attempt counts given here refer to consecutive wrong entries. In the extreme case where a criminal keeps entering wrong passwords, Android locks the device after 20 consecutive errors and no longer allows it to be unlocked.

Will 20 errors in a row lock the user out?

It is possible, but the chance is relatively low. Under Google's settings, after 20 consecutive wrong passwords the system is locked and can no longer be unlocked. Keep in mind, though, that a user cannot enter passwords back to back in a short period: there is a wait after each wrong entry, and the wait grows with each further error. Reaching 20 consecutive wrong entries would therefore take a very long time.

This restriction therefore does not usually cause problems for most users. Google also provides a password recovery option when a Google account is linked to the device, so after many consecutive errors users will probably stop guessing and look for another way to unlock the device.

Entering the same incorrect password does not count:

I have to say that the Android engineers have thought this through very carefully. In the counting described above, a wrong password that the user enters more than once is counted only once. For example, if the first entry is wrong and the user enters the same password again on the sixth try, the two entries count as one. Repeatedly entering the same wrong password therefore does not lead straight to a locked system, although the user may still have to wait a long time before the next entry.

Finally, Google also improved the wording of the prompts on the lock screen. It used to show something like "try again in 1800 seconds"; it now shows something like "retry in 30 minutes", so users can see at a glance how long they must wait without reaching for a calculator (for example, the wait after 18 consecutive errors is 3 years / 94608000 seconds).
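To compare the two sets of limits and the repeated-guess rule side by side, here is a small model, added as an illustration and not taken from Android's source. It assumes each stated limit behaves as a sliding window, it does not model the escalating per-attempt waits, and the names `UnlockThrottle` and `distinct_guesses_within` are hypothetical.

```python
# Limits as stated in the article: (wrong attempts allowed, window in seconds).
ANDROID_16 = [(10, 60), (20, 360), (50, 1500), (110, 86400)]
ANDROID_17 = [(5, 60), (6, 300), (7, 900), (8, 1800), (11, 43200)]
HARD_LOCK = 20  # distinct wrong guesses before the device stays locked (article)


class UnlockThrottle:
    """Toy model; treating each limit as a sliding window is an assumption."""

    def __init__(self, windows, hard_lock=HARD_LOCK):
        self.windows = windows
        self.hard_lock = hard_lock
        self.wrong_times = []    # timestamps of counted wrong guesses
        self.seen_wrong = set()  # wrong guesses already counted (model only)

    def next_allowed(self):
        """Earliest second at which another guess is accepted."""
        t = 0
        for limit, span in self.windows:
            if len(self.wrong_times) >= limit:
                # The limit-th most recent failure must leave the window first.
                t = max(t, self.wrong_times[-limit] + span)
        return t

    def attempt(self, now, guess, secret):
        if len(self.wrong_times) >= self.hard_lock:
            return "locked"
        if now < self.next_allowed():
            return "throttled"
        if guess == secret:
            self.wrong_times.clear()
            self.seen_wrong.clear()
            return "unlocked"
        if guess not in self.seen_wrong:  # a repeated wrong guess is not recounted
            self.seen_wrong.add(guess)
            self.wrong_times.append(now)
        return "wrong"


def distinct_guesses_within(windows, horizon, hard_lock=HARD_LOCK):
    """Distinct wrong guesses the policy accepts in [0, horizon) seconds."""
    th = UnlockThrottle(windows, hard_lock)
    n = 0
    while n < hard_lock and th.next_allowed() < horizon:
        # Constructed inputs: every guess is distinct and wrong.
        th.attempt(th.next_allowed(), f"constructed-wrong-{n}", "constructed-secret")
        n += 1
    return n
```

Under this model the windows reproduce the figures quoted above for both versions, which makes it easy to see how many distinct guesses each policy exposes over a given period.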