The weak link
Unfortunately, passcodes' dependence on human intervention makes them the weakest link in the iOS protection scheme. People are notoriously bad at choosing security over convenience, and many of us unwittingly weaken the safety of our data through poor "security hygiene" practices.
For example, iOS defaults to requiring four-digit passcodes, which most people pick because they are easier to enter single-handedly on the large numeric keypad. According to Apple's own security whitepaper, a malicious attacker who gains access to a device's contents could defeat a four-digit passcode in a little over a minute, using nothing more sophisticated than a simple program that tries all 10,000 possible combinations.
But it gets worse--research has shown that many people choose extremely weak passcodes like "0000" and "1234," giving would-be hackers an easy means of attack. In fact, there's a better than one-in-five chance that they can gain access to your phone with just five attempts, simply by guessing the most common choices.
Picking better passcodes
Fortunately, it doesn't take much effort to dramatically increase the security of your passcodes. For starters, if you like numeric codes because they're easy to input using the on-screen keypad, you'll be happy to know that iOS uses the same entry mechanism even if you pick a code longer than four digits. To enable it, open the Settings app and go to General, then tap Passcode Lock, where you can turn Simple Passcode off. If you now enable passcodes and choose one that is made up only of digits, iOS will provide the numeric keypad when you try to unlock your device.
Of course, this also tells attackers that your code is a number, giving them a leg up on breaking it; however, each additional digit increases the time required for a brute-force attack tenfold, which is certainly much better than nothing. For example, going by Apple's estimates, a six-digit code would take around 22 hours to break, while a nine-digit code would take roughly two and a half years.
This brings me to a crucial point: A passcode isn't a magic solution that protects your data for all eternity--instead, it buys you time before that data falls into the wrong hands. Given enough time and resources, almost any encryption mechanism can be defeated; thus, your goal should be to pick a passcode whose length gives you enough time to neutralize the effects of losing your data.
For example, your garden-variety thief will most likely turn on a stolen device as soon as possible to make sure that it works, and will possibly root around for a quick score like your online-banking credentials. In this case, even a nontrivial four-digit passcode will give you enough time to log on to Find My iPhone and remotely wipe the phone's contents well before the thief can get his or her hands on them.
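To make the "tenfold per digit" arithmetic and the "buy yourself enough time" idea concrete, here is a small Python script. It is an added example, not code from Apple or from this article. It derives a per-guess cost of about 0.08 seconds from the article's six-digit figure (22 hours for a million codes), which also reproduces the nine-digit estimate; the article's four-digit figure implies a faster rate, so the six-digit anchor is an assumption. The weak-pattern rules and the short list of common codes are constructed for illustration from the two examples the article names, not a published frequency table. The functions `bruteforce_seconds`, `digits_needed`, `is_weak_numeric_code` and `assess` are this example's own names.

```python
"""Numeric passcode strength helper (added example, not Apple's or the article's code).

Assumptions:
- ATTEMPT_SECONDS is derived from the article's six-digit figure: 22 hours for
  10**6 codes is about 0.079 s per guess. This is an assumption of the example.
- COMMON_PINS and the pattern rules below are constructed for illustration.
"""

ATTEMPT_SECONDS = 22 * 3600 / 10**6  # ~0.079 s per guess, derived from the article

# Constructed sample of well-known weak codes; the article itself names these two.
COMMON_PINS = frozenset({"0000", "1234"})


def bruteforce_seconds(num_digits, attempt_seconds=ATTEMPT_SECONDS):
    """Worst-case time to try every all-digit code of this length.

    Each extra digit multiplies the search space, and so the time, by ten.
    On average an attacker finds the code after half this time.
    """
    if num_digits < 1:
        raise ValueError("passcode must have at least one digit")
    return 10 ** num_digits * attempt_seconds


def digits_needed(target_seconds, attempt_seconds=ATTEMPT_SECONDS):
    """Smallest passcode length whose full search takes at least target_seconds.

    A simple loop avoids floating-point edge cases around exact powers of ten.
    """
    n = 1
    while bruteforce_seconds(n, attempt_seconds) < target_seconds:
        n += 1
    return n


def human_duration(seconds):
    """Render a number of seconds in the largest convenient unit."""
    units = (
        ("year", 365 * 24 * 3600),
        ("day", 24 * 3600),
        ("hour", 3600),
        ("minute", 60),
        ("second", 1),
    )
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:.1f} {name}{'s' if value != 1 else ''}"
    return f"{seconds:.2f} seconds"


def is_weak_numeric_code(code):
    """True if the code is in the common list or follows a trivial pattern.

    Patterns flagged (constructed rules): all digits identical (7777) and
    straight ascending or descending runs (2345, 9876).
    """
    if not code.isdigit():
        raise ValueError("numeric passcode expected")
    if code in COMMON_PINS:
        return True
    if len(set(code)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def assess(code):
    """Summarise a candidate numeric code: weak pattern flag and full-search time."""
    return {
        "digits": len(code),
        "weak_pattern": is_weak_numeric_code(code),
        "full_search": human_duration(bruteforce_seconds(len(code))),
    }


if __name__ == "__main__":
    for candidate in ("1234", "7777", "482731", "913745028"):
        print(candidate, assess(candidate))
    # How long a code is needed to keep a thief busy for a full day?
    print("digits for 24 hours of cover:", digits_needed(24 * 3600))
```

Run it and compare the six- and nine-digit rows with the article's figures: the 22-hour and two-and-a-half-year estimates fall out of the same 0.079-second-per-guess rate. The `digits_needed` helper turns the article's advice around: decide how long you need to reach Find My iPhone and wipe the device, then read off the length that gives you that margin.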