Google's next Android version is set to make brute-forcing a phone's lock screen practically impossible, cutting the number of allowed failed passcode attempts down to just 20.
Attempt limit slashed from 1,800 to 20
Android 17 introduces a hard cap of 20 failed PIN attempts, after which the device locks permanently. This marks a sharp tightening from the current system, which allows an attacker to spread roughly 1,800 guesses across five years, according to Softonic.
Lockouts kick in within minutes
The new system escalates quickly. Users get around six incorrect tries within the first minute, seven within six minutes, eight within 25 minutes, and about 12 within a full day. Once the 20-attempt ceiling is hit, the phone locks for good. Android 17 makes one allowance: repeatedly entering the same wrong PIN will not be counted as multiple separate attempts.
Aimed at curbing brute-force attacks
The update is designed to make brute-force attacks significantly less viable, particularly against weak PINs such as birthdays or simple repeated-digit patterns.
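The schedule and cap described above can be modelled to see what they leave an attacker. This is an added example, not Android's code: it uses the article's rounded figures, and it assumes the clock starts at the first failed attempt, that only the 20-attempt cap applies after one day, and a 4-digit PIN for the odds calculation.

```python
# Simplified model of the lockout schedule described in the article.
# Assumptions: figures are the article's rounded ones; the clock starts at the
# first failed attempt; past one day only the 20-attempt cap applies.
CHECKPOINTS = [(60, 6), (6 * 60, 7), (25 * 60, 8), (24 * 3600, 12)]
HARD_CAP = 20

def allowed_by(elapsed_s):
    """Cumulative failed attempts permitted elapsed_s seconds after the first failure."""
    for limit_s, count in CHECKPOINTS:
        if elapsed_s <= limit_s:
            return count
    return HARD_CAP

class LockoutModel:
    def __init__(self, correct_pin):
        self.correct_pin = correct_pin
        self.failed = 0
        # Model only; how Android tracks repeated PINs is not described in the article.
        self.seen_wrong = set()
        self.first_fail_at = None

    def attempt(self, t, pin):
        """Return 'unlocked', 'wrong', 'repeat', 'throttled' or 'locked'."""
        if self.failed >= HARD_CAP:
            return "locked"
        elapsed = 0 if self.first_fail_at is None else t - self.first_fail_at
        if self.failed >= allowed_by(elapsed):
            return "throttled"            # guess is not evaluated while waiting
        if pin == self.correct_pin:
            return "unlocked"
        if pin in self.seen_wrong:
            return "repeat"               # same wrong PIN again: not counted
        self.seen_wrong.add(pin)
        self.failed += 1
        if self.first_fail_at is None:
            self.first_fail_at = t
        return "locked" if self.failed >= HARD_CAP else "wrong"

def success_chance(guesses, keyspace=10_000):
    """Chance that `guesses` distinct tries hit a uniformly random PIN (4 digits assumed)."""
    return min(guesses, keyspace) / keyspace

if __name__ == "__main__":
    print(f"20 guesses:    {success_chance(20):.1%}")
    print(f"1,800 guesses: {success_chance(1800):.1%}")
```

A uniformly random PIN is the best case for the defender; predictable choices such as birthdays raise the odds per guess, which is where the lower cap matters most.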
Clearer warnings and a recovery shortcut
Android 17 will also display clearer lockout messages showing wait times in minutes, along with a recovery shortcut built directly into the lock screen, making it easier for users to regain access if they are genuinely locked out.
Part of a broader security push
The tighter passcode limit is one piece of a wider security overhaul in Android 17. Google is also rolling out a strengthened 'Mark as lost' feature in Find Hub with biometric locking, on-device Live Threat Detection, tighter parental controls, and new rules governing local network permissions.
The changes are expected to reach supported Android devices once Android 17 begins rolling out.