Google has gutted the number of times anyone can guess a lock screen credential on Android, reducing the lifetime maximum from 1,800 tries to a hard cap of 20. The change, rolling out now to supported Pixel devices as part of Android 17, is designed to make stolen phones largely useless to attackers who rely on common PINs and personal details. For the millions of Windows users who link a Pixel to Microsoft accounts, password managers, and corporate VPNs, that’s a silent but significant upgrade to the chain of authentication.

What Actually Changed

The old Android 16 compatibility baseline allowed 10 guesses in the first minute, 110 over 24 hours, and up to 1,800 spaced across five years. That might sound generous, but it gave thieves ample room to try birthdays, anniversary dates, or the top 100 most common six-digit PINs in frequency order.

Android 17 collapses that attack surface. The new policy, also enforceable through Android 16 QPR2 and later builds, imposes a strict lifetime limit of 20 incorrect attempts. After the fourth wrong entry, escalating delays kick in:

Incorrect guesses Timeout before next attempt
1–4 None
5 1 minute
6 5 minutes
7 15 minutes
8 30 minutes
9 90 minutes
10 4 hours
11 12 hours
12 36 hours
13 4 days
14 13 days
15 41 days
16 123 days
17 1 year
18 3 years
19 9 years
20 or more No further guesses allowed

The countdowns are no longer shown in raw seconds. Android 17 translates them into minutes, hours, days, or years — a small quality-of-life fix that avoids absurd messages like “try again in 2,000 seconds.” A recovery shortcut also appears on the lock screen, pointing locked-out owners toward recovery options from another device.

Duplicate guess detection is another new safeguard. Re-entering the same incorrect credential won’t burn through multiple attempts on devices that use Weaver rate-limiting hardware alongside Android’s software rate limiter. However, phones relying solely on the older Gatekeeper hardware may not support this feature, meaning a mistyped PIN could count repeatedly against the 20-try budget. Google’s Android Open Source Project documentation first flagged the change, and reports from MakeUseOf and Android Central confirm it is live in the stable Android 17 release for Pixels.

What It Means for You

For everyday phone owners: The margin for error just vanished. If you routinely fat-finger your PIN or try a few old passwords out of habit, you could lock yourself out for days or years after a handful of misses. Google’s own advice is blunt: pick a memorable but genuinely obscure credential. A child or a thief who snags your phone for a minute can’t burn all 20 attempts quickly, but a few careless taps while distracted could still trigger a long timeout.

For power users and remote workers: If your Pixel acts as a second factor for Microsoft 365, a hardware security key for Windows Hello, or the vault for your password manager, the new limit shrinks the risk that a lost handset becomes a skeleton key. Attackers who know your birth year or favorite sports team no longer get hundreds of cracks at guessing the PIN that protects your entire digital estate.

For IT administrators: Corporate-owned Pixels enrolled in mobile device management will inherit the 20-try cap automatically with the Android 17 update. Admins should push the update, audit PIN complexity policies, and remind users to keep recovery contact methods current. Devices that rely on Gatekeeper rather than Weaver may not get duplicate guess detection, so training users to type carefully is suddenly a security control.

How We Got Here

Android’s lock screen rate-limiting has been catch-up security for years. Under Android 16, the 1,800-guess ceiling looked robust on paper but crumbled against real-world attack patterns. As Mishaal Rahman, who works on Android’s community engagement team, explained in a social media post: “Attackers can achieve a significant success rate cracking into devices by entering PINs or passwords in order of decreasing frequency, and if they know anything about you (like your birthday), that success rate only increases.”

Google’s engineers essentially rewrote the threat model. Instead of protecting against a random guess, they hardened the system against a motivated adversary armed with personal data. The new limits apply not just to the lock screen but also to credential-encrypted storage and authentication-bound keys, leveraging the device’s trusted hardware where available. This isn’t an Android 17 exclusive; Android 16 QPR2 also carries the policy, so some recent Pixel models may get the restriction before the full OS upgrade.

The human-readable timeouts and duplicate guess detection address predictable user frustrations. In earlier versions, a three-day lockout displayed as “try again in 259,200 seconds,” which helped nobody. Android 17 swaps that for “3 days,” and the duplicate-guess feature prevents a single typo from torching multiple attempts — though, crucially, only on devices with the right hardware.

What to Do Now

  1. Update immediately. On a compatible Pixel, navigate to Settings > System > Software update and install Android 17. The new rate-limiting takes effect automatically; no toggle to flip.
  2. Audit your credential. If your PIN is 1234, your birthday, or “password,” change it now. Settings > Security > Screen lock. A six-digit random number or a strong alphanumeric passcode makes the 20-try limit academically impossible for an attacker.
  3. Lock down recovery. While still logged in, confirm a backup phone number, email, or secondary device can receive recovery prompts. Open Settings > Google > Manage your Google Account > Security > Recovery phone/email.
  4. Lean on biometrics. Fingerprint or face unlock bypasses the passcode counter. Use them as your primary unlock method to avoid accidental lockouts. The passcode becomes a fallback — and a secure one.
  5. For IT admins: Validate that managed Pixels are receiving the update. Review mobile device management policy to require strong passcodes and enable biometric unlock. Distribute a plain-language alert to staff: “You now have only 20 tries before this phone permanently locks you out. Keep recovery info fresh.”

Outlook

Android 17 draws a line in the sand: the phone lock screen is no longer a gentle speed bump. It’s a hard gate. The 20-try cap, coupled with escalating delays that stretch into years, makes brute-force attacks impractical even for well-resourced adversaries. Google’s move will pressure other Android manufacturers to adopt similar hardware-backed rate-limiting, and Apple has long employed comparable protections in iOS. For Windows users, the takeaway is clear: a Pixel that guards your Microsoft credentials just became a much harder target. Keep your device updated, your PIN unpredictable, and your recovery path unobstructed.