Google has cut Android’s failed PIN and password ceiling to 20 attempts in Android 17, replacing a far looser system that once allowed up to 1,800 guesses over five years.
After six wrong entries, throttling now kicks in far faster: the cumulative allowance rises to just seven attempts within six minutes, eight within 25 minutes, 12 over 24 hours and 19 across five years, after which the final block applies.
Duplicate wrong entries no longer count against the limit, letting users who repeat the same mistaken PIN avoid burning attempts while seeing a message explaining the exemption.
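To make the two counting rules concrete (the cumulative schedule and the duplicate exemption), here is a small simulation of such a lockout policy. It is an added illustration, not Google's code and not Android's actual implementation: the attempt counts and time windows are the ones quoted above, but the per-guess interpretation (the Nth distinct wrong guess is only accepted once enough time has passed since the first wrong guess, a correct PIN resets the counter, and the 20th distinct wrong guess is the final block) is this model's assumption, as are the sample PINs and timestamps.

```python
"""Model of a duplicate-exempt, time-throttled PIN lockout schedule.

Added example, not Android's implementation. Schedule numbers follow the
article; the per-guess timing semantics and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

MINUTE = 60
HOUR = 60 * MINUTE
DAY = 24 * HOUR
YEAR = 365 * DAY
MAX_ATTEMPTS = 20  # hard ceiling of distinct wrong guesses before the final block


def min_elapsed_for(n: int) -> int:
    """Assumed minimum seconds since the first wrong guess before the n-th
    distinct wrong guess may be entered: 1..6 immediate, 7 at six minutes,
    8 at 25 minutes, 9..12 at 24 hours, 13..20 at five years."""
    if n <= 6:
        return 0
    if n == 7:
        return 6 * MINUTE
    if n == 8:
        return 25 * MINUTE
    if n <= 12:
        return DAY
    return 5 * YEAR


@dataclass
class LockoutState:
    wrong_guesses: Set[str] = field(default_factory=set)  # distinct wrong PINs seen
    first_wrong_at: Optional[float] = None                 # start of the window
    blocked: bool = False                                  # final block reached


def attempt(state: LockoutState, pin: str, correct_pin: str, now: float) -> Tuple[str, float]:
    """Evaluate one PIN entry at time `now` (seconds).

    Returns (status, wait_seconds) where status is one of
    'ok', 'wrong', 'duplicate', 'throttled' or 'blocked'.
    A throttled entry is not evaluated at all, mirroring a disabled input field.
    """
    if state.blocked:
        return ("blocked", float("inf"))
    n_next = len(state.wrong_guesses) + 1
    elapsed = 0.0 if state.first_wrong_at is None else now - state.first_wrong_at
    required = min_elapsed_for(n_next)
    if elapsed < required:
        return ("throttled", required - elapsed)
    if pin == correct_pin:
        state.wrong_guesses.clear()   # successful unlock resets the window
        state.first_wrong_at = None
        return ("ok", 0)
    if pin in state.wrong_guesses:
        return ("duplicate", 0)       # repeating a known-wrong PIN costs nothing
    state.wrong_guesses.add(pin)
    if state.first_wrong_at is None:
        state.first_wrong_at = now
    if len(state.wrong_guesses) >= MAX_ATTEMPTS:
        state.blocked = True
        return ("blocked", float("inf"))
    return ("wrong", 0)


def run_scenario() -> List[Tuple[str, float]]:
    """Constructed timeline: six quick misses, a repeat, then throttled retries,
    and finally the correct PIN after 24 hours."""
    correct = "1234"  # constructed sample value
    state = LockoutState()
    events = [
        (0, "0000"), (1, "0000"),
        (2, "1111"), (3, "2222"), (4, "3333"), (5, "4444"), (6, "5555"),
        (8, "6666"), (360, "6666"),
        (400, "7777"), (1500, "7777"),
        (1501, "8888"),
        (DAY, "1234"),
        (DAY + 1, "0000"),
    ]
    return [attempt(state, pin, correct, t) for t, pin in events]


if __name__ == "__main__":
    for status, wait in run_scenario():
        print(status, wait)
```

The timeline shows the seventh distinct guess being refused at t=8 s with a 352 s wait, accepted at exactly six minutes, and the repeat of `0000` at t=1 s not consuming an attempt.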
Android 17 also makes lockouts easier to navigate with clearer wait-time messages (shown in minutes rather than seconds), plus a lock-screen recovery shortcut for getting account help from another device.
Google says the stricter policy targets attackers who exploit common PIN choices and personal details like birthdays or anniversaries to improve their odds.