Feature, information leak, same thing. At least sometimes? It turns out this is the case with the iPhone 5 and strong passcodes.
Many people are familiar with the passcodes used to protect phones nowadays. These passcodes unlock the phone for use after a period of disuse (such as a minute, 5 minutes, or even instantly as soon as the screen is turned off). The iPhone 5 supports two types of passcodes, “simple” and otherwise. Simple passcodes are limited to numbers only, and always have a length of 4. Non-simple passcodes can use letters and numbers and can be up to 10 characters long. Since simple passcodes only involve numbers, the input screen shows a number pad for input. However, with complex passcodes, the situation is different.
With complex passcodes, if we have both letters and numbers in our passcode, the input screen shows the standard on-screen QWERTY keyboard. However, if a complex passcode contains only numbers (greatly reducing the complexity and attack space), the QWERTY keyboard is not shown, and only a number pad is shown. This usability (?) choice (?) reveals to potential attackers that a numeric-only complex passcode is numeric-only, without them having to know anything else about the passcode, and so greatly reduces the security of numeric-only passcodes. However, who wants to enter numbers on a QWERTY keyboard on a touch screen?