Hacker News

dlcarrier, yesterday at 7:22 PM

Just a PIN? For most people that's a 4-digit number, which has a worst-case scenario of 10,000 attempts and a median of only a few hundred. Why not use a full 8-digit password?


Replies

jjmarr, yesterday at 7:32 PM

Because the TPM effectively rate limits brute forcing of the key.

https://learn.microsoft.com/en-us/windows/security/hardware-...

> For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4,415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.

naikrovek, yesterday at 7:53 PM
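The arithmetic behind the quoted Microsoft figures (32 immediate guesses, then one guess every two hours, about 4,415 guesses per year, a little over two years to exhaust a 4-digit PIN) can be checked with a small lockout model. This is an added example, not code from the thread or from Microsoft; the lockout parameters are the ones quoted above, and the `keyspace` helper and the PIN policies passed to it are assumptions used to compare the 4-digit case against the longer PINs the replies mention.

```python
"""Model a TPM-style anti-hammering lockout against exhaustive PIN guessing.

Added example, not from the thread. The TPM_EXAMPLE parameters are the ones
quoted from the Microsoft documentation in the thread; everything else
(keyspace helper, the PIN policies compared in main) is assumed for
illustration.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 365.25 * 24  # Julian year, 8766 hours


@dataclass(frozen=True)
class LockoutPolicy:
    free_guesses: int       # guesses allowed before the lockout engages
    recovery_hours: float   # hours that must elapse per extra guess once locked out

    def guesses_in_hours(self, hours: float) -> int:
        """How many guesses the policy permits within a window of `hours`."""
        return self.free_guesses + int(hours / self.recovery_hours)

    def guesses_per_year(self) -> int:
        return self.guesses_in_hours(HOURS_PER_YEAR)

    def hours_to_exhaust(self, keyspace: int) -> float:
        """Worst case for the attacker: every possible PIN has to be tried."""
        remaining = keyspace - self.free_guesses
        if remaining <= 0:
            return 0.0  # the whole space fits in the free guesses
        return remaining * self.recovery_hours


# Parameters quoted in the thread: 32 guesses immediately, then 1 per 2 hours.
TPM_EXAMPLE = LockoutPolicy(free_guesses=32, recovery_hours=2.0)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct PINs of a given length over a given alphabet (assumed helper)."""
    return alphabet_size ** length


def years_to_exhaust(policy: LockoutPolicy, space: int) -> float:
    return policy.hours_to_exhaust(space) / HOURS_PER_YEAR


def main() -> None:
    print(f"guesses per year under TPM_EXAMPLE: {TPM_EXAMPLE.guesses_per_year()}")
    # Assumed PIN policies for comparison: (label, alphabet size, length)
    policies = [
        ("4 digits", 10, 4),
        ("8 digits", 10, 8),
        ("18 chars, digits+letters", 36, 18),
    ]
    for label, alphabet, length in policies:
        space = keyspace(alphabet, length)
        print(f"{label:28s} keyspace={space:.3e} "
              f"worst-case exhaustion={years_to_exhaust(TPM_EXAMPLE, space):.3e} years")


if __name__ == "__main__":
    main()
```

With the quoted parameters the model reproduces the documentation's numbers: 32 + 8766/2 = 4,415 guesses per year, and (10,000 - 32) * 2 hours is about 2.27 years for a 4-digit PIN. The same lockout stretches an 8-digit numeric PIN past twenty thousand years, which is the point the reply is making: the TPM's throttling, not the PIN's raw entropy, is what sets the cost of guessing.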

No one uses a 4-digit PIN for BitLocker. No one who knows what they are doing, anyway.

My employer requires at least an 18-digit PIN, and not just numbers, either.