GrapheneOS Some questions about your recommended setups:
To 1: a 6 digit PIN is fine, which gives you "only" 1.000.000 combinations? Probably you mean in combination with the extended time you will have between an increasing number of trials? Is there a spec for this time? Are there other consequences or just the time?

To 2: what's your recommendation regarding the length of the PIN when using it in combination with fingerprint?

Take a look at this changelog - amazing! Do you guys ever sleep?

Thanks for your great work and have a good start to the new year!

INSTALLED on P9P XL and working as expected! Will report any issues if found. Amazing work as per usual... GOS is the best thing since sliced bread!

Is this feature included in this release?

We're going to be adding a toggle for blocking the Play Integrity API in a way that acts as if the service is currently down. We've found that many apps do not correctly use it and still allow using the app if it's unavailable because their service only has soft enforcement of the Play Integrity API. It's possible this will be enough to get Revolut working but we don't know at this point. They're going out of the way to try banning using alternate OSes and can upgrade that over time.

https://grapheneos.social/@GrapheneOS/113737931425144006

Thanks

In my opinion, face unlocking is a high security risk. The new method makes more sense to me.
Thanks to the Graphene OS team for their work and support

Thank you, I just tried flashing a Pixel 8a, and honestly, it’s magical.
You are amazing, thanks to the entire GOS team.

Nothing to say, it’s great.

And here’s the additional part about Diceware:

Diceware is a method of generating strong passphrases using a random selection of words. The longer the passphrase, the more secure it is. The method works by rolling dice to select words from a list, typically consisting of 7776 possible words.
Examples of Diceware passphrases:

4 words: piano finger window chair
5 words: mango rocket whisper dance paper
6 words: sunshine actor paper pencil cloud clock
7 words: cat turtle hat piano window goose march

Security and Difficulty:

The security of Diceware passphrases depends on the number of words used. For example, a 4-word passphrase has about 7776^4 (approx. 3.7 trillion) possible combinations, while a 7-word passphrase has 7776^7 (about 1.4 quadrillion) possible combinations.

Mathematically, brute-forcing a 4-word passphrase would take considerable time, but with modern processing power, it’s not impractical. In contrast, a 7-word passphrase, due to its vastly larger keyspace, would be extremely hard to brute-force within a reasonable timeframe, even with a powerful attack.

Effectiveness of Diceware:
Diceware’s strength lies in its simplicity and ease of use while still being extremely secure. It is considered one of the best ways to generate memorable yet strong passphrases.

You can read more about Diceware and its effectiveness here: https://www.eff.org/dice

HAPPY NEW YEAR

    I just switched to the alpha channel on my Pixel 8 and updated it.
    It’s working perfectly! :)

    So, both the Pixel 8a and Pixel 8 are running smoothly, just like a fish in water.

    Really, thank you so much, this is fantastic, and I’m sure many people have been waiting for this update.

    HAPPY NEW YEAR, AND LONG LIFE TO GOS AND ITS TEAM!

    gos-users The method works by rolling dice to select words from a list, typically consisting of 7776 possible words. Examples of Diceware passphrases:

    You have a word list with 7776 short simple nouns? Please share a link to it in that case. Because all word lists with 4000+ words I have ever seen have adjectives and verbs too, and complicated words, and I found that to make the passphrases hard to visualize and remember.

    I made my own prefix-free list with 1024 words, only short simple nouns, so exactly 10 bits of entropy per word. Easier to remember, even if I need to add one or two more words for same security level.

    gos-users Mathematically, brute-forcing a 4-word passphrase would take considerable time, but with modern processing power, it’s not impractical. In contrast, a 7-word passphrase, due to its vastly larger keyspace, would be extremely hard to brute-force within a reasonable timeframe, even with a powerful attack.

    Another option instead of considering timeframe is to calculate how much in electricity cost alone the attacker would have to pay to brute-force your passphrase. This has the advantage that we don't have to make assumptions about how much hardware the attacker has access to, which is hard in a world where compute power can be easily rented, including specialized hardware like ASICs. But whatever amount of hardware they have, whatever amount of time it takes to brute-force your passphrase, it will still cost them the same amount in electricity bills, because they cannot magically get access to more power-efficient hardware or algorithms than anyone else can get access to, so they still consume the same amount of electricity per tried word combination. My impression is this method is preferable for high-risk threat models. You just need to select enough words that the electricity alone would make it too expensive for your attacker to be able or willing to pay to break into your specific device. Even for state actors it can get too expensive; taxpayers might riot if too much money is "misplaced" to break into a single activist's phone.

    https://tails.net/security/argon2id/index.en.html#comparison

    Without trusting secure element throttling, GrapheneOS's algorithm is comparable to PBKDF2 in that table from the link. GrapheneOS is using scrypt, but with such weak parameters that it is comparable to PBKDF2. And their word list gives about 13 bits of entropy per word, so similar to the one you mentioned. Most people could easily afford to break a 4 word passphrase ($1 000), if they believe there is anything of value at all on your phone, but I cannot imagine even a state actor being able to pay the price for breaking a 7 word passphrase ($1 000 000 000 000 000). And these prices do not include rent cost or cost for hardware, it is electricity alone, so there is already some margin. I remember having seen how they calculated the cost, but they took into account power consumption for ASIC hardware and powering RAM memory modules of large enough size, and some average cost of electricity at the time. I cannot find that page now.

    gos-users The method works by rolling dice to select words from a list

    Perfect high-quality dice. Lower quality ones might have bias because of production flaws that make certain words much likelier to get selected. But better use the cryptographically secure random number generator on your computer, it doesn't have any such flaws. And the security for the encryption relies on it anyway, since the actual encryption key is generated. The passphrase is just used to wrap the encryption key.

    https://blog.quarkslab.com/android-data-encryption-in-depth.html

      ryrona

      You have a word list with 7776 short simple nouns? Please share a link to it in that case. Because all word lists with 4000+ words I have ever seen have adjectives and verbs too, and complicated words, and I found that to make the passphrases hard to visualize and remember.

      I had already provided the EFF link, but here is the TXT file:

      https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt

      You can also add words from other languages, numbers, uppercase letters, spaces, and characters :)

        One minor regression I noticed is that the haptic feedback for scanning your fingerprint is gone when the Second factor PIN is enabled.

        I might be in the minority, but I actually prefer the haptic feedback to be disabled.

          gos-users I had already provided the EFF link, but here is the TXT file

          Unfortunately there are adjectives and verbs in there, but thank you for sharing anyway. It is hard for me to visualize "concur" and "freely", but easy for me to visualize "fox" and "student". I keep to my own word list for now. Worst that can happen is if I forget my passphrase and permanently lose access to all my data.

          @ryrona You have a word list with 7776 short simple nouns? Please share a link to it in that case. Because all word lists with 4000+ words I have ever seen have adjectives and verbs too, and complicated words, and I found that to make the passphrases hard to visualize and remember.

          I have been using https://github.com/passhelp/passhelp to generate passphrases & would be interested in your thoughts -- the wordlist uses 12dicts package's 3esl list and contains approximately 11.5k simple words, according to the documentation.

            that_guy I have been using https://github.com/passhelp/passhelp to generate passphrases & would be interested in your thoughts -- the wordlist uses 12dicts package's 3esl list and contains approximately 11.5k simple words, according to the documentation.

            From src/generators/words.ts:

            ...,bird,birdseed,birth,birthday,...

            This list is not prefix-free and thus not safe for password generation, in the sense that it is not possible to analyze the level of security the list provides. (Unless you yourself add a separator between each word, like a dash or space. But I usually don't have that, so I rely on the list being prefix-free.)

            It also has a lot of adjectives and verbs inflected in various ways, so from my perspective it would be hard to memorize passphrases generated using it, because adjectives and verbs cannot easily be visualized, certainly not their tense.
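As an added example that is not code from this thread, from GrapheneOS or from passhelp, the Python below puts together the Diceware arithmetic from the earlier post (7776^n keyspace, bits per word) and ryrona's prefix-free check: it finds a "bird"/"birdseed" style collision, refuses to join such a list without a separator, maps a five-dice key to a list index, and otherwise draws words from the OS CSPRNG. Both word lists are constructed samples, not the EFF list or passhelp's list.

```python
import math
import secrets

# Constructed sample lists for the demo (not the EFF list and not passhelp's list).
SIMPLE_NOUNS = ["fox", "student", "piano", "window", "chair", "mango", "rocket", "paper"]
INFLECTED_LIST = ["bird", "birdseed", "birth", "birthday", "cat", "concur", "freely"]

def prefix_collision(words):
    """Return the first (short, longer) pair where one word is a prefix of another,
    or None if the list is prefix-free. After sorting, any such pair is adjacent."""
    ordered = sorted(set(words))
    for short, longer in zip(ordered, ordered[1:]):
        if longer.startswith(short):
            return (short, longer)
    return None

def safe_to_join(words, separator):
    """Joining without a separator is unambiguous only for a prefix-free list."""
    return bool(separator) or prefix_collision(words) is None

def bits_per_word(list_size):
    """Entropy of one uniformly chosen word (7776 words -> ~12.9 bits, 1024 -> 10)."""
    return math.log2(list_size)

def keyspace(list_size, n_words):
    """Number of equally likely passphrases made of n_words words."""
    return list_size ** n_words

def dice_key_to_index(key):
    """Map a five-dice Diceware key such as '11111'..'66666' to an index 0..7775."""
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        index = index * 6 + (digit - 1)
    return index

def generate_passphrase(words, n_words, separator=" "):
    """Pick words with the OS CSPRNG (secrets) instead of physical dice, and refuse
    ambiguous output when a non-prefix-free list would be joined without a separator."""
    if not safe_to_join(words, separator):
        short, longer = prefix_collision(words)
        raise ValueError(f"list is not prefix-free ({short!r} prefixes {longer!r}); use a separator")
    return separator.join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    print(generate_passphrase(SIMPLE_NOUNS, 5))
    print(f"{bits_per_word(7776) * 7:.1f} bits for 7 words from a 7776-word list")
```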

            GrapheneOS Thanks for this version, I have already set it from the Alpha Channel, it works fine.
            Since batteries have been touched on, I would like to express several wishes that the rest of the users will probably like:

            1. The opportunity to choose the maximum charge level yourself; it seems that this is already in the plans of GOS (thanks)
            2. The ability, in the same section, to set a switch that turns off (or vice versa - turns on and is activated by default) the fast charging function. This will help to avoid overheating of the battery, and for some it simply does not make sense to rush to charge the device

            Hello
            First post here, but been reading for a long time
            I updated my pixel 9 to this build today. When restarting the phone and after entering the pin code for the sim card
            I was told to enter a password. I can't remember having made a password, but I'm not sure.

            I thought I would just reset the phone and start from scratch. But I can't reflash it since bootloader is locked and recovery mode just shows a dead Android and nothing else.

            Would appreciate any help you can give

              Riasroc recovery mode just shows a dead Android and nothing else.

              From there, push and hold the power button and the volume up button at the same time, or power then volume up (if I remember correctly.. maybe volume down?) and a menu should appear where you can perform a factory reset.

              GrapheneOS
              Awesome! I can confirm that the second factor PIN works like a charm on my Pixel 6a, Pixel 7 and Pixel tablet on 2024123000.
              You have my gratitude!

              Also; best wishes for 2025 to the GrapheneOS dev team and the forum members, have a good new year everyone!