I know that GrapheneOS throttles pin attempts after some trials.

  1. Does that mean even 4-digit PINs are "safe enough"? i.e. how is entropy measured in this case?
  2. Apart from not using repetitive or pattern PINs, are there any security suggestions for PIN strength?

    I would recommend using 6 digits to be safe. We had a guest lecture with Cellebrite, and they actually brute-forced themselves into an iPhone by trying a PIN code, waiting and trying another one. The difference between 4 and 6 digits was quite big in the time it took to get access (like weeks compared to almost a year, I think). Not sure how iPhone throttles failed attempts (might be a fixed time), but they got in eventually.

    A 4-digit PIN gives 5040 combinations (210 if they should be unique), while a 6-digit PIN gives 151,200 combinations.

      zynex A 4-digit PIN gives 5040 combinations (210 if they should be unique), while a 6-digit PIN gives 151,200 combinations.

      I'm not sure I can reproduce the calculations for four digits. If there are four digits, each 0 through 9, that gives 0000 through 9999, which is 10,000 combinations. Avoiding duplicates, 10x9x8x7 would be 5024. I'm not sure where 210 comes from?

      But it is true that a six-digit PIN is waaaay better than a 4-digit PIN.

        4 months later

        zynex Will Graphene let you do six-digit PINs? I only have a four-digit PIN.

        9 months later
        • [deleted]

        de0u do you recommend a 6-digit PIN or a long password?


          I currently have mine set with a 6-digit pass and the randomised keyboard.

            [deleted] do you recommend a 6-digit PIN or a long password?

            A long password is more secure given certain assumptions, but also less convenient. Which makes more sense depends on one's threat model.

              • [deleted]

              de0u couldn't I just put more sensitive data in a secondary profile with a long password? I figured I could put the long password in my password manager, which is in my first profile?

              thank you!

                [deleted]
                Unfortunately you cannot access the secondary profile with your password manager from the first profile.
                That's the reason why I have changed from using the great locally working KeePassDX app to the great online-working Bitwarden password vault.
                Because after every change of any password I had to export my password database from one place/profile/device to every other place/device/profile.
                If I were at some point to forget to export/copy/update a password, I could lock myself out forever.

                  • [deleted]

                  Eagle_Owl okay, so if my password manager is in the owner profile, then I can copy and paste the extra-long password from my vault to open the secondary profile?

                    PaulDavis I also am more than happy with a 6-digit PIN.
                    As @de0u posts, it's all about your threat level.
                    And the level of competence of your aggressor.

                    But, a randomised keyboard? That's Spy vs Spy stuff.
                    They would have to watch you entering your PIN, probably on multiple occasions, and then have access to your phone.
                    I'll take the risk that a 1 in a million chance won't befall me.

                    [deleted]
                    No!
                    While you are in the owner profile, you have no access to the login window for the secondary profile.

                    For security reasons, I let Bitwarden delete a cached password after 10 seconds.
                    – But even if I were to set this time to 10 minutes in order to first copy the extra-long password from the password manager of the owner profile without stress and then switch to the second profile in order to paste it there, this does not work, because the cache is deleted when switching to the second profile.
                    – Or perhaps, to put it in more understandable and technically correct terms:
                    The cache of one profile is never available to another profile.

                      • [deleted]


                      Eagle_Owl do you have a suggestion on how to use longer passwords? Or should I stick with the PIN?

                        [deleted]
                        See my favourite comic strip for this topic:
                        https://xkcd.com/936/

                        I don't use a PIN – I don't want to rely solely on the secure element in the phone.

                        Because you need one really strong password for your computer/smartphone and another one as the master password for your password manager, which you as a human can memorise and handle:
                        Select the second method from this great comic, maybe better with seven words instead of four.
                        Write it down on paper (!) and keep it in a safe place!
                        And use it constantly, several times a day at first, to really memorise it.

                        The following method helps you to memorise it as quickly as possible:

                        1. Be sure to write it down (on paper!) and put it in a really safe place (for emergencies).
                        2. On your PC/laptop, replace your previous password with your new passphrase of four to seven words (paper with the new passphrase really created and secured?).
                        3. Set the time for locking the screen from 30 minutes (?) or longer down to max. 15 minutes!
                          This means you often get the login screen and have to keep entering the new passphrase.
                          Annoying, yes, but you'll quickly memorise your passphrase!

                        It's like in the old days, when there were no smartphones/redialling and you had to type a phone number a lot if you didn't get someone on the phone straight away.
                        You quickly memorised even complex phone numbers without wanting to. :-)
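The two technical questions in this thread, how PIN entropy is measured and how much a lockout schedule changes the brute-force picture, can be worked through in a few lines. The block below is an added example, not code from the thread or from GrapheneOS. The keyspace figures quoted above map onto standard combinatorics: 10**4 is the real 4-digit search space, 5040 and 151,200 are the ordered counts with no repeated digit (`math.perm`), and 210 is the unordered count (`math.comb`), which is not what an attacker has to search. Both throttling schedules are constructed assumptions (a fixed delay per failure, and an escalating one capped at one day) and are not the real numbers of any device; the one-second-per-attempt cost and the 2048-word list from xkcd 936 are assumptions too.

```python
import math

SECONDS_PER_DAY = 86_400.0
MAX_DELAY = SECONDS_PER_DAY  # cap used by the constructed escalating schedule below


def pin_keyspace(length: int, unique_digits: bool = False) -> int:
    """Candidate PINs an attacker must search: 10**length normally; with no
    repeated digit it is the ordered count 10*9*8*... (math.perm)."""
    return math.perm(10, length) if unique_digits else 10 ** length


def unordered_digit_sets(length: int) -> int:
    """Unordered sets of distinct digits (math.comb), for comparison only:
    an attacker still has to try every ordering, so this is not a search space."""
    return math.comb(10, length)


def passphrase_keyspace(words: int, dictionary_size: int = 2048) -> int:
    """Passphrases of `words` words drawn uniformly from a list of
    `dictionary_size` entries (2048 is the xkcd 936 figure, an assumption here)."""
    return dictionary_size ** words


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly chosen secret is log2 of its keyspace."""
    return math.log2(keyspace)


def fixed_delay(seconds: float):
    """Hypothetical throttle that waits the same time after every failure."""
    return lambda failed_attempts: seconds


def escalating_delay(failed_attempts: int) -> float:
    """Constructed escalating lockout (hypothetical, not GrapheneOS's or Apple's
    real schedule): no delay for the first 4 failures, 30 s up to the 29th,
    then doubling every 10 failures, capped at one day."""
    if failed_attempts < 5:
        return 0.0
    if failed_attempts < 30:
        return 30.0
    return min(30.0 * 2 ** ((failed_attempts - 30) / 10), MAX_DELAY)


# First failure count at which escalating_delay has reached its cap; from then
# on every further attempt costs the same, which seconds_to_exhaust exploits.
ESCALATING_STEADY_AFTER = 145


def seconds_to_exhaust(keyspace: int, delay, steady_after: int,
                       per_attempt: float = 1.0) -> float:
    """Worst-case seconds to try every candidate at one guess per `per_attempt`
    seconds, waiting delay(n) after the n-th failure. `delay` must be constant
    for every n >= steady_after so the tail can be summed in one multiplication
    (a passphrase keyspace is far too large to iterate over). Average time to
    success for a uniformly chosen secret is about half of this."""
    assert delay(steady_after) == delay(steady_after + 1), "delay not steady yet"
    head = min(keyspace, steady_after - 1)
    total = sum(per_attempt + delay(n) for n in range(1, head + 1))
    if keyspace > head:
        total += (keyspace - head) * (per_attempt + delay(steady_after))
    return total


def compare(delay, steady_after: int) -> dict:
    """Worst-case search time in days for the secrets discussed in the thread."""
    secrets = {
        "4-digit PIN": pin_keyspace(4),
        "6-digit PIN": pin_keyspace(6),
        "4-word passphrase": passphrase_keyspace(4),
        "7-word passphrase": passphrase_keyspace(7),
    }
    return {name: seconds_to_exhaust(ks, delay, steady_after) / SECONDS_PER_DAY
            for name, ks in secrets.items()}


if __name__ == "__main__":
    for name, ks in [("4-digit PIN", pin_keyspace(4)), ("6-digit PIN", pin_keyspace(6)),
                     ("4-word passphrase", passphrase_keyspace(4)),
                     ("7-word passphrase", passphrase_keyspace(7))]:
        print(f"{name:18} {ks:>26,} candidates  {entropy_bits(ks):5.1f} bits")
    print("distinct-digit 4-digit PINs:", pin_keyspace(4, True), "ordered,",
          unordered_digit_sets(4), "unordered")
    schedules = {"fixed 60 s": (fixed_delay(60), 1),
                 "escalating": (escalating_delay, ESCALATING_STEADY_AFTER)}
    for label, (delay, steady) in schedules.items():
        for name, days in compare(delay, steady).items():
            print(f"{label:11} {name:18} worst case {days:,.1f} days")
```

The point the numbers make: entropy is simply log2 of the keyspace (about 13.3 bits for 4 digits, 19.9 for 6, 44 for four random words), and whether a 4-digit PIN is "safe enough" depends almost entirely on the throttle. With a fixed per-attempt delay the search time scales with the keyspace, so 6 digits buys a factor of 100; with a schedule that escalates to a day per attempt, even 10,000 candidates take decades, but only while the secure element enforcing that schedule holds, which is exactly the reliance the longer-passphrase posts above are trying to avoid.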

                          • [deleted]

                          Eagle_Owl thank you for the tips! Is 4 words okay or does it have to be 7?

                            I just use a 12-character password and my fingerprint.

                            Is that dumb?