Utilizing the auto reboot feature to put your data back to rest.

https://grapheneos.org/features#auto-reboot

From there, you can use a random 6-digit PIN if you want to rely on the secure element to do the throttling.

Alternatively, you can use an 18-character password comprised of lowercase letters and numbers, or a 7-word diceware passphrase, which is strong enough not to have to rely on the secure element, in case it can be exploited and bypassed.

https://grapheneos.org/faq#encryption

    Off-topic, but does anyone have any tips on how to remember a 7-word diceware passphrase? I am getting older and it's hard for me to do reliably. I can remember 7 non-random words that make some sense to me, but it's not secure vs random words.

      evalda Try memorizing three words, then one, then three? Take a few days to memorize just the first three if need be. Reciting is fine, but writing may help more.

        [deleted]
        That's not random and is subject to guessing based on knowing just a bit about the target.

          • [deleted]

          Graphite that is pretty random by my standards. This was just an example. It could be any 7 words in order of your choice from any memorable text. Random enough?

            Any medium sized sentence will have higher entropy and be much easier to remember.
            xkcd explanation

              blicero

              Entropy only matters for brute force. If not random, then guessing bypasses high entropy.

                blicero

                Brute force would be trying everything within possibility, so entropy is a factor.
                When a password or passphrase is user chosen (as opposed to random), guessing can be done with just a bit of knowledge about the target. Things like age, gender, language, culture, sports, hobbies, music, movies, location, family, etc. can narrow it down drastically.
                Entropy at that point is meaningless.

                  I believe that randomness is an absolute.

                  Something can no more be “less random” than one can be “less pregnant”.

                    Graphite
                    A dictionary attack is still a brute force vector. Entropy does not become meaningless when each word increases the number of permutations.
                    You can just as easily generate a random sentence that meets your criteria.

                      blicero "dictionary attack is still a brute force"

                      No. It's not. They are different concepts in security and password cracking. Entirely different modes for cracking tools.

                      Randomness and entropy are not just words to be interpreted subjectively. Confusing these terms is how you get weak security, and a false sense of security.

                      blicero

                      Are you trying to post the link to XKCD that I've already posted?

                      You may be misreading the comic explanation. The bits of entropy that it's referring to, are entirely dependent on the words being chosen at random. Which is what I've been saying.
                      Random letters, numbers and symbols are drawn from a character set of about 70 - 100.
                      Random words from the English dictionary are the equivalent of a character set of thousands.
                      Which is why four words can have entropy as good as an eight-character password.

                      But again, this entropy bit count is based on being randomly chosen from the set of possibilities.
                      If the user is choosing the words based on favorite song, book, common phrase, whatever... Then the entropy is meaningless. The attacker no longer has to brute force from the entire set of possibilities, rather the attack will be guessing from common phrases and what they know about the target.
                      Instead of each word being any word from the entire dictionary, it can be derived and deduced from the previous words and a number of factors. Instead of quadrillions of possibilities, now we have thousands.

                      For example, if the choice is a seven-word passphrase: a completely random diceware passphrase from a large English dictionary of, say, 3000 words will have 3000^7 (2.187E24) possibilities.
                      But if the user is choosing the words, not at random, based on some personal preferences such as favorite song, movie quote, whatever.... We are talking about millions of possibilities. Far, far weaker and easy for a computer to go through.

                      We can simplify this further by thinking about PINs. A six-digit PIN has a million possibilities. There's a reason why two-factor codes are randomized and rotated every 30 seconds.
                      Now imagine if there were no 30-second rotation and the user chose the numbers. They do it based on some important date or phone number. The attacker doesn't have to go through all possibilities but will take advantage of knowing basic information such as area codes, zip codes, birthdays or age of children, etc. Instead of a million possibilities it can be cracked in a few hundred most likely.
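The arithmetic behind the three options in the opening post (random 6-digit PIN with secure-element throttling, 18 lowercase-alphanumeric characters, 7 diceware words) and behind blicero's 3000^7 figure, worked through as an added example. This code is not from the thread, GrapheneOS or the diceware project. The word list is a constructed stand-in (the real EFF large list has 7776 words, which is the number used for the entropy math), and the throttled/offline guess rates and the size of the attacker's phrase list are assumptions chosen for illustration, not measured values.

```python
"""Strength arithmetic for the options discussed in the thread, plus a
diceware-style generator. Added example; not from the thread or GrapheneOS.
The word list is constructed and the attacker rates are assumptions."""
import math
import secrets

# Constructed stand-in for a diceware list. The EFF large list has 7776
# words (6**5, one word per five dice rolls); only len(words) enters the
# entropy math, so a short list is enough to show the generator working.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "gravel", "hazel",
    "ivory", "juniper", "kelp", "lantern", "marble", "nickel", "orbit", "pepper",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words in the EFF large list
ASSUMED_THROTTLED_RATE = 1.0      # guesses/s if a secure element enforces delays (assumption)
ASSUMED_OFFLINE_RATE = 1e10       # guesses/s for an attacker who bypassed it (assumption)
ASSUMED_PHRASE_LIST_SIZE = 10**7  # candidate quotes/lyrics/titles an attacker tries (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible secrets when each of `length` symbols is drawn
    uniformly from `alphabet_size` choices (e.g. 3000**7 for seven words
    from a 3000-word list)."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace. Only meaningful when the symbols really are
    chosen uniformly at random; a user-chosen phrase has no such guarantee."""
    return length * math.log2(alphabet_size)


def expected_guesses(bits: float) -> float:
    """Average guesses to find a uniformly random secret: half the keyspace."""
    return 2.0 ** bits / 2.0


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess the secret at a fixed guess rate."""
    return expected_guesses(bits) / guesses_per_second


def random_passphrase(words, count: int) -> str:
    """`count` words chosen uniformly with the OS CSPRNG. This is the software
    equivalent of rolling dice; random.choice is not suitable for secrets."""
    return " ".join(secrets.choice(words) for _ in range(count))


def random_pin(digits: int = 6) -> str:
    """Uniform random numeric PIN; secrets.randbelow has no modulo bias."""
    return "".join(str(secrets.randbelow(10)) for _ in range(digits))


def compare_options():
    """Bits of entropy and expected crack time (throttled, offline) for each
    option in the thread. A user-chosen phrase is modelled as one pick from
    an attacker's candidate list, which is what a dictionary attack exploits."""
    options = [
        ("random 6-digit PIN", entropy_bits(10, 6)),
        ("18 chars, [a-z0-9]", entropy_bits(36, 18)),
        ("7 diceware words (7776 list)", entropy_bits(DICEWARE_LIST_SIZE, 7)),
        ("7 words from 3000-word list", entropy_bits(3000, 7)),
        ("user-chosen phrase (attacker list)", entropy_bits(ASSUMED_PHRASE_LIST_SIZE, 1)),
    ]
    return [
        (label, round(bits, 1),
         crack_seconds(bits, ASSUMED_THROTTLED_RATE),
         crack_seconds(bits, ASSUMED_OFFLINE_RATE))
        for label, bits in options
    ]


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(SAMPLE_WORDS, 7))
    print("example PIN:", random_pin())
    year = 86400 * 365
    for label, bits, t_throttled, t_offline in compare_options():
        print(f"{label:36s} {bits:6.1f} bits  "
              f"throttled {t_throttled / year:.3g} y  "
              f"offline {t_offline / year:.3g} y")
```

The table makes the thread's two points concrete: the 6-digit PIN (about 20 bits) is only defensible while the assumed throttling holds, whereas the 18-character password (about 93 bits) and 7 diceware words (about 90 bits) survive the offline rate; and a phrase picked from a ten-million-entry attacker list is worth about 23 bits regardless of how many words it contains, which is why the entropy figure only applies to words drawn at random.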