I was guessing about how safe will be a only numbers password and I realized that with just 6 digits the password will be broken in about 3 hours, if you increase the number of digits to 9 it will take 4 months, then I tough; I’m trying to change the default password in the emulator, but the settings tool doesn’t let me increase (nor decrease) the number of digits, will this change on launch?
It seems like you’re assuming brute force without rate limiting.
Which would require direct access to the encrypted password. Which an attacker outside the phone will not have.
However, this is just the initial release. We will see more flexibly in the future. I think if read something along those lines, probably by Dorota.
Why? I’m not an advanced user, but if it possible to plug a keyboard with the phone locked? if it’s possible, I will be possible to plug a device that it says it’s a keyboard but it’s really a device that ‘type’ numbers?
That’s true. But the only justification for allowing to enter more than one code every few seconds is “sorry, we didn’t implement rate limiting yet, will come with the next update”
When used with a smart card that can be backed up, you can get away with 4 digits, assuming that the smart card bricks itself after 4 concurrent failed attempts. If someone does that to your phone, then your phone becomes unusable until you put in one of your backup smart cards.
The only concern that I have is someone recording the entry. Randomly arranging the digits on the screen will help with low resolution cameras, but when 4K becomes more common, having a small second wireless token might help provide a 2nd factor of authentication.
That depends on the sophistication and nature of the attacker. That’s where a separate and physically more secure module helps.
I would prefer not to have a second token, but don’t mind if it’s an option for those that might want one. In other thread, I toyed with the idea, that the pin keypad should randomize itself to make it harder to identify from the pattern (also, it wears the screen visibly).
Also, a proper login with password is something that is expected of a computer (which L5 can be equated to) and pin is something that was used for phones back in the day, when they only could have numbers to enter - a legacy system in a way.
It would be nice to A) have the more advanced option (not just numbers) for power on / first login / periodical check / serious security, but also, B) option to use PIN for quick lockscreen opening (user selected length, from 4 to 16 digits maybe? I use >8 atm. Randomization as an option).
To go even further, it’s interesting that we would limit security code to a logic that’s based on 90’s GSM tech (and that was based on older sec tech). A touchscreen and sensors could also be used more creatively as a combination of options, from which user could select: timing of key touches (rhythm, an extra pause etc.), an invisible key (a separate press to an area or must be held down simultaneously), bringing the physical keys to the mix, adding a movement or an angle (specific direction, rhythm etc.), PIN that (partly) changes depending on time or date (cyclic or incremental), PIN that changes for location (more secure required for unknown places) and so on.
And also, these extra things could be used as “login options” (PIN+this), as in needed to start something or prevent something form starting. Could automatically start a sub-routine to play fanfare music, call emergency number, send message with location, start backup to net, delete all in folder “MyPlansToRuleTheWorld” (edit/added:), delete encryption key, start recording sound and video, throttle processor to crawl etc. Of course, for safety (and other uses), it would be good to have an optional second (or third) PIN/password (much longer), if the fancy options don’t work. And how about throwaway/onetime PIN(s) - with option to have a “time delay” (works only, if phone hasn’t been used for a week or month: good to give, if you want to give access in case you’re… not available).
Just saying, there could be options that L5 could have that normal phones can’t or won’t (and what haven’t mostly been needed or been useful before this).
Limited only by your imagination. I think though that Purism really only ought to implement a basic PIN function and if you want something more exotic, you should install / implement yourself.
Correct. Every good PIN system, also has a duress PIN that e.g. erases the underlying encryption key for only the most private information, for example, a particular folder.
The classics (in some systems) is to have PIN+additional number and PIN + change last number, of which I’d prefer former to also be implemented in L5 (for duress or other option or options).
Atm these are wayyyy above my skill level and as security features, I’d thought Purism would have interest and best skill to do these, so they get done right. A nice GUI to select combination of additional features and what action they are connected to. (One can always hope.)
Wait… does this mean that if one were to manually set the password via
passwd, one wouldn’t be able to log in?
You mean the imagined hypothetical case with extra options? I’d think it would be optional to use those features as well or just use normal passwords. Or pw would be the main [no extra features, used only at power on or for admin stuff - just imagining] but lockscreen pin would be the one with features. Many ways to implement.
I’m struggling to figure out how this would be useful, since someone with the capability to access to my phone would probably also have the capability to access the wireless token. Maybe it could be useful if they steal the phone but don’t know about the token?
Probably the latter. Or a second factor authentication to remote access the phone that has been turned into a server. Or (going back to the hypothetical imagined features) using token could be the additional login special feature that either prevents full deletion of encryption keys or gives more access (decrypts home folder).
I mean that, at the moment, the password one gives for admin privilages is the same as the pin, IIRC. If only pin input is supported, this implies that changing the password to something which is not a pin would make one unable to log in through normal methods.
It is useful because stepping up the passcode/passphrase complexity is useless in a world of cheap, ubiquitous, high resolution surveillance (smartphones with 2160p/4K video recording). At this point, a passcode is only protecting you if you leave your phone behind, and a random person picks it up. In which case, all you need to protect yourself in this scenario is a 4 digit number with a secure erase of the private key after 4 failed attempts. Any additional passcode complexity is solving for a scenario that can be defeated with a simple smartphone video recording of you unlocking your phone, or an offline attack if the passphrase is not stored in a special chip that erases itself when someone attempts to break in. If someone wants a 6 digit passcode, or a full phasephrase (with letters and symbols), then I question the effectiveness of this. What problem is this solving for, and does it actually solve the problem effectively. I argue that if someone wants this, then they are wasting their time and either need to accept the 4 digit solution, or move to something that actually is fit for their intended purpose.
It is also about reducing the opportunity for theft. If someone is bold enough to take stuff out of your pockets, then you have bigger issues. Most people who are curious about your data are not that bold. I would imagine that most would not figure out the token until it becomes standard issue. That might eventually take the form of a watch, since it has other uses. The token would have its own authentication procedures, so taking it or being in close proximity might not be enough. That depends on what level of security and convenience you want. For example, if it is something that sits in your pocket for the entire day, then exposing it to light could lock it.
Some login prompts are starting to require 2 factor authentication. Some are using phones as the physical factor. Hopefully they stop using SMS. If your computer is your phone, then it is no longer 2 factor authentication.
I guess 3 hours makes 6 digitsit as good as the CRM-114 discriminator in the movie Doctor Strangelove.
They’ll have just long enough to reach their targets before the failsafe recall code is cracked!
OPE = Our Pure Essence