Only 6 digit PIN for Librem Key?

I have seen several posts about the PIN for the Librem 5 (the phone) being only 6 digits. These posts are years old. Yet, that still seems to be the situation for the Librem 14 laptop with the Librem Key. So:

1. Is this true?

2. Is it 6 digits or any 6 characters? 6 digits = 1 million possibilities. If upper/lower case letters are also allowed, it is 57 billion. If special characters can be used also, it’s about 262 billion. Both of which are a bit of an improvement over 1 million.

3. Can a delay be set? At one try per second, 6 digits is insufficient (6 days on average to guess), but 57 to 262 billion is probably fine. Still, why not just allow 10+ digits? Your web site requires a 10 digit password to sign up!

4. Was a duress PIN ever implemented to wipe the system?

5. Why do I even want a Librem Key if the password is limited to 6 digits? The only advantage I see is the blinking red LED. But with only a million possibilities, I am not sure they couldn’t fool the key by altering the code to have the same checksum.

Thank you!

Typically the way this works is: Regardless of the exact length of the PIN, the PIN only unlocks the device and after 3(?) failed attempts to unlock the device, it will block itself against any further attempts to enter the PIN (requiring the longer admin PIN to unblock).

So your chances of getting a valid 6 digit PIN in 3(?) guesses are not good provided that you don’t use the shipped default PIN (123456) and don’t use a totally silly PIN (e.g. 111111) i.e. even assuming digits only.

Even so, it is still a fair question to ask what the exact length and character subset restrictions are.

The Librem Key is based on the Nitrokey Pro and does support other characters. Both the user and admin PINs support up to 20 characters.

The user PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the user PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have a 6 digits PIN. The default PIN is 123456.

The admin PIN can have up to 20 digits and other characters (e.g. alphabetic and special characters). But as the admin PIN is blocked as soon three wrong PIN attempts were done, it is sufficiently secure to only have 8 digits PIN. The default PIN is 12345678.

Nitrokey Pro 2 documentation: https://docs.nitrokey.com/pro/linux/change-pins

Why do I even want a Librem Key if the password is limited to 6 digits? The only advantage I see is the blinking red LED.

The Librem Key has some additional features the Nitrokey doesn’t have to support tamper detection with Pureboot+Heads. See the “Provable Security, Made Easy” section of the following article: https://puri.sm/posts/introducing-the-librem-key/.

We have worked with Nitrokey to add a custom feature to our Librem Key firmware specifically for Heads. This custom firmware along with a userspace application allows us to store the shared secret from the TPM on the Librem Key instead of on a phone app. Then when Heads boots, if the BIOS hasn’t been tampered with the TPM will unlock its copy of the shared secret, and Heads will send the 6-digit code over to the Librem Key. If the code matches what the Librem Key itself generated, it flashes a green light. If the codes don’t match, it flashes a red light.

And I believe that 6 and 8 are the respective minimum lengths.

3 failed attempts locks the device? It is not uncommon for me to make 3 stupid mistakes. I’d really like that to be more like 10 (still awful odds, 1:100,000 of guessing even from a 6 digit password, and it sounds like 6 digits it not the limit).

Or, if this is possible, allow unlimited attempts but after 10, only 1 per minute (maybe someone could trick the system clock so this would not work).

Maybe it’s: 3 by default but you can choose a different number.

3 failed attempts locks the PIN. Then you have up to 3 attempts to unlock it using the admin PIN. After this you need to reset the key (wiping it completely).