Hacker News

In the case of Windows Hello, a PIN is very different from a password (such as your live.com password). PINs are encrypted per-device, and are never transmitted from the device. They are resilient against rainbow table brute-forcing, and they generate asymmetric cryptographic key-pairs by using the device TPM.

So forget what you know about ATM PINs; this is a markedly different concept.




Does the TPM limit retries or something? If it's a 4-6 digit number, you can just count upwards and try them all in a trivial amount of time.



> Does the TPM limit retries or something?

Yes.

TPMs have weaknesses, so this probably isn't a 100% guarantee depending on the attacker and the exact hardware, but it's pretty reliable (and very reliable if your attacker is reasonably small).


It can. TPMs have a "dictionary attack" (DA) protection feature.

You can't set the number of bad attempts that trip lockout, or how long to lock out for, differently for different objects -- those are global configuration parameters. But you can configure which objects / policies require DA protection and which ones don't.

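The lockout behaviour described in the comment above, as an added example that is not part of the thread: a small Python model of the TPM 2.0 dictionary-attack parameters (maxTries, recoveryTime, and the per-object noDA attribute the comment mentions) plus a brute-force loop that waits out the lockout, to put a number on the "4-6 digit number, just count upwards" question. The model, the object names and the parameter values (32 tries, one decrement every 10 minutes) are assumptions chosen for illustration, not the values Windows Hello or any particular TPM ships with, and the code is hypothetical rather than any library's API.

```python
"""Model of TPM 2.0 dictionary-attack (DA) lockout, to estimate PIN brute-force time.

Added illustration (hypothetical code, not Windows Hello or any TPM library). Rules modelled:
  - every failed authorization against a DA-protected object increments failedTries
  - once failedTries reaches maxTries the TPM refuses such authorizations (TPM_RC_LOCKOUT)
  - failedTries decrements by one every recoveryTime seconds
  - objects created with the noDA attribute are exempt from all of the above
The parameter values used below are assumptions for illustration, not a product's defaults.
"""
from dataclasses import dataclass


class LockedOut(Exception):
    """Stands in for the TPM returning TPM_RC_LOCKOUT."""


@dataclass
class DaState:
    max_tries: int            # TPM2_PT_MAX_AUTH_FAIL (global, not per object)
    recovery_time: float      # TPM2_PT_LOCKOUT_INTERVAL, seconds per decrement
    failed_tries: int = 0     # the TPM-wide counter shared by all DA-protected objects
    last_tick: float = 0.0    # model time at which the last counted decrement happened


class TpmModel:
    def __init__(self, max_tries: int = 32, recovery_time: float = 600.0):
        self.da = DaState(max_tries, recovery_time)
        self.objects: dict[str, tuple[int, bool]] = {}   # name -> (auth value, noDA flag)

    def create_object(self, name: str, auth_value: int, no_da: bool = False) -> None:
        self.objects[name] = (auth_value, no_da)

    def _decay(self, now: float) -> None:
        # failedTries drops by one for each full recovery_time elapsed since the last tick
        if self.da.failed_tries == 0:
            self.da.last_tick = now
            return
        steps = int((now - self.da.last_tick) // self.da.recovery_time)
        if steps:
            self.da.failed_tries = max(0, self.da.failed_tries - steps)
            self.da.last_tick += steps * self.da.recovery_time

    def authorize(self, name: str, guess: int, now: float) -> bool:
        auth_value, no_da = self.objects[name]
        if no_da:
            return guess == auth_value            # exempt object: never counted, never blocked
        self._decay(now)
        if self.da.failed_tries >= self.da.max_tries:
            raise LockedOut
        if guess == auth_value:
            return True                           # a success does not reset failedTries
        self.da.failed_tries += 1
        return False


def brute_force(tpm: TpmModel, name: str, pin_space: int) -> tuple[float, int]:
    """Try every PIN in order, waiting (in model time) through lockouts.
    Returns (model seconds elapsed, guesses submitted) once the PIN is found."""
    now, guesses = 0.0, 0
    for candidate in range(pin_space):
        while True:
            try:
                ok = tpm.authorize(name, candidate, now)
                break
            except LockedOut:
                now += tpm.da.recovery_time       # wait for one decrement of failedTries
        guesses += 1
        if ok:
            return now, guesses
    raise ValueError("PIN not in search space")


def worst_case_seconds(pin_space: int, max_tries: int, recovery_time: float) -> float:
    """Closed form: the first max_tries guesses are free, each later guess costs recovery_time."""
    return max(0, pin_space - max_tries) * recovery_time


if __name__ == "__main__":
    # Constructed scenario: 4-digit PIN, worst case (the last candidate is the right one)
    secret = 9999
    protected = TpmModel(max_tries=32, recovery_time=600.0)
    protected.create_object("hello_pin", secret)
    secs, n = brute_force(protected, "hello_pin", 10_000)
    print(f"DA-protected object: {n} guesses, {secs / 86400:.1f} days of model time")

    exempt = TpmModel(max_tries=32, recovery_time=600.0)
    exempt.create_object("hello_pin", secret, no_da=True)
    secs, n = brute_force(exempt, "hello_pin", 10_000)
    print(f"noDA object:         {n} guesses, {secs:.0f} seconds of model time")
```

With these assumed parameters the full 4-digit space costs about 69 days against a DA-protected object and no time at all against a noDA object, which is why the comment's point about choosing which objects get DA protection matters more than the global lockout numbers.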

> So forget what you know about ATM PINs; this is a markedly different concept.

I mean it's actually the same concept (something you have, something you know) with a different implementation.


TIL

Thanks, when Windows moved to the PIN I was wondering how that worked / how they kept it secure but still easy to log in.


Indeed! They should have explained this much better when it was introduced.

But of course, Windows PIN was only needed when they made a local login a login to your Microsoft account, so your local password was suddenly transmitted to the internet.



