How long should Windows 10 pins be?
The R2B2 can guess a 4 digit pin (10,000 combinations) in about 20 hours, not taking into account the delay for entering a phrase after every 4 failed tries. When using a 6 digit pin (1,000,000 combinations) this will rise by a factor of +/- 100, making it about 2000 hours (about 83 days). An 8 digit pin (100,000,000 combinations) would again raise this even higher.
The question is, when using a 6 or 8 digit pin (the 4 digit is way too low imo), why not use a password? What is the added value of a pin when you could also use a 6 or 8 digit numerical password, besides letting the intruder know he only has to try numerical values?
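The arithmetic in the question, carried through as an added example (not part of the original post): the per-guess rate is derived from the quoted figure of 10,000 guesses in about 20 hours, and the challenge-phrase delay after every 4 failed tries is left as a parameter because the question gives no value for it. It shows how the keyspace grows with length and how much a per-block delay adds on top of the raw guessing time.

```python
"""Worst-case time to exhaust a numeric PIN space at the rate the question quotes.

Added example, not from the original post. GUESS_SECONDS is derived from the
question's figure (10,000 guesses in about 20 hours); the challenge-phrase
delay is a hypothetical parameter, since the question gives no value for it.
"""

GUESS_SECONDS = 20 * 3600 / 10_000   # 7.2 s per guess, from the question's figures
CHALLENGE_EVERY = 4                   # failed tries before the challenge screen
SECONDS_PER_HOUR = 3600


def keyspace(digits: int) -> int:
    """Number of distinct PINs of exactly `digits` digits."""
    return 10 ** digits


def exhaust_seconds(candidates: int, guess_seconds: float = GUESS_SECONDS,
                    challenge_every: int = CHALLENGE_EVERY,
                    challenge_seconds: float = 0.0) -> float:
    """Worst case: every candidate is tried once. A challenge phrase costs
    `challenge_seconds` extra after each block of `challenge_every` failures;
    the final (successful) guess does not trigger one."""
    challenges = (candidates - 1) // challenge_every
    return candidates * guess_seconds + challenges * challenge_seconds


def exhaust_hours(candidates: int, **kwargs) -> float:
    """Worst-case time in hours (same parameters as exhaust_seconds)."""
    return exhaust_seconds(candidates, **kwargs) / SECONDS_PER_HOUR


def expected_hours(candidates: int, **kwargs) -> float:
    """Average case for a uniformly random PIN: half the candidates."""
    return exhaust_hours(candidates, **kwargs) / 2


def table(digit_lengths=(4, 6, 8), challenge_seconds: float = 0.0) -> dict:
    """Worst-case hours per PIN length, with an optional challenge delay."""
    return {d: exhaust_hours(keyspace(d), challenge_seconds=challenge_seconds)
            for d in digit_lengths}


if __name__ == "__main__":
    print("No challenge delay:")
    for d, h in table().items():
        print(f"  {d} digits: {keyspace(d):>11,} candidates, "
              f"{h:,.0f} h worst case ({h / 24:,.1f} days)")
    # Hypothetical 10 s per challenge screen, to show what the delay adds.
    print("With a 10 s challenge after every 4 failures:")
    for d, h in table(challenge_seconds=10.0).items():
        print(f"  {d} digits: {h:,.0f} h worst case ({h / 24:,.1f} days)")
```

The 4 and 6 digit rows reproduce the question's 20 hours and 2000 hours; the second table makes the question's "not taking into account the delay" caveat concrete.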
First of all, Microsoft Windows allows you now to use PINs of any length. Secondly:
Microsoft has taken a new approach to thwarting brute force attacks with a challenge phrase. Essentially, when the PIN gets entered incorrectly four times in a row, users are sent to a different screen where they are required to enter a specific phrase. This ‘challenge phrase’ slows potentially malicious brute force entry and doesn’t freeze the device. While similar to a captcha method, the challenge phrase also prevents automated machines from entering popular PINs over and over.
Source.
Windows' logic behind using a PIN is that it's easier to remember a PIN (numbers), so you won't have to write it down.
While this is correct, it doesn't make it more secure.
Just like with passwords (password, qwerty), the average user gets lazy. My guess is that most people will use PIN numbers that are 4 digits and something familiar: DOB, bank card PIN, family DOB, or simple patterns like 1234, 0000, 8008, 2580.
Windows has implemented some brute force protection, which helps prevent or at least slows down automated brute force attempts.
However, with my guess above, it will make manual brute force attacks by family members or non-technical users with some information on the user much easier.
My advice
- Use PINs longer than 4 numbers
- Make it unique, no birthdays, funny body parts, keyboard patterns
- Remember it, don't write it down
- Disregard everything above and use a password
And to answer the title, a random number of digits that's easy to remember in your head, but also isn't 4.
The reason I say not 4 is that is the default number people think of with PIN numbers, and the reason I say a random number is for a little more obscurity.
e.g.: If you told someone your password is 20 characters long, they would attempt to brute force 20 characters. If you didn't, they would have to attempt 1-20.
Obviously the more digits you use, the harder it will be to guess/force, but there's also the debate over usability vs security.