We have moved to a new Sailfish OS Forum. Please start new discussions there.
5

XA2 possibilty to set different security codes

asked 2020-04-06 18:10:00 +0200

p1rat gravatar image

hello,
is it possible to set different security codes for device (/home) encryption and for the normal device lock? A long one with e.g. 20 numbers for encryption and a short one for the device lock (e.g. 5-6 numbers) ? for me its not clear written in the how-to.
ahoi

edit retag flag offensive close delete

Comments

That'd be a ood thing to have, if the security code itself is used as the luks key. (I am not sure if that is the case, or is there a mechanism that'd somehow lengthen the key based on some device property? And even though ther would be, what would stop an attacker using the same property to salt the code and obtain the longer code...?)

As the minimum secureity code length is 5 digits, I assume many people use just the 5 digits as the code and do not create a longer code. 5 digits makes up just 100000 combinations it can very quickly opened with a brute-frce attack.

juiceme ( 2020-04-06 21:22:13 +0200 )edit

1 Answer

Sort by » oldest newest most voted
0

answered 2020-04-07 10:51:07 +0200

jovirkku gravatar image

Sailfish OS 3.3.0: the security code is used both for unlocking the device lock and for unlocking the encryption of user data.

This was clarified to https://jolla.zendesk.com/hc/en-us/articles/360011115540.

edit flag offensive delete publish link more

Comments

thank you for the clarification.
maybe I choose a long code for encryption and for unlocking the device I will use my fingerprint.

p1rat ( 2020-04-07 12:18:03 +0200 )edit
1

your clarification was clear to me, however I think the request for different codes is still valid.

As @juiceme pointed out a 5 digit code is very weak for LUKS encryption as brute force attacks can quickly been executed in recovery console from a script. There's no limit for failed trials so if you're interested in securing you home partition you're strongly advised to use a huge number of digits, especially an attacker knows that the key only contains numbers. If this is only required at login I think users may accept larger codes than for 'normal' security code to unlock the screen.

On the other hand a very long security code is not practical for 'normal' screen unlock, as this will be done plenty of times. On the other hand a 5-digit code on the UI is not as crucial as we have a counter for failed attempts. So brute force via UI is limited by that counter.

As we have different levels of protection and sensitivity and different attack vectors I don't think it's wise to have an identical code

jollajo ( 2020-04-07 12:30:49 +0200 )edit
1

Thanks @jollajo, you summarized my thoughts clearly.

I would even go as far as proposing that the luks unlock password dialog be changed so that it would accept alphanumericals, and be possible to use a proper password sentence. (like on my fedora laptop I use a sentence of 47 characters to unlock luks)

As this only needs to be input once per boot it is not a big hindurance to anyone. The device unlock can remain as it is, a minmum 5-digit pincode.

juiceme ( 2020-04-07 13:45:36 +0200 )edit
Login/Signup to Answer

Question tools

Follow
4 followers

Stats

Asked: 2020-04-06 18:10:00 +0200

Seen: 243 times

Last updated: Apr 07 '20