[dambi0]

In some scenarios that’s really a difference without distinction though.

If I have a key to my house attached to a chain so it can be used to open the door but not leave the property and then secure it in a lockbox. If someone steals the key to the lockbox they technically don’t have access to the house key but they can still rob my house

[vel0city]

Your scenario makes it so the house key doesn't matter in the end though; if they're able to get to the lockbox to use the lockbox key they're already in the house and thus already able to rob it regardless of whether they got the lockbox key. In the end your door lock did nothing for you at all. I don't get how that relates to using a PIN stored in the TPM to protect your actual password, other than suggesting "well your account can be hacked without even touching your device" which I mean yeah sure.

But in the end that PIN is still different from that Windows/Microsoft password. The PIN only works on that one device and gets totally invalidated after only a few failures. This is untrue of passwords which usually never get fully invalidated and are then used across multiple devices.

If you manage to find out my PIN to log into device A with my Microsoft account is 1234, you don't have access to my Microsoft Account in general or on device B. If you see I log in to my device A with hunter42 (my Microsoft account password), you can now log in to my Microsoft account and every other device I'm using my Microsoft account.

Is that a difference without distinction? I'd say that's quite a bit of distinction! And that's only one of the many differences!

[dambi0]

Which is why I was careful to say that it was a difference without distinction only in some scenarios. Namely offline attack to a physical device.

In this scenario, even with the attempt restrictions the attacker has a couple of chances of relatively easy guesses, before falling back to the password protection. If we consider shoulder surfing, it’s a lot easier to distinguish a four or six digit PIN than a password.

I aware the PIN doesn’t give actual access to credential and so doesn’t impact online attacks. But that isn’t the only scenario.

Incidentally how much work is “in general” doing when you talk about the access Io Microsoft services granted by the PIN + TPM? It isnt zero access is it.

[vel0city]

> how much work is “in general” doing when you talk about the access Io Microsoft services granted by the PIN + TPM?

I mean you can't just go to microsoft.com and log in knowing only my pin on a single device. If you know my PIN for a device, but you don't have the device, you don't have access to my Microsoft account at all.

[dambi0]

And if I do have the device? And I have guessed the PIN?

[vel0city]

And if you have all my devices? And what if you have all my external security tokens? And what if you also have all my passwords? And what if you have a complete replica of every thought in my head? And what if what if what if what if...

Sure. Whatever buddy. Nothing is truly secure. If they guessed my password as well along with my device I'd be in an even worse situation. At least my PIN just disappears forever after a few failed attempts and requires that physical device.

Needing a physical device which wipes itself after a few failed attempts is more secure than having a password that could be used anywhere on any device however many times they want to guess.

> without distinction only in some scenarios. Namely offline attack to a physical device.

There is a distinction in this domain though, and it's pretty massive. Offline attacks at guessing passwords, if you fail the PIN a few times (three on most of my machines) the PIN gets cleared never to be used again. Meanwhile you can keep trying the password over and over. The account password on the device isn't getting cleared. So I can make the PIN pretty simple and easy to type in while making my regular password very long and complicated. It doesn't matter if its a pain to type in, because its not like I'm typing it in every time I walk away and come back to my computer.