by __david__ 3992 days ago
> But this blurb fails to mention that the user provided passcode can only be about 15 bits of user supplied entropy…

How do you figure that?


Four digits, choice of 10 for each digit.

log(10000)/log(2) ~ 15.

You are not limited to four digits.

I see. Is there a limit? Does it approach 128 bits?

"Over 90 characters" [1]. At roughly 5 bits per character, that puts it at more than 450 bits.

[1] http://www.engadget.com/2014/03/05/how-to-set-up-a-complex-p...

Nice!

Of course this isn't ever actually used - in practice users choose four to eight digit passcodes.

Users should, if they want to secure their information, use a randomly chosen passcode approximately 30 digits long.

You can choose to set a complex password which can be as long as you want and use the full keyboard.

How difficult is it to configure this? Users should definitely choose passphrases of sufficient length and sufficient types to be secure. This is unfortunately an infamously tricky area of security to get right.

Did you factor in the possibility that after ten fails the device is wiped?

This would be for a cryptographic attack - not someone with the hardware.