BitLocker security/protection questions


#1 (Posts: 58, Windows 10 Pro)

BitLocker security/protection questions


I recently enabled BitLocker on my laptop with a TPM and selected a PIN as the authentication method. I have a couple of questions about the security provided:

    1. Why is there no option to require a password (as opposed to a PIN) on startup when the TPM is used? I personally think a more secure and easier to remember password could be created vs a PIN for a given number of characters.

    2. The PIN is only required to boot the computer. If someone were to steal my laptop while it was turned on but locked at the Windows lock screen, the PIN and BitLocker encryption would be worthless at that point, correct? How difficult is it to bypass a Windows lock screen/account password?

    This is running Windows 10 Pro.


#2 (Posts: 2,800, Windows 7 Pro)

    Hi,

It's nearly impossible, because you would have to modify files on the installation offline, and without the recovery key the drive will remain encrypted.

External applications cannot be executed until logon has completed. Brute-force attacks are also out of the question: Windows will freeze after too many attempts, and the ntuser.dat files are also encrypted.

It's very easy to bypass the Windows login screen on a non-encrypted computer. On an encrypted one, not so much.

    You can forget your password, but not your key.


#3 (Posts: 58, Windows 10 Pro, Thread Starter)

    MaloK said:
    Hi,

It's nearly impossible, because you would have to modify files on the installation offline, and without the recovery key the drive will remain encrypted.
    Are you saying that if I turn on my computer, enter the BitLocker PIN, boot my computer to the desktop, then press the Windows+L keys to lock the screen, the drive is encrypted at this point?

    MaloK said:
External applications cannot be executed until logon has completed. Brute-force attacks are also out of the question: Windows will freeze after too many attempts, and the ntuser.dat files are also encrypted.
    I'm referring to the case in which the PIN has already been entered to boot the computer, the Windows desktop has loaded, and then Windows+L is pressed to lock the screen. At this point, the BitLocker PIN is providing no protection, correct?

    MaloK said:
It's very easy to bypass the Windows login screen on a non-encrypted computer. On an encrypted one, not so much.

    You can forget your password, but not your key.
    Again, I am talking about the case in which a computer that has already booted to the Windows desktop (after entering the BitLocker PIN) is locked by pressing the Windows+L keys. At that point, doesn't a thief/hacker only need to bypass the lock screen and/or Windows account password in order to access the drive?


#4 (Posts: 2,800, Windows 7 Pro)

1 - No, the drive is not encrypted, but there's nothing you can do to bypass authentication at this point.

    2 - Yes, still no way to run external applications.

3 - A hacker needs to access the drive before being able to bypass the login screen (you cannot magically bypass it at the prompt). The simplest backdoor I know needs to be implemented offline.

    4 - It's pretty secure believe me.
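An added example, not part of the thread and not MaloK's or the original poster's code: a PowerShell check that reports which BitLocker key protectors guard the OS volume, so the two questions above can be answered for a specific machine rather than in general. It assumes the BitLocker PowerShell module that ships with Windows 10 Pro, an elevated prompt, and that the "Allow enhanced PINs for startup" policy is read from the `UseEnhancedPin` value under `HKLM:\SOFTWARE\Policies\Microsoft\FVE` (the registry location is my assumption; the cmdlets and protector type names are the module's own).

```powershell
# Added example (not from the thread): inspect the OS volume's BitLocker key
# protectors and report whether pre-boot authentication (TPM + PIN) is in use.
# Requires the BitLocker module (Windows 10 Pro) and an elevated PowerShell.

function Get-OsVolumeProtectionReport {
    $osDrive = $env:SystemDrive            # usually "C:"
    $vol = Get-BitLockerVolume -MountPoint $osDrive

    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey and RecoveryPassword.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # TPM-only (type "Tpm") unlocks the volume with no user secret at boot;
    # the variants below require a PIN and/or USB startup key before Windows loads.
    $preBootAuth = ($types -contains 'TpmPin') -or
                   ($types -contains 'TpmPinStartupKey') -or
                   ($types -contains 'TpmStartupKey')

    # Enhanced PINs allow letters and symbols in the startup PIN, which is the
    # closest the TPM+PIN protector gets to a "password". Assumption: the policy
    # is mirrored in this registry value; a missing value is treated as disabled.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $enhancedPin = 0
    if (Test-Path $fve) {
        $enhancedPin = (Get-ItemProperty -Path $fve -Name 'UseEnhancedPin' `
                        -ErrorAction SilentlyContinue).UseEnhancedPin
        if ($null -eq $enhancedPin) { $enhancedPin = 0 }
    }

    [PSCustomObject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus      # e.g. FullyEncrypted
        ProtectionStatus  = $vol.ProtectionStatus  # On / Off
        KeyProtectorTypes = ($types -join ', ')
        PreBootAuth       = $preBootAuth
        EnhancedPinPolicy = [bool]$enhancedPin
        HasRecoveryKey    = ($types -contains 'RecoveryPassword')
    }
}

Get-OsVolumeProtectionReport | Format-List
```

Reading the output against the thread: `PreBootAuth` being true with `TpmPin` in `KeyProtectorTypes` is the configuration the original poster described (question 1), and `EnhancedPinPolicy` shows whether that PIN may be longer and alphanumeric. For question 2, `ProtectionStatus` of `On` only says the protectors are armed; once the PIN has been entered and Windows has booted, the volume stays unlocked until the machine shuts down or hibernates, so a laptop sitting at the lock screen is guarded by the Windows account password, not by the PIN. Hibernating rather than sleeping is what makes the PIN required again.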

Windows 10 Forums