New
#1
Bitlocker...TPM + PIN vs Password?
I have seen this question asked elsewhere several times, but with different answers...so I just want to make sure my understanding of BitLocker is correct.
In the past, I had used BitLocker on several computers that did Not have a TPM...therefore I had to use a strong 30/40/50+ character password, which was not a problem. I am now working with a new computer that came with a TPM installed...so now instead of a long password, I am restricted to a maximum of 20 characters (even with enhanced PIN's enabled, it still only lets you use 20 characters, which I'm not sure why 20 is the limit?)
From my understanding, even though it is a much shorter PIN, it is more secure than a long password because the TPM only allows up to 32 attempts before locking out...and then lets 1 more attempt every 2 hours...thereby allowing only just over 4,000 attempts per year (according to both basic math as well as a Microsoft article). Thereby making brute forcing the PIN pretty much impossible even if you use just a 6 digit number.
In addition, if you put the hard drive in another computer, the PIN won't work...you would now need to use the recovery key/recovery password...which is also impractical to brute force.
Is my understating pretty much correct? Or am I missing anything? At first it would seem a 50 character password is more secure than a 6 digit PIN number, but after reviewing everything, it seems that the TPM makes the PIN 'stronger' than the password? Is there any benefit to turning off the TPM in BIOS and just using a long secure password? Or is it best to stick with the TPM + PIN even though the PIN is far shorter?