Wave Systems Corp. (fka WAVXQ)

[Genz2]

PIN vs Password in Windows 10 – Which offers better security?

https://www.wavesys.com/products/wave-virtual-smart-card
Excerpt:

The user experience with a virtual smart card is simple: he or she logs in with a PIN (authentication factor number one). The TPM (authentication factor number two) then transparently identifies the device to the network and connects the user to all the approved services. It’s one less thing for users to carry around.

https://www.thewindowsclub.com/pin-vs-password-in-windows-10

Windows 10 introduced Windows Hello allowing users to sign in to their device using the PIN or biometric identification. It revolutionized the concept of system security, bringing it to a level that no system could be hacked remotely. However, Windows 10 also allows users to use the Password to log in. So which offers better security?

PIN vs Password in Windows 10

What is a Password?

A Password is a secret code which is stored on a server and can be used to access your account from any location, at least when speaking of computer-related accounts. Now they say that since servers have their own Firewalls which are powerful enough, these passwords cannot be hacked. However, this is untrue. A cyber-criminal doesn’t need to specifically access the server to figure out the password. Keylogging, phishing, etc. are a few of the known techniques to hack a person’s password without interfering with the server itself.

No matter how the password has been acquired, the intruder now has access to the user’s accounts from anywhere he/she chooses to access. One exception is if the user whose account was compromised was using a company based login where the information is stored in an active directory. In such a case, the hacker would have to access the original user’s account through any other system which is on the same network, which is difficult, though still possible.

Here’s where the concept of the PIN and biometric identification come to use. Windows Hello PIN and biometric identification are system specific. They are not stored on any server. While these logon types are not a substitute for a password, they are seemingly unhackable unless the cyber-criminal steals the device itself.

What is a PIN?

A PIN is an easy secret login code to login to your device. It is usually a set of number (mostly 4-digits), though some companies might allow their employees to use PINs with letters and special characters.

A PIN is tied to the device

A PIN is not stored on any server and is device specific. This means that if someone finds out your system’s PIN, the intruder would be able to get nothing out of it unless he/she steals the device as well. The PIN cannot be used on any other device belonging to the same person.

A PIN is backed up by TPM hardware

A Trusted Platform Module (TPM) is a hardware chip that has special security mechanisms to make it tamper proof. It has been made such that no known software attacks can hack it. Eg. PIN-brute force won’t work since the TPM gets locked.

How PIN backed up with TPM works if someone steals your laptop?

Ideally, it would be an extremely rare case that a cybercriminal is able to steal your laptop and spoof its PIN, but well, considering that it’s possible, TPM uses anti-hammering mechanism to block the PIN after repeated wrong attempts. If your device does not have TPM, you can use BitLocker to limit the number of failed sign in attempts, using the Group Policy Editor.

Why do users need to set a PIN before using biometric identification?

Be it a fingerprint, the retina of the eye or speech, injury on the body part used for biometric identification might lead to your device getting locked. Since people have a habit of not setting PINs unless forced to, Microsoft made it mandatory to set one before creating biometric identification.

Which is better among PIN and Password?

Honestly, this is a question that cannot be answered straight away. A PIN cannot be used for single sign-on structures like a password. A password is insecure and even known attacks like phishing and keylogging cannot protect systems if the password is hacked. Usually, servers offer extra protection like 2-step authentication and IT departments in companies help change the password or block accounts the second they figure out that the password has been compromised. So the choice is yours – but generally speaking, a PIN does offer more security.