Note that there are limitations of TPM-only Bitlocker.
#Bitlocker pin password#
On the other hand, even without Bitlocker, an attacker could encrypt data that is protected with a key derived from their login password (using DPAPI and/or EFS) and therefore require the attacker to get their login password (although in that case brute-forcing the NTLM hash is probably the easiest option, and with BitLocker you can't do that). However, it does mean that simply getting the hard disk without the rest of the machine will be useless to an attacker, and that getting the entire machine but with no idea what the login passwords are and no special attack hardware will be nearly as bad. In fact, in TPM-only mode, it is vital that you have a strong Windows password on all login-enabled accounts, because the attacker can still attempt online brute-forcing of that password (though Windows will limit how fast they can try). Using Bitlocker in TPM-only mode (not the same as just "without PIN" because you could use another form of authentication, such as an external key on a USB device) means the disk encryption key will only be available if the OS boots up normally if the boot process is modified by malicious code, or if the normal OS isn't booting at all (because you're booting to Linux or something instead) then the TPM won't reveal the key.īitlocker, in any mode, doesn't really "transform the normal Windows User login into something secure", except in the sense that you can't easily attempt offline cracking of the (weak) password hash the way you normally can.
0 kommentar(er)
