Unless custom PIM set, remove PIM from boot password screen

[Dave]

If the user has not set a custom PIM, please remove the PIM prompt on the boot password screen. Without a custom PIM value, the PIM prompt offers no benefit, as the user (and an attacker) would only need to press Enter key to bypass it (rather than entering a numeric value).

Having the PIM on the boot screen confuses new users, as they don’t know what it means. This would not be the case if the user knowingly chooses a custom PIM value.

Cheers.

[jackmanjack]

That would be a security issue...it would tell an attacker that you use the default PIM. The PIM can be considered as a secondary password (with limited security). Therefore this will never happen. People that don't know what a PIM is or don't invest the time to research what they are about to do to their computer should not use this tool anyway.

[Dave]

The first the thing an attacker would do is press Enter key at the PIM prompt. Provided the user has followed the instructions in the wizard and created a password consisting of at least 20 characters, with upper and lower case letters, numbers and symbols, the attacker would have a hard time brute-forcing entry. The longer the password is, the better.

I have read in the past on here that users would set the PIM value far too high, resulting in VERY long waiting times before VeraCrypt will boot the system.

Maybe VeraCrypt could choose a custom PIM value during system encryption (based on the quality of the password and the available hardware resources)? If so, the encryption wizard should prompt the user to remember the PIM value, with warnings that the system won’t boot without entering the correct value!