How long should my device password be?

The BitBox02 has two unlock protections to protect against simply trying out all possible passwords:

  1. After 10 failed unlock attempts, the device is reset and must be restored from the backup.
  2. The secure chip contains a lifetime counter and permanently locks the device after ~730'000 unlocks (that's about 100 unlocks per day for 20 years).
This is called "security in-depth": even if unlock protection (1) can be bypassed, unlock protection (2) will prevent any damage.

We recommend using a password that is hard to brute-force even in the unlikely event that the unlock protection (1) could be bypassed. The chance of an attacker guessing the right password before hitting the unlock protection (2) are as follows:

  • 5 random characters: 0.08 %
  • 6 random characters: 0.012 %
  • 7 random characters: 0.00002 %
We recommend to use a device password of 5 or more random characters, including uppercase and lowercase characters and numbers.