Change OpenPGP Smartcard PIN retry counter

Chandler Davis me at chandlerdavis.cc
Wed Nov 19 21:38:10 CET 2025


On Wednesday, November 19th, 2025 at 3:07 PM, Borden via Gnupg-users <gnupg-users at gnupg.org> wrote:

> Pardon my ignorance, but I thought GPG card hardware sets the PIN counter to lock or destroy the private key after failed attempts precisely to stop someone from trying to brute force the PIN?

Yes, that's correct. If the retry counter is maxed out, it will be locked and you'll have to use the unblocking PIN (PWD.2 I think) to reset the counter and make it usable again.

If you don't know the unblocking PIN, the only choice is to reset the card and put new keys on it. You *may* be able to do something with the admin PIN as well, but I don't remember off the top of my head.

> Am I to understand that we cannot rely on a PIN counter?

What we're discussing here is how to increase the number of PIN retries that are allowed before that locking happens. The counter still protects from brute forcing.

The default is 3 attempts, but I think 5 is still reasonable and a bit "safer" in terms of not accidentally locking yourself out.

--
Best,
Chandler Davis