When accessing the Ledger Nano (S or X), you input a 4-8 character numeric PIN code. The device (appears) to randomly select a number (0-9) to initially show for digits 1-4 and 6-8, but the fifth digit always initially shows the checkmark symbol as default. I suspect this is to ease entry for users that only have a 4-digit PIN, but in reality it weakens the overall security of PINs greater than 4 digits long.
A malicious actor that became determined to steal my Ledger and access it would also need to monitor my PIN entry. I would assume that the random starting digit for characters 1-4 & 6-8 is so that an actor could not easily monitor button presses and have a high likelihood of knowing my PIN. But the 5th character always starts at a fixed position and is, therefore, surrendering that bit of randomness.
I understand this would increase the complexity for a user with a 4-digit PIN, but only VERY slightly so. I'd request this either be treated as an issue (security weakened) or a feature request (ability to make 5th digit start as random).