Password protection


Hi everybody,
This may seem a stupid question but I can’t find an answer to it, and I will say that I did ask support the question and they have not answered either. This is for a Nitrokey storage.

With your initial password there are only three attempts allowed. My question is…what happens if there is an attempt where these three attempts are used up? What happens to the device? Is it reset? Is data destroyed?

I’ve looked everywhere but can’t see any info. If someone could point me toward some official explanation on the Nitrokey site I’d appreciate it.



You have something of an explanation there for the passwords creation itself, but it’s a bit unclear what happens when one fails. I understand if you fail the day-to-day password three times, you’ll be able to reset it with the master password (which is why NK proposes to keep a short pass for day-to-day : it will be burnt straight after 3 attempts).
On the other hand I don’t really know the process if you fail the master pass three times : I understand you only can reset the whole key, and I also understand that a third party dismounting the key to access the memory will just get a strongly encrypted volume, which we consider is not decipherable…

Another helpful link : User PIN / Admin PIN explanation?


Thank you very much for the reply. Yes, I had already seen those bits of info which are not at all clear. Not sure what it means by “blocked” in terms of what? Blocked forever? One day? Two days? Its a bit opaque and I regard this as being a key feature of the key. I will pester the support people again and see if I can get something resembling a straight answer.


Hi, “blocked” means: it will not work until it is “un-blocked”. You have to active “un-block” the device - there is no timer, nor any other automatic procedure that will start.

To “un-block” you could either use the admin pin ( if the user-pin is blocked ) and with that you could un-block the device without destroying the content OR (if the admin pin is blocked ) you could reset the NK, which also destroys the content.


Thanks for the reply. So by “blocked” does this mean that it will not allow any more attempts at a password being put into it and that it will only respond to the correct password? If that is so what is to stop a brute force password program still trying to crack the password?

I must be slow or something but terms such as “blocked” don’t really tell me anything. Pretty hard, for me at least, to understand what happens.

For example, I have an Ironkey. With that device it is clear that you have ten attempts to correctly put the password in. If you don’t you have already made a decision when setting it up to have the device reset or the data destroyed after ten goes. Pretty simple. No such simplicity it appears with the Nitrokey.


Blocked means you can not access the keys anymore. It does not matter, if you put in the correct PIN or not, the device will not respond to the request other than denying it.

Thus, brute force is not possible. The device is not usable anymore, until one decides to factory-reset it.


I received a very nice and comprehensive reply from Nitrokey support which goes:

"You have a user and a admin PIN. If the former is blocked by using a wrong PIN for three times, you can still unblock it with the admin PIN. If you block both PINs, the keys on the Nitrokey can’t be used anymore and thus it is not possible to decrypt anything of the storage. The only thing one can do in this state, is to factory reset the device. The reset is not done automatically, but the keys still can not be
accessed anymore. This is ensured in hardware.

So there is the answer. Thank you to all who replied to my question.