Tepix 2 days ago

Why not just display a single character out of a changing set of characters such as / - \ | (starting with a random one from the set) after every character entered? That way you can be certain whether or not you entered a character, but an observer can't tell how many characters your password has.

drysart 2 days ago | parent | next [-]

There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.

I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.

ErroneousBosh 2 days ago | parent | next [-]

Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.

orthoxerox 2 days ago | parent | prev | next [-]

Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.

extraduder_ire 2 days ago | parent [-]

If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?

I'm guessing that wasn't in the threat model at the time.

orthoxerox a day ago | parent | next [-]

Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".

What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.

extraduder_ire 15 hours ago | parent [-]

Makes sense. I was under the impression there were more than 4 outputs based on what you entered. (I've seen a similar setup that shows two hex digits)

qnleigh 2 days ago | parent | prev [-]

Yeah this reduces the time required to crack a password from

(# available characters) ^ (password length)

to

(# available characters) * (password length).

If you were patient you could crack someone's passwords by hand.

CoastalCoder 2 days ago | parent | prev | next [-]

Back around 1996, Notes would show hieroglyphics that changed with each new password character.

magicalhippo 2 days ago | parent | prev [-]

Notes did indeed do that, and as I recall it was three asterisk characters per password character.

ErroneousBosh 2 days ago | parent | prev | next [-]

Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.

jadamson 2 days ago | parent | prev | next [-]

I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?

What's the benefit of having a random character from a random set, instead of just a random character?

oneeyedpigeon 2 days ago | parent | next [-]

I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)

jadamson 2 days ago | parent [-]

Ah, and the characters are supposed to be an ASCII spinner.

I think if I was new to Linux that would confuse the life out of me :)

NiloCK 2 days ago | parent | prev | next [-]

There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.

ordu 2 days ago | parent [-]

If you can see 1 char from a set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, but it is still confusing.

NiloCK 2 days ago | parent [-]

The original suggestion included randomizing the first character of the set, which removes this attack.
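A small model of the length leak discussed above (added here as an illustration, not code from the thread or from any real password prompt). It assumes the 4-glyph spinner and the 6 to 12 character length range mentioned in the thread, and measures how many bits of length information a one-shot observer of the final display gains under plain asterisk echo, a spinner that always starts at the same glyph, and a spinner whose start glyph is picked at random.

```python
import math
import secrets

GLYPHS = "/-\\|"            # spinner set proposed in the thread
MIN_LEN, MAX_LEN = 6, 12    # assumed plausible length range, as in ordu's comment
LENGTHS = range(MIN_LEN, MAX_LEN + 1)


def spinner_display(length, start):
    """Glyph left on screen after `length` keystrokes, starting at phase `start`."""
    return GLYPHS[(start + length) % len(GLYPHS)]


def asterisk_display(length):
    """Classic echo: one star per keystroke, so the display is the length."""
    return "*" * length


def length_candidates_spinner(observed, known_start=None):
    """Lengths consistent with the final glyph. known_start=None models a start
    phase chosen with secrets.randbelow() that the observer did not see."""
    starts = [known_start] if known_start is not None else range(len(GLYPHS))
    return {n for n in LENGTHS for s in starts if spinner_display(n, s) == observed}


def length_candidates_asterisks(observed):
    return {n for n in LENGTHS if asterisk_display(n) == observed}


def bits_leaked(candidates):
    """Length information gained, assuming every length in range is equally likely."""
    return math.log2(len(LENGTHS) / len(candidates))


def compare(length):
    """Bits of length information leaked by each design for one password length."""
    start = secrets.randbelow(len(GLYPHS))  # random phase, unknown to the observer
    return {
        "asterisks": bits_leaked(length_candidates_asterisks(asterisk_display(length))),
        "spinner_fixed_start": bits_leaked(
            length_candidates_spinner(spinner_display(length, 0), known_start=0)),
        "spinner_random_start": bits_leaked(
            length_candidates_spinner(spinner_display(length, start))),
    }


if __name__ == "__main__":
    for n in LENGTHS:
        print(n, compare(n))
```

With a fixed start the final glyph still narrows a 10-character password to {6, 10}; with a random start every length in range remains consistent, so the observer learns nothing from a single look.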

DrawTR 2 days ago | parent | prev [-]

They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.

gzread 2 days ago | parent | prev | next [-]

Because that's still weird and confusing to people and still serves no purpose.

creatonez 2 days ago | parent | next [-]

Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.

Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.

^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc

opan 2 days ago | parent [-]

Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ASCII loading spinners from package managers that change between slashes and hyphens and such. Something of that sort would probably do the trick.

nananana9 2 days ago | parent | prev [-]

Purpose:

> That way you can be certain whether or not you entered a character

gzread 2 days ago | parent | next [-]

And the shoulder surfer can still count the number of times it changes so you might as well just be normal.

They can also count the number of keystrokes they heard.

ErroneousBosh 2 days ago | parent | next [-]

ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.

I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.

I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.

He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.

Tepix 2 days ago | parent | prev | next [-]

The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.

oneeyedpigeon 2 days ago | parent | prev [-]

Surely looking at your screen seconds/minutes/hours later is the greater risk vector?

blackhaz 2 days ago | parent | prev [-]

It's surprising to see an OS, dominant as a server platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?

johnisgood 2 days ago | parent | next [-]

You are down-voted, but if we consider this to be the reason, it is indeed sad.

You can no longer filter out power users of computers based on their choice of OS alone. :D

rabf 2 days ago | parent | prev [-]

Password recovery where you enter your mother's maiden name and favourite food.

g947o 2 days ago | parent | prev | next [-]

For a new Ubuntu user, that is probably more confusing than not echoing at all.

"That way you can be certain..." absolutely not.

jandrese 2 days ago | parent | prev [-]

Unless of course your adversary can count. But if they can count they can also just count the number of keystrokes they hear, especially if you're recording it and they can spend time post processing the audio.

eapressoandcats a day ago | parent [-]

As a general rule, if you have an adversary that cares that much you’re probably doomed.

Presumably they’re capable of buying a $5 wrench to physically use against you.

fsflover a day ago | parent [-]

Unless they want to compromise you secretly.

eapressoandcats 15 hours ago | parent [-]

Then spear phishing is almost certainly more economical.

Or just plugging a device into your laptop while you’re not looking and stealing all your session state for browsers.