Comment by pbhjpbhj

2 years ago

Aside, I've noticed that the current technique of rendering a fixed number of asterisks independent of the password length is quite confusing to users -- "that's wrong, it's the wrong length", resulting in attempts to type in the "correct" password and thus obviating the benefit of the stored password.

Not sure how to fix that. I recall a visible hash of some form being used in the past (eg take a 2-digit hash, pair it with a smiley; I must have entered it right, it's showing me the ROFL smiley), but that would aid shoulder surfed password entries, at least.

I've seen a GUI password input field that mutated an abstract line drawing on every keypress. Think random cross-hatching over the whole input field where the lines are nudged a little on every press.

(Not that that's necessarily a good idea, it still gives away timing/length information to e.g. cameras.)

I'm honestly seeing little value in asterisks with WFH and the move to passphrases. Feedback is important when you're typing a long phrase with complete precision. Plus shoulder surfing is simply not a thing when my physical security profile now involves a locked front door and a call to the police.

  • WFH also means Working From my backyard, the coffee shop around the corner, the library, a friend's house, a hotel room, etc.

    Even for people who only work at home while working remotely, private homes can see a lot of traffic. I wouldn't assume all screens are kept and used in totally secure environments so we should probably still stick with masked passwords and telling users not to keep passwords written on a post-it note stuck to their monitor.

    • And now employees simply leave their laptop open with the SSH window up while getting their coffee because it's now so annoying to close the lid and correctly type the password.

      >USB Rubber Ducky has entered the chat

    • If they can see the screen wouldn’t they be better off just looking at the keyboard to directly observe what’s being typed?

  • Are you describing your experience or implying that the industry should change this because you can WFH?

    • The latter. They seemingly meant "I can WFH, so asterisks are meaningless to everyone. F@&# asterisks!"

  • > I'm honestly seeing little value in asterisks

They're essential! How else would we encourage the average user to use as short and as simple a password as they can get away with?

I’ve seen some programs render three asterisks per key stroke. Deters human shoulder surfers from seeing the length of your password.

I think simplest and safest solution would be a shape that rotates at random interval for each key stroke.

Depends what problem you want to solve. "Did the keyboard register my press?" vs "did I type the same thing as last time?" have different constraints.

The login fractal - a shape that is infinitely recurring, starts at a random place, and indicates entry with "zooming".

The browser could use a different rendering convention for autopopulated passwords. For instance, it could render a solid black bar (no characters for the user to count) or maybe the phrase "autofilled", perhaps with a strange background color / rendering convention.