upvote

points

by Tepix4 hours ago |
comments
upvoteby drysart3 hours ago|
next
[-]
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.

I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.

reply
upvoteby orthoxerox2 hours ago|
parent|
next
[-]
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
reply
upvoteby CoastalCoder3 hours ago|
parent|
prev|
next
[-]
Back around 1996, Notes would show hieroglyphics that changed with each new password character.
reply
upvoteby magicalhippo2 hours ago|
parent|
prev|
next
[-]
Notes did indeed do that, and I as I recall it was three astrix characters per password character.
reply
upvoteby ErroneousBosh2 hours ago|
parent|
prev|
[-]
Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
reply
upvoteby g947o2 hours ago|
prev|
next
[-]
For a new Ubuntu user, that is probably more confusing than not echoing at all.

"That way you can be certain..." absolutely not.

reply
upvoteby gzread4 hours ago|
prev|
next
[-]
Because that's still weird and confusing to people and still serves no purpose.
reply
upvoteby creatonez3 hours ago|
parent|
next
[-]
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.

Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.

^1: Example of it in use: https://www.youtube.com/watch?v=FvT44BSp3Uc

reply
upvoteby nananana94 hours ago|
parent|
prev|
[-]
Purpose:

> That way you can be certain whether or not you entered a character

reply
upvoteby gzread3 hours ago|
parent|
next
[-]
And the shoulder surger can still count the number of times it changes so you might as well just be normal.

They can also count the number of keystrokes they heard.

reply
upvoteby Tepix3 hours ago|
parent|
next
[-]
The echoed stars should disappear when you press enter, that way you are not revealing this information when you share a screen capture.
reply
upvoteby oneeyedpigeon3 hours ago|
parent|
prev|
next
[-]
Surely looking at your screen seconds/minutes/hours later is the greater risk vector?
reply
upvoteby ErroneousBosh2 hours ago|
parent|
prev|
[-]
ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.

I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.

I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.

He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.

reply
upvoteby blackhaz3 hours ago|
parent|
prev|
[-]
It's surprising to see an OS, dominant as a sever platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
reply
upvoteby rabf3 hours ago|
parent|
[-]
Password recovery where you enter your mothers maiden name and favourite food.
reply
upvoteby jadamson4 hours ago|
prev|
next
[-]
I don't understand your suggestion. If you're still showing one character after each character entered, what's changed?

What's the benefit of having a random character from a random set, instead of just a random character?

reply
upvoteby oneeyedpigeon3 hours ago|
parent|
next
[-]
I think the idea is that each character overwrites the previous, so you're never showing the total length (apart from 0/1!)
reply
upvoteby jadamson3 hours ago|
parent|
[-]
Ah, and the characters are supposed to be an ASCII spinner.

I think if I was new to Linux that would confuse the life out of me :)

reply
upvoteby NiloCK3 hours ago|
parent|
prev|
next
[-]
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
reply
upvoteby ordu1 hours ago|
parent|
[-]
If you can see 1 char from set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, of course, but it is still confusing.
reply
upvoteby DrawTR3 hours ago|
parent|
prev|
[-]
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
reply
upvoteby ErroneousBosh2 hours ago|
prev|
[-]
Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.
reply