[cryptography] Oddity in common bcrypt implementation

Ian G iang at iang.org
Tue Jun 28 11:36:42 EDT 2011


On 28/06/11 11:25 AM, Nico Williams wrote:
> On Tue, Jun 28, 2011 at 9:56 AM, Marsh Ray<marsh at extendedsubset.com>  wrote:

>> Consequently, we can hardly blame users for not using special characters in
>> their passwords.
>
> The most immediate problem for many users w.r.t. non-ASCII in
> passwords is not the likelihood of interop problems but the
> heterogeneity of input methods and input method selection in login
> screens, password input fields in apps and browsers, and so on, as
> well as the fact that they can't see the password they are typing to
> confirm that the input method is working correctly.

This particular security idea came from terminal laboratories in the 
1970s and 1980s where annoying folk would look over your shoulder to 
read your password as you typed it.

The assumption of people looking over your shoulder is well past its 
use-by date.  These days we work with laptops, etc, which all work to a 
more private setting.  Even Internet Cafes have their privacy shields 
between booths.

There are still some lesser circumstances where this is an issue (using 
your laptop in a crowded place or typing a PIN into a reader/ATM). 
Indeed, in the latter case, the threat is a camera that picks up the keys 
as they are typed.

But for the most part, we should be deprecating the practice at its 
mandated level and exploring optional or open methods.  Like:

> Oddly enough
> mobiles are ahead of other systems here in that they show the user the
> *last/current* character of any passwords they are entering.


iang
