[cryptography] Oddity in common bcrypt implementation

Marsh Ray marsh at extendedsubset.com
Tue Jun 28 13:15:40 EDT 2011

On 06/28/2011 10:36 AM, Ian G wrote:
> On 28/06/11 11:25 AM, Nico Williams wrote:
>> The most immediate problem for many users w.r.t. non-ASCII in
>> passwords is not the likelihood of interop problems but the
>> heterogeneity of input methods and input method selection in login
>> screens, password input fields in apps and browsers, and so on, as
>> well as the fact that they can't see the password they are typing to
>> confirm that the input method is working correctly.
> This particular security idea came from terminal laboratories in the
> 1970s and 1980s where annoying folk would look over your shoulder to
> read your password as you typed it.

Hardcopy terminals were common even into the 80s. Obviously you don't 
want the password lying around on printouts.

Even worse, some terminals couldn't disable the local echo as characters 
were typed. The best the host could do for password entry was to 
backspace overprint a bunch of characters on the printout beforehand to 
obscure it.

> The assumption of people looking over your shoulder is well past its
> use-by date.
Perhaps someday our systems will be secure enough that shoulder-surfing 
is a problem worth worrying about again.

>> Oddly enough
>> mobiles are ahead of other systems here in that they show the user the
>> *last/current* character of any passwords they are entering.

Don't forget, the person in the room with you may have a 5 megapixel 
video camera in their shirt pocket with a view of your keyboard.

- Marsh