[cryptography] Oddity in common bcrypt implementation

Jeffrey Walton noloader at gmail.com
Tue Jun 28 15:00:19 EDT 2011


On Tue, Jun 28, 2011 at 11:36 AM, Ian G <iang at iang.org> wrote:
> On 28/06/11 11:25 AM, Nico Williams wrote:
>>
>> On Tue, Jun 28, 2011 at 9:56 AM, Marsh Ray<marsh at extendedsubset.com>
>>  wrote:
>
>>> Consequently, we can hardly blame users for not using special characters
>>> in
>>> their passwords.
>>
>> The most immediate problem for many users w.r.t. non-ASCII in
>> passwords is not the likelihood of interop problems but the
>> heterogeneity of input methods and input method selection in login
>> screens, password input fields in apps and browsers, and so on, as
>> well as the fact that they can't see the password they are typing to
>> confirm that the input method is working correctly.
>
> This particular security idea came from terminal laboratories in the 1970s
> and 1980s where annoying folk would look over your shoulder to read your
> password as you typed it.
>
> The assumption of people looking over your shoulder is well past its use-by
> date.  These days we work with laptops, etc, which all work to a more
> private setting.  Even Internet Cafes have their privacy shields between
> booths.
>
> There are still some lesser circumstances where this is an issue (using your
> laptop in a crowded place or typing a PIN onto a reader/ATM). Indeed in the
> latter case, the threat is a camera that picks up the keys as they are
> typed.
>
> But for the most part, we should be deprecating the practice at its mandated
> level and exploring optional or open methods.  Like:
>
>> Oddly enough
>> mobiles are ahead of other systems here in that they show the user the
>> *last/current* character of any passwords they are entering.
It's also approved by FIPS 140 (Change 2), Section 4.7.4:

    Manually-entered cryptographic keys (keys entered using
    manual methods) shall be verified during entry into a
    cryptographic module for accuracy using the manual key
    entry test specified in Section 4.9.2. During key entry, the
    manually entered values may be temporarily displayed to
    allow visual verification and to improve accuracy. ...

Jeff



More information about the cryptography mailing list