> You keep talking as if visible passwords is some scary never tried before thing.
No. That’s you adding tone that wasn’t there.
> In reality, it's the almost universal norm, with Unixy terminal being the only place that does anything else. When you log into your UI (on Linux, Mac, and Windows), when you access your bank website, when you go to an ATM, when you log into your email account, and so many other places - all use a normal password input that echoes some character for every input.
Which is exactly why I talked about the audience of the security policies and not the technology ;)
It’s the risk appetite of the users that matters more here than the technology.
> You also keep ignoring the fact that anyone who has access to see the length of your input in a shell has access to MUCH more useful information by watching/listening to you type.
I didn’t ignore that. I just didn’t address it because there are a plethora of problems with keystrokes and I didn’t want to get drawn into a debate about that specifically. But since you asked:
1. They’re not always audible. Not everyone owns a mechanical keyboard ;)
2. Backspace, Ctrl+D and so on will be keystrokes that delete some or all of the password characters.
3. Tab and Enter are also keystrokes but aren’t password characters either.
4. People are generally worse at counting sounds than counting sequences of visual cues.
5. You might be watching someone on video rather than shoulder surfing so key sounds are unavailable
6. Other people might be typing in the vicinity, and picking out one typist from another is exceptionally difficult vs reading dots on a screen.
7. Just because one thing exists, it doesn’t automatically mean everything else has no value.
I could go on. But key sounds aren’t as big a giveaway as some on here would like to claim. And they’re definitely not on a par with dots on a screen.
However, if your security model is that even the key sounds are a risk, then you / your organisation should be looking at passwordless systems like certificate-based logins.
So again, notice here that I’m not talking in absolute terms but instead discussing risks and their countermeasures.
> Bottom line is that there is no realistic security loss from this, except for the most extreme contrived scenarios. While sure, this is not the best choice for 100% of users, it's still the best choice for 99.99999% of them, so it really doesn't bear discussion.
Except you are discussing it and ended up making the same point I was but expressing it like a counter argument. It would have been a whole lot easier if you’d just said “I agree” but c'est la vie.