On 28/06/11 11:25 AM, Nico Williams wrote:
> On Tue, Jun 28, 2011 at 9:56 AM, Marsh Ray <[email protected]> wrote:
>
>> Consequently, we can hardly blame users for not using special characters in
>> their passwords.
>
> The most immediate problem for many users w.r.t. non-ASCII in
> passwords is not the likelihood of interop problems but the
> heterogeneity of input methods and input method selection in login
> screens, password input fields in apps and browsers, and so on, as
> well as the fact that they can't see the password they are typing to
> confirm that the input method is working correctly.

This particular security idea came from terminal laboratories in the 1970s and 1980s where annoying folk would look over your shoulder to read your password as you typed it.

The assumption of people looking over your shoulder is well past its use-by date. These days we work with laptops, etc, which all work to a more private setting. Even Internet Cafes have their privacy shields between booths.

There are still some lesser circumstances where this is an issue (using your laptop in a crowded place or typing a PIN onto a reader/ATM). Indeed in the latter case, the threat is a camera that picks up the keys as they are typed.

But for the most part, we should be deprecating the practice at its mandated level and exploring optional or open methods. Like:

> Oddly enough
> mobiles are ahead of other systems here in that they show the user the
> *last/current* character of any passwords they are entering.


iang
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
