On 06/28/2011 10:36 AM, Ian G wrote:
On 28/06/11 11:25 AM, Nico Williams wrote:

The most immediate problem for many users w.r.t. non-ASCII in
passwords is not the likelihood of interop problems but the
heterogeneity of input methods and input method selection in login
screens, password input fields in apps and browsers, and so on, as
well as the fact that they can't see the password they are typing to
confirm that the input method is working correctly.

This particular security idea came from terminal laboratories in the
1970s and 1980s where annoying folk would look over your shoulder to
read your password as you typed it.

Hardcopy terminals were common even into the 80s. Obviously you don't want the password lying around on printouts.

Even worse, some terminals couldn't disable the local echo as characters were typed. The best the host could do for password entry was to backspace overprint a bunch of characters on the printout beforehand to obscure it.

The assumption of people looking over your shoulder is well past its
use-by date.

+1

Perhaps someday our systems will be secure enough that shoulder-surfing is a problem worth worrying about again.

Oddly enough
mobiles are ahead of other systems here in that they show the user the
*last/current* character of any passwords they are entering.

Don't forget, the person in the room with you may have a 5 megapixel video camera in their shirt pocket with a view of your keyboard.

- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
