1. John H Woods Silver badge

    Passphrase vs Masking

    One of the problems about using a passphrase instead of a password is that once you have become aware you have mistyped, you often have to start again from the beginning. My favoured solution is a a check-to-unmask*, but I was wondering what you guys would think of a compromise where spaces show up as spaces and everything else shows up as * or the standard password blob.

    *actually I prefer it to also default to be unmasked.

    1. Phil W

      Re: Passphrase vs Masking

      I think that using the word compromise when it comes to password policies and security is an immediate fail.

      Passwords should be fully masked, the only reason to implement check-to-unmask is on mobile devices where retyping is hugely inconvenient. On a hard keyboarded device retyping is insufficiently inconvenient to make it worth compromising security.

      Biometrics are the way forward, there was a time when many laptops came with fingerprint readers but it seems to have gone out of fashion a bit.

      It doesn't matter if your password/passphrase is long and complex if you hardly ever have to type it.

      Sure the security of fingerprints is compromised if someone cuts off your fingers, but if your data is so important that you need it secured against the removal of your fingers then you should be using 2 or 3 factor authentication anyway.

      1. John H Woods Silver badge

        Re: Passphrase vs Masking

        Hi Phil, thanks for the answer.

        But I think I don't need blobs when typing on my laptop - any sufficiently well positioned observer / camera can see what I'm typing. Blobs make me feel happy about entering my password with other people watching - which I shouldn't.

        As for fingerprint readers, they are a nice idea but cheapy laptop built-ins are pretty terrible. I think they can be defeated by someone lifting your prints from a glass with tape and then simply scanning the tape.

        1. TeeCee Gold badge

          Re: Passphrase vs Masking

          Hmm, the mythbusters found the exact opposite with fingerprint readers. Their "off the shelf" USB reader couldn't be fooled with tape, or any of the simple options they'd thought of and they had to resort to making an artificial finger with the fingerprint cast into it to get past the thing.

          With that, they went to the hugely expensive fingerprint activated doorlock that they'd snaffled from somewhere for the test. Their artificial finger opened that on the first attempt..........and so did a piece of sticky tape(!)

          The funny part was that they'd only taken on the USB device in order to prove the concept before having a go at the serious kit.

  2. Phil W

    As TeeCee says, finger print readers are harder to fool than you'd think. Some testing like mythbusters will show you that.

    Admittedly some of the built in laptop ones are of poor quality but I would say that rather than being easy to fool they actually fail to read genuine fingers prints far more often than you'd like. But this is down to them being the swipe variety rather than the type that read the whole print at once which are more preferable I think.

    Your argument that obfuscation isn't needed since anyone who can see your screen can probably see what you're typing is massively flawed.

    You can (and I have on occasion when being watched) type a password with one hand while cover it with the other much as is done when typing in your PIN at an ATM. Also when typing with sufficient speed it will be difficult to track the exact keystrokes.

    If it is displayed on my monitor it is quite easy to see what I type as I type it, regardless of how quickly it is done.

    The new trend now, though by no means a new concept, is two factor authentication. You may be aware that both Microsoft and Google now offer it via a mobile app for most/all of their web services.

    Using two factor authentication, does make password obfuscation and complexity requirements significantly less important but really any environment or system where you can afford to relax security to the point of having your password visible to all is an environment where you don't really need passwords in the first place.

  3. Phil W

    P.S.

    There is a really obvious way to make fingerprint scanning more secure though I've never seen it implemented.

    Have all 10 of your digits registered, then when logging in the system will ask you to submit a random choice of 2 prints. Even if the reader were vulnerable to duplicated prints on tape etc (which as pointed out before is largely a myth, although can be done with the right tools and extreme care), it would be fairly difficult for someone to lift all of your prints reliably.

  4. John H Woods Silver badge

    Thanks

    Phil that sounds like a good idea, although I understand that most fprint readers let you use alternative fingers in case you have, e.g. a sticking plaster on one of them, so you'd need some flexibility for that.

    TeeCee, thanks for the info about that - I didn't realise that it had been debunked, I'll look out for that episode.

    I absolutely agree about two-factor authentication (I use it for my work VPN) but I'm not sure I agree about password visibility. For instance, when you are in your own office, mounting an encrypted volume, you are fairly sure about having the requisite privacy. But you still want that password to be extremely strong so that your data remains safe if your server is stolen. This is even more true of mobile devices - sometimes you know you are in a safe environment, and mostly you know you will also be frequently taking that device into a less safe environment.

    However, if there were a hidden hi-def camera of which you were unaware, I'm pretty sure that a slow-mo replay of you entering the password, even as a ten-finger typist, would yield so much information about the content of the password that it would make it relatively easy to crack. Even if you can only identify the hand and the row you have narrowed each character to about 5 possibilities.

    On balance though, I think you have convinced me that it's a dumb idea, and if I value security I should just accept the occasional need to retype a long passphrase. Who knows, maybe it will even improve the accuracy of my typing!

    1. TeeCee Gold badge

      Re: Thanks

      I'm not sure "debunked" is right there.

      As both could be fooled, even though the cheap PC reader proved "harder" I reckon a fingerprint reader is less secure than a password. Both are vulnerable once the miscreant has the thing, but your fingerprints are more likely to be available to some scrote without your knowledge. Also if you suspect someone else may have 'em, changing your fingerprints is tricky.

  5. OzBob

    I can't remember where I saw it

    but there was a masking rule I used recently where the last character typed was visible only and the rest was masked, which allowed you to stop and verify what you had got up to. I did find it both helpful and disconcerting in equal measure.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020