[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Martin, Christopher chrismartin at firstam.com
Tue Jul 14 11:44:34 EDT 2009


Better yet, if there is a camera involved, merely capturing your
keystrokes on the device as your fingers move. 


Christopher A. Martin
Manager, CITG Information Security Risk Management
First American Corporation
1 First American Way
Westlake, Texas 76262
Office: (817) 699-4309
http://www.firstam.com
**********************************************************************
This message contains confidential information intended only for the use
of the addressee(s) named above and may contain information that is
legally privileged. If you are not the addressee, or the person
responsible for delivering it to the addressee, you are hereby notified
that reading, disseminating, distributing or copying this message is
strictly prohibited. If you have received this message by mistake,
please immediately notify us by replying to the message and delete the
original message immediately thereafter.
Thank you.
FADLD Tag
**********************************************************************


-----Original Message-----
From: Bil Corry [mailto:bil at corry.biz] 
Sent: Monday, July 13, 2009 4:44 PM
To: Chris Varenhorst
Cc: Matt Parsons; websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Jakob Nielsen's Stop Password Masking

Chris Varenhorst wrote on 7/12/2009 8:13 PM:
> I thought this thread might be interested in two recent arc90 password
> masking experiments.  The basic idea is to meet Jakob Nielsen half way
> and mask the password so that a casual observer won't be able to
> get much information from it, but the user can still confirm they
> typed their password correctly.
>
> http://lab.arc90.com/2009/07/halfmask.php
> http://lab.arc90.com/2009/07/hashmask.php

Thanks for sharing these.  A few thoughts on each:

I found that I couldn't read halfmask at all, or even guess at what I
had typed.  I could, however, read what I had typed if I highlighted the
password.  I also found I could easily read it if I turned the gamma way
up, and I could also easily read it on a screen capture image where I
tweaked the color curves.

As for hashmask, couldn't an attacker with a video camera deduce your
password by replaying each hash image generated after every keystroke,
trying every character until it matches, then moving on to the next
one until your password has been recovered?  Even if the hash image isn't
shown until you are done entering your password, it would still allow an
attacker to record the final password hash image, then brute-force it
off-line by comparing images without having to round-trip to the server
(which is the best alert that a brute-force is taking place).


- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
