by drysart 86 days ago
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.

I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.


Yup, it was Notes; I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?

I'm guessing that wasn't in the threat model at the time.

Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".

What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.

Makes sense. I was under the impression there were more than 4 outputs based on what you entered. (I've seen a similar setup that shows two hex digits)
Yeah, this reduces the time required to crack a password from

(# available characters) ^ (password length)

to

(# available characters) * (password length).

If you were patient you could crack someone's passwords by hand.
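An added example, not from any comment in this thread, that puts numbers on the two estimates above (the 16^9 for four images over 64 characters, and the collapse when the feedback has as many outputs as the alphabet): a toy hash-to-picture widget, the picture sequence a bystander would see, and an exhaustive count of how many passwords remain consistent with it. The `picture` function and the 64-character alphabet are assumptions for the demonstration, not the real Notes behaviour; this is the leakage a designer should compute before shipping per-keystroke feedback.

```python
import hashlib
import math
import string

# Constructed 64-character alphabet, matching the "64 possible characters" in the thread.
ALPHABET = string.ascii_letters + string.digits + "+/"

def picture(prefix: str, n_images: int) -> int:
    """Toy stand-in for the picture shown after each keystroke (an assumption,
    not the real Notes algorithm): hash of everything typed so far, reduced to
    one of n_images buckets."""
    digest = hashlib.sha256(prefix.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_images

def observed_pictures(password: str, n_images: int) -> list[int]:
    """The sequence of pictures a bystander sees while the password is typed."""
    return [picture(password[:i + 1], n_images) for i in range(len(password))]

def consistent_passwords(pictures: list[int], n_images: int) -> list[str]:
    """Every string over ALPHABET that would have produced exactly this picture
    sequence. Built one position at a time, so the working set stays near
    (64 / n_images) ** depth instead of 64 ** depth."""
    prefixes = [""]
    for shown in pictures:
        prefixes = [p + c for p in prefixes for c in ALPHABET
                    if picture(p + c, n_images) == shown]
    return prefixes

def expected_space(alphabet_size: int, n_images: int, length: int) -> float:
    """Expected number of passwords consistent with the leaked pictures:
    (alphabet_size / n_images) ** length, i.e. the 16**9 of the comment for 64 and 4.
    Each position keeps at least the true character, hence the max(..., 1)."""
    return max(alphabet_size / n_images, 1.0) ** length

def leakage_report(password: str, n_images: int) -> dict:
    """Compare the full key space with what survives the per-keystroke leak."""
    pics = observed_pictures(password, n_images)
    survivors = consistent_passwords(pics, n_images)
    full = len(ALPHABET) ** len(password)
    return {
        "full_space": full,
        "expected_after_leak": expected_space(len(ALPHABET), n_images, len(password)),
        "actual_after_leak": len(survivors),
        "true_password_survives": password in survivors,
        "bits_lost": math.log2(full / len(survivors)),
    }

if __name__ == "__main__":
    # Constructed 3-character password so the exhaustive count finishes instantly.
    print(leakage_report("p4s", 4))    # roughly 4096 of 262144 candidates survive
    print(leakage_report("p4s", 256))  # "two hex digits": almost nothing survives
```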

Back around 1996, Notes would show hieroglyphics that changed with each new password character.
Notes did indeed do that, and as I recall it was three asterisk characters per password character.