by lhorie 6194 days ago
>> model it against an adversary with a camera.

Which can record your hands? :)

I figure that the offline dictionary attack could be foiled if this was a Firefox extension that generated a random salt on installation. (Of course, this doesn't work if you want to play WOW at an Internet cafe.)

My main reaction to the experiment is that I don't know many people who touch type (at least when it comes to their password): I've had people accidentally type their password in the username field in front of me countless times because they weren't even looking at the screen.

I don't see why I should worry about big brother FUD when I could embarrass myself any time by accidentally pressing caps lock instead of tab.

1 comments

Another thing I love about this discussion is the intimation ("big brother") that in order to get a picture of my screen, you have to be the NSA. And not, you know, some jackass with a camera.
Sure, sure, it could be both. It could be my girlfriend looking over my shoulder too. But of course, I don't use a stupidly easy password and I don't let my girlfriend see me typing it (2-finger typing style, of course). I mean who does that, right? </sarcasm> :)

I just find it interesting to observe the discrepancies between perception of security and actual math-backed security.

I don't use a stupidly easy password either, but I'm not going to give you the password hash from my laptop. That's what this scheme does.