this post was submitted on 28 Feb 2024
5 points (100.0% liked)

Security

633 readers
2 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
[email protected]
5
Mitigating attacks based on knowing the length of a Windows Hello PIN - The Old New Thing (devblogs.microsoft.com)
submitted 8 months ago by [email protected] to c/[email protected]
1 comments fedilink hide all child comments
 

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

top 1 comments
sorted by: hot top controversial new old
[–] [email protected] 5 points 8 months ago

Knowing the length of a random pin/password is roughly as valuable as knowing one of the characters, if it's a concern just make it two longer and you have just improved security.

I don't know how that applies to non-random pins/password.