Made a more modern password field

@neilsardesai Weren't there some systems (I'm thinking Lotus Notes) where the masking for the password field was made of glyphs derived from the keys already pressed?

This was a sort of accessibility hint-- if you saw the *pattern* you were used to you know you didn't drop or double a keystroke, even if it didn't provide visibility for the raw data.

You could like sha256 the content of the field, then map the result onto a collection of emoji, for a similar effect.

@hakfoo Never seen that before but that sounds pretty fun!

@hakfoo @neilsardesai
I was hoping to find a sample of the animation, best I can find is this:

https://www.tenable.com/plugins/nnm/1305

Lotus Notes Password Hieroglyphics Information Disclosure

The remote host may give an attacker information useful for future attacks. (Nessus Network Monitor Plugin ID 1305)

@hakfoo I've been using Lotus Notes (actually now HCL Notes after some rebrandings) for work for nearly 25 years. Despite having used Notes 4.6 & 5.0, it's been so long that I can't remember their password field behaving that way. In more recent Notes versions, the password field produces a semi-random number of Xs for each password-character.
@neilsardesai
@hakfoo Just checked and I still have a Notes 5.0.13 installer on my home PC. Kinda scary!
@neilsardesai
@hakfoo @neilsardesai I remember this as well, but never quite understood the details. Which, I guess, was part of the idea: it wasn't necessary to understand it, it was easy to use intuitively. I also seem to remember that it didn't necessarily print one "*" for each typed letter, but "grouped" them in some way, so it wasn't even possible to "read" the length of the password purely from observing the password entry field.

@hakfoo @neilsardesai

Yep, this was very useful for spotting typos in a field you can't see the contents of.

It could be done securely but I would've bet there were problems with it.

@hakfoo @neilsardesai

As I recall, Lotus Notes just changed the password field output to a random number of asterisks after every key pressed, so the only way to guess a person's password length was to count each update, rather than counting the asterisks.

@hakfoo @neilsardesai Yes, it was Lotus Notes.

That said, that does leak information, since it updated for each keystroke. So I'm not sure it's particularly secure.

@loke @hakfoo @neilsardesai I mean if an attacker is allowed to observe your screen, a conventional password input field will leak the length of the password. Perhaps the Lotus Notes version would leak less information? I don't know; it's been so long since I saw that.
@kccqzy @hakfoo @neilsardesai it leaks more, if the attacker can remember the patterns. The pattern changes for each keypress, so if they later try to recreate it, they can find the password by finding the first character that generates the desired pattern, then move on to the next pattern until the password is revealed.
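
Added example, not part of any post in this thread: a Python sketch of the SHA-256-to-emoji mask suggested above. It measures the per-keystroke leak described in the last reply and compares the same mask keyed with a per-device secret. The glyph palette, character set, sample password and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed 16-glyph palette (assumption; any fixed symbol set works).
GLYPHS = list("🍎🚲🎈🐢🌙⚓🎲🔔🌵🎹🧊🪁🍋🚀🐙🧩")
ALPHABET = string.ascii_lowercase + string.digits  # assumed character set


def glyph_mask(text, key=None, width=8):
    """Mask shown for the current field content: `width` glyphs taken from
    SHA-256(text), or from HMAC-SHA-256(key, text) when a key is given."""
    data = text.encode("utf-8")
    if key is None:
        digest = hashlib.sha256(data).digest()
    else:
        digest = hmac.new(key, data, hashlib.sha256).digest()
    return "".join(GLYPHS[b % len(GLYPHS)] for b in digest[:width])


def masks_per_keystroke(password, key=None):
    """The sequence of masks the screen shows while `password` is typed."""
    return [glyph_mask(password[:i], key) for i in range(1, len(password) + 1)]


def replay_cost(masks, key=None):
    """Rebuild the typed text from recorded masks, one keystroke at a time.
    Returns (text or None, number of hashes computed)."""
    prefix, hashes = "", 0
    for mask in masks:
        for ch in ALPHABET:
            hashes += 1
            if glyph_mask(prefix + ch, key) == mask:
                prefix += ch
                break
        else:
            return None, hashes  # no character reproduces this mask
    return prefix, hashes


SAMPLE = "hunter2x"  # constructed sample password
# Unkeyed: work grows as len(ALPHABET) * length, not len(ALPHABET) ** length.
unkeyed = replay_cost(masks_per_keystroke(SAMPLE))
# Keyed with an assumed per-device secret: replay without the key fails.
device_key = secrets.token_bytes(32)
keyed = replay_cost(masks_per_keystroke(SAMPLE, device_key))
print(unkeyed, keyed, len(ALPHABET) ** len(SAMPLE))
```

A stable per-device key keeps the typo hint, since the user still sees the same pattern every time, while an observer without the key cannot recompute the masks offline.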
@neilsardesai I just wish we could use emojis in passwords, it would probably make them harder to guess when the people that are bad at them just write: Pa🦨 🦨 w⭕rd🔢
@Kals_Els @neilsardesai 1️⃣2️⃣3️⃣4️⃣5️⃣6️⃣
@neilsardesai I heard this is what gets you VC funding :D

@neilsardesai @nikitonsky

I want to see the dialog where you pick the password in the first place and it offers commentary in the form of a row of one of these:
😮😮😮😮😮😮😮😮

😆😆😆😆😆😆😆😆

🤔🤔🤔🤔🤔🤔🤔🤔

😖😖😖😖😖😖😖😖

😱😱😱😱😱😱😱😱

🤡🤡🤡🤡🤡🤡🤡🤡

@neilsardesai @kalleboo on a New Password field you could use the emoji to communicate the strength of the password; 💩 for not very strong
@neilsardesai I'm from the era when a teletype would back up over your password and type MMMMM WWWWW XXXXX over it to block it out. Of course the passwords themselves should allow emoji, spaces and unprintable characters like good ol' BEL (0x07), and have no maximum length constraint.
@neilsardesai doesn't show up after clicking next, not modern enough
@neilsardesai that’s genuinely ace!

@neilsardesai Brilliant and cute idea but pls don't if it'll require JavaScript. Or at least please PLEASE ensure it will fall back to a generic password entry field until the fancy js loads. I'll explain why.

Gitlab devs didn't do that, and once I spoiled my password to the public by typing it blindly as I used to, not realizing that:
* there is creepy js behind it which will mark this field as a password entry field (until it is here, the field is a normal text one), and
* that creepy js loads awfully slow on our corporate instance
And their password entry field is not even a "fancy" one.
That resulted in me changing that damned password asap; in corporate it can take hours of work to reinitialize all your automatically expired api tokens.

It's all fun and flowers until it betrays your expectations by breaking a well-known contract.