[Cryptography] Order of username and password entry

Jerry Leichter leichter at lrw.com
Mon Apr 5 18:04:42 EDT 2021


> It's often the case for me that I paste both [username and password] into the slots. When I did not have a fixed order, about once or twice a year I would paste the password into the username slot, whence it would be displayed in the clear....
If someone is looking over your shoulder, you should not be entering your password - after all, it was visible in the clear wherever you copied it from!

In most cases, you can easily clear the information off the screen.  It was harder back in the days of teletypes where what you typed was on a piece of paper.... :-)

Proper design - for as long as people have talked about proper design for username/password handling - is to *never* log a failed username anywhere, exactly because this kind of inversion is a very common failure mode.

> To avoid this, I now have a rule: always enter the username first, then the password. If you put the un into the pwd slot, the non-displaying will alert you.
> 
> That's fine, but... Now the password is left in the copy/paste buffer, and can pop out when you are not expecting it. This is the lesser of the two evils. I have another rule: over-write the copy/paste buffer right after doing the password.
On a Mac it's possible to write programs to record what goes into the copy/paste buffer, and there are many useful versions out there that let you go back and grab old entries.  There was also a bug - recently fixed - that, in some circumstances, allowed apps on your iPhone to grab the contents of the paste buffer.  (It's still possible to do this - in fact, it's a feature of the integration between different Mac/iOS systems - but you're now informed when it happens.)

So ... I personally try to avoid copying passwords.  Rather, I drag and drop them into the password field - an operation that doesn't put them in the paste buffer.  (Whether there is some other way for a program to grab them, I don't know - but it's certainly not something I've seen done.)

I can't speak to Windows, or to any of the variety of Unix desktops out there, which don't necessarily all behave the same way.

                                                        -- Jerry
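An added example, not part of this thread or its authors' code, of the design point above: a login audit routine that never writes the submitted username to the log on failure, so a password pasted into the username slot (the inversion described here) cannot leak through the log. The in-memory user store, salt and log pepper are constructed for the demonstration.

```python
import hmac
import hashlib


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted password hash for the constructed user store (PBKDF2, assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"
# Constructed in-memory store: username -> salted password hash.
USERS = {"alice": _pw_hash("correct horse battery staple", SALT)}
# Dummy hash so an unknown username costs the same work as a known one.
DUMMY_HASH = _pw_hash("dummy", SALT)
# Secret used only to derive a log correlation token; never stored with the logs.
LOG_PEPPER = b"constructed-log-pepper"


def correlation_token(submitted_username: str) -> str:
    """Keyed hash of whatever landed in the username field.

    Operators can still count repeated failures for the same string without the
    string itself ever being written out, so a password typed into the username
    slot by mistake does not appear in the log.
    """
    return hmac.new(LOG_PEPPER, submitted_username.encode(), hashlib.sha256).hexdigest()[:16]


def audit_record(submitted_username: str, password: str) -> dict:
    """Verify the submission and return the record that would be logged."""
    known = submitted_username in USERS
    stored = USERS.get(submitted_username, DUMMY_HASH)
    ok = hmac.compare_digest(stored, _pw_hash(password, SALT)) and known
    record = {"event": "login_success" if ok else "login_failure", "user_known": known}
    if ok:
        # Only a username that was actually verified is written in the clear.
        record["username"] = submitted_username
    else:
        # Any failure, wrong password or swapped fields alike, gets the token only.
        record["token"] = correlation_token(submitted_username)
    return record
```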
