[Cryptography] Order of username and password entry

Jerry Leichter leichter at lrw.com
Mon Apr 5 19:27:17 EDT 2021


> One suggestion is to keep a space in the password; this would prevent it reaching the other end in the username. You can consider a loss of one character followed by a space; at worst, you will lose one char of your password.
I'm not sure what systems do that.  None I log into regularly stop at the space.  Why should they?

> Two thoughts:
> 1. Passwords are generally insecure, so enforce MFA, 2FA, SSO where possible.
MFA/2FA just add another factor - and a troublesome one at that.  The most broadly adopted standard is to use text messages - which we now know are very insecure.  There is simply no even-close-to-universally-accepted alternative.  And you still need the password, and still need to keep it secure - it's one of your factors!

SSO just means you have one really high-value username/password to enter somewhere, and outside of business contexts means you have to place your *complete* trust in Apple, Facebook, or Google - not that any of them provide universally accepted alternatives either.

We're still a long way from eliminating passwords and the problem of how to make them as effective as possible remains.

Personally, I don't think we'll eliminate passwords until we have a solution that solves what I call the "bathrobe problem":  You get up early, get on the computer while still in your bathrobe - and have to log in to various sites.  Your key fob?  Your cell phone?  Back in the bedroom.  You don't want to disturb your sleeping spouse to get it....

> 2. Use a passphrase (with space) as a password, this can prevent an accidental copy paste from reaching the other end.
Eh?  If, indeed, it doesn't "reach the other end" - how is it useful as a passphrase?

                                                        -- Jerry
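An added example, not part of Jerry's message or of the original thread, illustrating the point at issue: whether a space in a password keeps it from "reaching the other end" when it is mistyped into the username box. With an ordinary HTML form POST it does not, because the browser encodes the space as "+" (or "%20") and the server's form decoder turns it straight back into a space without truncating the field. The request body, the field names and the two log formats below are constructed for this example and assume nothing about any particular site; the keyed-digest logging is an assumed mitigation, not something the poster proposed.

```python
"""Does a space in a password stop it from reaching the server when it is
typed into the username field by mistake?  Constructed demonstration."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed request body: the passphrase landed in the username box and the
# password box was left empty.  urlencode() encodes spaces as "+", exactly as
# a browser does for application/x-www-form-urlencoded.
MISTYPED_BODY = urlencode({"username": "correct horse battery staple",
                           "password": ""})
# -> "username=correct+horse+battery+staple&password="

# Assumed server-side secret used only to key the log digest; in a real
# deployment it would come from configuration, not source.
LOG_KEY = b"assumed-server-side-log-key"


def parse_login_form(body: str) -> dict:
    """Decode a form-encoded login body the way a typical web framework does.
    Both '+' and '%20' become a space, and the field is NOT cut at the space."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def naive_failed_login_log(body: str) -> str:
    """What many servers write on a failed login: the raw username field.
    If that field actually holds the password, the whole passphrase, spaces
    included, is written to disk."""
    form = parse_login_form(body)
    return f"failed login for user={form['username']!r}"


def redacted_failed_login_log(body: str) -> str:
    """Assumed safer alternative: log a keyed, truncated digest of the
    username so operators can still correlate repeated failures per account
    without recording a string that might be someone's password.  The key
    keeps an attacker who reads the logs from guessing usernames offline."""
    form = parse_login_form(body)
    digest = hmac.new(LOG_KEY, form["username"].encode(), hashlib.sha256)
    return f"failed login for user-digest={digest.hexdigest()[:12]}"


if __name__ == "__main__":
    print(parse_login_form(MISTYPED_BODY))
    print(naive_failed_login_log(MISTYPED_BODY))
    print(redacted_failed_login_log(MISTYPED_BODY))
```

Running it shows the full passphrase in the decoded username field and in the naive log line, and only an opaque digest in the redacted one; the space bought nothing, which is the behaviour Jerry describes.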


