[Cryptography] Order of username and password entry

Robin Wood robin at digi.ninja
Tue Apr 6 03:15:20 EDT 2021


On Mon, 5 Apr 2021, 22:50 Michael Nelson via cryptography, <cryptography at metzdowd.com> wrote:

> Thought you guys might like a breather from bits and bytes. This is low
> tech security, but not entirely trivial.
>
> When you have to enter a username/password pair for a site, which do you
> do first?
>
> It's often the case for me that I paste both into the slots. When I did
> not have a fixed order, about once or twice a year I would paste the
> password into the username slot, whence it would be displayed in the clear.
> Usually you catch it then, but if not, it may be submitted to the site.
> Yikes!
>
> To avoid this, I now have a rule: always enter the username first, then
> the password. If you put the un into the pwd slot, the non-displaying will
> alert you.
>
> That's fine, but... Now the password is left in the copy/paste buffer, and
> can pop out when you are not expecting it. This is the lesser of the two
> evils. I have another rule: over-write the copy/paste buffer right after
> doing the password.
>
> Unix kill-ring yanking, and the supposed new Windows ability to save
> multiple items to the clipboard can mean that it's a bit cumbersome to
> clear out the buffers.
>


I use KeePass, which uses the clipboard but clears it after a few seconds so
the password isn't left in there. I assume other password managers would
offer a similar service.

And for shoulder surfing, as long as your password is a long random string
(which you would assume is why you are pasting it), someone would have to
have a very good and quick memory to be able to memorize it before you
clear it.

Robin



> Sigh. Any reflections?
>
> Mike
>
>
>
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> https://www.metzdowd.com/mailman/listinfo/cryptography
>