[Cryptography] New SSL/TLS certs to each live no longer than 47 days by 2029
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Apr 18 09:46:40 EDT 2025
Kent Borg <kentborg at borg.org> writes:

>I also saw Schneier once say that there is no need for password bullet
>characters because shoulder-surfing is no longer a big problem. Except it is
>*because* of obscured password typing that shoulder-surfing is no longer such
>a problem.

And it's entirely because I wear leopard-proof underwear that I've never been
attacked by a leopard out in the street (although I did see one eating
someone's face once).

Arguably, blanking passwords actually makes things worse because you never get
to see the password you're typing, leading to both problems in memorising
passwords that you never see and ease of exploitation by attackers when people
mistype their passwords, don't realise it, and instead try various other
passwords on the assumption that they've entered the wrong one for the site
(both of those are from password studies, and there's several more problems
that are created through password blanking). The real reason why they're
blanked is because it was done that way on ASR-33s more than half a century
ago and is now a required part of the login ceremony, along with getting three
guesses at your password which is something I've never been able to find the
origin of.

Peter.