5
Mitigating attacks based on knowing the length of a Windows Hello PIN - The Old New Thing (devblogs.microsoft.com)
submitted 7 months ago by Kissaki@programming.dev to c/security@programming.dev
1 comments fedilink hide all child comments

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

top 1 comments
sorted by: hot top controversial new old
[-] anton@lemmy.blahaj.zone 5 points 7 months ago

Knowing the length of a random pin/password is roughly as valuable as knowing one of the characters, if it's a concern just make it two longer and you have just improved security.

I don't know how that applies to non-random pins/password.

this post was submitted on 28 Feb 2024
5 points (100.0% liked)

Security

522 readers
2 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
LinearArray@programming.dev