this post was submitted on 28 Feb 2024
5 points (100.0% liked)

Security

673 readers
5 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
 

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 8 months ago

Knowing the length of a random pin/password is roughly as valuable as knowing one of the characters, if it's a concern just make it two longer and you have just improved security.

I don't know how that applies to non-random pins/password.