I'm not thick. I know it doesn't sound like much of a boast, but I'm pretty competent at this whole adulting lark. But it appeared that I had forgotten a 4 digit number I'd set up less than a minute ago! The security guard smiled wearily at me, "It happens to everyone!" She said. Which, [...]
A little rant for this Saturday about a stupid usability problem which will never get fixed.
Typing in my computer password is pretty much just muscle memory at this point than consciously remembering the password (yes, I should probably be rotating the password). Part of me thinks that some usecases of passwords or pins could be replaced with “pass-gestures,” like pattern unlock on phones.
For my local computer password, it will likely be the same pattern until I die. For Internet services I just use a password manager. Local accounts don’t seem like a major attack vector as they once were. Maybe I’m wrong about that though.
The biggest potential issue is if your local password can be used to login remotely.
I am definitely coming to the conclusion that in the long run, we’re going to end up using something that looks a fair bit like Webauthn / Passkeys for most things that care about security, with something as additional local authentication.
There are technical reasons why passwords / passphrases are useful, but there is a lot of research that shows just how horrible they are both from a security perspective and from a usability perspective.
Biometrics are… Convenient, but only useful in low security applications*, and are almost impossible to use for things like unlocking your phone after it reboots**.
A separate physical object would work really well in some cases, like a desktop computer, but it wouldn’t work at all for something like your cell phone. Or even a laptop. The object would be stolen along with the device it secures.
I’m really not sure what the long term answer even looks like, but I do hope that it’s not passwords or the like.
*: You can’t easily change any of your biometrics, but you can most definitely capture someone’s biometrics, and then duplicate them to gain access to something. It wouldn’t be practical to do this every single day, but just to gain access to something once or twice? Easy enough.
**: The short version: Your PIN / Passphrase / Password / Pattern get fed into a hashing function of some sort, like PBKDF2, which eventually spits out something that can be used to decrypt the key used to encrypt all the data on the device. But this requires a static value, and biometrics are all about fuzzy matches to other patterns.
Yeah, typically with local passwords they can only be used to log in remotely if you specifically enable those services. In those cases, I consider it not to be a local password anymore, since it’s not just local to your machine.
Something I’ve always found funny is the fact that there’s a big chunk of people who have only ever encountered a scramble-pad for typing their bank PIN in Runescape
I’ve encountered this in two places. One was way back in the day on Runescape where they shuffled the keys after every press. The other was much more recently with a bank that had them shuffled randomly on page load, but not moving between key presses. Annoyingly, this bank allowed only logging on to their web service via a 4-digit PIN—not any sort of real password/passphrase.
maybe it’s time to switch bank?? This is something I feel really bad with NA banks, in my home country Taiwan, we had 12 digits pins in 2007 before I immigrate to Canada. Now it’s 2023 and most banks debit pin is still fucking 4 digits. (good thing the online banking allows longer passphrases in recent years now. ) I don’t carry debit cards unless I need to get some cash, otherwise the phone wallet app is the way to go.
I actually have switched banks, though not because of this. I was with the bank in question for a long time because they had a really excellent value proposition in terms of very high savings interest rates and not having charges for things like international transactions. Plus, legally I’m pretty sure the bank is liable for any money I might lose because of being hacked, not me.
This was in Australia, not NA, for what it’s worth.
So if all this work was done to determine that the phone layout is simply better than the calculator layout… why the fuck are we still using the calculator layout on anything?
And screw you OP for bringing this up. Now I want to remap my 10-key to phone layout to see if that’s “better”… I already had important stuff to do this weekend that I’m totally going to ignore now because this irrationally bothers me that I didn’t realize this before.
There are multiple secured doors at my workplace I have access to, and they all have a little sticker next to the keypad showing a telephone style keypad with the letters. Those are there to remind you of what numbers to press for the four letter word you chose to represent your PIN. When I’m in the security office and choosing a new PIN, because the keyboard numpad is different, I’ll ask the person to turn their desk phone around so I can see the numbers to choose my PIN.
In the era of “smart” phones and saved phone numbers (not to mention contactless payments) I use calculators much more than I dial telephone numbers. I think the calculator layout is very much the standard.
I can type rather fast on a 10 key. Back in the day, I would have to run a tape on the hundreds of checks I would get every day. I don’t miss checks at all.
I do get frustrated with the telephone style keypad. I’ve always wondered why it wasn’t the same as a calculator 10 key pad.
My pin is also a pattern, recently I paid at a restaurant, and they had a card unit with a touch screen, I suppose for fingerprint reasons; the numbers on the pad were randomised… took me quite a while to remember what my pin number was in tge end
Don’t come to Korea.
Every banking transaction requires you to punch in your PIN at least twice with a randomized numpad.
Well actually it’s a 4x3 numpad with 2 spaces randomly inserted into it.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !technology@beehaw.org
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Typing in my computer password is pretty much just muscle memory at this point than consciously remembering the password (yes, I should probably be rotating the password). Part of me thinks that some usecases of passwords or pins could be replaced with “pass-gestures,” like pattern unlock on phones.
For my local computer password, it will likely be the same pattern until I die. For Internet services I just use a password manager. Local accounts don’t seem like a major attack vector as they once were. Maybe I’m wrong about that though.
The biggest potential issue is if your local password can be used to login remotely.
I am definitely coming to the conclusion that in the long run, we’re going to end up using something that looks a fair bit like Webauthn / Passkeys for most things that care about security, with something as additional local authentication.
There are technical reasons why passwords / passphrases are useful, but there is a lot of research that shows just how horrible they are both from a security perspective and from a usability perspective.
Biometrics are… Convenient, but only useful in low security applications*, and are almost impossible to use for things like unlocking your phone after it reboots**.
A separate physical object would work really well in some cases, like a desktop computer, but it wouldn’t work at all for something like your cell phone. Or even a laptop. The object would be stolen along with the device it secures.
I’m really not sure what the long term answer even looks like, but I do hope that it’s not passwords or the like.
*: You can’t easily change any of your biometrics, but you can most definitely capture someone’s biometrics, and then duplicate them to gain access to something. It wouldn’t be practical to do this every single day, but just to gain access to something once or twice? Easy enough.
**: The short version: Your PIN / Passphrase / Password / Pattern get fed into a hashing function of some sort, like PBKDF2, which eventually spits out something that can be used to decrypt the key used to encrypt all the data on the device. But this requires a static value, and biometrics are all about fuzzy matches to other patterns.
Yeah, typically with local passwords they can only be used to log in remotely if you specifically enable those services. In those cases, I consider it not to be a local password anymore, since it’s not just local to your machine.
Wait until you see number pads that the numbers are shuffled after each use. Good thing it’s not common.
examples: https://www.youtube.com/watch?v=SoUe0VW7Fus
https://twitter.com/movito/status/1546020213895958532
Something I’ve always found funny is the fact that there’s a big chunk of people who have only ever encountered a scramble-pad for typing their bank PIN in Runescape
I’ve encountered this in two places. One was way back in the day on Runescape where they shuffled the keys after every press. The other was much more recently with a bank that had them shuffled randomly on page load, but not moving between key presses. Annoyingly, this bank allowed only logging on to their web service via a 4-digit PIN—not any sort of real password/passphrase.
maybe it’s time to switch bank?? This is something I feel really bad with NA banks, in my home country Taiwan, we had 12 digits pins in 2007 before I immigrate to Canada. Now it’s 2023 and most banks debit pin is still fucking 4 digits. (good thing the online banking allows longer passphrases in recent years now. ) I don’t carry debit cards unless I need to get some cash, otherwise the phone wallet app is the way to go.
I actually have switched banks, though not because of this. I was with the bank in question for a long time because they had a really excellent value proposition in terms of very high savings interest rates and not having charges for things like international transactions. Plus, legally I’m pretty sure the bank is liable for any money I might lose because of being hacked, not me.
This was in Australia, not NA, for what it’s worth.
So if all this work was done to determine that the phone layout is simply better than the calculator layout… why the fuck are we still using the calculator layout on anything?
And screw you OP for bringing this up. Now I want to remap my 10-key to phone layout to see if that’s “better”… I already had important stuff to do this weekend that I’m totally going to ignore now because this irrationally bothers me that I didn’t realize this before.
The Dvorak of numpads
Offtopic, but I really like the Atkinson Hyperlegible font and I’m glad to see it being used here!
Cheers! It is actually a very lightly customised version of Atkinson. See https://shkspr.mobi/blog/2022/08/an-update-to-the-atkinson-hyperlegible-font/
There are multiple secured doors at my workplace I have access to, and they all have a little sticker next to the keypad showing a telephone style keypad with the letters. Those are there to remind you of what numbers to press for the four letter word you chose to represent your PIN. When I’m in the security office and choosing a new PIN, because the keyboard numpad is different, I’ll ask the person to turn their desk phone around so I can see the numbers to choose my PIN.
In the era of “smart” phones and saved phone numbers (not to mention contactless payments) I use calculators much more than I dial telephone numbers. I think the calculator layout is very much the standard.
I can type rather fast on a 10 key. Back in the day, I would have to run a tape on the hundreds of checks I would get every day. I don’t miss checks at all. I do get frustrated with the telephone style keypad. I’ve always wondered why it wasn’t the same as a calculator 10 key pad.
I’m sure there’s an answer there, and i’d really like to know what it is.
My pin is also a pattern, recently I paid at a restaurant, and they had a card unit with a touch screen, I suppose for fingerprint reasons; the numbers on the pad were randomised… took me quite a while to remember what my pin number was in tge end
Oooof! Yeah, I don’t think I could cope with that.
Don’t come to Korea. Every banking transaction requires you to punch in your PIN at least twice with a randomized numpad. Well actually it’s a 4x3 numpad with 2 spaces randomly inserted into it.
What?! That boggles my mind - and would probably break my brain.
Interesting, sometimes I have a black out when I’m paying for groceries and can’t simply remember the PIN due to the keypad difference
Is your profile a Pac-Man influenced flyers logo?
Yes it is! :)