insecure login


Giles Turnbull
 

Hi all,

has anybody else using a pin to log in to Windows found that the last digit of the 4 digit pin number gets announced? It does for me on one of my tablets and, when I switched my second tablet from password to pin today, that also does. I've been using both tablets at least a year, one is a Chuwi HI10 and the other is a Microsoft Surface Pro 4.

I'm using NVDA 17.3 on both tablets, and both are set to use NVDA settings on the login screen. This is with Windows 10, and has been doing this at least since two updates before the one I'm using (the Fall update I think, Version 1703 (OS Build 15063.726)).

The pin field shows circles or asterisks and, as I type my pin — let's use 1234 as an example, I type 1, 2, 3 (all silently), and then as I press 4 it auto submits and announces 4. By comparison, when I used a password it didn't auto submit and I had to either hit enter or tab to the submit button.

Given that a four digit pin has 10,000 possible combinations, anybody overhearing the last digit and wishing to crack the pin would only have 1,000 combinations to check, which seems a significant security issue!

Any advice appreciated :)

Giles
