insecure login


Giles Turnbull
 

Hi all,

has anybody else using a pin to login to Windows found that the last digit of the 4 digit pin number gets announced? It does for me on one of my tablets and, when I switched my second tablet from password to pin today, that also does. I've been using both tablets at least a year, one is a Chuwi HI10 and the other is a Microsoft Surface Pro 4.

I'm using NVDA 17.3 on both tablets, and both are set to use NVDA settings on the login screen. This is with Windows 10, and has been doing this at least since two updates before the one I'm using (the Fall update I think, Version 1703 (OS Build 15063.726))

The pin field shows circles or asterisks and, as I type my pin — let's use 1234 as an example, I type 1, 2, 3 (all silently), and then as I press 4 it auto submits and announces 4. By comparison, when I used a password it didn't auto submit and I had to either hit enter or tab to the submit button.

Given that a four digit pin has 10,000 possible combinations, anybody overhearing the last digit and wishing to crack the pin would only have 1,000 combinations to check, which seems a significant security issue!

Any advice appreciated :)

Giles


Sarah k Alawami
 

No, never heard of, or had the issue. I guess keep an eye on it?

Take care

On Nov 22, 2017, at 11:29 AM, Giles Turnbull <giles.turnbull@...> wrote:

Hi all,

has anybody else using a pin to login to Windows found that the last digit of the 4 digit pin number gets announced? It does for me on one of my tablets and, when I switched my second tablet from password to pin today, that also does. I've been using both tablets at least a year, one is a Chuwi HI10 and the other is a Microsoft Surface Pro 4.

I'm using NVDA 17.3 on both tablets, and both are set to use NVDA settings on the login screen. This is with Windows 10, and has been doing this at least since two updates before the one I'm using (the Fall update I think, Version 1703 (OS Build 15063.726))

The pin field shows circles or asterisks and, as I type my pin — let's use 1234 as an example, I type 1, 2, 3 (all silently), and then as I press 4 it auto submits and announces 4. By comparison, when I used a password it didn't auto submit and I had to either hit enter or tab to the submit button.

Given that a four digit pin has 10,000 possible combinations, anybody overhearing the last digit and wishing to crack the pin would only have 1,000 combinations to check, which seems a significant security issue!

Any advice appreciated :)

Giles


Chris
 

Yes, always done it

 

From: Giles Turnbull
Sent: 22 November 2017 19:29
To: nvda@nvda.groups.io
Subject: [nvda] insecure login

 


 


Quentin Christensen
 

I can replicate this using 2017.4rc1 on Fall Creators update.  I've added an issue to our issue tracker at: https://github.com/nvaccess/nvda/issues/7792

Feel free to subscribe to that for updates, or comment if you have additional information that I missed.

Regards

Quentin.





--
Quentin Christensen
Training and Support Manager



Giles Turnbull
 

Thanks for submitting that as an issue, Quentin :)