Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

  • anton
    link
    fedilink
    English
    arrow-up
    5
    ·
    9 months ago

    Knowing the length of a random pin/password is roughly as valuable as knowing one of the characters, if it’s a concern just make it two longer and you have just improved security.

    I don’t know how that applies to non-random pins/password.