this post was submitted on 28 Feb 2024
1 points (100.0% liked)

Security

469 readers
1 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
MODERATORS
[email protected]
1
Mitigating attacks based on knowing the length of a Windows Hello PIN - The Old New Thing (devblogs.microsoft.com)
submitted 1 year ago by [email protected] to c/[email protected]
0 comments fedilink hide all child comments
 

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here