Subject: Re: Insecure Password?
To: Feico Dillema <dillema@huygens.org>
From: Herb Peyerl <hpeyerl@beer.org>
List: netbsd-help
Date: 07/10/1998 05:20:11

Feico Dillema <dillema@acm.org> wrote:
> Summary: While I thought I typed four digits, I produced 8 control characters
> instead, leaving the rest of the password characters as insignificant.
>
> Opinion: I think this should be regarded as a security bug, although minor.
> The usefulness of allowing control characters seems rather limited to me,
> as these are often difficult to reproduce on different
> systems/keyboards/configurations. I think the `passwd' command should
> therefore not allow the use of control characters in password and give an
> error or at least a warning about it, as what the system actually does and
> what the user thinks it does may be different. The other reason would be that
> such a password is rather weak, it has about the strength of a four digit
> password where an 8 digit is expected.

Hmmm. Are there issues for international keyboards here?

Besides, I've always thought that passwds typed on a numeric keypad were
especially vulnerable to shoulder-surfing anyway...

H.
--> Get your official NetBSD-1.3.2 CDROM set today! http://www.netbsd.com <--
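
The check proposed in the quoted message, sketched as an added example; it is not part of the original thread and is not NetBSD's passwd code. It assumes the 8-character significance limit of traditional DES crypt(3); the names pw_check and pw_report are hypothetical, the keypad byte sequence is constructed, and 8-bit characters from international keyboards are deliberately not flagged.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: traditional DES crypt(3) hashes only the first 8 characters. */
#define SIGNIFICANT_LEN 8
#define PW_HAS_CTRL  0x1  /* control byte inside the significant prefix */
#define PW_TRUNCATED 0x2  /* characters typed beyond the prefix are ignored */

struct pw_report {
    size_t significant;  /* bytes that actually reach the hash */
    size_t ignored;      /* bytes typed but not hashed */
    size_t ctrl;         /* control bytes among the significant ones */
};

/* ASCII control range only (0x00-0x1f, 0x7f); bytes >= 0x80, as produced
 * by international keyboards, are not treated as control characters. */
static int is_ascii_ctrl(unsigned char c)
{
    return c < 0x20 || c == 0x7f;
}

/* Hypothetical helper: inspect a new password before accepting it, so the
 * caller can warn or refuse. Returns a bitmask of PW_* flags. */
int pw_check(const char *pw, struct pw_report *r)
{
    size_t len = strlen(pw), i;
    int flags = 0;
    r->significant = len < SIGNIFICANT_LEN ? len : SIGNIFICANT_LEN;
    r->ignored = len - r->significant;
    r->ctrl = 0;
    for (i = 0; i < r->significant; i++)
        if (is_ascii_ctrl((unsigned char)pw[i]))
            r->ctrl++;
    if (r->ctrl > 0)
        flags |= PW_HAS_CTRL;
    if (r->ignored > 0)
        flags |= PW_TRUNCATED;
    return flags;
}

int main(void)
{
    /* Constructed input: four keypad keys sent as ESC O <c>, then text. */
    const char *pw = "\033Oq\033Or\033Os\033Otsecret";
    struct pw_report r;
    int flags = pw_check(pw, &r);
    printf("flags=%d significant=%zu ignored=%zu ctrl=%zu\n", flags, r.significant, r.ignored, r.ctrl);
    return 0;
}
```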