touch-packages team mailing list archive

Thread
Date

[Bug 1363214] Re: [System Settings] [design] allow Passcodes of variable length instead of just 4 digits

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Antti Kaijanmäki <antti.kaijanmaki@xxxxxxxxxxxxx>
Date: Fri, 10 Oct 2014 11:01:50 -0000
Reply-to: Bug 1363214 <1363214@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

updated PIN -> Passcode

** Summary changed:

- [System Settings] [design] allow PINs of variable length instead of just 4 digits
+ [System Settings] [design] allow Passcodes of variable length instead of just 4 digits

** Description changed:

- Currently when setting a PIN on the device, it must be 4 digits. This is
- artificially limiting. Other platforms (eg Android) allow longer PINs.
- It has always been my understanding that we should support Swipe,
- Passphrase and PIN where Passphrase and PIN can be arbitrarily long.
+ Currently when setting a Passcode on the device, it must be 4 digits.
+ This is artificially limiting. Other platforms (eg Android) allow longer
+ Passcodes. It has always been my understanding that we should support
+ Swipe, Passphrase and Passcode where Passphrase and Passcode can be
+ arbitrarily long.
  
- However, once longer PINs are supported, we will have to add an Enter
- key. Right now, the lockscreen checks the PIN once 4 digits are added so
- that you don't have to press Enter. I guess this was done for usability,
- but would be a security issue because an attacker can easily determine
- the PIN length, which makes it easier to for an attacker to guess the
- PIN. Eg, if I have a 5 digit PIN set, then an attacker need only type
- '11111' and know that the PIN is only five characters. Now, a PIN isn't
- strong to begin with and an automated attack could rather quickly brute
- force PINs, but we shouldn't make it easier for someone manually trying
- to guess the PIN.
+ However, once longer Passcodes are supported, we will have to add an
+ Enter key. Right now, the lockscreen checks the Passcode once 4 digits
+ are added so that you don't have to press Enter. I guess this was done
+ for usability, but would be a security issue because an attacker can
+ easily determine the Passcode length, which makes it easier to for an
+ attacker to guess the Passcode. Eg, if I have a 5 digit Passcode set,
+ then an attacker need only type '11111' and know that the Passcode is
+ only five characters. Now, a Passcode isn't strong to begin with and an
+ automated attack could rather quickly brute force Passcodes, but we
+ shouldn't make it easier for someone manually trying to guess the
+ Passcode.
  
  The passphrase lockscreen prompt correctly allows variable length
  passphrases and requires you to press Enter.
  
  I suggest moving the 'X' up t the left of '0' and an Enter symbol to the
  rigth of '0'.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity8 in Ubuntu.
https://bugs.launchpad.net/bugs/1363214

Title:
  [System Settings] [design] allow Passcodes of variable length instead
  of just 4 digits

Status in Ubuntu UX bugs:
  Triaged
Status in “ubuntu-system-settings” package in Ubuntu:
  Confirmed
Status in “unity8” package in Ubuntu:
  New

Bug description:
  Currently when setting a Passcode on the device, it must be 4 digits.
  This is artificially limiting. Other platforms (eg Android) allow
  longer Passcodes. It has always been my understanding that we should
  support Swipe, Passphrase and Passcode where Passphrase and Passcode
  can be arbitrarily long.

  However, once longer Passcodes are supported, we will have to add an
  Enter key. Right now, the lockscreen checks the Passcode once 4 digits
  are added so that you don't have to press Enter. I guess this was done
  for usability, but would be a security issue because an attacker can
  easily determine the Passcode length, which makes it easier to for an
  attacker to guess the Passcode. Eg, if I have a 5 digit Passcode set,
  then an attacker need only type '11111' and know that the Passcode is
  only five characters. Now, a Passcode isn't strong to begin with and
  an automated attack could rather quickly brute force Passcodes, but we
  shouldn't make it easier for someone manually trying to guess the
  Passcode.

  The passphrase lockscreen prompt correctly allows variable length
  passphrases and requires you to press Enter.

  I suggest moving the 'X' up t the left of '0' and an Enter symbol to
  the rigth of '0'.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-ux/+bug/1363214/+subscriptions

References

[Bug 1363214] [NEW] require 'Enter' key when entering PIN
From: Jamie Strandboge, 2014-08-29