This seems to be begging for a DIY project, doesn't it?
A 3d printed case, a little SoC, perhaps a Raspberry Pi Zero, as the brains with asterisk and some additional open source software providing a web interface running on it.
I went the DIY route (you can find the details as a parent comment). But, I had good luck with voip.ms as a SIP provider. It is inexpensive at $1.10/month for the phone number and $0.008/min for calling. And it has a pretty good history of user forums, wiki, etc. for debugging hints with various hardware.
Idea:
If you have a vertical fridge on your countertop and you change the door so that it slides down and the cold air stays inside the part of the fridge still closed by the door, you could sort the things in your fridge by frequency of accessing them.
The door of a fridge is usually used for a lot of frequently used items. Eggs, milk, butter, and what have you. You would have to address losing that in terms of convenience and storage space.
For exactly the same reason: space is scarce but power even more. Power can also become unavailable in a degraded situation much more often than on land. Therefore, it is a better design choice to have a chest freezer.
In a city apartment where floor space is scarce, convenience is a key feature and power costs next to nothing, it is a less obvious choice.
Why not just display a single character out of a changing set of characters such as
/ - \ |
(starting with a random one from the set) after every character entered?
That way you can be certain whether or not you entered a character, but an observer can't tell how many characters your password has.
There was a software package a couple decades ago, I want to say it was Lotus Notes but I'm pretty sure it wasn't actually Lotus Notes but something of that ilk, that would show a small, random number of asterisks corresponding to each character entered. So you'd hit one key and maybe two asterisks would show up on screen. And kept track of them so if you deleted a character, it'd remove two.
I thought that was kinda clever; it gives you feedback when your keystrokes are recognized, but it's just enough confusion to keep a shoulder surfer from easily being able to tell the length of your password unless you're hunt-and-pecking every single letter.
Yup, it was Notes, I used it at IBM. It was an unbelievably stupid idea. Every single day people were asking why their password was wrong because they were confused by the line of stars being too long.
Yeah, I remember Lotus Notes both showing multiple filler characters per keystroke and showing different keychain pictures based on the hash of what you typed. This way you could also tell you've made a typo before submitting it.
If the hash changes after every character, doesn't that make it possible for someone to determine your password one character at a time if they know what each hash was?
I'm guessing that wasn't in the threat model at the time.
Hmm. Let's say you have 64 possible characters you can use in a password and four different images. You look over someone's shoulder and see that they go "RGBYYBRYG".
What this means is that you can now reduce your search space to approximately 16^9 passwords instead of 64^9 passwords. Which is probably very helpful if you have stolen the password hash, but not if you have to guess it by entering the password manually.
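The narrowing described in the two comments above, as an added example that is not from the thread: it models a prompt whose picture after each keystroke depends on a hash of everything typed so far (an assumption for illustration, not Notes' actual scheme), replays what a shoulder surfer would see, and counts how many candidate strings stay consistent with the observed picture sequence. With 64 characters and 4 pictures each keystroke keeps roughly a quarter of the candidates, which is where the 16^9 figure comes from; the function also takes other picture counts, such as the 256 values of a two-hex-digit display.

```python
import hashlib
import math
import string

# Constructed model: 64-character alphabet, 4 pictures (think R, G, B, Y).
# Picture selection by SHA-256 of the typed prefix is an assumption made here.
ALPHABET = string.ascii_letters + string.digits + "+/"   # 64 characters
N_IMAGES = 4


def picture(prefix: str, n_images: int = N_IMAGES) -> int:
    """Index of the picture shown once `prefix` has been typed."""
    digest = hashlib.sha256(prefix.encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_images


def observed_sequence(password: str, n_images: int = N_IMAGES) -> list[int]:
    """What an observer sees over the shoulder: one picture per keystroke."""
    return [picture(password[:i], n_images) for i in range(1, len(password) + 1)]


def consistent_candidates(seq, alphabet=ALPHABET, n_images=N_IMAGES):
    """All strings over `alphabet` whose keystroke-by-keystroke pictures equal `seq`.

    Each observed picture keeps only ~1/n_images of the one-character
    extensions, so the survivor count is about (len(alphabet)/n_images)**len(seq).
    Exhaustive, so keep `seq` short (3 or 4 keystrokes) when running it.
    """
    prefixes = [""]
    for img in seq:
        prefixes = [p + c for p in prefixes for c in alphabet
                    if picture(p + c, n_images) == img]
    return prefixes


def estimated_search_space(alphabet_size: int, n_images: int, length: int) -> float:
    """Analytic estimate matching the comment: (64/4)**9 = 16**9 for the example."""
    return (alphabet_size / n_images) ** length


def bits_leaked(n_images: int, length: int) -> float:
    """Entropy given away by the picture sequence, assuming pictures are uniform."""
    return length * math.log2(n_images)


if __name__ == "__main__":
    seq = observed_sequence("abc")
    survivors = consistent_candidates(seq)
    print(f"pictures seen: {seq}")
    print(f"{len(survivors)} of {64 ** 3} 3-character strings remain consistent "
          f"(expected about {16 ** 3})")
    print(f"9-character search space: {64 ** 9} -> about "
          f"{estimated_search_space(64, 4, 9):.0f}, "
          f"{bits_leaked(4, 9):.0f} bits leaked")
    print(f"two hex digits per keystroke would leak {bits_leaked(256, 9):.0f} bits")
```

The survivor count is only useful to someone who can test candidates offline against a stolen hash, which is the point the comment makes: an online attacker limited to typing guesses gains little from the 16^9 reduction.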
Makes sense. I was under the impression there were more than 4 outputs based on what you entered. (I've seen a similar setup that shows two hex digits)
Oh you mean like every time you type a password, it steps a spinner round? That solves the problem that IBM used to use for Notes where it showed "the wrong number of stars" which confused the hell out of users.
Sorta reminds me of the i3lock screen locker. It shows an incredibly confusing circle UI where every keystroke randomizes the position of the sector on a circle, with no explanatory text on the screen (^1). To new users, it's not clear at all that you are entering your user password or even that it's a screen locker at all, because it just looks like a cryptic puzzle.
Of course, once you do understand that it's just a password prompt, it's great. Completely confuses the hell out of any shoulder surfers, who will for sure think it's a confusing puzzle, and eventually they will get rate limited.
Now that you mention i3lock, if sudo showed a symbol changing with each keystroke, it could show it's working (not frozen, accepting input) without revealing the length, similarly to i3lock. I've seen ASCII loading spinners from package managers by changing between slashes and hyphens and such. Something of that sort would probably do the trick.
ATM keypads are very carefully designed so that all the buttons sound exactly the same, so you can't lift a PIN by recording the sound.
I've seen this demonstrated, using "Cherry" type keyswitches, with about a 75% success rate.
I also knew an old guy who could tell what an ASR33 or Creed teleprinter was printing just by the sound, with "good enough" accuracy, and copy RTTY by ear with "good enough" accuracy.
He didn't really talk about his time in the Royal Signals in the 50s and 60s very much.
It's surprising to see an OS, dominant as a server platform, now optimizing catering to people who are unsure whether they've pressed a button on their keyboard. What's next, replacing asterisks with a progress bar?
There's no persistent reveal of password length after you're finished typing. It reduces the length-reveal leak from anyone who eventually sees the terminal log to people who are actively over-the-shoulder as you type it.
If you can see 1 char from a set of 4 you know the number of characters modulo 4. If the minimum length of a password is 6, and probably it is no longer than 12 characters, then you can narrow the length to 1 or 2 numbers. It is marginally better than asterisks of course, but it is still confusing.
They mean to have a static single character on the screen and have it change with every keypress. For example, you type "a" and it shows /. You type "b" and it shows "|", etc.
Unless of course your adversary can count. But if they can count they can also just count the number of keystrokes they hear, especially if you're recording it and they can spend time post processing the audio.
I don't like the whole idea because it is less secure to have a web browser instead of a standard client. Think what an attacker could do if they take control of the server.