Re: Mobile passwords

2015-11-11 Thread Preet Sangha
I don't know if this is relevant but I tend to use LastPass and it lets me
paste passwords into apps. But maybe this is only relevant for Android.
Anyway I'd make sure any app I write will not stop users using a tool like
that too.
On 11 Nov 2015 19:44, "Joseph Cooney"  wrote:

> If
> On 11 Nov 2015 3:59 PM, "Mark Hurd"  wrote:
>
>>
>> On 11 November 2015 at 16:05, mike smith  wrote:
>>
>>> Device entry of passwords is a nightmare.  If you multi-hit the virtual
>>> keyboard even slightly you get accented characters which of course do not
>>> work.  This is one time the ***  to represent a password field is
>>> infuriating.  Yes, I know it's wrong, now show it to me so I can see where
>>> it is wrong!  Some apps have a check box to display the password or not.
>>>  ++1 for these!
>>>
>>
>> The only mobile device I've used (that was smart enough to browse
>> anywhere that I cared how passwords are entered) is my Windows Phone, and
>> the default password UI there seems to show the last typed key just long
>> enough to note if it's wrong, due to fat or slow fingers.
>>
>> I assumed that would be the "obvious" compromise for the ** UI.
>>
>> > snip
>>
>>>
>>>
>>> --
>>> Meski
>>>
>>>  http://courteous.ly/aAOZcv
>>>
>>> "Going to Starbucks for coffee is like going to prison for sex. Sure,
>>> you'll get it, but it's going to be rough" - Adam Hills
>>>
>>
>> --
>> Regards,
>> Mark Hurd, B.Sc.(Ma.)(Hons.)
>>
>


Mobile passwords

2015-11-10 Thread Greg Keogh
Folks, I just got feedback from the first semi-live usage of an ASP.NET app
that has been designed for pleasant appearance on tablet devices. The first
users have iPads and ... *no one could sign in!*

It turns out they all have mixed case passwords and the iPad is rather
clumsy with case changing. Once the problem was explained to them it all
came good, but it gave us a hell of a fright.

So what do you do? Train people on how to live with the quirks of keyboards
on various brands and models of tablet devices? Use case insensitive
passwords? Are there mobile usage or coding conventions I'm not aware of on
this issue?

*Greg K*


Re: Mobile passwords

2015-11-10 Thread DotNet Dude
I like how some apps (banking in particular) map the login details to a 4
digit pin on the device. Gets rid of this problem.

On Wed, Nov 11, 2015 at 11:25 AM, Greg Keogh  wrote:

> Folks, I just got feedback from the first semi-live usage of an ASP.NET
> app that has been designed for pleasant appearance on tablet devices. The
> first users have iPads and ... *no one could sign in!*
>
> It turns out they all have mixed case passwords and the iPad is rather
> clumsy with case changing. Once the problem was explained to them it all
> came good, but it gave us a hell of a fright.
>
> So what do you do? Train people on how to live with the quirks of
> keyboards on various brands and models of tablet devices? Use case
> insensitive passwords? Are there mobile usage or coding conventions I'm not
> aware of on this issue?
>
> *Greg K*
>


Re: Mobile passwords

2015-11-10 Thread Mark Hurd
On 11 November 2015 at 16:05, mike smith  wrote:

> Device entry of passwords is a nightmare.  If you multi-hit the virtual
> keyboard even slightly you get accented characters which of course do not
> work.  This is one time the ***  to represent a password field is
> infuriating.  Yes, I know it's wrong, now show it to me so I can see where
> it is wrong!  Some apps have a check box to display the password or not.
>  ++1 for these!
>

The only mobile device I've used (that was smart enough to browse anywhere
that I cared how passwords are entered) is my Windows Phone, and the
default password UI there seems to show the last typed key just long enough
to note if it's wrong, due to fat or slow fingers.

I assumed that would be the "obvious" compromise for the ** UI.

> snip

>
>
> --
> Meski
>
>  http://courteous.ly/aAOZcv
>
> "Going to Starbucks for coffee is like going to prison for sex. Sure,
> you'll get it, but it's going to be rough" - Adam Hills
>

-- 
Regards,
Mark Hurd, B.Sc.(Ma.)(Hons.)


Re: Mobile passwords

2015-11-10 Thread Joseph Cooney
If
On 11 Nov 2015 3:59 PM, "Mark Hurd"  wrote:

>
> On 11 November 2015 at 16:05, mike smith  wrote:
>
>> Device entry of passwords is a nightmare.  If you multi-hit the virtual
>> keyboard even slightly you get accented characters which of course do not
>> work.  This is one time the ***  to represent a password field is
>> infuriating.  Yes, I know it's wrong, now show it to me so I can see where
>> it is wrong!  Some apps have a check box to display the password or not.
>>  ++1 for these!
>>
>
> The only mobile device I've used (that was smart enough to browse anywhere
> that I cared how passwords are entered) is my Windows Phone, and the
> default password UI there seems to show the last typed key just long enough
> to note if it's wrong, due to fat or slow fingers.
>
> I assumed that would be the "obvious" compromise for the ** UI.
>
> > snip
>
>>
>>
>> --
>> Meski
>>
>>  http://courteous.ly/aAOZcv
>>
>> "Going to Starbucks for coffee is like going to prison for sex. Sure,
>> you'll get it, but it's going to be rough" - Adam Hills
>>
>
> --
> Regards,
> Mark Hurd, B.Sc.(Ma.)(Hons.)
>


RE: Mobile passwords

2015-11-10 Thread Ken Schaefer
I think the PIN idea is good, as long as you’re able to tie it to some unique 
device hardware ID. Then you have a form of two-factor authentication 
(something you have + something you know). This does limit the end user to only 
being able to use their PIN with a single active/authorised device though.

Another alternative would be to use one-time pad or token (e.g. SMS a unique 
security code for each login)

From: ozdotnet-boun...@ozdotnet.com [mailto:ozdotnet-boun...@ozdotnet.com] On 
Behalf Of Greg Keogh
Sent: Wednesday, 11 November 2015 2:25 PM
To: ozDotNet <ozdotnet@ozdotnet.com>
Subject: Re: Mobile passwords

I like how some apps (banking in particular) map the login details to a 4 digit 
pin on the device. Gets rid of this problem.

Hey Dude, I had a chat with the person managing this app and they said the customer 
wants to stick with mixed case passwords. So for now, it's reduced to a human 
problem that's solved by emailing out some instructions to the users.

iPads are a bit too slick with the keyboards though, and case changing does 
require caution. Although I think my iOS might be a bit old and I vaguely 
recall reading that Apple recently changed the behaviour slightly.

In future though I'm going to remember this problem and consider using PINs 
where it's suitable.

GK
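
The device-bound PIN described in the message above, sketched server-side as an added example that is not code from anyone on this thread. It assumes .NET 6 or later, a random secret issued to the device at enrollment standing in for the "hardware ID", and hypothetical names (`DevicePinStore`, `Enroll`, `Verify`); the dictionary stands in for a database table.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Added example: in-memory stand-in for a server-side table of enrolled devices.
public sealed class DevicePinStore
{
    private const int MaxFailures = 5;       // a 4-digit PIN has only 10,000 values
    private const int Iterations = 100_000;  // PBKDF2 work factor (assumed value)

    private sealed record Enrollment(string UserId, byte[] Salt, byte[] Verifier) { public int Failures; }

    private readonly Dictionary<string, Enrollment> _byDevice = new();

    // Run once, right after a normal password sign-in on that device. The returned
    // secret goes into the device's secure storage: the "something you have".
    public (string DeviceId, byte[] DeviceSecret) Enroll(string userId, string pin)
    {
        var deviceId = Guid.NewGuid().ToString("N");
        var secret = RandomNumberGenerator.GetBytes(32);
        var salt = RandomNumberGenerator.GetBytes(16);
        _byDevice[deviceId] = new Enrollment(userId, salt, Derive(pin, secret, salt));
        return (deviceId, secret);
    }

    // Returns the user id when device secret and PIN both match, otherwise null.
    public string? Verify(string deviceId, byte[] deviceSecret, string pin)
    {
        if (!_byDevice.TryGetValue(deviceId, out var e)) return null;
        if (CryptographicOperations.FixedTimeEquals(Derive(pin, deviceSecret, e.Salt), e.Verifier))
        {
            e.Failures = 0;
            return e.UserId;
        }
        // Too many misses: drop the enrollment so the password is needed again.
        if (++e.Failures >= MaxFailures) _byDevice.Remove(deviceId);
        return null;
    }

    // Key the PIN with the device secret (HMAC), then stretch it with PBKDF2.
    private static byte[] Derive(string pin, byte[] deviceSecret, byte[] salt)
    {
        using var hmac = new HMACSHA256(deviceSecret);
        byte[] keyed = hmac.ComputeHash(Encoding.UTF8.GetBytes(pin));
        return Rfc2898DeriveBytes.Pbkdf2(keyed, salt, Iterations, HashAlgorithmName.SHA256, 32);
    }
}
```

A correct PIN presented with another device's secret returns null, and after five misses the enrollment is removed, so even the right PIN fails until the user signs in with the full password and enrolls again.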


Re: Mobile passwords

2015-11-10 Thread mike smith
Device entry of passwords is a nightmare.  If you multi-hit the virtual
keyboard even slightly you get accented characters which of course do not
work.  This is one time the ***  to represent a password field is
infuriating.  Yes, I know it's wrong, now show it to me so I can see where
it is wrong!  Some apps have a check box to display the password or not.
 ++1 for these!

Secondly make sure your max password char count when you enter a new pw is
the same as when you're entering it.   Expect users to use cut and paste
into your pw field.  "Remember me" buttons are a probable security
loophole, depending on how they are done.  

Fingerprints.  Coders don't have fingerprints on the tips of their fingers.
If you have a Samsung S6 you can set a fingerprint that won't be usable.
Finger about 1cm from the end works :)

On Wed, Nov 11, 2015 at 4:22 PM, Ken Schaefer <k...@adopenstatic.com> wrote:

> I think the PIN idea is good, as long as you’re able to tie it to some
> unique device hardware ID. Then you have a form of two-factor
> authentication (something you have + something you know). This does limit
> the end user to only being able to use their PIN with a single
> active/authorised device though.
>
>
>
> Another alternative would be to use one-time pad or token (e.g. SMS a
> unique security code for each login)
>
>
>
> *From:* ozdotnet-boun...@ozdotnet.com [mailto:
> ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Greg Keogh
> *Sent:* Wednesday, 11 November 2015 2:25 PM
> *To:* ozDotNet <ozdotnet@ozdotnet.com>
> *Subject:* Re: Mobile passwords
>
>
>
> I like how some apps (banking in particular) map the login details to a 4
> digit pin on the device. Gets rid of this problem.
>
>
>
> Hey Dude, I had a chat with the person managing this app and they said the
> customer wants to stick with mixed case passwords. So for now, it's reduced
> to a human problem that's solved by emailing out some instructions to the
> users.
>
>
>
> iPads are a bit too slick with the keyboards though, and case changing
> does require caution. Although I think my iOS might be a bit old and I
> vaguely recall reading that Apple recently changed the behaviour slightly.
>
>
>
> In future though I'm going to remember this problem and consider using
> PINs where it's suitable.
>
>
>
> *GK*
>



-- 
Meski

 http://courteous.ly/aAOZcv

"Going to Starbucks for coffee is like going to prison for sex. Sure,
you'll get it, but it's going to be rough" - Adam Hills


Re: Mobile passwords

2015-11-10 Thread Greg Keogh
>
> I like how some apps (banking in particular) map the login details to a 4
> digit pin on the device. Gets rid of this problem.
>

Hey Dude, I had a chat with the person managing this app and they said the
customer wants to stick with mixed case passwords. So for now, it's reduced
to a human problem that's solved by emailing out some instructions to the
users.

iPads are a bit too slick with the keyboards though, and case changing does
require caution. Although I think my iOS might be a bit old and I vaguely
recall reading that Apple recently changed the behaviour slightly.

In future though I'm going to remember this problem and consider using PINs
where it's suitable.

*GK*


Re: Mobile passwords

2015-11-10 Thread DotNet Dude
Even a "save credentials for next time" or "remember me" option works ok

On Wed, Nov 11, 2015 at 2:24 PM, Greg Keogh  wrote:

>> I like how some apps (banking in particular) map the login details to a 4
>> digit pin on the device. Gets rid of this problem.
>>
>
> Hey Dude, I had a chat with the person managing this app and they said the
> customer wants to stick with mixed case passwords. So for now, it's reduced
> to a human problem that's solved by emailing out some instructions to the
> users.
>
> iPads are a bit too slick with the keyboards though, and case changing
> does require caution. Although I think my iOS might be a bit old and I
> vaguely recall reading that Apple recently changed the behaviour slightly.
>
> In future though I'm going to remember this problem and consider using
> PINs where it's suitable.
>
> *GK*
>


Re: Mobile passwords

2015-11-10 Thread Greg Keogh
>
> Even a "save credentials for next time" or "remember me" option works ok
>

D'oh, I should have thought of that. I'll ask if the users would like that
(subject to security issues about who carries around the iPads where and
when) -- *GK*


Re: Mobile passwords

2015-11-10 Thread DotNet Dude
Yeah won't work well if they share the device or if they don't secure the
whole device with a PIN or Touch ID

On Wed, Nov 11, 2015 at 2:32 PM, Greg Keogh  wrote:

>> Even a "save credentials for next time" or "remember me" option works ok
>>
>
> D'oh, I should have thought of that. I'll ask if the users would like that
> (subject to security issues about who carries around the iPads where and
> when) -- *GK*
>