34

When Lotus Notes asks for the password, it displays a screen with a picture that appears to change after a new character is entered after the fifth character.

(image: Lotus Notes password prompting)

I have noticed the sequence of pictures is the same between closing and reopening Lotus Notes. Is this to distract an attacker from looking at the keyboard as someone types? Has this ever been proven effective? Also, as far as I can tell, a random number of x's are added after each character is typed in. I guess this is so an attacker can't see the password length, but is there a point to having anything at all, because the user doesn't know how many characters are typed?

EDIT: for what it's worth I didn't even realize the pictures were the same each time I typed in a password.

Celeritas
  • 10
    This un-thing still exists? – Tobias Kienzler Aug 27 '13 at 10:57
  • What is "un-thing" and are you speaking English? – Celeritas Aug 28 '13 at 08:02
  • 3
    I translated the German "unding" (=absurdity, something preposterous) syllable-wise to emphasize just _how_ absurd everything I learned about Lotus Notes is. Incidentally it's a nice wordplay on unthinkable as well... – Tobias Kienzler Aug 28 '13 at 08:38
  • Did Notes always suck or did IBM screw it up? – Celeritas Aug 28 '13 at 08:41
  • 1
    IDK, but you can find rants about this dating back long time. The now defunct but archived [lotusnotessucks](http://web.archive.org/web/20120516010837/http://lotusnotessucks.4t.com/index.html) has been around since 2005, and I think it has also been mentioned on multiple occasions on [TDWTF](http://thedailywtf.com/), e.g. [here](http://thedailywtf.com/Articles/The-ShoeIn.aspx) and [here](http://thedailywtf.com/Articles/Circling-the-Solution.aspx) (Warning: May consume your time). From all I read about it I am glad I never had to use it, but who knows what the future holds... – Tobias Kienzler Aug 28 '13 at 08:48

3 Answers

49

There is some information on this defunct page. Apparently, the idea that the "moving picture" is there to distract shoulder surfers is widespread, and wrong. That's not how this picture works; what it does is actually worse, although it proceeds from good intentions.

When you type the password letters, Lotus employs a "fairly complicated" but deterministic algorithm to map the password as entered to a picture; this basically is a hash function with a very small output size (the output is a "value" in the set of possible pictures). It is possible that the said hash function includes some server-specific secret, but it won't matter much. The real point is that, as you observe, when you enter your password you always end up with the same picture for a given password. The good intention is to achieve the two following properties:

  • Give an early visual warning as to whether the password was entered correctly or not; the user will soon learn the sequence of pictures for his own password, and thus if a picture changes, then the user knows that he typed the wrong key at that point (or possibly a few characters before).

  • An attacker who tries to mimic this login popup and make the user type his password in a fake popup would supposedly find it "difficult" to recompute the pictures and display them correctly.

The second reason is pure baloney, when you think about it: the "complicated algorithm" cannot be kept secret (especially if the fake popup is actually a man-in-the-middle attack and the true popup is used under the covers to get the actual pictures), and making pictures which move on the screen is really easy: that's what 99.9% of the Web is about.

The first reason, however, includes the seeds of destruction: this leaks information on the password. The pictures are on the screen and very visible; quite prominent, even. The "shoulder surfer" can see them from afar. And he can use them to prune out potential passwords. Indeed, if there are four possible pictures, then this leaks 2 bits per character: for an 8-character password, which would have, realistically, about 30 bits of entropy, this is then reduced to a meagre 14 bits.

Indeed, this feature is analogous to a system which would write on the screen, in big letters, and for each password character: "this character is a digit" / "this character is an uppercase letter between A and M" / ...

Therefore, this "picture" system is downright dangerous and should be banned.

As for the password length, the number of characters is very easy to get for the attacker, because each key stroke is highly audible. The shoulder surfer just needs to be within earshot of the victim, and could easily record the sequence with his smartphone to listen to it later on, suitably slowed down, and thus obtain the password length. Under these conditions, hiding the length from the user himself is pointless.

Tom Leek
  • 6
    I don't understand the general hate for this concept and I am not convinced that it is that fundamentally dangerous. Yes it leaks information, but can you really say it leaks 2 bits per character if you only attribute 3.75 bits per character? I believe it would be completely reasonable to factor in the entropy leak and still come up with a perfectly secure password policy. So in the end you trade this feature for a more restrictive password policy - which may or may not be an overall gain in usability. – Zulan Aug 26 '13 at 18:16
  • 2
    Yes, I can really say that. If there are four possible pictures, then it mathematically leaks _exactly_ 2 bits per character. This is unavoidable. – Tom Leek Aug 26 '13 at 18:21
  • 3
    But this is under the assumption that the attacker doesn't already know any of these "two bits". If you say each character has only 3.75 bits, then you already know a lot about that character. To stick to your analogy 3.75 bit would be a password which only contains lower case [a-m] - then "this character is a lower case a-m" does not reveal any additional information. – Zulan Aug 26 '13 at 18:44
  • 1
    The "3.75 bits" is on average. For a given first half of a password, the next character can be one among a set of "possible characters" which is not all the characters because humans choose cheesy passwords; e.g. after "P@Ssw" the next character will probably be an "o" or "O" or "0". Since the "picture" is a hash which is (on average) uniform over possible values, about 1/4th of possible next characters will actually match the observed picture, so the attacker will not have to try all possible next characters there, only 1/4th of them. And THAT is a reduction of entropy by 2 bits. – Tom Leek Aug 26 '13 at 19:16
  • 3
    That is exactly what I mean. If the next character is "o" or "O" or "0" anyway - then the attacker does not have to try 1/4th of the options, but 1/3rd (1.585). Actually it is even worse for the attacker since it is unlikely that 3 characters will map to unique 2-bit hashes. You cannot reduce entropy that doesn't exist in the first place. – Zulan Aug 26 '13 at 19:36
  • @Zulan Doesn't your argument only work if there's already less than 2 bits of entropy per character? And only because, in that case, the attacker can guess the password exactly from the picture sequence so often? – MartianInvader Aug 26 '13 at 23:49
  • The entropy reduction from knowing the image will combine with existing entropy a little like probabilities do. It would remain quite close to 2 bits per character entered, until the number of bits already known per character gets down to a fairly low value. If, for some reason, the attacker can reduce options to 4 possible characters before knowing the picture, the picture will, on average, identify 1.5 of those characters as the right ones. So entropy would reduce from 2 bits to 0.6 bits for that character. The reduction is still quite high = 1.4 bits. – Neil Slater Aug 27 '13 at 07:12
  • Does it matter that the icon is only updated after typing the fifth character of the password? – Scott McIntyre Jan 17 '14 at 16:27
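The leak the answer and its comment thread argue over can be measured rather than estimated. The following is an added example, not code from the page, from Lotus Notes or from IBM: it models the prompt as a deterministic hash of the password prefix typed so far, reduced to one of four pictures (assumption: SHA-256 truncated modulo 4; the real algorithm is only described as "fairly complicated"), and then computes how many candidate passwords an onlooker who saw the picture sequence still has to try. The alphabet, the sample password and the `first_feedback_at` parameter (modelling the question's observation that no picture appears before the fifth character) are constructed for the example. `next_char_leak` is the comment-thread question in code: the bits gained about a single character whose prior is restricted to, say, `oO0`.

```python
"""Constructed model of a Lotus-Notes-style 'visual hash' login prompt and a
measurement of how much its picture sequence leaks to an onlooker.

Added illustration, not Lotus Notes' own algorithm: the prompt is modelled as
a deterministic hash of the password prefix typed so far, reduced to one of
N_PICTURES pictures (assumption: SHA-256 truncated, taken modulo 4).
"""
import hashlib
import itertools
import math

N_PICTURES = 4  # assumption: four distinct pictures, as in the answer's arithmetic


def visual_hash(prefix: str, n_pictures: int = N_PICTURES) -> int:
    """Map a password prefix deterministically to a picture index in [0, n_pictures)."""
    digest = hashlib.sha256(prefix.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % n_pictures


def picture_sequence(password: str, first_feedback_at: int = 1,
                     n_pictures: int = N_PICTURES) -> list:
    """Pictures an onlooker sees while `password` is typed, one per keystroke
    from the `first_feedback_at`-th character on. first_feedback_at=5 models
    the prompt described in the question (no picture before the fifth
    character); 1 models feedback from the very first key."""
    return [visual_hash(password[:i], n_pictures)
            for i in range(first_feedback_at, len(password) + 1)]


def prune(candidates, observed, first_feedback_at: int = 1,
          n_pictures: int = N_PICTURES) -> list:
    """Risk-assessment view: keep only the candidate passwords whose picture
    sequence matches what was observed over the shoulder."""
    return [c for c in candidates
            if picture_sequence(c, first_feedback_at, n_pictures) == observed]


def bits(n: int) -> float:
    """Entropy in bits of a uniform choice among n options (0 for n <= 1)."""
    return math.log2(n) if n > 1 else 0.0


def residual_entropy(candidates, true_password, first_feedback_at: int = 1,
                     n_pictures: int = N_PICTURES):
    """Return (bits_before, bits_after, survivors) for a uniform prior over
    `candidates` once the pictures for `true_password` have been observed."""
    observed = picture_sequence(true_password, first_feedback_at, n_pictures)
    survivors = prune(candidates, observed, first_feedback_at, n_pictures)
    return bits(len(candidates)), bits(len(survivors)), survivors


def next_char_leak(prefix: str, options: str, n_pictures: int = N_PICTURES):
    """The comment-thread question: if the prior for the NEXT character is
    uniform over `options` (e.g. 'oO0' after 'P@Ssw'), how many bits does the
    picture shown for that character leak on average?
    Returns (bits_before, bits_after, bits_leaked)."""
    pics = {c: visual_hash(prefix + c, n_pictures) for c in options}
    before = bits(len(options))
    # For each candidate true character, the survivors are the options
    # that happen to share its picture; average the remaining entropy.
    after = sum(bits(sum(1 for d in pics.values() if d == pics[c]))
                for c in options) / len(options)
    return before, after, before - after


if __name__ == "__main__":
    # Constructed toy password space: 5 characters over a 6-symbol alphabet (~12.9 bits).
    alphabet = "ao0OsS"
    candidates = ["".join(t) for t in itertools.product(alphabet, repeat=5)]
    true_pw = "s0aOo"  # constructed sample password drawn from that space
    for label, start in (("picture after every key", 1),
                         ("picture from the fifth key only", 5)):
        before, after, _ = residual_entropy(candidates, true_pw, start)
        print(f"{label}: {before:.1f} bits -> {after:.1f} bits after observing pictures")
    print("next char in 'oO0' after 'P@Ssw' (before, after, leaked):",
          next_char_leak("P@Ssw", "oO0"))
```

Run as a script it prints the residual entropy of the toy space under both feedback policies; the every-key policy leaves only a handful of candidates out of 7776, while delaying the first picture to the fifth character leaves about a quarter of the space, since only one picture is ever shown for a five-character password. `next_char_leak` shows why both sides of the comment thread are partly right: the leak is close to 2 bits when the prior is wide and shrinks toward whatever entropy the character actually had when the prior is already narrow.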
47

Nope, the picture on the left of the password field has nothing to do with the security of the login process. This is, sadly, a "usability" feature. It's called a Visual Hash (here's an example). Actually, the avatar you're currently using is an example of visual hashes.

Because Lotus Notes displays a random number of X in the password field, the "ingenious" R&D team at Lotus (and later, IBM) thought that displaying a picture according to the entered password will help the user keep track of the entered password so far.

That picture is a result of specially hashing the password as you type it and choosing the corresponding picture according to that hash. For example, if your password is MyPass1sAwesomeY3ah, as you enter MyPass1s you'll see a certain image corresponding to that password, and when you enter the next character and your password becomes MyPass1sA, you'll see a different one, and so on.

The more you login, the more your brain begins to notice and memorize the patterns and sequences of those images, so later you'll instinctively know when there's something wrong. For example, after you type MyPass1s, you accidentally type a B, you'll be shown a different picture and you'd know, on a subconscious level, that there's something wrong and you'd back up and change that letter.

Personally, I think it's stupid.

Adi
  • Very interesting, I had no idea. Great answer. – Abe Miessler Aug 26 '13 at 17:14
  • 2
    _"you'd know, on a subconscious level, that there's something wrong and you'd back up and change that letter"_ - I have heard this notion before and it is utterly ridiculous. (I guess you think so too.) It does not match my experience, or that of anyone I have talked to. Did they test whether this feature works? Or is it just another reason that [Lotus Notes is rubbish](http://thunderguy.com/semicolon/2008/07/10/lotus-notes-is-rubbish/)? – Bennett McElwee Aug 27 '13 at 02:47
  • 17
    Hm. Somehow your post only gives arguments *in favour* of this technique. Your conclusion, “it’s stupid” is so far unsubstantiated. And yet this garners tons of upvotes. Maybe the implied reason for its stupidity is obvious to everybody else but I kind of wish you’d spelled it out instead of just bashing it (well, we *are* talking about Lotus Notes here, so go right ahead with that). – Konrad Rudolph Aug 27 '13 at 09:25
  • 1
    +1 to @KonradRudolph, I didn't get why you consider it stupid either. – avakar Aug 27 '13 at 11:24
  • Heads up all.. The web.archive.org link gets flagged as a 'page containing malware' by kaspersky... – NULLZ Aug 27 '13 at 11:35
  • @KonradRudolph We had the same discussion yesterday in the chat. I believe that Thomas' answer is much better than mine and it should be the accepted one. The only reason mine has gathered more votes is because I posted it 5 minutes before Thomas. – Adi Aug 27 '13 at 12:22
  • It's a very fair assessment that any UI feature that Lotus Notes uses is one that should be avoided by any software that is actually user-friendly. – Lotus Notes Aug 28 '13 at 05:11
  • It's been my impression that these visual hashing schemes aren't intended to inform the user AS THEY TYPE, but AFTER they've FINISHED typing, such that they can know before they hit Enter whether they've messed up their password or not. I actually use Lotus at work for email, and I don't even look at the pattern while I type. But if I finish typing my password and I don't see a purple keychain, I know already that I have to start over (without having to hit Enter, get a "failure" prompt, and THEN know that I messed up) – loneboat Aug 30 '13 at 14:22
3

At a previous workplace we were using Lotus. I remember asking the guy who installed it for us about that exact feature. He said "this will help you know when you enter the wrong character before submitting the password".

Green Fly