avataravatar

Security

Kissaki

Mitigating attacks based on knowing the length of a Windows Hello PIN - The Old New Thing

https://devblogs.microsoft.com/oldnewthing/20240227-00/?p=109456

Describes considerations of convenience and security of auto-confirmation while entering a numeric PIN - which leads to information disclosure considerations.

An attacker can use this behavior to discover the length of the PIN: Try to sign in once with some initial guess like “all ones” and see how many ones can be entered before the system starts validating the PIN.

Is this a problem?