March 12, 2007

Major security flaw in Windows

I just found a major security flaw in Windows.

Even when a password field shows what you type as a row of dots, pressing CTRL+arrow moves the cursor word by word, and it stops at every special character in your password.

Here's the explanation in pictures.

  1. I use Internet Explorer, and I go to the login page, typing my password strong.password.

    My password, strong.password, displays as a row of dots.

  2. I put my cursor at the end of the password box.

  3. I press CTRL+left arrow.

    The cursor stops in the middle. This is the position just after the character . (period) in my password.

  4. I press CTRL+left arrow again.

    The cursor stops one position over. This is the position just before the character . (period) in my password.

  5. I press CTRL+left arrow one more time.

    The cursor stops at the first position of the password box.

Incredibly, I have discovered that my password contains a single special character, and that that character is at position six. This allows me to declare, with full confidence, that the words from positions zero to five and seven to 14 are weak passwords.
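To make the leak concrete, here is an added example (not code from the original post) that models the word navigation the post walks through and then lists what an observer can learn from a masked field without seeing a single character. It assumes the Windows edit-control rule that a word is a run of letters and digits and that every other character is a one-character word of its own; the sample password `strong.password` is the one from the post, and the function names are my own.

```javascript
// Added example, not from the original post. Models CTRL+left word navigation
// over a masked password field and reports the structure it exposes.
// Assumption: a "word" is a run of [A-Za-z0-9]; any other character is a
// one-character word. This reproduces the stops reported in the post for
// "strong.password": from the end (15) to 7, then 6, then 0.

function isWordChar(ch) {
  return /[A-Za-z0-9]/.test(ch);
}

// Caret positions that are the start of a "word" under the rule above.
function wordStarts(text) {
  const starts = [];
  for (let i = 0; i < text.length; i++) {
    if (!isWordChar(text[i])) {
      starts.push(i);                       // punctuation is its own word
    } else if (i === 0 || !isWordChar(text[i - 1])) {
      starts.push(i);                       // first alphanumeric of a run
    }
  }
  return starts;
}

// Sequence of caret positions reached by pressing CTRL+left repeatedly,
// starting from the end of the field, until the caret reaches position 0.
function ctrlLeftStops(text) {
  const starts = wordStarts(text);
  const stops = [];
  let caret = text.length;
  while (caret > 0) {
    let previous = 0;                       // nearest word start before caret
    for (const s of starts) if (s < caret) previous = s;
    stops.push(previous);
    caret = previous;
  }
  return stops;
}

// What the stops reveal: separator positions and the lengths of the
// alphanumeric runs between them. The characters themselves stay hidden.
function leakedStructure(text) {
  const separators = [];
  const runLengths = [];
  let run = 0;
  for (let i = 0; i < text.length; i++) {
    if (isWordChar(text[i])) {
      run++;
    } else {
      separators.push(i);
      if (run > 0) runLengths.push(run);
      run = 0;
    }
  }
  if (run > 0) runLengths.push(run);
  return { separators, runLengths };
}

// Sample password constructed for the example (the one from the post).
const SAMPLE = 'strong.password';
console.log('masked:', '\u2022'.repeat(SAMPLE.length));
console.log('CTRL+left stops:', ctrlLeftStops(SAMPLE));   // [7, 6, 0]
console.log('leaked structure:', leakedStructure(SAMPLE)); // separators [6], runs [6, 8]
```

Running it on `password` instead of `strong.password` gives a single stop at 0 and no separators, which is the point: the dots hide the characters, but word-wise navigation in a masked control hands out the separator positions and segment lengths. The defensive fix belongs in the control, which should treat the whole masked value as one word so CTRL+arrow behaves like Home and End, as the post says the Vista control already does.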

This is an awful problem, and hundreds of secure bank accounts are sure to be wiped clean within minutes. Unless they are running on Vista. So please, don't ever type in your password anywhere if you use Windows, and if you have to, then upgrade to Vista first.