Re: MS IE Password inputs

["Mattie Casper" <mattie () mattie net>]

Very interesting find, and I can confirm the same thing happens in
IE6.

I can reproduce it by placing the cursor at the beginning of a
password typed-in like "1234 56789 0ABCDE FGHIJK" and then use
CTRL+RIGHTARROW to move through the asterisks just as if the spaces
were there. (CTRL+RIGHTARROW in some applications like IE will move
you to the next 'word' in a textbox.)

This can come in handy when I typo part of a password and don't want
to retype it all, but this does have some slight security
implications.
-Mattie!

Mattie Casper
http://me.mattie.net

----- Original Message -----
From: "Jon Embury" <jon.embury () f1solutions com au>
To: <bugtraq () securityfocus com>
Sent: Tuesday, November 20, 2001 3:28 PM
Subject: MS IE Password inputs


> Just something I've noticed on IE 4 & 5.5
>
> If you enter a password that contains a mix of non-alphabetic and
alphabetic
> characters to an MS IE password input and then use the keyboard to
select it
> while holding down tab the cursor / selected region jumps between
the
> non-alphabetic characters in exactly the same manner as it does when
you
> apply the same technique in word, Interdev, vb etc.
>
> It doesn't reveal the password, but it would seem to reveal at least
some of
> the structure.
>
> Eg
>
> 1 2 3 4 5
>
>
> Jon Embury
> Developer, F1 Solutions
> www.f1solutions.com.au