Lock Computer and Windows login

Posted By: Maurits | May 25th, 2006 @ 9:27 AM
page 1 of 1
Comments: 9 | Views: 19785
#May 25th, 2006 @ 9:27 AM
Maurits
Maurits
AKA Matthew van Eerde
I locked my computer (in Ctrl-Alt-Delete fashion,) left and came back.
Then I tried to log in and couldn't... because my Caps Lock key was on.

The error I received even asked me to check that the Caps Lock key was on.

So I turned it off and was able to log in.

But here's my question.

Why can't Windows just check to see if the Caps Lock key is on?  There's all kinds of things it could do based on that knowledge.  It likely has my credentials cached, so there's little danger of locking my account out by retrying the password as-if-I-had-Caps-Lock-off.
#May 25th, 2006 @ 9:59 AM
jb43081
jb43081
Maurits wrote:
I locked my computer (in Ctrl-Alt-Delete fashion,) left and came back.
Then I tried to log in and couldn't... because my Caps Lock key was on.

The error I received even asked me to check that the Caps Lock key was on.

So I turned it off and was able to log in.

But here's my question.

Why can't Windows just check to see if the Caps Lock key is on?  There's all kinds of things it could do based on that knowledge.  It likely has my credentials cached, so there's little danger of locking my account out by retrying the password as-if-I-had-Caps-Lock-off.


Well, first of all how is the computer supposed to know which characters and capitalized and which aren't? It needs this since the password is hashed and compared against a stored hash.

Not sure if this was what you were suggesting, hope this helped. Tongue Out
#May 25th, 2006 @ 12:13 PM
SlackmasterK
SlackmasterK
I write my OWN blogging engines
He presents a good point though:  We know it is possible to detect the keyboard lock states, because when we enter apps such as Excel they tell us which locks are on.  I suppose Windows could be designed in such a way that it would detect this and correspondingly invert the text of the password box.  I'd presume the password box is plaintext under those dots, until it gets into the encryption mechanism.  Plaintext cases are easy to alter, and number keys shift states wouldn't be changed.
#May 25th, 2006 @ 12:23 PM
hodo
hodo

If this were the case then the OS would be helping crackers by halving the number of alphabetic combinations to try in brute force attempts.

I would see this as another vector that could be exploited to lessen security.  Really...is this that big of an issue? 

#May 25th, 2006 @ 1:11 PM
Maurits
Maurits
AKA Matthew van Eerde
jb43081 wrote:
Well, first of all how is the computer supposed to know which characters and capitalized and which aren't?


The ones I press while holding down the Shift key are the "capitalized" ones, assuming I didn't realize Caps Lock was on.

Suppose my password is 9J-b%

I normally type this is as:
9
Shift+J
-
B
Shift+5

If I have Caps Lock on, this sequence of keypresses gives me 9j-B% instead.  This will fail.

(
If I left Caps Lock on purposely, I could type in my password correctly with the following different keypress sequence:

9
J
-
Shift-B
Shift-5
)

When it fails, Windows pops up a warning saying "Make sure that Caps Lock is not accidentally on."

There are several possible alternatives.

When it fails, Windows could spit out different warnings depending on whether Caps Lock is on or not:

"Caps Lock is on.  If you think you typed your password in correctly, turn off Caps Lock and try again."

"Caps Lock is off... was it on when you last set your password?  It's a bit of a long shot, but you might try turning Caps Lock on and trying again."

If my password has no letters in it, Windows could pick up on that and skip all the Caps Lock stuff entirely.
#May 25th, 2006 @ 1:13 PM
Maurits
Maurits
AKA Matthew van Eerde
Come to think of it, this could get complicated... what if I change the Caps Lock state while typing in the password, or between typing in the password and clicking OK (or pressing Enter, which is what I usually do?)
#May 25th, 2006 @ 3:37 PM
SlackmasterK
SlackmasterK
I write my OWN blogging engines
Maurits wrote:
Come to think of it, this could get complicated... what if I change the Caps Lock state while typing in the password, or between typing in the password and clicking OK (or pressing Enter, which is what I usually do?)


When this screen is up, everything else is either not running, or is running and is a lower priority than logging the user in (Winlogon runs in 'high' pri). Therefore, it's safe to say we can fire an event upon each keypress which will detect the CapsLock state:

string KbdHwID = [Code to get Hardware ID of keyboard used to type];
[Encrypted string type] Password = PassTxtBox.Text;

static  void PassTxtBox_OnUpdate(object sender, EventArgs e) {
bool CapsLock = GoGetCapsLockStatus(KbdHwID);
Password += GoGetRealChar(KbdHwID, CapsLock, e.CharTyped); }


Obviously this would be radically different, but it should provide an example of my thought process.
#May 25th, 2006 @ 6:06 PM
Zaki
Zaki
Maurits wrote:
I locked my computer (in Ctrl-Alt-Delete fashion,) left and came back.
Then I tried to log in and couldn't... because my Caps Lock key was on.

The error I received even asked me to check that the Caps Lock key was on.

So I turned it off and was able to log in.

But here's my question.

Why can't Windows just check to see if the Caps Lock key is on?  There's all kinds of things it could do based on that knowledge.  It likely has my credentials cached, so there's little danger of locking my account out by retrying the password as-if-I-had-Caps-Lock-off.



It looks like you are typing your password, but you got the third and fifth character wrong. Your password should be "CHaNNeL9". Would you like me to turn CAPS LOCK off or should I just fill in your password?
Strange, because CAPS LOCK warning is fired immediately if you give focus to the password box (in XP). Anyway, most of the users already use weak passwords, so why halve the strength further with all this guessing?

----
Admin1: Are you crazy??? You gave your cat's name for the root password.
Admin2: Hey, what's wrong with 'rk99=s0L#Rn5'?
#May 26th, 2006 @ 4:54 AM
W3bbo
W3bbo
The Master of Baiters
Zaki wrote:
Maurits wrote: I locked my computer (in Ctrl-Alt-Delete fashion,) left and came back.
Then I tried to log in and couldn't... because my Caps Lock key was on.

The error I received even asked me to check that the Caps Lock key was on.

So I turned it off and was able to log in.

But here's my question.

Why can't Windows just check to see if the Caps Lock key is on?  There's all kinds of things it could do based on that knowledge.  It likely has my credentials cached, so there's little danger of locking my account out by retrying the password as-if-I-had-Caps-Lock-off.



It looks like you are typing your password, but you got the third and fifth character wrong. Your password should be "CHaNNeL9". Would you like me to turn CAPS LOCK off or should I just fill in your password?
Strange, because CAPS LOCK warning is fired immediately if you give focus to the password box (in XP). Anyway, most of the users already use weak passwords, so why halve the strength further with all this guessing?

----
Admin1: Are you crazy??? You gave your cat's name for the root password.
Admin2: Hey, what's wrong with 'rk99=s0L#Rn5'?


I wonder how long before Microsoft adds "mouse-based" authentication like most online-banking sites to thwart keyloggers.
#May 30th, 2006 @ 8:56 AM
Maurits
Maurits
AKA Matthew van Eerde
Zaki wrote:
Strange, because CAPS LOCK warning is fired immediately if you give focus to the password box (in XP)


That works.  (I'm still on Windows 2000)