Are partially typed passwords a potential security risk?

Corporate espionage is a thing.

There could be a security risk if someone has seen you typing your password, or guesses the last two characters. It's not all that difficult to notice people's keystrokes and subconsciously remember them, especially the last few keys.

In the case of corporate espionage, someone might want to watch you type your password, and they might remember it.

Or maybe save the state so you can keep retrying from that partially completed point?

You have to admit, given the circumstances, this seems like next-level tinfoil hattery. I can just picture a guy in a grey suit walking up to your desktop, looking for your 20+ GB virtual machine disk, plus accompanying configuration data within a couple minutes, and taking it to a seedy cubicle in the corner of the office, then madly brute-forcing while cackling maniacally:

(Image: Dr. Evil laughing while brute-forcing OP)

Let's take off the foil for a second. If you are running a virtual machine, then it's quite possible. You could save the state of the virtual machine at that point, and keep trying. The likelihood of this happening to you during a coffee break is pretty much zero. Same with the app state, only not as unlikely as a virtual machine.

With the virtual machine, a colleague would have to copy the contents of your virtual hard-drive, plus the accompanying settings, and mount it. More than likely, this would be in excess of 20 GB. Copying this virtual drive in such a short time while other people are around seems quite unlikely.

Someone will notice something.


What if this were a web page login as opposed to a desktop app?

Let's put on our tinfoil hats and see what we can do to retrieve the partially-typed password using only readily-available tools. Put yourself in the shoes of the attacker: how would you quickly get the password before the coffee break is over?

  1. Using the developer console, you can modify the web page to change this:

    <input type="password" name="pass" id="password"/>

    To this:

    <input type="text" name="pass" id="password"/>

    (Removed jQuery as suggested by Doyle Lewis)

  2. We can also get the values through the console input: you can use a variation of these (F12 > Console > Enter input):

    • console.log($("#password").val()); (jQuery)
    • console.log(document.forms[0].pass.value); (form element, by field name)
    • console.log(document.getElementById("password").value); (DOM)

  3. Apparently Windows 8 and Windows 10 Enterprise have an "eye" icon that allows you to reveal the plain-text password when holding down the eye button. This becomes an even bigger threat when someone else can just click that one button, bypassing all of the effort used in the examples above.


But why would this be a potential security risk?

Re-equipping our [Tinfoil Hat (Mythic Warforged)], let's assume a worst-case scenario:

With your username and password, in an enterprise setting where it definitely isn't difficult to find your username (usually your badge ID, or email username), a malicious colleague can attempt to impersonate you on the network. For example:

  1. Your corporation has WiFi access which requires your employee badge number and password to sign in.
  2. Malicious colleague logs onto the corporate network using your credentials, on an unauthorized device, and then wreaks havoc / steals things without it leading back to them. Most security policies should require device registration first, but there are unfortunately ways around that.
  3. You get blamed. It looks like you did it. And the spy who screwed things up may get away scot-free.

How do I protect against this?

This very unlikely but possible attack, and many other attacks that require physical access to your machine (not including hardware-based infections), are completely mitigated by locking your workstation before getting up, and not entering partial passwords. Make this your habit, and you won't have to worry about anyone doing something like this.

Don't get complacent, though.


In addition to the other answers, while you were away I installed a keylogger on your keyboard.

In the short term, I have the last 2 characters of your password. I could use that to reduce the search space considerably for a brute force attack.

But I am lazy and a long term thinker. I am just going to wait until you log in again and I will have your complete password.


As noted in the comments, some versions of Windows have an "eye" symbol that can be clicked to show what you've typed into the password box.

If you leave six of your characters in the lock screen password box, it takes only one click on the eye to expose the plaintext. This does not mean the attacker would know how long your password is, but does mean it would weaken your password's security because the first six characters are exposed.

I can confirm, Windows 10 Enterprise does indeed have this eye.