Security IT

'Weird' Nintendo Switch Issue Makes it Easier to Guess Passwords (vice.com) 34

A security researcher has found an odd issue with how the Nintendo Switch console handles login credentials, potentially making it easier for hackers to figure out people's passwords, and raising questions about how Nintendo is storing passwords. From a report: The issue revolves around how users log into the eShop from a Nintendo Switch. As security researcher Runa Sandvik explained it, when logging into the eShop before typing in a password, the 'OK' dialogue box is greyed out. When a user enters their correct password, it lights up and lets the user log in. Expected behaviour, so far. But Sandvik found that the 'OK' box also lights up if the user only enters the first eight characters of their password. The eShop won't let the user actually log in -- they still need to enter their complete password -- but it does provide visual feedback to someone trying to guess a password that they're on the right track. Essentially, this could give a hacker a better chance of figuring out your password if they only have to determine what comes after the eighth character, although of course they would still need to get that first section too.
  • Interesting (Score:2, Insightful)

    by satanicat ( 239025 )

    This was probably something of an intended feature with an unexpected side effect, given the age of so many users. Can't lock an account constantly by entering the wrong password if you can't submit the login request.

    I doubt they are storing passwords though, can easily have the same effect by hashing the first 8 characters of a password during a successful login.

    • So are you saying it's deliberate? It is difficult to imagine how an honest programming mistake could have caused this behavior, if they really are not storing passwords.
      • As he pointed out, they could be storing a hash of the first 8 characters. Kinda like (IIRC) the old NTLM scheme, where the first 8 characters and the remainder of the password were stored as two separate hashes, making it much, much easier to brute force them.

      • by msauve ( 701917 )
        As pointed out below, they could simply be enabling the "enter" button when the minimum password length has been met, whether or not the first 8 characters are correct. The article makes no mention of even trying that before shouting that the sky is falling.
      • Yes, I'm suggesting this was probably deliberate. I was theorizing that it might have been put in place to make failed login attempts much less likely, because young children would be more likely to enter an incorrect password even if they knew it.

        Not saying I agree with that as a design however.

  • That's not that terrible IMO.
    • I think if anything is scary about it, it's the fact that there is clearly more being done with the password than just submitting it to log in. In many cases platforms aren't even storing password, they're storing things like JWT tokens which can be revoked, and in that case neither your client nor your service has had an opportunity to even look at the password.

      Even in cases where I might be using something like Basic Authentication, my services never have a chance to see the password, if the authenticati

      • In this specific example, I can't, right off the top of my head, think of how this could be overly dangerous, assuming they are just storing a hash of the first 8 characters.

        Back up for a second, to the point where you are designing this login dialog.

        When have you ever designed a system that would specifically enable submission on partial, known invalid input?

        To the point where not only would you store a password hash, but a first-eight-character password hash as well...

        No way. In fact what I think is happening

        • I don't think it would have been designed to submit a partial unknown. It was probably designed that way intentionally to not know the whole password, rather to make it less likely a child would submit and potentially lock an account due to typos etc.

          For the record, I'm not a fan of it. (Assuming that is in fact the case)

  • by WoodstockJeff ( 568111 ) on Friday May 22, 2020 @04:36PM (#60092304) Homepage

    ... ONLY if the CORRECT first 8 characters are entered, or when a minimum of 8 characters, correct or not, are entered?

    Many login screens won't enable the button until a POTENTIALLY legal password has been entered. If the requirement is "8 or more characters", there is no need to submit 7, because it cannot be valid.

    • by JeffSh ( 71237 ) on Friday May 22, 2020 @04:51PM (#60092372)

      Yeah, I'm not sure how it made it this far. What kind of security researcher is this? It's allowing the submission of any set of characters that are 8 or more. It doesn't do any pattern matching or verification of a partial password. You can type in any 8 characters and the submit button becomes available.

      This is a major nothingburger. Embarrassing it's even here and people are writing articles about a user interface that requires 8-character passwords before allowing submission.

      • by darkain ( 749283 ) on Friday May 22, 2020 @05:21PM (#60092482) Homepage

        Just verified on my Nintendo Switch. It will check to ensure there is at least 1 letter, 1 number, and 8 characters. Almost ANY combination matching this will enable the OKAY button. It also verifies that there isn't a certain number of repeated characters.

        But otherwise, yeah, anything that matches their "password strength requirements" will light up the OKAY button.

        This article is total bullshit.

        • Wish I still had mod points today for this. I had been thinking out loud taking the summary as gospel; hadn't taken the Switch from my son yet to check.

        • msmash is total bullshit. so is slashdot if they accept another of their submissions. is there a way to report this to editors or is slashdot just a bunch of bots?

      • by tlhIngan ( 30335 )

        what kind of security researcher is this

        Sadly, they are becoming the norm - submitting bugs along the lines of "I can get root! Just do these steps! (One of said steps requires using sudo...)"

        I presume it's because of bug bounties and everyone and their dog seeing a get-rich-quick scheme.

        It doesn't matter who you ask -- Microsoft, Apple, Google, etc. Their security response teams are inundated with such inane "security flaws".

        I've seen writeups involving standard UI features as well. "Clipboard allows progra

        • by Junta ( 36770 )

          In my experience, those are people who disagree with the way things were done and are trying to leverage their title as 'security professional' to try to force the design to change in a climate where security is taken seriously. This article is an example of an overzealous person jumping the gun in hopes of getting fame, and there is plenty of that too.

          Anyway, if you want a prime example of what you describe:
          https://www.techjuice.pk/googl... [techjuice.pk]

          Google authenticator is horribly insecure... if you sideload an app

    • The whole time I read this article, I was thinking the same thing. The "hackers" figured out that Nintendo expects a password minimum of 8 characters. :) That doesn't give any clues how many more you need, nor does it validate the first 8 characters... just that there are 8. *shrug* I guess the author has never written a UI before. :)

  • Plenty of big iron only used the first eight characters of the password, and that's just enough: if it's a proper mix of characters, 8 ^ 96 possible combinations; one a second gives up to 228 million years to get it right.

    • that's 96 ^ 8 seconds I mean for the 228 million years at 1 per second. 9 characters gives 22 billion years and sun burns out....

    • Why 8^96? Shouldn't that be 96^8? That's a significantly smaller number. (Funnily enough, judging from your final result you actually calculated it correctly but somehow only mistyped the expression.)
  • Either the poster is right and Nintendo is very wrong and storing passwords in open text or the poster is suffering from Dunning-Kruger effect. If the first 8 characters are entered incorrectly does the behavior change? If not it's simply the GUI responding to a minimum length password before allowing the user to attempt authentication. haha... I expect it is the latter... Anyone with a switch confirm?
  • Seriously, could this possibly be any more clickbaity?

    • "'Weird' Nintendo Switch Issue Makes it Easier to Guess Passwords" ( Friday May 22,) followed a day later with " Bumblebees' 'Clever Trick' Fools Plants Into Flowering" These editors are reading too many popular news article headlines, and now they are infected too.
