

Ask HN: Caps lock warnings - tonteldoos

This is really just a small rant, but I'm curious nonetheless.

One of the principles of secure programming is to not provide too much information to the user when failing on an authorisation attempt.  In other words, a potential attacker shouldn't be given information about a failed attempt that could help him/her narrow the possibilities.

Why then, do all the major OSs warn you when you've turned caps lock on while you're trying to login?

I can think of similar examples in cloud services as well (telling the user the email address doesn't exist, instead of just saying that the login failed), but that is a topic for another day...
======
mooism2
You get warned about caps lock being on _before_ you enter your password, so
it's not a security issue.

Before OSs did this, when I mistakenly had caps lock on while entering my
password, my thought process after each password attempt went something like
this:

- oh, did I mistype my password?

- I'm sure I typed it right, are the key presses not registering?

- oh ffs, did I change my password? No. Wait, is caps lock on?

- yes, that was it, argh

It just stressed me out for no good reason, and I'm glad I get warned about it
now.

------
privong
> Why then, do all the major OSs warn you when you've turned caps lock on
> while you're trying to login?

It's not clear to me that this is a security issue or that it reveals any
information to an attacker? Presumably the keyboard also provides notification
that caps lock is on, so the login system is not providing any additional
information not already available to an attacker.

~~~
tonteldoos
This is partially true. However, a fair few keyboards (and laptop keyboards)
aren't making it THAT clear that caps lock is on anymore. Given that most
people would rather use shift to make an uppercase in a password (at least the
ones I know), leaving caps lock on when you're away from your computer is a
quick and dirty deterrent from someone who may have watched you enter
passwords earlier...

~~~
mooism2
If someone is memorising your password from watching you type it in, caps lock
being in an unexpected state is not going to hold them up for long.

