Masked passwords must go Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in …
I for one would much prefer my password to be masked out, having friends, colleagues and children around definately makes this important. Although I work in IT support and know people are a nightmare with their paswords, they universally accept that passwords are masked and it increases their feeling of security.
These people are talking rubbish.
On my G1 (and presumably all android based phones) there is an option in the settings for password masking. The default is to show the last character typed onscreen and then change it to dots when you enter the next character.
Would this not be a better solution for those who are still paranoid about shoulder surfing? It should still allow all the other things mentioned in the article.
bearing in mind, most people reuse the same password for pretty much everything, the chnace are, if someone see then typing in their say, work password, it could well be the same as their banking one, their email one etc etc etc.
The real problem is inconstancy. Where
thisismypassword
may be ok on one site, it may have to be
Thisismypassword
on a another
another it may need to be
Thisismypassw0rd
on another and
Th!sIsmypaswordbuttheoldoneistoshort&^%$£
on another.
And another may say No to & \ / @ _ or -'s
We need constancy more than clear type.
"The more uncertain users feel about typing passwords, the more likely they are to (a) ... and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security," he said.
Copy-and-pasting from a file on your computer leads to greater security! Clearly Nielsen has not heard of MyPasswordSafe.
*banging head against desk* stupid stupid stupid stupid.
Great idea there....if shoulder surfing is such a non-issue why dont we just make password boxes automatically wrap themselves in a <marquee>, <blink> and <font color="#FF0000">???
"bank accounts, you might even check this box by default"
......
Sometimes common sense seem to desert researchers.
Would they also be happy if chip and PIN terminals put your numbers on display for all to see? Why not? After all, shielding your PIN is obviously a hassle and nobody would should-surf?
Have they ever heard of "public kiosks"? Schools? I assume they are also in favour of people writing down their passwords and sticking them to the monitor.
Beggars belief.
I always though Nielsen was a bit of a moron. Now it has been made clear.
I am an office Sys Admin. I have the admin passwords. I need to keep those admin passwords from those that would abuse them.
When I have people in my office demanding that I fix the file server, I do not want the moron standing behind me to know how to get in to the file server with root privileges. It is as simple as that.
If we are to make any change it should be to drop stars and blobs for no echo. But that would just make it harder for users and therefore harder on me.
A phone is easy to cover up if you're with someone. If you're surfing a shopping account with your other half or kids, your boss asks you to get his email working, then you're not going to want to see the password, and covering up the screen or walking away is too much.
A better option is to display only the last character typed, but then to obscure previous characters as soon as a new one is entered. This way, somebody glancing briefly at your screen would not see your full password, but you would still get some visual feedback of the characters you type.
Password entry boxes on some smartphones do this, because some visual feedback is essential for the typo-prone on-screen keyboard.
What? Is there any point in having a password for anything if world+dog can simply look over your shoulder, read it while you type it and use it behind your back.
The whole problem is different. At work, for instance, I have well over 40 passwords I have to remember, they all regularly change and they all use different rules for creating a password. You miss 3 times and your user account is locked out, what lobotomised piece of sh*t thought thàt was a good idea. I'd sure like to meet him/her once (although he/she wouldn't like it very much!).
And yes, I DO keep all my passwords in a file on the shared fileserver here. But it is encrypted with a piece of self-written encryption software. Some of these passwords protect very sensitive information, I cannot take the risk of storing them in any other way. And NO, I do not want them written all over my screen in plain text. God! What a kakamimi idea!!
I much prefer what Gmail does, show me the IP-numbers my account has been accessed from and when. That IS a good idea.
Password masking is, and should be, a choice made by the browser makers, not the website authors. The browser defines how input boxes of type password are rendered.
This article seems to be encouraging people to write their own password handling input boxes, a much worse idea.
Username/Password pages with an onload method to set the focus to the username.
Nothing more annoying than typing your username, getting to the password field and then realising that the focus has been shifted back to the username box because you didn't wait for the 15mb+ login page to load completely and you're typing your password into the username box in cleartext for anyone around you to see.
Virgin Media's webmail used to/probably still does this along with quite a few other sites.
I work in an office like most people (other than Bruce). I have a constant stream of people coming over to chat and/or discuss problems. I often need to log on to service with someone staring over my shoulder at my screen. Masking by default please.
Websites do not mask passwords, browsers do!
Websites simply use <input type="password" ...> and the browser decides how to handle this. If you want the passwords visible, that is a browser issue, not a website issue.
Bruce, please report to HTML 101 for a very basic introduction to the way websites work!
Websites do not actively do anything to mask passwords: they just use the 'password' input type (including this website, on the form I'm now using). The web browser does the blanking, because the input type in question is a password, and that's how the browser handles that data type. They don't have to do this, and this behaviour could be customisable at a global level within the browser, rather than obliging websites to use a less descriptive input type, and providing some sort of 'roll-your-own' functionality to switch password masking on and off against it.
Surely the user is likely to have the same opinions about password display, wherever they are on the Web. Why make users wrestle with setting this on every single password-portected website that they use? And why ask all websites to store yet more metadata about user preferences?
The fact that a user does or does not want to see their password is a matter between the user and their browser. Websites should continue to use the password input type, in my view, because it describes the fact that the value held there is a password. The data should describe itself, not how the user thinks the data should look. The principle is sound enough, but by saying "Most websites ... mask passwords", Nielsen is identifying the wrong culprit. We just need better web browsers than the broken grey rectangles we're being fobbed off with, at the moment.
Looks like I'm an odd one out.
I agree with the point that Schneier and Neilsen are making - which way will be the least secure? Masking a password which then encourages the user to use a simpler phrase in order to reduce the chance of typing it wrong or show the text and risk someone looking over their shoulder.
Bear in mind that if someone is watching, that person could just as easily watch what keys they press, so the screen could be irrelevant.
We use a system that fills the logon box with asterisks - you don't even know how many letters you have typed. There is no question that this has resulted in people making mistakes and we have to reset their passwords about 3 times more frequently than was the case previously.
We also seen them start to write the passowrd on post it notes - I go around the offices and have removed some 25-30 of these at various times, so people now hide the post-it somewhere - I've a found a couple in drawers.
I am amazed at all the negative comments, just because you think (or have been told) that it makes it more secure doesn't mean it really does make it more secure.
Masking passwords is about as secure as changing your passwords every 30 days, don't tell me you still do that?
For those that want to live on the edge there is a FF plugin "Show my Password" that unmasks passwords https://addons.mozilla.org/en-US/firefox/addon/8016
...why bother with a password at all? Hell, why we are at it, lets show PIN numbers on ATM's and Chip and Pin terminals.
Surely the whole point of a password is to make something secure? I agree that there are a lot of places where password blanking is not so important but as stated in other posts, most people use the same passwords or variations of passwords. Therefore the minor inconvienience of the blanking is much less of an issue than the security risk if it were to be removed.
There are times when I definatly don't want my password to appear on screen.
1. When at college a common cyber bullying techneque was to log in to a "friends" email account and send dodgy emails. A school pc lab is easy to glance over someone shoulder and learn their password (probably for evreything).
2. When I have my mates over to show them something on youtube say I would rather they did not know my password. Come on admit who hasn't tried to watch their mates fingers to get their password to have shifty at their email or know at least one person of the 'oh so funny' practical joke type who probably use those phone jokes in the back of lad mags would love to get their hands on your email account.
3. As mentioned above who wants their child (or perhaps PC illiterate mother) to know the unblock password for the antivirus or admin account?
4. I suppose it will make cheating harder for some rogues. It is a lot eaiser to quickly type your password and log in to your personal email than to tell the girlfriend to turn around while you log in (knowing some emails go straight to a low level folder)
Also copying and pasting a random string from a password safe program is the prefered method I thought, then you have a different unguessable password for each site?
However I do think on mobile phones there is no need for ****** especially as you are entering the password.
Lay out the welcome mat
Oh, please, the risk is not only unknown passersby peering over your shoulders. There are many, many, many occasions when you're sitting at a table with your boss, a coworker, a friend or your boyfriend and you just do not want them to see what your password is.
It is true that password obscuring is often overdone -- like when being forced to type in blind a 50 character long Wifi password, TWICE, when most likely you're alone and not only there is no need to get the password right two times, but getting it wrong once invalidates it.
What should be standard is a button (or key combination) to switch to clear password mode. Obscured should be the default, of course, because it would be rude and or embarrasing to switch to obscured when you are sitting with your boss or coworker... or boyfriend!
(Paris because she surely has in her email many things to hide)
I cannot disagree with these idiots strongly enough. On top of 'shoulder surfing' all you would need was some virus or something with screen grabbing capability now, whenever it sees a password box and the enter key is pressed.
Perhaps these guys were once 'security gurus' but it would appear a little time at the top and the thin air has got to their heads. I seriously hope no one out there listens to them and thinks "Yeah...well, they must know what they are talking about"!
I'm glad to see so many people having the same obvious and sensible reaction against this junk. I hope the register follows these people up with calls and mention how many people think they are idiots.
I think the anonymous poster of "No no no and again no", commenting on inconsistency of websites that require a capital letter and a number and a symbol character in the password (or any variable combination [inc none] of those rules, cause the most problems. This commenter has a good point in that mark, and consistency should be considered for this area.
From what is said, the real problem is on the phones and small handheld devices where typing is not very easy.
Why then remove the blanking out from the computers?
And for the devices where it's a problem, it means the keyboard is very small; this usually means the screen is also very small, and that in turn means noone can look over your shoulder unless they're so close to you you can't help notice they're watching.
As a consequence, it is probably indeed useless to blank out the passwords on hand-held devices.
Conclusion should be clear: the blanking out should be browser-based and not site-based. The site should just indicate with a tag that this or that field is meant to receive sensitive information, and it is not the site's problem what YOU want to do it with.
Then, everyone could choose his own settings as they see fit: the dumbasses who can't type a password would un-blank it, and the security paranoids would blank it.
Of course, since most people wouldn't even understand what it's all about, a sensible default would be provided: on PC browsers, default would be to blank the sensitive info out, and on handheld devices' browsers, the default would be to display.
and that way, there's no need for a debate on whether one or the other is good: what's good is what people want, specifically adpated to each person and each usage.
"Shoulder surfing is largely a phantom problem"
Really! I used to work in a large college where "Sholder surfing" was the main method of gaining passwords by looking at the keys the person typed, if this is displayed on the screen as well then it will just make it easier for them!
Also, if you tell a web browser to remember your password, then authentication may pop up at an inappropriate time when someone else is looking at the page with you, then you loose your password.
Got to love these so called experts.
Messers Nielsen and Schneier need to wake up and smell the coffee writ massive.
Picture this... You're in a crowded internet café, you're logging into your email account, where there's all manner of personal information, and, because it's a crowded shop, you haven't a blasted clue who's looking over your shoulder.
The password you enter is shown in-clear on the screen where anyone with half a brain and apair of glasses can see it.
A few days later, you find all your bank accounts have been emptied, and your personally identifiable data has been used to draw loans of impossiblly silly amounts, forge a passport application, and so on. All because someone was able to see your unmasked username/password combination.
Never happen, you say? Wrong. This has, and will continue to happen too, whether we have masked or unmasked passwords.
However, continuing to mask passwords on a computer monitor WILL help to keep it a challenging task to access such data.
So, Messers Nielsen and Schneier, wakey bloody wakey *slap* *slap*
Worth bearing in mind that password masking has been the norm since long before the web came along.
Back in the day the true test was being able to pick up someone's password by watching their hands as they touch typed it at 70WPM** (the two finger hunt and peck brigade were no challenge at all).
** Ahem, purely in the interests of not having to spend half an hour of every helpdesk call chasing them around the building despite having said "This will take 30 seconds to fix, so please don't wander off as I'll need you to log back in and test it".
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
