 antdude A Ninja Ant Premium,VIP join:2001-03-25
| Stop Password Masking
»www.useit.com/alertbox/passwords.html
"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures..."
I don't really agree with this if the password needs to be entered twice to be sure they are matching. I do like masking and I know passwords can be revealed on unencrypted connections.
What do you guys think? -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer | |
|
  Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI
·WOW Internet and C..
| Re: Stop Password Masking The only purpose served by masking the password is to reduce the over the shoulder loss of passwords. My experience has been that it isn't needed. Now, if clear text passwords became the norm would that situation change? Unknown.
I have to agree that it is an issue on mobile devices. I have a Blackberry with the multiple letters per key and entering any password is painful.
For the most part I'd like to see my passwords as I type them, but it doesn't really matter since masked passwords are what I'm used to working with. -- When will the people realize that with DRM they aren't purchasing anything? | |
|
 |   antdude A Ninja Ant Premium,VIP join:2001-03-25
| Re: Stop Password Masking
said by Kilroy:
> The only purpose served by masking the password is to reduce the over the shoulder loss of passwords. My experience has been that it isn't needed. Now, if clear text passwords became the norm would that situation change? Unknown.
> I have to agree that it is an issue on mobile devices. I have a Blackberry with the multiple letters per key and entering any password is painful.
> For the most part I'd like to see my passwords as I type them, but it doesn't really matter since masked passwords are what I'm used to working with.
Isn't that why some forms require to re-enter the password to be sure they match? -- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer | |
|
 |   skyroket
join:2001-06-11 Colorado, US
| I am currently using a Samsung Omnia. When you enter a password in most places, it shows you what you typed in for about 1 second, then turns it into a star. The only nuisance is you have to look up from the keys to see what you typed, then look back down, since it's a touch screen, and not a full-sized computer keyboard. | |
|
  pog Premium join:2004-06-03 Kihei, HI
·Hawaiian Telcom
1 edit | From article...
> More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
"Usually" is not "always"... but sure... let's unmask the fields.
edit: Was being a bit sarcastic above... however, since masking is a function of the browser (right?), it could become a user preference. It needn't/shouldn't be up to site operators.
-- My Site | |
|
 |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Stop Password Masking
said by pog:
> edit: Was being a bit sarcastic above... however, since masking is a function of the browser (right?), it could become a user preference. It needn't/shouldn't be up to site operators.
Is it a function of the browser? If so, then where do I change it to unmasked (Firefox, Opera and IE)? Where do I change it in Windows so that I can see what password I type for Vista? I have never used a password on any version of Windows before Vista because I cannot see what I am typing. I always make mistakes. No one is ever looking over my shoulder. I use very simple passwords hoping that will cut down on the mistakes.
So, if there is a setting I can change in my browsers and in Windows please tell me! To me, this has always been extremely inane for home users and for those in offices all the shoulder looker has to do is look at the keyboard. I have never understood how keeping someone from seeing what they typed is a security measure. Rather it is an annoyance and on some sites you get locked out after three tries that are wrong. That would not happen if you could see what you were typing. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason | |
|
 |  |   pog Premium join:2004-06-03 Kihei, HI
·Hawaiian Telcom
1 edit | Re: Stop Password Masking
said by Mele20:
> Is it a function of the browser?
It has to be a function of the browser because what causes it to happen is "type=password" in forms...
That doesn't mean, however, that any browser allows the user to configure the behavior directly. I don't see anything in FF, at least... but someone could maybe write an extension that switches type=password to type=text before rendering.
Oh... here's something that might help... »techie-buzz.com/featured/unmask-···lds.html
edit: the above greasemonkey script works well... you'll need the greasemonkey extension, of course!
-- My Site | |
|
 |  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Stop Password Masking I can't install any extensions currently. I get an install date of 1970 and notice of incompatibility with Fx3. (I can't update the ones I have either). I would try it though.
I need something that is global as Firefox is not the only browser I use. Besides, I like to keep my number of extensions to 10 or less if possible. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason | |
|
 |
 |   Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI
·WOW Internet and C..
| Re: Stop Password Masking
said by EGeezer:
> How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?
That was in the article. Basically set a default configuration, either masked or not masked, and a check box to let the user change it to their liking. -- When will the people realize that with DRM they aren't purchasing anything? | |
|
 |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
|
> How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?
I'm wondering what people are talking about here. Where would a default be set?
I use passwords in numerous places and in numerous ways. It seems to me that there would be almost as many default settings as there are passwords.
What I find more troubling, are the web pages that are designed to prevent your browser or password manager from remembering the passwords for you. -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 | |
|
 |  |  OZO Premium join:2003-01-17
| Re: Stop Password Masking
said by nwrickert:
> > How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?
> I'm wondering what people are talking about here. Where would a default be set?
What do you want to know?
Usually it's a standard control (type Edit Control, flag Password) and therefore it could be changed in one place (including this additional feature to show password in clear text or cover it with ***). Are you asking where settings should be kept? In registry, perhaps. In HKLM hive for all users, HKCU for particular user...
Actually it's a good idea and I support it. 99.9% cases I type password in environment where there is no risk that someone is looking for it over my shoulder. In the rest of the cases (0.01%) I do not mind to ask - please give me a sec of confidentiality if person sitting close to me does not understand what's going on and what is appropriate behavior everyone should exhibit here... There are some dumb folks around like in this case, but it's very rare.
Edit Control may show additional check boxes close to it (on any side of it) or react on the infamous occasion like setting CapsLock is on in a different way - when it's on - show *** (but accept typed characters without converting to upper case), when it's off - show clear password. There are other possibilities if one wants to think.
In my practice with IE I use IE7Pro script "Show Password on MouseOver". It mitigates the problem a bit. But I'd prefer a system wide solution to show password in clear text in almost all cases, except I'd ask to do otherwise. -- Keep it simple, it'll become complex by itself... | |
|
 |  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Stop Password Masking
> Usually it's a standard control (type Edit Control, flag Password) and therefore it could be changed in one place (including this additional feature to show password in clear text or cover it with ***). Are you asking where settings should be kept? In registry, perhaps. In HKLM hive for all users, HKCU for particular user...
Okay, thanks for clearing that up.
Now if you could explain where I find that setting in linux, in solaris, in my SSH server, ...  -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 | |
|
 |  |  |  |  OZO Premium join:2003-01-17 | Re: Stop Password Masking Well, that's why applications should use standard controls. There is no need for different implementations of GUI control sets. -- Keep it simple, it'll become complex by itself... | |
|
 |  |  |  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Stop Password Masking
> Well, that's why applications should use standard controls. There is no need for different implementations of GUI control sets.
That doesn't help with entering passwords in command line applications. -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 | |
|
 |  |  |  |  |  |  OZO Premium join:2003-01-17
1 edit | Re: Stop Password Masking Everything could be possible if you have a determination. I suppose that entering passwords in command line could be redesigned too. It requires additional care, because buffer may keep that for a while, but it's possible to mitigate as well. -- Keep it simple, it'll become complex by itself... | |
|
 |   Its a Secret Whatever Premium join:2008-02-23 U B Funny
·Shaw
| said by EGeezer:
> How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?
Now there's an idea.. Darn, there ya go making sense again... -- "In the future, that which is not mandatory will be illegal" "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous | |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| I could see this maybe being an option for the home users, where the chance (and consequences) of shoulder-surfing are generally far less. I doubt any corporate IT departments would approve though. (PHBs may override, of course, as they often do.)
And I'll definitely echo Kilroy's sentiment about password entry on a phone. Even with a full keyboard, typos are more likely on a phone. And on the subject of typos, PC, phone, or whatever, with a masked field, if you fat-finger something or even think you fat-fingered, you have to start all over, which with a long password can get fairly annoying. -- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause... | |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
|
> "Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures..."
Some of my use of passwords is where the only feedback is the key click or the keyboard feel. And with modern crappy keyboards, that's nothing to shout about.
I do have situations where I login from my office, with a student watching. Or where the student logs in while I'm watching (to see what he is doing wrong). Having the password appear in the clear in that situation is a security issue, so the "doesn't even increase security" assertion is wrong. -- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 | |
|
 Kearnstd Elf Wizard Premium join:2002-01-22 Mullica Hill, NJ
| there is also the fact that many people keep their PWs written somewhere by the PC anyway. especially in work places where the network admins make you change passwords every 30 days. -- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports | |
|
  MacGyver Bell Sucks Premium,ExMod 2003-05 join:2001-10-14 Orleans, ON
·TekSavvy Solutions..
·Bell Sympatico
1 edit | said by antdude:
> "Usability suffers when users type in passwords and the only feedback they get is a row of bullets..." What do you guys think?
I think the person who wrote the article is a {insert term here} who doesn't give two hoots about security. Look at his own website: »www.useit.com/jakob/
And this: »www.useit.com/jakob/photos/ just in case you want a high resolution wallpaper of his many portraits for your desktop wallpaper! | |
|
  DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ clubs:
| My laptop has a fingerprint scanner and when I am setting up automatic log-in information, the typed in password shows as a series of dots, but there is also a button entitled "show password" which when pressed shows the actual password so that I can visually confirm it. | |
|
 |   Anon users
@anonymouse.org
| Re: Stop Password Masking Just DON't do it IF... you are in London streets... especially enjoying WiFi in a outdoor cafe ... there are THOUSANDS of security cam zooming on your unmasked password  | |
|
 |  |   DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ clubs:
| Re: Stop Password Masking
said by Anon users:
> Just DON't do it IF... you are in London streets... especially enjoying WiFi in a outdoor cafe ... there are THOUSANDS of security cam zooming on your unmasked password
LOL - very little chance of that scenario ever occurring in my life. -- Patriotism is not waving a flag, it is living the ideals
Bush & Co. didn't keep us safe - 9/11 happened on their watch! | |
|
  marigolds Gainfully employed, finally Premium,MVM join:2002-05-13 Saint Louis, MO | Not that saved passwords aren't already a significant security issue... but wouldn't this reveal a saved password? | |
|
  Zubenelgenubi
@scinternet.net | Firefox does have an addon called unhide passwords. I use it because I can't type worth a darn. Zuben | |
|
 Shark_615
join:2006-01-17 Pickering, ON | One solution to this 'problem' that I have used and like is to show the character for a brief second as you type and then mask it.
My Samsung Jack does this and it makes it a lot easier to type in password with the small multi-key keyboard | |
|
  JAAulde yum yum yum yum yum Premium,MVM join:2001-05-09 Hagerstown, MD
1 edit | There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.
Further, a site developer could even add a way for user to toggle the masking on and off via client scripting which can switch the field type. -- No eat apple, eat cookie. Apple spoil dinner.
My Development Sandbox | LinkedIn Profile | |
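The toggle described in the post above (and the default-plus-checkbox idea relayed from the article earlier in the thread), as an added example that is not part of the thread and is not JAAulde's jQuery plugin: the field stays `type="password"` unless the user asks to see it, is re-masked on a timer and before submit, and a value that arrived without keystrokes (autofill, the saved-password concern raised earlier) is never revealed. The element ids, the 10-second timeout and the keystroke heuristic are assumptions of this example.

```javascript
// Added example. `field` is any object with `type` and `value`
// (an <input> element in the browser, a plain object in tests).
function createMaskToggle(field, options = {}) {
  const remaskAfterMs = options.remaskAfterMs ?? 10000; // assumed timeout
  const schedule = options.schedule ?? ((fn, ms) => setTimeout(fn, ms));
  const cancel = options.cancel ?? ((id) => clearTimeout(id));
  const onChange = options.onChange ?? (() => {});
  let typedByUser = false; // current value was produced by keystrokes
  let keyPending = false;  // a keydown was seen since the last value change
  let timer = null;

  function mask() {
    if (timer !== null) { cancel(timer); timer = null; }
    field.type = 'password';
    onChange(false);
  }

  function reveal() {
    // Heuristic (assumption): a non-empty value that arrived without
    // keystrokes came from autofill or a password manager. Refuse to show it.
    if (field.value !== '' && !typedByUser) return false;
    if (timer !== null) cancel(timer);
    field.type = 'text';
    timer = schedule(mask, remaskAfterMs); // never stay unmasked indefinitely
    onChange(true);
    return true;
  }

  return {
    reveal,
    mask,
    noteKeystroke() { keyPending = true; },
    noteValueChanged() {
      typedByUser = keyPending && field.value !== '';
      keyPending = false;
      // Value replaced while revealed (e.g. autofill): hide it again.
      if (field.value !== '' && !typedByUser) mask();
    },
    toggle() {
      if (field.type === 'password') return reveal();
      mask();
      return false;
    },
  };
}

// Browser wiring; skipped when there is no DOM.
if (typeof document !== 'undefined') {
  const field = document.querySelector('#password');    // hypothetical id
  const box = document.querySelector('#show-password'); // hypothetical checkbox
  if (field && box) {
    const ctl = createMaskToggle(field, {
      onChange: (revealed) => { box.checked = revealed; },
    });
    field.addEventListener('keydown', () => ctl.noteKeystroke());
    field.addEventListener('input', () => ctl.noteValueChanged());
    box.addEventListener('change', () => {
      if (box.checked) box.checked = ctl.reveal(); // stays unchecked if refused
      else ctl.mask();
    });
    // Submit as type="password" so the browser still treats it as a password.
    if (field.form) field.form.addEventListener('submit', () => ctl.mask());
  }
}
```

Because the field is only ever switched to `text` temporarily, password managers still see a password field, which is the saving behaviour OZO's reply below is concerned about.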
|
 |  OZO Premium join:2003-01-17
| Re: Stop Password Masking
said by JAAulde:
> There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.
You're right, it's possible to change web page code. There are some problems though.
• Who knows better the way to enter password, web master or person who enters it? I think it's the latter one. He may look around and decide that it's secure to type in password in clear text. But what if he must enter it covered with *** and page contains "text" type of field?
• Some people want the browser to keep passwords for them. It's not secure and I'd not recommend it, but that's what they want. I guess browsers save those values for fields with type "password". But if web developer will omit this type in forms - it may change the way how passwords are saved in browser.
So, I think the way how to enter password (secure or insecure) should be in hands of user who actually does it. -- Keep it simple, it'll become complex by itself... | |
|
 |  |   JAAulde yum yum yum yum yum Premium,MVM join:2001-05-09 Hagerstown, MD
1 edit | Re: Stop Password Masking
said by OZO:
> said by JAAulde:
> > There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.
> You're right, it's possible to change web page code. There are some problems though.
> • Who knows better the way to enter password, web master or person who enters it? I think it's the latter one. He may look around and decide that it's secure to type in password in clear text. But what if he must enter it covered with *** and page contains "text" type of field?
> • Some people want the browser to keep passwords for them. It's not secure and I'd not recommend it, but that's what they want. I guess browsers save those values for fields with type "password". But if web developer will omit this type in forms - it may change the way how passwords are saved in browser.
> So, I think the way how to enter password (secure or insecure) should be in hands of user who actually does it.
I believe the site operator should have some say in things depending upon the nature of his site, though users who wish to modify behavior should certainly be free to do so.
That said, I also said:
said by JAAulde:
> Further, a site developer could even add a way for user to toggle the masking on and off via client scripting which can switch the field type.
And I am now writing a jQuery plugin for this. -- No eat apple, eat cookie. Apple spoil dinner.
My Development Sandbox | LinkedIn Profile | |
|
  DaveNJ No Fear
join:1999-09-01 New Jersey | It doesn't work right. The last letter should always be visible for a few seconds, so you can confirm it. | |
|
  Wills
join:2001-01-03 Port Charlotte, FL | But what if your password IS 8 asterisks? | |
|
 NefCanuck
join:2007-06-26 Mississauga, ON
·Bell Sympatico
| Honestly, given the way that most sites require you to confirm your password and the fact that most browsers allow "remembering" the login/password combo per user account, this makes zero sense to me.
Unless you are constantly using other machines and even then there are programs to assist, like RoboForm for instance.
It is, as others have expressed, a major security hole that isn't needed (in addition to all the other security holes that are already present, including the nut attached to the keyboard )
NefCanuck | |
|
 |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Stop Password Masking
said by NefCanuck:
> Honestly, given the way that most sites require you to confirm your password and the fact that most browsers allow "remembering" the login/password combo per user account, this makes zero sense to me.
> Unless you are constantly using other machines and even then there are programs to assist, like RoboForm for instance.
> It is, as others have expressed, a major security hole that isn't needed (in addition to all the other security holes that are already present, including the nut attached to the keyboard )
> NefCanuck
A MAJOR SECURITY HOLE is allowing a browser to save passwords! I have NEVER allowed that and never will. I always look up the password in my file (I don't use the same password for every site) and type it in. At sites where I visit every day, I allow permanent cookies and tell the site to always remember me. Otherwise, I allow no cookies especially no session ones which are really dumb as most folks never shut down their computers these days, or browsers, so session cookies become permanent ones ...thus you need to not allow cookies except at a very few trusted sites where you wish to stay logged in, or want to purchase something, etc.
Besides, what does that have to do with Windows? I'm going to remove my password on my Vista account as I can't see what I am typing and I keep getting it wrong. I don't have a laptop and hope to never have one so I don't have the problem of using a computer in public. In fact, I leave my home in order to get AWAY from the computer not to drag it with me and use it in a coffee shop!
I tried Roboform and it promptly locked the computer so bad at 100% CPU that I could not even bring up Task Manager. I tried it years ago on 98SE and more recently on XP Pro with the same result and this was on three different machines. I think Roboform is a terrible program. I got no help either. Roboform just told me to uninstall it. -- "The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason | |
|
 |  |   Grail Knight Who Dares Wins Premium join:2003-05-31
·Verizon Online DSL
| Re: Stop Password Masking Another MAJOR SECURITY HOLE is to write passwords and usernames down on paper thinking that no one will ever be in your home to see them other than that landlord with the wandering eye.
Never had an issue with roboform ever and it is a top notch program for those it works for which by all appearances is widespread.
I personally will never own a desktop again when notebooks offer the freedom to roam and as free wi-fi here anyway is available I can surf and drink coffee. -- "Facts not FUD!" | |
|
  james
join:2001-02-26 antarctica | I like password masking, I'd rather not have to cover my screen so some douchebag walking by doesn't find out my password. | |
|
 |
  techjoe Premium join:2004-02-20 Schererville, IN
| As someone else mentioned, the only time I want my password unmasked is on my berry. I use complex 10+ char passwords for *everything* and it's like doing a finger ballet to type them out with symbols, caps, numbers, etc. Don't forget to navigate into the Symbol menu to get to the ones NOT on the default keyboard layout. !@@#$*(#&@$@# 
As for web sites, workstations, etc I like masking. I do a lot of screen sharing and work amongst others on a regular basis and it's easy enough to tell if someone's tailgating line of sight to the keyboard. I type fast too. Those make me feel more secure than trying to ensure nobody is watching the monitor. And in situations where others are remotely viewing it, no way at all obviously. -- Baka wa shinanakya naoranai | |
|
  Its a Secret Whatever Premium join:2008-02-23 U B Funny | Ahh, the aliens have returned the real Mele. Welcome back!  | |
|
 |
 |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Stop Password Masking I think Schneier sums it up well with
said by Schneier:
> I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11 | |
|