

nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to antdude
Re: Stop Password Masking

Bruce Schneier comments on this:

»www.schneier.com/blog/archives/2···_co.html
I think Schneier sums it up well with
said by Schneier :
I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.
--
AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25
 reply to antdude
Bruce Schneier comments on this:

»www.schneier.com/blog/archives/2···_co.html


Grail Knight
Who Dares Wins
Premium
join:2003-05-31
·Verizon Online DSL

reply to Mele20
Another MAJOR SECURITY HOLE is to write passwords and usernames down on paper thinking that no one will ever be in your home to see them other than that landlord with the wandering eye.

Never had an issue with roboform ever and it is a top notch program for those it works for which by all appearances is widespread.

I personally will never own a desktop again when notebooks offer the freedom to roam and as free wi-fi here anyway is available I can surf and drink coffee.
--
"Facts not FUD!"

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to pog
I can't install any extensions currently. I get an install date of 1970 and notice of incompatibility with Fx3. (I can't update the ones I have either). I would try it though.

I need something that is global as Firefox is not the only browser I use. Besides, I like to keep my number of extensions to 10 or less if possible.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


Its a Secret
Whatever
Premium
join:2008-02-23
U B Funny
reply to antdude
Ahh, the aliens have returned the real Mele. Welcome back!

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to NefCanuck
said by NefCanuck :

Honestly, given the way that most sites require you to confirm your password and the fact that most browsers allow "remembering" the login/password combo per user account, this makes zero sense to me.

Unless you are constantly using other machines and even then there are programs to assist, like RoboForm for instance.

It is, as others have expressed, a major security hole that isn't needed (in addition to all the other security holes that are already present, including the nut attached to the keyboard )
NefCanuck
A MAJOR SECURITY HOLE is allowing a browser to save passwords! I have NEVER allowed that and never will. I always look up the password in my file (I don't use the same password for every site) and type it in. At sites where I visit every day, I allow permanent cookies and tell the site to always remember me. Otherwise, I allow no cookies especially no session ones which are really dumb as most folks never shut down their computers these days, or browsers, so session cookies become permanent ones ...thus you need to not allow cookies except at a very few trusted sites where you wish to stay logged in, or want to purchase something, etc.

Besides, what does that have to do with Windows? I'm going to remove my password on my Vista account as I can't see what I am typing and I keep getting it wrong. I don't have a laptop and hope to never have one so I don't have the problem of using a computer in public. In fact, I leave my home in order to get AWAY from the computer not to drag it with me and use it in a coffee shop!

I tried Roboform and it promptly locked the computer so bad at 100% CPU that I could not even bring up Task Manager. I tried it years ago on 98SE and more recently on XP Pro with the same result and this was on three different machines. I think Roboform is a terrible program. I got no help either. Roboform just told me to uninstall it.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason


techjoe
Premium
join:2004-02-20
Schererville, IN

reply to antdude
As someone else mentioned, the only time I want my password unmasked is on my berry. I use complex 10+ char passwords for *everything* and it's like doing a finger ballet to type them out with symbols, caps, numbers, etc. Don't forget to navigate into the Symbol menu to get to the ones NOT on the default keyboard layout. !@@#$*(#&@$@#

As for web sites, workstations, etc I like masking. I do a lot of screen sharing and work amongst others on a regular basis and it's easy enough to tell if someone's tailgating line of sight to the keyboard. I type fast too. Those make me feel more secure than trying to ensure nobody is watching the monitor. And in situations where others are remotely viewing it, no way at all obviously.
--
Baka wa shinanakya naoranai


antdude
A Ninja Ant
Premium,VIP
join:2001-03-25


1 edit
reply to antdude
»it.slashdot.org/article.pl?sid=0···/1856214 posted this UseIt article.

Someone brought up a good point about masked password that is shown in public like on a projector.


JAAulde
yum yum yum yum yum
Premium,MVM
join:2001-05-09
Hagerstown, MD


1 edit
reply to OZO
said by OZO :

said by JAAulde :

There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.
You're right, it's possible to change web page code. There are some problems though.
• Who knows better the way to enter password, web master or person who enters it? I think it's the latter one. He may look around and decide that it's secure to type in password in clear text. But what if he must enter it covered with *** and page contains "text" type of field?
• Some people want the browser to keep passwords for them. It's not secure and I'd not recommend it, but that's what they want. I guess browsers save those values for fields with type "password". But if web developer will omit this type in forms - it may change the way how passwords are saved in browser.

So, I think the way how to enter password (secure or insecure) should be in hands of user who actually does it.
I believe the site operator should have some say in things depending upon the nature of his site, though users who wish to modify behavior should certainly be free to do so.

That said, I also said:
said by JAAulde :

Further, a site developer could even add a way for user to toggle the masking on and off via client scripting which can switch the field type.
And I am now writing a jQuery plugin for this.
--
No eat apple, eat cookie. Apple spoil dinner.

My Development Sandbox | LinkedIn Profile

OZO
Premium
join:2003-01-17

reply to JAAulde
said by JAAulde :

There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.
You're right, it's possible to change web page code. There are some problems though.
• Who knows better the way to enter password, web master or person who enters it? I think it's the latter one. He may look around and decide that it's secure to type in password in clear text. But what if he must enter it covered with *** and page contains "text" type of field?
• Some people want the browser to keep passwords for them. It's not secure and I'd not recommend it, but that's what they want. I guess browsers save those values for fields with type "password". But if web developer will omit this type in forms - it may change the way how passwords are saved in browser.

So, I think the way how to enter password (secure or insecure) should be in hands of user who actually does it.
--
Keep it simple, it'll become complex by itself...


pog
Premium
join:2004-06-03
Kihei, HI
·Hawaiian Telcom


1 edit
reply to Mele20
said by Mele20 :

Is it a function of the browser?
It has to be a function of the browser because what causes it to happen is "type=password" in forms...

That doesn't mean, however, that any browser allows the user to configure the behavior directly. I don't see anything in FF, at least... but someone could maybe write an extension that switches type=password to type=text before rendering.

Oh... here's something that might help... »techie-buzz.com/featured/unmask-···lds.html

edit: the above greasemonkey script works well... you'll need the greasemonkey extension, of course!

--
My Site


james

join:2001-02-26
antarctica
reply to antdude
I like password masking, I'd rather not have to cover my screen so some douchebag walking by doesn't find out my password.

NefCanuck

join:2007-06-26
Mississauga, ON
·Bell Sympatico

reply to antdude
Honestly, given the way that most sites require you to confirm your password and the fact that most browsers allow "remembering" the login/password combo per user account, this makes zero sense to me.

Unless you are constantly using other machines and even then there are programs to assist, like RoboForm for instance.

It is, as others have expressed, a major security hole that isn't needed (in addition to all the other security holes that are already present, including the nut attached to the keyboard )

NefCanuck


Wills

join:2001-01-03
Port Charlotte, FL
reply to antdude
But what if your password IS 8 asterisks?


DownTheShore
Maddie Knows Poopie
Premium
join:2003-12-02
Beautiful NJ

reply to Anon users
said by Anon users :

Just DON'T do it IF... you are in London streets... especially enjoying WiFi in an outdoor cafe ... there are THOUSANDS of security cam zooming on your unmasked password
LOL - very little chance of that scenario ever occurring in my life.
--
Patriotism is not waving a flag, it is living the ideals

Bush & Co. didn't keep us safe - 9/11 happened on their watch!


DaveNJ
No Fear

join:1999-09-01
New Jersey
reply to antdude
It doesn't work right. The last letter should always be visible for a few seconds, so you can confirm it.


JAAulde
yum yum yum yum yum
Premium,MVM
join:2001-05-09
Hagerstown, MD


1 edit
reply to antdude
There is no change needed in browser code as far as this behavior goes. If a site operator decides that he is OK with possible over-the-shoulder password lifting for accounts on his site, he can use an input field of type "text" rather than type "password". The browser behavior of masking is the only difference between the two field types, and should be left as is such that the option is available.

Further, a site developer could even add a way for user to toggle the masking on and off via client scripting which can switch the field type.
--
No eat apple, eat cookie. Apple spoil dinner.

My Development Sandbox | LinkedIn Profile

Shark_615

join:2006-01-17
Pickering, ON
reply to antdude
One solution to this 'problem' that I have used and like is to show the character for a brief second as you type and then mask it.

My Samsung Jack does this and it makes it a lot easier to type in a password with the small multi-key keyboard.


Zubenelgenubi

@scinternet.net
reply to antdude
Firefox does have an addon called unhide passwords. I use it because I can't type worth a darn.
Zuben


marigolds
Gainfully employed, finally
Premium,MVM
join:2002-05-13
Saint Louis, MO
reply to antdude
Not that saved passwords aren't already a significant security issue... but wouldn't this reveal a saved password?
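
The client-side toggle JAAulde describes above, combined with marigolds' concern about exposing a saved password, as an added example that is not part of the thread and is not JAAulde's plugin: the control refuses to unmask a value that arrived without keystrokes and re-masks on blur, on submit, or after a timeout. The names `createRevealToggle` and `revealMs`, and the keystroke heuristic for spotting browser-filled values, are assumptions of this example.

```javascript
// Added example, not code from the thread. `field` is anything exposing the
// part of HTMLInputElement used here: type, value, form, addEventListener.
function createRevealToggle(field, opts = {}) {
  const revealMs = opts.revealMs ?? 5000;        // assumed auto re-mask delay
  const setTimer = opts.setTimer ?? setTimeout;  // injectable so tests need no real clock
  const clearTimer = opts.clearTimer ?? clearTimeout;

  let tainted = field.value !== ""; // pre-filled before attach: not typed in this session
  let sawKey = false;               // a key is currently driving the next input event
  let timer = null;

  function mask() {
    if (timer !== null) { clearTimer(timer); timer = null; }
    field.type = "password";
  }

  function reveal() {
    // Never unmask a value that arrived without keystrokes (saved or autofilled).
    if (tainted || field.value === "") return false;
    mask();                         // cancel any timer from an earlier reveal
    field.type = "text";
    timer = setTimer(mask, revealMs);
    return true;
  }

  field.addEventListener("keydown", () => { sawKey = true; });
  field.addEventListener("keyup", () => { sawKey = false; });
  field.addEventListener("input", () => {
    if (!sawKey) { tainted = true; mask(); }       // value changed with no key press
    else if (field.value === "") tainted = false;  // user emptied the field by hand
    sawKey = false;
  });
  field.addEventListener("blur", mask);            // focus leaves: hide again
  if (field.form) field.form.addEventListener("submit", mask);

  return {
    reveal,
    mask,
    // Returns true only when the field ends up visible.
    toggle: () => (field.type === "text" ? (mask(), false) : reveal()),
  };
}
```

In a page, pass the real password input element and wire `toggle()` to a checkbox or button next to it; a mouse-driven paste is treated like autofill and stays masked, which is the conservative choice.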
Saturday, 05-Dec 04:18:21 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.