antdude A Ninja Ant Premium,VIP join:2001-03-25
Stop Password Masking
»www.useit.com/alertbox/passwords.html
"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures..."
I don't really agree with this if the password needs to be entered twice to be sure they are matching. I do like masking, and I know passwords can be revealed on unencrypted connections.
What do you guys think?
-- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI
·WOW Internet and C..
The only purpose served by masking the password is to reduce the over-the-shoulder loss of passwords. My experience has been that it isn't needed. Now, if clear-text passwords became the norm, would that situation change? Unknown.
I have to agree that it is an issue on mobile devices. I have a Blackberry with multiple letters per key, and entering any password is painful.
For the most part I'd like to see my passwords as I type them, but it doesn't really matter, since masked passwords are what I'm used to working with.
-- When will the people realize that with DRM they aren't purchasing anything?
pog Premium join:2004-06-03 Kihei, HI
·Hawaiian Telcom
1 edit | reply to antdude
From article...
"More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue."
"Usually" is not "always"... but sure... let's unmask the fields.
edit: Was being a bit sarcastic above... however, since masking is a function of the browser (right?), it could become a user preference. It needn't/shouldn't be up to site operators.
-- My Site
antdude A Ninja Ant Premium,VIP join:2001-03-25
reply to Kilroy
said by Kilroy: "The only purpose served by masking the password is to reduce the over-the-shoulder loss of passwords. My experience has been that it isn't needed. Now, if clear-text passwords became the norm, would that situation change? Unknown. I have to agree that it is an issue on mobile devices. I have a Blackberry with multiple letters per key, and entering any password is painful. For the most part I'd like to see my passwords as I type them, but it doesn't really matter, since masked passwords are what I'm used to working with."
Isn't that why some forms require you to re-enter the password, to be sure they match?
-- Ant @ »antfarm.ma.cx and »aqfl.net. Please do not IM/e-mail me for technical support. Use the forum! Disclaimer: The views expressed in this posting are mine, and do not necessarily reflect the views of my employer
EGeezer Go Bobcats Premium join:2002-08-04 Country!
·Callcentric
·RoadRunner Cable
·AT&T CallVantage
reply to antdude
How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?
Now there's an idea..
-- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX
·RoadRunner Cable
reply to antdude
I could see this maybe being an option for home users, where the chance (and consequences) of shoulder-surfing are generally far less. I doubt any corporate IT departments would approve, though. (PHBs may override, of course, as they often do.)
And I'll definitely echo Kilroy's sentiment about password entry on a phone. Even with a full keyboard, typos are more likely on a phone. And on the subject of typos, PC, phone, or whatever, with a masked field, if you fat-finger something or even think you fat-fingered, you have to start all over, which with a long password can get fairly annoying.
-- The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon profitable cause...
Kilroy Premium,MVM join:2002-11-21 Ann Arbor, MI
·WOW Internet and C..
reply to EGeezer
said by EGeezer: "How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?"
That was in the article. Basically, set a default configuration, either masked or not masked, and a check box to let the user change it to their liking.
-- When will the people realize that with DRM they aren't purchasing anything?
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
reply to antdude
"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures..."
Some of my use of passwords is where the only feedback is the key click or the keyboard feel. And with modern crappy keyboards, that's nothing to shout about.
I do have situations where I log in from my office, with a student watching. Or where the student logs in while I'm watching (to see what he is doing wrong). Having the password appear in the clear in that situation is a security issue, so the "doesn't even increase security" assertion is wrong.
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
reply to EGeezer
said by EGeezer: "How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements?"
I'm wondering what people are talking about here. Where would a default be set?
I use passwords in numerous places and in numerous ways. It seems to me that there would be almost as many default settings as there are passwords.
What I find more troubling are the web pages that are designed to prevent your browser or password manager from remembering the passwords for you.
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
OZO Premium join:2003-01-17
said by nwrickert: "How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements? I'm wondering what people are talking about here. Where would a default be set?"
What do you want to know?
Usually it's a standard control (type Edit Control, flag Password) and therefore it could be changed in one place (including this additional feature to show the password in clear text or cover it with ***). Are you asking where settings should be kept? In the registry, perhaps. In the HKLM hive for all users, HKCU for a particular user...
Actually it's a good idea and I support it. In 99.9% of cases I type a password in an environment where there is no risk that someone is looking at it over my shoulder. In the rest of the cases (0.01%) I do not mind asking: please give me a sec of confidentiality, if the person sitting close to me does not understand what's going on and what appropriate behavior everyone should exhibit here... There are some dumb folks around, like in this case, but it's very rare.
Edit Control may show additional check boxes close to it (on any side of it), or react to the infamous occasion of Caps Lock being on in a different way: when it's on, show *** (but accept typed characters without converting to upper case); when it's off, show the clear password. There are other possibilities if one wants to think.
In my practice with IE I use the IE7Pro script "Show Password on MouseOver". It mitigates the problem a bit. But I'd prefer a system-wide solution to show the password in clear text in almost all cases, except when I'd ask to do otherwise.
-- Keep it simple, it'll become complex by itself...
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
said by OZO: "Usually it's a standard control (type Edit Control, flag Password) and therefore it could be changed in one place (including this additional feature to show the password in clear text or cover it with ***). Are you asking where settings should be kept? In the registry, perhaps. In the HKLM hive for all users, HKCU for a particular user..."
Okay, thanks for clearing that up.
Now if you could explain where I find that setting in Linux, in Solaris, in my SSH server, ...
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
OZO Premium join:2003-01-17
Well, that's why applications should use standard controls. There is no need for different implementations of GUI control sets.
-- Keep it simple, it'll become complex by itself...
skyroket join:2001-06-11 Colorado, US
reply to Kilroy
I am currently using a Samsung Omnia. When you enter a password in most places, it shows you what you typed for about 1 second, then turns it into a star. The only nuisance is you have to look up from the keys to see what you typed, then look back down, since it's a touch screen and not a full-sized computer keyboard.
nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
reply to OZO
said by OZO: "Well, that's why applications should use standard controls. There is no need for different implementations of GUI control sets."
That doesn't help with entering passwords in command line applications.
-- AT&T dsl; Speedstream 5100b modem; openSuSE 11.0; firefox 3.0.11
OZO Premium join:2003-01-17
1 edit
Everything could be possible if you have determination. I suppose that entering passwords on the command line could be redesigned too. It requires additional care, because a buffer may keep it for a while, but it's possible to mitigate as well.
-- Keep it simple, it'll become complex by itself...
Its a Secret Whatever Premium join:2008-02-23 U B Funny
·Shaw
reply to EGeezer
said by EGeezer: "How about setting a default which can be overridden depending on the user's or administrator's preferences or requirements? Now there's an idea.."
Darn, there ya go making sense again...
-- "In the future, that which is not mandatory will be illegal" "Nobody knows the age of the human race, but everybody agrees that it is old enough to know better" - Anonymous
Kearnstd Elf Wizard Premium join:2002-01-22 Mullica Hill, NJ
reply to antdude
There is also the fact that many people keep their PWs written somewhere by the PC anyway, especially in workplaces where the network admins make you change passwords every 30 days.
-- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports
MacGyver Bell Sucks Premium,ExMod 2003-05 join:2001-10-14 Orleans, ON
·TekSavvy Solutions..
·Bell Sympatico
1 edit
reply to antdude
said by antdude: "'Usability suffers when users type in passwords and the only feedback they get is a row of bullets...' What do you guys think?"
I think the person who wrote the article is a {insert term here} who doesn't give two hoots about security. Look at his own website: »www.useit.com/jakob/
And this: »www.useit.com/jakob/photos/ just in case you want a high-resolution wallpaper of his many portraits for your desktop wallpaper!
DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ
reply to antdude
My laptop has a fingerprint scanner, and when I am setting up automatic log-in information, the typed-in password shows as a series of dots, but there is also a button entitled "show password" which, when pressed, shows the actual password so that I can visually confirm it.
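The "default that the user can override" proposed by EGeezer and Kilroy, the reveal-on-demand button DownTheShore describes, and the one-second preview of the last typed character skyroket mentions all come down to a small amount of client-side state around the password field. The following is an added example written for this page, not code from any poster or from the useit.com article: the display logic is kept in pure functions so it can be checked outside a browser, the wiring works against real DOM elements (`input.type`, `checkbox.checked`, `addEventListener`, `setAttribute`) or against the constructed stand-in elements built in `demoToggle()`, and the element ids in the closing comment are assumptions. Clear text is only ever shown after an explicit user action and the choice is not persisted anywhere, so the site default applies again on the next page load.

```javascript
const MASK_CHAR = '\u2022'; // bullet shown for each masked character

// What the user sees for a given value. With revealLast the most recently
// typed character stays visible, the brief preview that phone keyboards use.
function renderPasswordDisplay(value, masked, revealLast = false) {
  if (!masked || value.length === 0) return value;
  if (!revealLast) return MASK_CHAR.repeat(value.length);
  return MASK_CHAR.repeat(value.length - 1) + value[value.length - 1];
}

// Wire an <input> and a "show password" checkbox. The site or administrator
// default decides the initial state; after that the checkbox is the truth.
// Returns the input type currently in effect ('password' or 'text').
function attachShowPasswordToggle(input, checkbox, siteDefaultMasked = true) {
  checkbox.checked = !siteDefaultMasked;
  const apply = () => {
    input.type = checkbox.checked ? 'text' : 'password';
    // Clear text must not be spell-checked or auto-capitalised by the browser.
    input.setAttribute('spellcheck', 'false');
    input.setAttribute('autocapitalize', 'off');
    return input.type;
  };
  checkbox.addEventListener('change', apply);
  return apply();
}

// Constructed stand-in for a DOM element, so the wiring can be exercised
// outside a browser (real elements expose the same members used above).
function makeStandInElement(props) {
  const listeners = {};
  return Object.assign(
    {
      attrs: {},
      addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
      dispatch(type) { (listeners[type] || []).forEach((fn) => fn()); },
      setAttribute(name, value) { this.attrs[name] = value; },
    },
    props,
  );
}

// Walk a field through: initial state from the site default, user ticks the
// "show password" box, user unticks it again. Returns the three input types.
function demoToggle(siteDefaultMasked = true) {
  const input = makeStandInElement({ type: 'password' });
  const box = makeStandInElement({ checked: false });
  const states = [attachShowPasswordToggle(input, box, siteDefaultMasked)];
  box.checked = true;
  box.dispatch('change');
  states.push(input.type);
  box.checked = false;
  box.dispatch('change');
  states.push(input.type);
  return states;
}

// In a browser (assumed ids): attachShowPasswordToggle(
//   document.getElementById('pw'), document.getElementById('show-pw'), true);
console.log(demoToggle()); // ['password', 'text', 'password']
```

Switching `input.type` between `password` and `text` is what browsers' own "eye" buttons do, and it leaves the form submission and any password manager integration untouched; `renderPasswordDisplay` is only needed when a custom widget draws the field itself, which is where the last-character preview can be offered without the browser's help.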
Anon users @anonymouse.org
Just DON'T do it IF... you are in London streets... especially enjoying WiFi in an outdoor cafe... there are THOUSANDS of security cams zooming in on your unmasked password