Nielsen Recommends Not Masking Passwords
Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"
Usability? What the hell is he talking about? The user doesn't see the dots, only other people see those. The user should see their own password when they type it. Maybe he should check his glasses because those characters must be so blurry to him that they look like dots.
Nielsen is finally getting even for that old prank we pulled on him back in the day ;)
http://bash.org/?244321
Usability expert and columnist Jakob Nielsen
Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability. And for a second there I was afraid he was just doing this for attention.
... no input is recorded in any way on the screen. Now that's a usability nightmare when you can't even backspace to correct your errors. I don't think I've seen this since my days in a computer lab at college, but I think sacrificing a few login attempts' worth of time is worth the security.
Mr. Nielsen, could you send us screenshots of a working example? Perhaps show us what it looks like when you log into the administrative console now with your password entered in, and then a screenshot of the way you think it would be more usable. I'll review them and let you know in a most interesting way what I think.
Perhaps you should read up on our friend Kevin Mitnick and NASA "Hacker" Gary McKinnon, both of whom are no strangers to the over-the-shoulder attack. Really, I'm no security expert or pen tester, but I'm going to speculate that these 'soft hacks' are some of the most dangerous vulnerabilities left. Your suggestion just makes them all the easier. I personally would like to see the standard bumped up to the level of the input box not even being masked
Typically, masking passwords doesn't even increase security ...
[citation desperately needed]
... I mean it's bad enough that the sound waves of my keystrokes are floating around telling people my password. Sorry to go all tinfoil hat on you there.
I think back to the few times when I've entered my password accidentally into the username box because the tab key I hit didn't register or the site didn't support it and I just felt nervous and dirty and needed to change my password. Just knowing that there were photons and radiation everywhere in my cube belying my password to anyone who cared to capture them
My work here is dung.
Shoulder surfing.
Seriously, is this guy supposed to be an expert?
This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.
but it does cost you business due to login failures.
I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker.
Wake up, buddy.
Whale
Howzabout we make it optional, so people can decide for themselves?
What if I do the same thing, and I do get different results?
nuff said.
Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.
End of lesson. You may press the button.
You know, he makes a lot of sense. We should also drop encrypting passwords on the system as well. It's ridiculous that people should have to reset a password in order to recover access! It should all be stored in plain text somewhere.
I agree, it's time to switch to the Unix password entry scheme. No feedback is good feedback!
...but the iPhone has a good compromise: as you type in your iTunes password, the letter you just typed in gets bulleted. This is especially important for those of us who have trouble with typos on a regular keyboard, never mind the phone's.
"I guess the moral of the story is, don't paint your airship with rocket fuel." -- Addison Bain
Better to have one and not need it, than to need one and not have it.
does he ever type his password in front of other people?
weinersmith
My guess is that everyone's already figured out what Nielsen has suggested, but they don't want to change it for legal reasons. You don't want an expert witness testifying in court that a password may have been stolen through eavesdropping.
Otherwise, yeah... first two attempts should be masked, subsequent attempts cleartext by default with a checkoff option to mask. ATM and debit card readers, always masked, no option.
If you're not sure you're entering your password correctly, look around, ensure nobody's looking over your shoulder, and then type your password into the user id field. If it's correct, back space and enter your user id, and then the password.
Imagine your Willy being smacked until it bleeds.
J.delanoy
Using a masked password to protect security is useless 99% of the time you are typing in a password. The only time it is useful is if you are in a semi-public environment (classroom, coffee shop, etc). I suppose it might also be useful if you log into highly secure sites and are worried about someone across the street with binoculars looking through your window, but then you have other security issues to worry about :)
Perhaps a checkbox, off by default, next to password boxes that will toggle the mask.
12345
IMHO passwords should be fully visible when a user is either changing their password, or registering a new account. This means we no longer need to confirm passwords twice when registering. And it still cuts down on the number of times when a password is visible and vulnerable to other people.
A Magic the Gathering Article and Forum Aggregator
Does anyone ever think it's weird to actually look at your password? I never write them down, and I remember them mostly by the location of the keys on the keyboard, not by the actual text. To me, it's quite unnatural to look at a password.
Change your password to **********
The sad truth is that better methods for handling password boxes have existed for years but haven't been picked up for whatever reason. The truth is that Microsoft really does deserve a fair bit of blame considering the OS generates most password boxes.
A nice password box that I've used would display the last character you typed for a very short period of time and then convert it into a dot. So as you type you can read it back to yourself but without really making it easy for anyone around you to see your completed password. Worked great.
I look forward to a future where all computers have biometric equipment and project-natal-esque face recognition SO I NEVER NEED TO REMEMBER ANOTHER PASSWORD AGAIN!
Ever logged in to a computer connected to an LCD projector?
Isn't security always a balancing act against usability? The inconvenience of not being able to read a password as you type seems pretty minimal when weighed against the damage that could be caused when some mildly educated user I pissed off swipes my password by taking a look over my shoulder one day and decides to get even. And I'm pretty sure you could just as easily lose a client whose accounts were so easily compromised...as well as rack up some pretty epic fines in civil litigation if the circumstances are right. Don't we have more important security issues to be debating these days?
Our company has support analysts that will shadow a user's machine for troubleshooting. The masking is a necessity for us. We want plausible deniability if someone claims a hacked account.
I wonder why they don't do this with cash machines; it sure would make skimming easier, rather than having to look at those fingers! Idiots! Now we can crash a co-worker's computer and get to watch the password being typed in.
typically, masking passwords doesn't even increase security, but it does cost you business due to login failures
Let's see here.... In a school setting (college or otherwise), let's say a computer in the lab breaks. You are a semi-competent CS student and the admin goes over to fix it. He types in the root password; if it was visible, you just got root on any computer at the university and could do whatever you wanted. However, if it was masked, it wouldn't be that easy.
As for business, what person can't type in 6-10 characters (average length of a password) and can't get it right in 1-5 tries? Really, the only excuse for that is if you aren't using a keyboard and even then things like the iPhone assist you in showing the plain text for a time then blanking it. I see no reason not to mask passwords and thousands of arguments for it.
Taxation is legalized theft, no more, no less.
In crowded areas like a call center (and some NOCs) it is necessary to obfuscate passwords. At home or a private office, maybe not. Perhaps letting the admin or user decide is practical. Although the suggestion would no doubt start a major, and hostile, conflagration.
-- Consensus - 50% probability that the majority are wrong.
If people are too stupid to hit the right keys without more feedback than the knowledge they have hit a key then they probably should be taken out back and shot. (or are too intoxicated to be making a purchase and glad or the service)
+----------------- | What is the question!
If someone can shoulder-surf, 99% of the time they have physical access and all security is null. If they can see your ***ed password on the screen, then they can see your fingers type the characters of your password on the keyboard (again with 1% exceptions like keyboard covers and remote displays). If a malicious person can see your screen, then they are probably close enough that they can tap your cables, install hardware keyloggers, sniff your EMF, cold boot your RAM and grep it, do audio analysis of your typing and decipher your keystrokes, etc.
***ing your passwords protects against a very small hole....the situation where someone is allowed to see your screen but is searched to make sure they have no monitoring equipment, has the keyboard kept out of sight, and isn't allowed to touch anything.
------ Take away the right to say fuck and you take away the right to say fuck the government.
37signals on Avoiding Preferences
I hate preferences. Just let me sign in and move on.
Really, what good are the dots? It doesn't prevent someone from looking over your shoulder. A villain can just look at your keyboard while you type. Maybe it's of some use on a public terminal, but I check my six before I type in a security password anyway.
The obscured pass(word|phrase|key) has been the most aggravating while trying to type in a strong WiFi password on an iPhone (pre 2.something-or-nother update). Try it. The aggravation is pure ecstasy. Luckily Apple has wised up and shows you the last character you've typed, at least.
And how about disabling paste from a security box. You can't verify your passkey when you're troubleshooting. A determined villain can get to it anyway, especially if they have access to your machine. Don't even get me started on the 'super' secure entry boxes where you can't paste TO the security edit box.
Why not get rid of the concept of passwords? Isn't public key-cryptography perfectly designed to do so?
One of the most irritating things is the way many websites, especially financial websites, are designed with no thought to the difference between use in a public setting and use in a private setting. For instance, I only ever use my banking website from one place, my den, which is physically secure, yet I have to suffer through all sorts of crap designed to make sure my account doesn't get compromised in a public setting. (The most annoying being automatic log outs for non-use.)
Masking passwords, logging off the user on non-use after ten minutes, and other such security methods do not actually decrease the chance of compromise significantly when the user has physical security. Websites should allow for this.
The cake is a pie
1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.
2) How many times have you typed in your password while somebody was looking at your screen eg. to show somebody something on a protected website. This happens a lot to tech people as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.
3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (eg. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.
4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux
Custom electronics and digital signage for your business: www.evcircuits.com
And, surprise, that's exactly what TFA recommends! Quote:
Are you adequate?
Having the characters flash like the iPhone totally defeats the purpose of masking the characters in my opinion.
Showing dots instead of characters is a way for people to notice when they accidentally hit two keys instead of one while not giving up that password which is supposed to be secured even if someone is beside you watching over your shoulder.
Then again, the iPhone being a hand-held, it is less likely that someone is indeed watching over your shoulder, but if that's the case, you'll be giving up your password to him as though it had been written out in the open.
*****-****-**-********
Don't_mask_my_password
(I used my stealthy password exposer to find that out.)
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.
Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.
The average person, unless you put a gun to their head and MAKE them do differently, will choose a password that an 8-year-old can guess, and he wants to make it easier for unauthorized people to see whole or partial passwords? Ridiculous. Not that it matters all that much, I guess, since the average person also treats network security like a joke, and lets co-workers have their password regardless of what policy is.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Saved Passwords.
I typically have my web browser save my passwords for things I consider lower risk, but if masking is removed and the browser automatically loads the password into the form, then it's available to anyone. Considering that many users use the same or similar passwords for almost every application, having it unmasked on one site could give up your info on any number of other sites.
He seems to believe that shoulder surfing and screen snapshot capture simply doesn't exist. I'm left to ask if the complainer is trying to solve his problem at the expense of everyone else.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.
Since we are talking about web logins here there is a simple solution...
Most modern web browsers support remembering passwords and typing them in for you. If you are so unconcerned about security that you want your password to be displayed on the screen for anyone to see then you may as well just let your browser type it in for you and eliminate the typo problem completely.
Only person in room.
Seriously, upwards of 99% of the time I type in a password, I'm the only person in the room and the door is closed. Does displaying bullets (or worse, nothing) really improve security? If I can see the password as I type it, I can write an epic passpoem that's almost impossible to guess, because I can see the typos I make. If I can't, I'm limited to about 30 lowercase alphanumerics, or ten random characters: beyond that, tyops are too common.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
Masking was intended to keep people from shoulder-surfing your password as you entered it. In the days of public computer rooms where you'd have a dozen people behind you who could see your screen, masking made a lot of sense. When you're already in private, though, and there's nobody behind you to see your screen, password masking doesn't make any sense anymore. However, if you think about it there's still lots of time when you're not in private. In your own home you don't need masking most times, but think about sitting at the local coffee shop. Or in the airport on a trip. Or in an open-plan office. All those times you may have someone behind you who can see your screen. Or who's got a camera with enough resolution he can enlarge the picture later to get the screen contents. Those times I'd prefer the passwords be masked so eavesdroppers can't see them.
Of course the two aren't mutually exclusive. HTML for instance defines fields that're protected/masked. Just use them and let the user control with a setting whether protected/masked fields should be masked or their contents displayed. Then the user can decide which to use, and they're the ones who'll have to bear the consequences if their password gets out so they've an incentive to make a reasonable choice.
What TFA is suggesting is probably one of the dumbest ideas I've heard since... EVER. That said, the dots are a usability issue -- I've got plenty of otherwise very smart users who screw up passwords constantly.
As a compromise measure I propose stealing something from Apple's playbook: The iPhone password entry interface. The last character typed is visible for 2-3 seconds, everything else is masked (and backspacing doesn't reveal characters, just makes the dots go away). The design doesn't suck, and the security compromise isn't as bad as "leave the password on-screen for everyone to see" like the article is suggesting.
/~mikeg
[browsers] remember what you put in normal text fields.
Well, here's an easy fix: browsers add a checkbox-ish context menu item to password fields saying "don't hide text behind dots". Pages don't have to do anything, and browsers don't need to change caching behavior.
On the other hand, we only post passwords over HTTPS which browsers don't cache anyways. Right, slashdot? Right? Harumph :(
[I'm Mark Duval of Belgium, and I'm an idiot.] Now what?
Don't worry. It's done.
Here's something people don't realize:
Remember all those laws about "in plain sight" and all that how law enforcement can steal your info just because something isn't locked away etc?
Well guess what happens to passwords like this. Spy through a window at home, etc.
Is this really that big of a problem? Are corporations losing millions of dollars a year in downtime due to people typing in their passwords incorrectly? Maybe throwing computers out of windows? It is pretty idiotic to assume that there is no use for password masking -- in my office there are plenty of opportunities for a passerby to take a peek at my screen, I don't want my password visible! Yesterday I started typing my password in the username box and immediately changed my password, lest anyone else saw it. This would be a HUGE security hole and a HUGE step back -- how do idiots like this get to call themselves experts?
To the haters: You can't win. If you mod me down, I shall become more powerful than you could possibly imagine
Funny thing is that unmasking passwords would/could make the system more vulnerable to certain memory attacks.
On modern systems, the password itself is never stored, only the hash. So when someone wants to log in to a remote server, the local system will take the password then compute the hash. The hash is then sent to the authenticating mechanism. The mechanism will then return a pass/fail to the local system. The password is never transmitted.
Internally, different systems use different methods of calculating the hash. Some will take the plain password then run it through another function that returns the hash. For a brief moment this plain password is available in a memory dump of the system. An attacker could potentially cause the process to crash at the appropriate time and then capture the memory dump and retrieve the plain password.
To get around this, some implementations don't even store the plaintext password even temporarily. As keys are typed, the hash is recalculated with a time-based salt key. At no point is the entire password available in a memory dump.
Long live the Clue Glyphs!
Those pretty birds and eyes that represented that our password was typed ok!
About 999 times out of 1000, I'm sitting in an environment (either at home or in the office) where I really don't care if anyone sees my password. For that one time where I do care, maybe we can have a checkbox for making the password invisible while we type.
The problem with security is really that once you start down that path, nothing is ever enough - at least not to the security gestapo (motto: "our work ain't done until you can't do yours"). Stellar example: the FTP at work is configured to have a ~10s delay after logging in, "to stop the evil h4x0rz". It's driving me nuts, so I suggested accepting the first connection without any delay, and then introducing a delay for each following connection if it occurs within 10s. That way hardly anyone will be bothered by the delay, but the h4x0rz will still be unable to flood the server with their evil password-attempting ways. But nooo, that was completely unacceptable! Because it would be INSECURE! Only a long delay guarantees security!
In many places in OS X, there is a "display password" checkbox under password entry fields. So, by default the password is hidden, but if needed, you can click the checkbox and it will be displayed. Best of both worlds, I think.
I'd rather be sailing...
just use a password made of *s; this way everyone wins.
i can type my password without even looking
watch, i'll enter my bank account password without looking
fluffybunnies
see? i didn't even need to...
oh crap...
unsubmit
where's the damn unsubmit!
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
On my old website, I had for a while password fields with no bullets. I had assumed that, given the low-importance nature of the site and all, no one would really care, and it did make it easier.
A few weeks after opening, I had found out that a few people had not created accounts, because they had the strange idea that not having bullets somehow made the site less secure. That somehow, *I* would be able to see their password, more than if there were bullets.
Needless to say, I changed over my password fields to bulleted, because I didn't want to lose any possible members to such a stupid problem. I still think that plain text is better, but it has become mandatory security theater. Much like an SSL cert makes even the most questionable site legitimate, lacking bulleted passwords makes people think you're being sneaky somehow. It is sad, but it's reality.
Great Intellect...
Most users will pick an easy to remember password that they are less likely to fat finger. Making the mask optional would help. Users rarely surf in public.
I like how it's done in KeePass - by default all passwords are masked, but you can use a button adjacent to the password box to turn off masking.
I think 8-10 character passwords should be masked to eliminate shoulder surfing issues, but who was the idiot in the Microsoft networking UI team that thought that WPA keys were passwords and decided they needed to be masked? That's just nonsense. Encryption keys are not passwords. They should be long and shoulder surfing is not an issue because you only enter them once. Every time I connect to a wireless network with windows I curse that idiot... I'm sure I'm not the only one.
Generally, I think passwords should be represented by asterisks. When I remote access a machine (VNC), or log into a website that takes forever to POST and load the next page, then it certainly is useful.
However, one place that I think asterisks is really, really stupid is for entering a WPA / WEP key for Windows-managed wireless adapters. In OSX there is a checkbox that allows you to show the key you type. In windows it is DOUBLY stupid. First, entering in a 128 bit WEP key (26 chars) is a tedious error-prone process. So having it visible would be extremely helpful. There are very, very few people that could remember a 26 place hexadecimal number after seeing it only for a couple seconds, so I don't see this as a security risk. But the real stupidity is that Windows makes you enter it twice! Perhaps there is a process in which a WAP can be configured without actually having the WAP in range, but for me, I'm always setting up a connection interactively. Thus if I've entered the wrong key I will know immediately. So I'm really not sure why I have to enter a 26 place hex number, represented by asterisks, TWICE to connect to an AP.
Better known as 318230.
the biometric password would not need to enter text
and the fingerprint scanner's importance would grow.
text pass-codes could be a back up or vice versa.
Most phones have been doing this well before the iPhone existed.
What about when web forms fill in the password for you???
I know that isn't secure, and they could log in there anyway. But if people can go to my yahoo when I'm not at my computer and see my password, then they could log in sometime later. I'd never know, no danger at being caught. Plus most people use the same few passwords over and over.
Not to mention the trouble you could get into with a password like "mywifeisawhore"
Mr. Nielsen, you should use the internet before you come up with such ridiculous ideas.
This man has obviously never had to log into a machine or remote console on a PC during an office meeting that is being projected for others to see. Bad time for password "shitcockballs"
.. should probably not leave his day job - EVER.
I can't believe this even got on slashdot..
Generally I agree with him but not this time. I don't want someone looking over my shoulder and seeing my password. I touch type very fast. I don't need to see the passwords and I certainly don't need other people seeing them.
Well, passwords alone are ungood...
Story Time: Back in the Nineties I worked for a .com that was planning to provide a total network solution for Doctors, Clinics and Hospitals.
Because of the liabilities associated with medical records we were looking at token-based security. Basically an electronic key that a computer could read to allow access to the network. Now the idea was that this would be available from anywhere, so the main problem was that we'd have to give away readers along with the tokens.
Flash forward to today. The only things that should have password protection only are things where we don't really care about security. Oh, and FYI, any website that asks "What is your grammar school name?" is disqualified from having decent password security. (Even if they email your password, how do they know you aren't logging into the Littlest Petshop's Web Board while standing over your victim's corpse and his open webmail connection? Well?)
Meanwhile, we have the perfect token reader in the form of USB ports, but I don't know anyone who uses them for that.
I see peoples' passwords constantly. Here are some popular ones:
Wife's Name
Kid's Name
Sports Team
Sometimes they mix it up with something really secure, like the current year. I don't blame people though, I'm paranoid that people will guess my passwords even though I create the important ones by rolling dice...
"MIT betrayed all of its basic principles."
I personally think that in a lot of places (office, home) I'd love to be able to hit a checkbox and turn that feature off. In other places (Starbucks, college campus), I'd rather have it on.
I don't see why it has to be so binary. I want it both ways.
http://www.unfocus.com/
I like the way Lotus Notes used to do it. As you typed you'd get a random hieroglyphic. As long as your glyph matched what you remembered, you knew that you'd typed the password correctly. Nobody could guess by watching the monitor even how long your password was.
When our name is on the back of your car, we're behind you all the way!
What, people don't remember shoulder surfing?
The idea has been floating around before iPhone showed up. For example, PalmOS uses the same approach.
I can't think why we need this (standard) security measure, so let's drop it.
If you can't think of a reason we need it, and you keep it, then isn't that security theater?
Over the shoulder attacks aren't much harder without the password being echoed. Just watch the keyboard instead of the screen. Systems could be set up to clear the password if no typing is done before a short timeout has expired. This would greatly reduce typos while probably only reducing security by a small amount. This might be a good topic for a small research project. At the least it should be looked into before being dismissed.
What password masking does prevent is accidental password snooping. Let's face it. Unless you're quite hardcore and have a purely random password, it is probably a word or phrase with some amount of dictionary thwarting added. It is all too easy for a coworker to catch a glimpse of that word and remember it, because it's passive. Watching keystrokes requires active snooping.
This is a boring sig
I do not want my password displayed on my screen. A capable person (or a security device) can already look over my shoulder and record my keystrokes. I do not need the idiot in the cube behind me seeing my password in plain-text. The more difficult it is for a person to guess my password, the better.
Long passwords, such as WPA keys, are a different story, but I have not found one that does not have the option to disable the obfuscation (if the person trying to steal your wireless signal/data is already in your house, you have other things to worry about).
If a person cannot remember their password, or cannot remember their last 16 key-presses, then they obviously do not know how to type and should not be working in a field that requires them to log in to a system.
That has never seen Lotus Notes? There are plenty of ways to increase user feedback without showing their password to the world. There is also absolutely no evidence that a mistyped password causes a user to not attempt again. How high could the typo rate be on a person's password?
I did a project where keystroke timing was used in addition to characters to create a password. This caused a failure rate in users of around 75%. For the 3 months that I had it up nobody didn't try until they succeeded. I must be right.
Seriously, do you close your bank account because you can't type your password right?
The Americans with Disabilities Act was supposed to help people in wheelchairs. Now we have pit bull "assistance dogs" on buses, oinkers complaining they're being discriminated against because they can't get into nightclubs, and easier exams for mental defectives. This has gotten out of hand. Parts of the ADA need to be repealed to get it back to its original intent.
When I enter PIN's or other private information on a digital pad, I make it a habit of using 3 fingers (2nd, 3rd, 4th fingers) and just move it between the 3 rows of the numeric keypad. It's not as inconvenient or gauche as covering the keys (and your other hand might be busy covering up the screen anyway), and at least they can't tell the difference between 1/2/3, 4/5/6, or 7/8/9. If the digit 0 exists in the number, I will cover the keys 7/0/9, and also use the same finger pattern for the other numbers so 1/5/3 look the same, 4/8/6 look the same, etc. (This refers to a phone-type keypad with 1-2-3 at the top. For calculator-type keypads with 7-8-9 at the top, the same applies, but for different digits, of course.)
My own favourite, about which I've posted before, is to gradually (but exponentially) increase the delay between entries, so after 1 failure, you can retry in 1 second; after 2 failures, 3 seconds. The third failure locks it for 9 seconds, and by the time the brute-forcer is on the 5th time, he'll be waiting almost a minute and a half (and rapidly increasing --you can only do 9 tries the first hour).
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
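The escalating-delay scheme from the comment above, written out as an added example (not the commenter's code): the wait triples after every failed attempt, and a helper counts how many attempts fit in a time window, which reproduces the "9 tries in the first hour" figure. The class and function names are hypothetical, and the clock is injected so the logic can be exercised without real sleeping.

```javascript
// Added example: a per-account login throttle whose wait grows
// geometrically, 1 s after the first failure, 3 s after the second,
// 9 s after the third, and so on. Names are hypothetical.

const BASE_DELAY_S = 1;   // wait after the first failure
const GROWTH = 3;         // multiplier per additional failure

// Seconds a caller must wait after `failures` consecutive failed attempts.
function delayAfterFailures(failures) {
  if (failures <= 0) return 0;
  return BASE_DELAY_S * GROWTH ** (failures - 1);
}

// Number of attempts possible within `windowS` seconds when every attempt
// fails. The first attempt is immediate; each later one waits for the
// delay earned by the failures before it.
function attemptsWithin(windowS) {
  let elapsed = 0;
  let attempts = 0;
  while (elapsed <= windowS) {
    attempts += 1;
    elapsed += delayAfterFailures(attempts);
  }
  return attempts;
}

class LoginThrottle {
  // `now` returns the current time in seconds; injected for testing.
  constructor(now = () => Date.now() / 1000) {
    this.now = now;
    this.state = new Map(); // user -> { failures, lockedUntil }
  }

  // 0 if an attempt is allowed right now, otherwise seconds remaining.
  secondsUntilAllowed(user) {
    const s = this.state.get(user);
    if (!s) return 0;
    return Math.max(0, s.lockedUntil - this.now());
  }

  // Call after the credential has been checked; `ok` is the outcome.
  // A success clears the counter; a failure extends the lockout.
  record(user, ok) {
    if (ok) {
      this.state.delete(user);
      return;
    }
    const s = this.state.get(user) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    s.lockedUntil = this.now() + delayAfterFailures(s.failures);
    this.state.set(user, s);
  }
}
```

Unlike a hard lockout after N failures, the counter resets on a successful login, so a legitimate user who eventually types the right password is not left locked out.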
I wouldn't suspect my roomie of peeking over my shoulder when I type in a password. HAHAHA DISREGARD THAT, I SUCK COCKS
This summary is false to the article. ("It's time to show most passwords in clear text as users type them")
The knee jerk reactions by people who read the summary but not the article have all been addressed in the article.
I'm a Programmer. That's one level above Software Engineer and one level below Engineer.
Just a random thought: on many mobile devices (where missed key-presses are more common), the screen shows only the last character pressed (e.g. h, *u, **n, ...). This makes shoulder surfing much harder but also gives feedback to the user about whether he's doing it right. Also, no, backspace does not reveal the previous letter -- once it's masked it never comes back.
If you wanted to be even more hardcore, mask the last letter (or, if you are into the whole UNIX paradigm, don't echo it back, but you should be using keys for SSH anyway) after 2 seconds or the next keypress.
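The display logic the two comments above describe, as an added example (not the commenters' code): only the most recently typed character is shown, it is masked again on the next keypress or after a short timeout, and backspace never un-masks anything. The class name and the 2-second constant are assumptions, and a fake clock is injected so the timeout can be tested without waiting.

```javascript
// Added example: "show only the last character" masking for a password
// field. The real characters live in a buffer that is never rendered in
// full; render() reveals at most the last one, and only briefly.
// Names (PasswordEntry, REVEAL_MS) are hypothetical.

const REVEAL_MS = 2000;   // how long the last character stays visible
const MASK = '*';

class PasswordEntry {
  // `now` returns milliseconds; injected so tests can control time.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.chars = [];        // the secret itself
    this.revealUntil = 0;   // after this time the last char is masked too
  }

  // A printable character was typed: append it and open the reveal window.
  type(ch) {
    this.chars.push(ch);
    this.revealUntil = this.now() + REVEAL_MS;
  }

  // Backspace drops the last character. The one before it stays masked,
  // so repeated backspaces cannot walk an onlooker through the password.
  backspace() {
    this.chars.pop();
    this.revealUntil = 0;
  }

  // What the field should draw right now.
  render() {
    const n = this.chars.length;
    if (n === 0) return '';
    const prefix = MASK.repeat(n - 1);
    const showLast = this.now() < this.revealUntil;
    return prefix + (showLast ? this.chars[n - 1] : MASK);
  }

  // The secret, for submission only; never shown.
  value() {
    return this.chars.join('');
  }
}
```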
...am quite happy *not* to have to make sure nobody's looking when entering my password, thank you.
A good education is a bit like an STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
Just another blowhard 'export'.
Remember Edward Yourdon? He wrote "Decline and Fall of the American Programmer" and, at the time, everyone thought the jig was up. He sold a lot of copies, but it was just so much drivel designed to sell books.
Don't get me wrong, it is great if you are one of these guys. I'll take the money...
Having the characters flash like the iPhone totally defeats the purpose of masking the characters in my opinion.
Only if the purpose is to stop someone determined to find out your password by staring at the screen and memorizing what's typed. If its purpose is to prevent people from casually glancing at the screen and seeing your password, then I'd say it does an admirable job.
Track your TV Shows with your iPhone - FREE
When you go to change your password in limesurvey, as expected the characters are bulleted out.
The funny part comes when you click 'change password' and immediately you are presented with a page stating your username and plain text password.
Genius.
As a potential lottery winner, I totally support tax cuts for the wealthy
I can't count how many times I've blindly typed the first few characters of a password into the login field of a terminal when I thought the password field was active. I've seen the passwords of my colleagues a dozen or more times this way. Fortunately for all of us, we respect each other's privacy and no harm has come of it. But I shudder to imagine if my passwords were out in the open every time I typed without realizing who might be gazing over my shoulder. This is a ridiculous idea.
The problem isn't the use of password asterisks, but the use of passwords in the first place. Good password usage requires a password to be 8 or 14 characters long, contain lower case, UPPER CASE, &ymbols, numb3rs, etc., and be unique: never repeat a password on multiple systems.
This is a lot of work, and these rules are being applied in cases where they are completely unnecessary.
In the real world, we understand that some situations require a solid steel door with a $300 deadbolt, and other situations only require a plywood door with a $1.99 padlock. And some don't require a lock at all, a simple "keep out" sign is enough.
We need to have better conventions to deal with trivial sites like Slashdot and Facebook, where it really is not at all serious if someone hacks my account, and important sites like my credit card company or PayPal, where a hacker can cause significant financial damage.
I'd love it if every site that required a login would offer 3 levels of security:
a) No security: anyone who types in my username can pretend to be me. This site is not allowed to store any financial details about me, and everyone knows that it is trivial to impersonate someone.
b) Minimal security: A simple password or browser cookie is enough. Someone hacking my account might embarrass me, but it's no great damage. This site is not allowed to store any financial details about me.
c) Significant security: SSL and a good password, or client certificate based security. Anyone hacking this site can get access to my bank account or credit cards.
I hate it when I make a joke and I get modded "+5 insightful". Mod the stupid comments "funny", not "insightful", please.
Some interlocutor might learn the password to my account on the Greater Cleveland Beanie Baby Collectors web forum.
I freak the hell out whenever I start typing a password and suddenly realize I'm typing in an unmasked textbox.
The unmasked password suggestion is idiotic, but he's right about the 'reset form data' thing, those buttons serve zero purpose
How about not showing any stars at all?
Knowing the length of the password is half the battle.
Same issue as those old POS terminals that would beep on each key pressed. Luckily they weren't beeping in different frequencies like phones.
I guess Nielsen has nothing to protect and thus surmises incorrectly this perceived inconvenience of his.
I think Jakob Nielsen is both right, slightly wrong, and not so slightly wrong.
First, the personal anecdote. There's one place and time where I really want to look at my password. That's when I'm installing a new OS.
I'm typically alone in my room when I'm doing that. Or I'm doing it for a friend who trusts me (and I could install a back door if I had one anyways). I use the Dvorak keyboard layout, but my point works equally well for just about any layout except the US bog standard. The trick is: I'm not used to using the installation software. I don't know whether it has really picked up on my keyboard layout---in debian/ubuntu installers, the password is among the first things I type. I would _really_ like to (at my discretion) have the password displayed.
Next, let's consider what Nielsen is saying.
Providing feedback and visualizing the system's status have always been among the most basic usability principles.
True.
Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.
I tried that against a sales representative today, twice. Didn't work. But I'm not truly skilled. If the password had been on the screen, I'm sure it would have been a lot easier.
It's not like masking passwords buys you nothing. It does buy you something. If he has evidence that the value doesn't exceed its cost, I'd like to see it.
But maybe masking rarely buys you anything?
[Usually] It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
Could be true, but that actually makes unmasking a problem. I'll get to that.
Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.
As we all know, the expected utility of any uncertain event is its probability times its utility.
Nielsen does address security compromises with a large (negative) utility, such as bank account passwords. He fails at considering the probability.
Why is that crucial?
The probability of compromise can be largely influenced by use context. That is, am I sitting alone in my cubicle? Am I giving a presentation using a projector? Am I using a public kiosk?
I don't know about you guys, but when I look at any login screen I'm used to using, I type my username and password without asking myself "is my security at risk?". When I'm using a projector, I'm reflecting over the fact that other people can't see my password while I'm typing it.
Said another way: the correct system for logging in changes from
To
I think the second habit is much harder to form, and takes more thought. Most users will fail. He points out that loss of security is a danger with masked passwords. With unmasked passwords, it's a certainty. We need fail-safe, because failures are inevitable. If one of your employees accidentally forgets to check the checkbox at a trade show, your competitor can now log in as that employee and steal your trade secrets.
Dan Ariely gave a great TED talk about how we go with defaults if the options are complicated: http://www.ted.com/talks/lang/eng/dan_ariely_asks_are_we_in_control_of_our_own_decisions.html
We need a fail-safe default.
On the other hand, don't listen to me. Listen to the evidence. Note how I don't have any, and Jakob doesn't have any. I think that's the biggest failure. Sure, well-controlled studies of his hypothesis are hard to do, so other evidence will have to make do.
But he doesn't have any.
In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?
Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
On the one hand, this is silly. If you don't have the mental machinery to reliably type a password, you're likely too dumb to be trusted doing online banking and other important things.
On the other hand, why do so many stupid sites need a 10+ char c0mP13X_p@s5w0rD (hidden with asterisks) just to exchange casserole recipes with other soccer moms?
Ask me about my sig!
Passwords and security experts are the last things making the Internet frustrating and difficult to use for a lot of people. Both are a waste of everyone's valuable time and someone could make a lot of money by finding a reliable way to get rid of them. Having to have 27 different passwords to get to one's email means that people frequently have to ask the support people to reset passwords, unlock accounts, etc. because they can't remember how many X's they added on to the end of their 14 letter password that doesn't contain any dictionary words this month.
why is the WPA passkey field ever masked?
It breaks my pluginses, my precious!
Some of the better designed applications have a 'reveal password' button. Most of the time there is no-one looking over your shoulder, so this option can indeed improve usability.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
And you would too if you worked around other people, or if there's even a remote possibility of someone being around when you type in a password.
The Microsoft wireless access passwords are done like that because they are complete idiots. Why do you have to type it in twice?? If it works on the first try, why use the second field at all?
In counterpoint, I've never been impressed by the argument that "It's a standard security measure that everyone does." It usually indicates a lack of critical thinking of the speaker.
For a specific example, passwords that expire after a certain time period. Especially those that expire after, say, the Windows standard period of 42 days, and start reminding you that it's going to expire fourteen days prior to the actual expiration. This means you only get 28 days of nag-free logins. After which, you have to dismiss an additional modal dialog before you can log in and begin working. Not to mention that for the first few days to a week after you've been forced to increment the number on the end of your password as you do every 42 days, you invariably enter it wrong the first few times, often locking yourself out, necessitating additional work from the IT guys and lost time for the users.
Another example is those absurd legal disclaimers at the end of emails that apparently carry little legal weight, if any.
Question everything
Mr. Nielsen has obviously never worked in an environment where security is important and in particular where whoever might be looking over your shoulder (or a reflection off something behind you) is uncontrollable. The zoom lens in a high end cell phone camera can read text from reflection of a screen from 100 feet away, so making sure no one is behind isn't even sufficient. Higher end cameras can do it from even farther away, even from a building across the street. It's one of the most common and "usable" methods of scavenging information available to hackers today.
I guess he has never had to make a presentation in a conference room or lecture hall, and had to use an already-in-place computer which he had to log in to, or had his laptop go into screen saver mode because it was on battery and he talked more than 30 seconds on a single slide. Because he would then immediately say, "Gee, I sure wish I didn't have to show the 200 people here my password." Especially since at least a large portion of those same people will likely have access to the internet and potentially the same computer network his account is on, and can log in even while the presentation is on-going...
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
at first I just closed the tab out of disgust, but then decided it needed my comment - kiss my ass JN - you're just trying to garnish publicity - I hope you die sucking ahmadinejad's cock.
Why you have to type our WiFi password twice:
The first time sends the password to my botnet.
The second time actually logs you in.
-- Terry
I've seen radio buttons (dd_wrt) that un-mask the password for troubleshooting. This is kinda nice.
boycott slashdot February 10th - 17th check out: altSlashdot.org
It doesn't matter that you're only logging in to post "F1RST!!!!11" on FailBlog. If the wrong person watches you do it, they're going to use it on your email account or your online banking. (Not you per se, fellow Slashdot readers, you Princes of the Internets. You would never be so naive as to use the same password for all of those.) At the very least, password masking should always be on by default, and the option to turn it off should be up to the browser.
But all signs indicate that Nielsen thinks you should just go ahead and implement this on your website. If users could be trusted to properly judge when to turn masking on (and they cannot), introducing optional masking to your website would actually harm the usability of the login form. You know what's a bigger barrier to logging in than a masked password? Having to always stop and evaluate:
In the words of another usability advocate: Don't make me think!
In the span of one hour, there are more than a dozen solid reasons posted as to why this is not a good idea. Just about all of them obvious. Did Nielsen not consider these? Does he pull these declarations out of his ass without any thought?
In TFA: "Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there."
Agreed. Let's begin with self-appointed usability gurus.
When I have a friend in the room, I'm glad I don't have to send them out to type my password.
Most people can't track my fingers on a keyboard. They can, on the other hand, read.
-- Lattyware (www.lattyware.co.uk)
If people have so much difficulty entering their passwords, they should fix themselves, not the computers they are using. I've been entering passwords for 20 years, and masking doesn't bother me in the slightest. Actually, I prefer Linux style...like another poster said: "No mask is a good mask"...except null.
Clearly it is insecure to type your normal password in a plaintext box, so I will assume* he means you should use one-time passwords. One-time passwords are random and unfamiliar, therefore hard to type correctly the first try, so plaintext password fields would complement this technology well. It doesn't matter if someone sees such a password, since it becomes a useless string of characters within seconds.
*For the sake of conversation
My webcomic
And I recommend masking passwords... Am I an expert now?
So this would probably be a bad time to suggest to Mr. Nielsen that what's really needed is stronger authentication. Computer security breaches of the last few years increasingly convince me the security community should more widely deploy techniques like smart cards (or other means of protecting a private key from casual intercept or replication.) Biometrics may also play a role, but there are lots of issues there to first be addressed.
Maybe make an option for dotless login, so that people can use it if they choose. Accompanied, of course, by adequate (?) warnings about shoulder-surfers and safe environments. It could be under the accessibility umbrella.
Nielsen is mixing up usability, the science of making interfaces more efficient and usable, with promoting stupidity, the method of making it easier but actually less efficient and useful, to get even the biggest idiot to be able to use it, at the cost of all those more intelligent.
This itself would be ok, if you chose to have dumber people as your target group.
But as soon as you do it, nature invents bigger idiots. And then most companies are making it even simpler. Until it is basically useless, if you got half a brain.
Good examples of what this results in, are those moments where you notice that the reason you were unable to get your OS / electronics device to do what you like, is that you actually understood what you are doing, and as soon as you just thought like an idiot, you got to the right function.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
I wrote about that option when I first read Nielsen's article: http://live2dev.blogspot.com/2009/06/should-we-stop-masking-passwords.html
Yea really... what makes someone an expert in usability?? Usability is up to the consumers and users. Personally the only time I have ever failed to log in is because I forgot the password.. Honestly it is kinda sad if you give up trying to log in if you can't type in the correct password.
...from people who've dedicated decades to intelligent-guessing of TV shows.
And not necessarily successfully; Star Trek was taken off, then began a 40 year progress into other forms, including 4-5 other series.
Ya know, if they want to offer advice about how many people have used a shower, based on the number of residents in a town, I'll ask them. They have no track record of IT breakthroughs.
I wish there was a better way; biometrics is flawed (not to mention, who wants to lose a thumb/eye/etc?) so until something better comes along, this will have to do.
It's precisely the same argument about so-called "green" electricity. If it's not nuclear, it can't get anywhere NEAR the cost of coal/oil. Nothing can. There's not anything even 'coming around the corner' that could possibly fill the void. Yet the public perception, until it's bought and tried, is that they're one and the same.
Some things need to be left alone. Change it, and see.
--- For a good time mail uce@ftc.gov
After having skimmed through the referenced blog, it is obvious that the author is either joking or a spotty teenager. Let's hope he is just joking.
Quote: "Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days."
"Web's early days"? I can clearly remember using passwords a full decade before the Web was invented. And I will bet there are people lurking around here who can beat me by a couple of decades.
Do we even need to discuss this one? Looks like the "Hollow earth" theory of IT security to me...
It would be better if Windows didn't disable your account after so many bad guesses and just made you wait a second after each guess. It makes it impossibly long to brute force and is still comfortable to use. I think Linux already does it.
But in this case, does usability outweigh security?
(from TFS)
9 times out of 10, yes. But that 10th time is the only one that matters.
I can't tell you how many times I've had to login to something -- a server, a web page, e-mail -- on someone else's computer, with them sitting right next to me, watching as I log in. I'm comfortable enough not to worry about them stealing my password by watching my hands on the keyboard, but if I had to enter an unmasked password into a login prompt, that would be another thing entirely.
Keep masking the password prompt, please.
MCSE? No, sir...I don't do Windows. Yes, I am an idealist. What's your point?
I've been in hundreds of meetings (literally) where someone has logged into an account in front of us using the projector. Whether this was a Windows account or a website (as the author is talking about), password masking was in play. Password masking is a good thing. Someone shouldn't have to reset their password every time they demonstrate something at a meeting because everyone watches them type in their clear text password. If someone is incapable of typing in their password without seeing it on the screen in front of them, then perhaps they shouldn't be using computers.
This is the best thing in a long time! I've been saying the same for years. All the idiots who don't understand STFU.
The comparison is so stretched, it's just ridiculous...
This is a stupid argument. Passwords need to be masked.
Let's say you're at a friend's house and you use his/her computer to check your email account or facebook account to show them something. If they are sitting next to you, having password masking helps. Otherwise, every time you'll have to ask your friend to turn away.
Of course that little inconvenience might be ok, but what about if it was a girlfriend or spouse sitting next to you? If you ask them to look away, you'll probably end up with an argument about why can't she know? Let's avoid this problem by keeping passwords masked.
Anytime your password is visible in plain text is bad. This includes when it's stored in a database, written on a post-it and pasted to your monitor, or anywhere else.
As a software developer, there is no reason for me to ever show you your password in plain text even while it's being entered. In my opinion, the security benefits of the mask definitely out-weigh the usability costs.
Just like how your stored passwords are visible in plain text in Firefox and Chrome to anyone with a few seconds alone with your computer, showing them in plain text while entering them into passwords fields is a horrible idea.
If it were up to him, the www would still be plain text and images. His philosophy boils down to "Let's design all websites to the lowest common denominator", which is fine if your website needs to have the widest possible audience, but most don't, just like most other forms of published content. Just think. No password masking + browser form persistence features means that I just have to be able to go to, say, gmail on your machine, double click the username field, tab once, and I know your google password. Then I can go to the coffee shop, log into your blogger account, create some nice posts in your name, then log into your analytics account and do some bad stuff there, etc.
FIIINGERPRIIIIINTS!!!!! EEEYEEES!!!! Just don't use the damn passwords if they're that much trouble. Get a fingerprint reader or USB key auth or iris detection! Bloody hell, I'd have thought someone would have thought of this already!
So my password will at last have a meaning, no more ********* but now the more meaningful KlYtgHjd8 - GREAT! If this becomes mandatory with visible letters I will change my password back to the trustworthy *********, no one will guess nine stars anyways, too simple to break.
In order to form an immaculate member of a flock of sheep one must, above all, be a sheep.
With the amount of people that use computers in public, having an easily viewable password is just dumb. If you can't manage to remember what you've typed then slow down and think about your actions.
Concerned that having to type in a password twice or mistyping a password might deter users from signing up for their website, I was asked by my employer to change the sign-up page to show a single password box with the password in plain text while the user was typing the password, switch it over to masked text when the password box lost focus, and clear the password box if the user set focus on it again. I thought it was unconventional and a bit crazy, but it wasn't like we were securing highly classified materials.
Every once in a while I'll make a mistake such as entering my password in the user name field. It is jarring to see the plain password. I have an unsettled and disturbed feeling; and immediately realize I goofed.
Putting aside the shoulder surfing threat, the bullets in the password field give feedback that my secret password has been entered into the right place and the computer on the other end will try to handle it securely. Without that feedback, I might accidentally put my password in the subject field on some Internet forum. To me, it would hurt usability if the passwords weren't masked.
It is hard for me to imagine that masked passwords are a problem. Anyone with bare minimum computer literacy expects the passwords to be masked. I'm sure I'm not the only one who finds it distracting to see their plain password.
Firefox saves passwords!!!! - Now that is usability. Of course if you're on a public computer or work computer you will not save your password, and as many have stated you need to mask your password in a public environment. My personal computer, at home, only I use, so I get Firefox to save my passwords so I only type it once per password, it's masked and most important I don't suffer from incorrect logins.
I thought the whole point of security is to suffer a bit of inconvenience in the name of being secure.
It is a real pain in the behind to have to unlock your car and put the key in the ignition. It's really annoying when you lose your keys, so remove the key and locks? Nope, didn't think so.
Password masking stops people stealing your password when you are unaware of being watched. There are ways around the inconvenience of masking, type your password into notepad and then paste it into the login window.
I love how IBM makes a selling point of Lotus Notes that every time you type a character in your password it generates a random low number of characters to keep onlookers from knowing exactly how many characters were typed. How about you focus on making Notes work nearly as well as Office. Then add goofy crap like this on at the end? I don't mind asterisks for passwords. If not being able to see your password as you type it in is slowing you down and is wasting business time, pack your bags and GTFO. Plenty of hungry kids out there quite capable of remembering a damn password more than willing to take your job.
And this has been another installment of Captain Obvious!
I think in general it would be a bad idea to show the password by default. However, it would be nice to have an option to show it. I'm sure there's a firefox extension or greasemonkey script for that.
My school started using passphrases and if you didn't it would bug you to change to one every time you logged into the network, or checked your email, or the online courseware, or the library. So I eventually changed to a passphrase that is several words long.
It is really frustrating to get halfway into the sentence and realize you typed a wrong letter and have to start all over again because you can't tell if you typed one character wrong or more than that. But I also often type my passphrase into the computer in front of my students and I'm sure at least one of them would love to get into my account to cause mischief.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
Security camera resolution.
The magical uber-photo-enhance software Chloe O'Brian used at CTU does not exist. ;-)
Normal text-entry widgets and password boxes have different usability and security requirements. For instance, you don't want your web browser to show a dropdown list of all your passwords as plain text. As soon as both widgets look mostly the same you can be quite sure half of the website programmers out there start using the wrong widget.
I also don't get the amount of money they're paid to say things like "password blanking is soooo confusing to noobs". Yeah every thing is til you take time to learn it. This country is going down the shitter fast.
Instead of echoing asterisk characters, the system should echo a random letter or number for each keystroke.
Lots of people are knocking TFA's suggestion due to over-the-shoulder vulnerability, but with the proliferation of malware I'd be more worried about malicious software screen scraping an unmasked password.
Arguing about vi versus Emacs is like arguing whether it's better to make fire by rubbing sticks or banging rocks.
Human weakness will always overcome ANY security. CBC, here in Canada, did a survey which revealed the fact that 40% of their users have written their PW on the bottom of their keyboard.
Use capslock status to trigger the dots. You'll still have case sensitivity, and it will discourage having dots for anyone who can't cope with a backwards shifter. It will even indicate that your capslock is on or off.
The disconnect between sales and science is enormous.
For programs I write for myself, including an open-source encryption program for cellphones and desktops, I have for years simply provided a checkbox so the user can decide whether to mask the password. I can't stand masking on my cellphone, and rather doubt it's that big a risk.
I'm beginning to think that retinal scans are the way to go. At least then the user always has their key on them.
I wish I could mask my username and password to tell you the truth. I have so many people that have a tendency to float around me whenever I need to login to anything. Seriously, this guy is off his rocker.
I think it really depends on context.
Like somebody mentioned, Unix passwords don't even reveal how many characters are there in your password. I think all Unix (including Linux but not Macs) applications should work that way. Even cross-platform browsers like Firefox should completely hide passwords (or just display a symbol indicating the password has been typed).
Compare with 80% of Windows users. You should just assume their system is infected, they write down their passwords on post-its and paste them in the monitor, the clever ones paste it under the keyboard.
They even tell their passwords to their friends and family due social preassure or parental surveillance.
Core windows applications like msn messenger send passwords in clear text through the network.
The kind of protection provided by masked passwords is moot in this context.
Considering the same level of protection can be achieved by physically looking around for bystanders or placing your hand over the monitor makes it further moot.
MacOS... I don't know, the average MacOS user is not as clueless as the randomly chosen Windows user tends to be, but a significant share of them are of the "don't want to know shit outside my specialty" variety, so unmasked passwords still seem a good idea in that platform.
"Password fields are text with a green border" by JoeSimmons:
http://userscripts.org/scripts/show/50622
That's exactly what I thought when I saw this article: password masking makes shoulder surfing a little harder. With this recommendation Nielsen has shown himself to be a first-class retard who doesn't really know anything about usability. Why do people listen to this imbecile?
That's the problem, he is not a security expert.
Hiding the password is not for increasing the security, but for decreasing user embarrassment. Nobody needs to know the name of your favorite porn actress/porn actor (especially if he has the same sex or makes BDSM movies).
Put control in the user's hands. On the preferences section of your website, after the first login, allow users to decide whether or not they'd like to have their password masked on the login screen. There, I just ended your entire adolescent bickering match over which option is better, now you can all go flame-war each other over some other trivial issue in another article.
Yes, keystroke snooping is a great way to obtain passwords, and password masking won't protect against that... but there are situations where a background, headless app will quietly take screenshots at some predefined interval (or when certain trigger events occur) when you're on the system, and any unmasked passwords can easily be captured this way. Many companies have a policy of recording screen captures of their employees' computers during the work day, and you wouldn't want to trust sensitive password information to a low-level tech monitoring those screen captures for evidence of malfeasance. Someone who's low-paid enough might be tempted to snag a bank password (many employees bank from work online) or the password to some other sensitive site in order to profit, directly or indirectly. Or just to have a little hooligan fun at someone else's expense.
Some folks may be working in such a paranoid environment and may not realize it. Where I work, this isn't done routinely — that I know! — but the capability exists through one of a few packages that are installed by default as part of our core workstation image.
Surely I'm not the only one who remembers Van Eck phreaking... ? That's why you don't ever want your password displayed on the screen. http://en.wikipedia.org/wiki/Van_Eck
How does he support the claim that it costs businesses money to mask passwords? If your banking site didn't mask your password, would you use it? I wouldn't. Not in this age of high resolution zoom camcorders being able to take 18 hours of straight video.
This sounds like a troll. The guy can't be that much of an asshat.
Let's please also abolish stupid websites asking for my e-mail address twice (plainly visible in both cases) to "confirm" it. I absolutely do not see the point, as all I end up doing is copy-pasting the first version.
Maybe he should just learn how to type. Showing unmasked passwords is stupid. The Unix way is best (duh, it's Unix :)).
The reason is that on many occasions, people waiting beside you will watch you type if the password is masked.
And that mask is effortless, just as the bank telling us to cover the keypad when entering the password. The clicking sound sold it really well. And a hidden mic would really go unnoticed.
If you feel the need, cover the screen with your hand; that also tells people it is impolite to watch you typing a password.
Then use your goddamned fingerprint reader. Seriously though, I like this guy. His arguments are clear and they make sense. This isn't pitting security against usability at all, because masking isn't secure anyway. One omitted fact is that client scripts can capture your input on these fields, which could be a security hole. I'd like to see a password textbox that is inaccessible by client script, but visible in clear text. I would bet that out of all the websites you/I use, there are many that don't protect against XSS.
I usually just type my email address once and copy/paste it to the second box. It really serves no purpose if you ask me. On the other hand typing a password twice *is* useful if the input is masked. You have no way of seeing if you typed what you thought you did or if you made a mistake.
Read the ENTIRE article. Sure, the headline reads "Stop Password Masking" (but that's marketing); later he points out why, and even later he says:
"Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win."
So, yes, he's right.
So, instead of having a simple password field, we now have a checkbox that changes the functionality of the password field based on its state.
Is that not complex? Is simplicity not a factor in usability anymore?
Who cares if someone sees my password, the HR people in Bozeman already know it!
No.
Michael Jackson dies and the major networks devote 2 unscheduled hours to his 'life and times'...
People are seriously considering echoing passwords on the screen in the clear...
What's next? Dogs living with cats? Giant marshmallow men rampaging through NYC?
Seriously, I can't believe anyone is discussing this idea.
FingerAuth w/a fingerprint scanner mouse?
Forget typing, why bother even remembering passwords? I'm surprised people still mess with those things.
Even my login is blanked... and I leave the numlock key on to obfuscate my login and pwd... so I ignore the lame warnings about the caps and numlock keys being active...
I don't understand why anyone listens to Jakob Nielsen. He's out of touch, a complete crank, is utterly opposed to design and doesn't seem to understand that the web has evolved from the days of black text on a white page. Change or die, Jakob.
People think Google is a program you install on your computer. People think their headset is called a "blue tooth". People think that TCP/IP is a chain of yogurt shops.
You can go ahead and do that if you want, but any system I ever sell, administer, maintain, or own, password entry will be as obscure as possible. If you can't handle typing a password, you have no business performing operations which require one.
CAn'T CompreHend SARcaSm?
https://addons.mozilla.org/en-US/firefox/addon/462
The problem has already been solved for Firefox users. And I agree with Nielsen: it's a pain if you are sitting in an area with privacy.
In fact I think some websites are just a pain in the neck with the security requirements they inflict.
WTF would you need an 8-char password to comment on a newspaper article when my bank only requires 6? It's poor usability to max out security on sites that have minimal need.
I had to explain ONCE and ONCE ONLY to my eight year old son and to my six year old daughter, that the password shows as black dots so that nobody can read the password off the screen. It is such a simple idea, that they both understood it straight away.
Add to this, the fact that almost EVERYBODY (all the people I've watched, plus myself) will watch where their fingers are on the keyboard when entering a password, and you reach the conclusions that displaying the password on the screen as it is being typed:
Ergo, the status quo should be kept, until change is proven necessary. K.
Has this doofus actually ever mistyped a password?? I don't look to see where my mistake was, then key over to it and fix it... I blow it all away and start over. Much quicker, and removes the need to see it.
Question 2: Has this doofus ever owned a password?? Does he not get cold sweats for a brief moment anytime he accidentally sees the letters? I see mine so rarely I don't even recognize it at first. Then the shock sets in and I kill it asap, before scanning the room to see who saw.
Just use "******" as your password!
There, problem solved! Next!
@neonux
...a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.
I guess that because condoms don't fully protect against pregnancy/STDs we should just abandon all hope of security and go with what feels best. Raw dogging it with not even an attempt at birth control, much less STD protection.
Seriously, I'm tired of Jakob Nielsen, why won't he just crawl back into whatever hole he came out of?
Why?
***-*** *
The developer can usually rely on the users being in an environment that's not secure enough for password to be displayed in the clear, though secure enough to assume nobody is video recording keypresses.
With unmasked passwords, you'd have to change important passwords whenever someone walks past you just as you're typing them in. This scenario can be so common - office, starbucks, etc.
Nielsen talks about usability, so how usable is that?
In contrast if someone was _standing_ close by and you suspect him of trying to see what keys you were pressing, you can usually turn to him and say "Hey, do you mind?" or take appropriate countermeasures.
Most people aren't allowed to kill random strangers who just happened to see unmasked passwords. So if someone just walks past, it's password change time. Whoopee for usability.
So I recommend not relying on Nielsen for advice on security at all. And if this is typical of the level of thinking he does, I recommend that people not waste time reading his stuff.
After all if users are in such secure environments as he claims, why bother having passwords at all? Why not just let the website recognize their cookie and log them in right away?
That defines a moron, I guess. Next he will need an autofill of his password as soon as he enters his login. Talk about usability to a moron.
BORING.
Slashdot = Sarcasm
Tech support: Hello? :P
User: I can't log in the internet!
Tech: What's the problem?
User: I type my password and it seem to be invalid.
Tech: Which one is your password?
User: I saw it when my dad was typing it. It is eight stars.
Tech: Duh
Kudos to Jakob for his legacy of work, but sometimes he just points out problems and does not suggest solutions. Sure passwords are a necessary evil in this day and age, and obscuring them will make it arguably more difficult for users to not make a mistake. But I guess that's the point really - security requires focus and unless you suffer from something like ADHD you should be able to focus on what you're typing for 5 or 10 seconds.
Besides, usability covers learnability of the interface, and I don't think it's very hard to understand that dots, exes, whatever represents the letters that you type and warns you that you should be careful when you type this thing in.
I think it's a great idiom - it stresses importance and calls for focus and vigilance - which is exactly what you want when you're dealing with sensitive information.
So until fingerprint readers or retinal scanners are the main means of authentication, obscured passwords are one of the more successful ways to marry usability and security.
You already get this on Mac OS X, in some dialogs at least: a checkbox to select whether or not you want to hide the password while you're typing. Very useful when you're either not worried about the password, you're on your own, or trying to enter a slightly tricky password and not sure whether you got it right.
Public key authentication
Oh how the world could be with broader support. Imagine logging in on all your web-based application with no password.
Someone must tell this brilliant man that the masking is used to prevent OTHER PEOPLE from spying on your password as you type it. The point in having a password is not usability; it is security. And if someone is dumb enough to register the same password wrongly twice, then he deserves it.
Actually he's probably angry because he did just that. He could ask mom to help confirm if he typed twice. Or even type in notepad, confirm, then paste.
Btw I'm not "Anonymous Coward", I'm just lazy to open up an account.
With all due respect to Mr. Nielsen, I do question his position on this. I've worked in the network security field for 12+ years now. Most recently, because of a family illness, I've spent way too much time visiting hospitals. During this time, I've seen many nurses and other health care providers log in, with a password reset required, in the presence of myself and others in the room. If my mind wasn't concentrated on my ailing family member, it would have been very easy for me to grab that password (without it being masked) and have access to every patient's EMR (Electronic Medical Record) in the system. I do recognize that this may be costly to some organizations; however, isn't it still critical in some, i.e. HIPAA-compliant, environments?
when users type in passwords and the only feedback they get is a row of bullets.
That's a bit harsh for just typing a password...
There are a few good reasons why passwords are masked, more than just the over-your-shoulder password spying. It is possible to capture a monitor signal either by interfering with the cabling, or with special equipment capturing reflected light (surprisingly effective with CRTs). I've heard of information being stolen by a VGA splitter installed on a machine - but they didn't get any sensitive passwords.
Next, a technician may be remotely supporting a user, be viewing their desktop session and require the user to enter a password that the technician does not have clearance to know. Or even in a screen sharing session during collaboration. One can access and demonstrate systems without giving away passwords, this is especially good when one has their laptop plugged into a projector in a meeting room.
(I once had to do this, giving a presentation on a software package, and the password entry for this package was not masked... as I was about to type I suddenly remembered my password was something really rude)
There are many scenarios where password masking is useful and there is little compelling reason to have clear text password entry. In terms of cost to business for support, allowing more than 3 password attempts, i.e. 5 or 6, would solve more problems with less security risk. If this was what Jakob Nielsen was talking about I would bother reading past the first few lines of the Slashdot post.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
Your coworker seeing over your shoulder is one thing. Remote assistance sessions are another. I routinely use remote access sessions to assist customers, and users often need to log on to websites or other programs for which I need not know the password. The passwords showing up in cleartext visible to me just introduces needless risk and mistrust. I don't WANT to know a user's password. It's suspicion I can do without.
"Usability" concerns like this are what led Microsoft to add so many features to their products that have made malware so easy on their platforms (and "compatibility" led to maintaining these features far too long.)
If you, as a business, are worried about the convenience to your users of visible passwords in order to use your site, then perhaps you ought to re-evaluate why you need a login at all. If it's just a matter of user preferences, then perhaps you should do without passwords entirely - if you're willing to take the hit when your users start messing each other up.
And if you're concerned about the "usability" impact of passwords on your site, then surely you must throw a fit if you actually do any e-commerce - all that extra stuff to do the credit-card or PayPal will surely drive your users away.
Sure, password masking suggests security that might not be there - and so perhaps discredits those sites where security is taken seriously. However, password masking does add *some* security - especially if it's done by the browser rather than some ad-hoc Javascript. At least with the browser, there's only ONE piece of code to secure (by taking precautions to wipe the password from memory after it's been used.)
On the other hand, the issue of the "Reset" button has some validity - I do like having a reset button, but it shouldn't be placed too close to the input areas. More often, though, I find my input being wiped by the browser when I use a key-stroke that does an "erase-to-end-of-line" in my favorite editor that instead wipes my entire input and sends me off some strange direction. Compared to that, the "Reset" button is far less relevant than focus issues of my GUI/window environment.
BTW: What makes this guy a "Usability Expert", other than having written a bunch of articles since 1995? Has he actually been involved in improving any product or process? Who vouches for this guy?
The fact that he's a so-called security expert REALLY scares me.
I hate it when products/software don't mask passwords. like the Wii. Type in your credit card number or wi-fi password so everyone looking through your window or over your shoulder can see it SWEET.
This guy must be related to the guys who allow web developers to develop web apps that send your password to you in plain text through e-mail when you sign up, or worse, once a month in a newsletter.
- Alex
So the author states that the row of bullets is useless, costs us business, and doesn't increase security? While password security is the weakest form of security we have, it IS better than nothing. And the use of bullets to mask passwords is essential. The author would like to pretend that no one has ever had to enter a password where a screen is visible to multiple viewers, but that is indeed sometimes the case. The downturn in usability because someone cannot see what they are typing is minimal at best. Ridiculous.
There's a registry mod for Windows XP and earlier to prevent apps from stealing focus (TweakUI can handle it for you). They flash on the taskbar instead, as they should. I can't find anything for Vista/7 unfortunately (the XP tweak works, but the setting seems to get "lost" somehow)
:(
KDE has a similar tweak. I can't find anything for Gnome
All GUIs should prevent any kind of focus-stealing though. The capability should just not be accessible to applications - it should be reserved for special system functions if it must exist. Locking focus when typing in a password box could be useful, but if implemented improperly it could be just as ripe for abuse.
Finally the hours I spent practicing typing my password in the least amount of time possible will pay off!
Maybe they should've read the research on the topic, some more than five years old.
While the "think tanks" write bullshit papers, companies like Apple already implement what's been found to be the optimal trade-off: Display the last letter that you just typed for a couple seconds. Turns out that this largely eliminates shoulder-surfing and accidental password disclosure if someone catches a short glimpse of your monitor, and brings typos to almost the same level as normal typing.
This guy is a total idiot. He knows nothing about being in the IT field and about security. You've got to be stupid to find it hard to know what you are typing in. As an administrator you have to type in your password A LOT while someone is watching. There is no point in having it in clear text. You might as well have no password, because the point of having a password is to keep it SECRET.
What is really retarded is that Microsoft requires you to type a 26-character WEP key TWICE when connecting to a secured wireless network? Why the F%^&* should you have to confirm that key? You are not setting a new key, just entering one that already exists.
Ubuntu has it right - in most places where you have to enter a password, you can optionally unmask the characters.
- midtoad
The Treo browser shows the last character of the password for a few seconds, then masks it.
It's a really nice feature on small keyboards, but could work everywhere.
-Dan
It all depends on the environment in which you are conducting your business. In an unclassified typical office where every worker has his/her own cube - no - there's no reason to mask the password. In a classified office or an office space that involves workers sharing the same work space - yes - password masking is an absolute necessity. It just comes down to how much value you place on the sensitivity of the information on any given user's box. If it wouldn't be terrible should someone unauthorized gain access - then sure, broadcast your passwords to the world... otherwise (and I believe this is much more often the case), mask them.
Obviously this guy has never used a kiosk or sat at Starbucks. Shoulder surfing is bad enough, but every public place has surveillance cameras, and web cams are cheap enough and small enough to leave a few pointing at likely places. If the password is shown on the screen, it is also on a video somewhere as well. Now if we went to one-time passwords, then echoing the password wouldn't be a problem, but as long as we keep replayable passwords, I don't want it echoed back to the screen.
Android had a nice half-way option for this. When you type a password in the last character you typed appears and the rest are bullets. It can be turned off so it's all bullets. This way you have feedback on what you typed without completely losing security. Some of the dialogs also have a show password option. So if you really want to you can let other steal your password more easily...
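The "show the last character briefly, mask the rest" behaviour attributed above to Apple, the Treo browser and Android, combined with the per-user "show password" checkbox several posters ask for, as an added example. This is not code from any poster, nor from Apple, Android or Palm; the 1500 ms reveal window, the bullet glyph and the element layout in attach() are assumptions made for the example. The masking rule lives in a small state machine with an injectable clock so it can be exercised outside a browser.

```javascript
// Added example: last-character reveal plus an explicit unmask toggle.
// Assumptions: REVEAL_MS, the bullet glyph and the element ids in attach().
const REVEAL_MS = 1500; // assumed: how long the newest character stays visible

// Pure rendering. Everything is a bullet, except the final character while
// revealLast is set, or the whole secret while showAll is set.
function renderMasked(secret, { showAll = false, revealLast = false, bullet = '\u2022' } = {}) {
  if (showAll) return secret;
  const chars = Array.from(secret); // Array.from keeps astral characters whole
  if (chars.length === 0) return '';
  const hidden = bullet.repeat(chars.length - 1);
  return hidden + (revealLast ? chars[chars.length - 1] : bullet);
}

class MaskedField {
  // `now` is injectable so the reveal timeout can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.secret = '';
    this.showAll = false;
    this.revealUntil = -Infinity;
  }
  // Replace the secret with `next`. Only growth (a newly typed character)
  // starts a reveal window; backspacing or pasting something shorter never
  // shows a character a bystander has not already had the chance to see.
  update(next) {
    const grew = Array.from(next).length > Array.from(this.secret).length;
    this.secret = next;
    this.revealUntil = grew ? this.now() + REVEAL_MS : -Infinity;
  }
  type(ch) { this.update(this.secret + ch); }
  backspace() { this.update(Array.from(this.secret).slice(0, -1).join('')); }
  toggleShow() { this.showAll = !this.showAll; }
  display() {
    return renderMasked(this.secret, {
      showAll: this.showAll,
      revealLast: this.now() < this.revealUntil,
    });
  }
  value() { return this.secret; }
}

// Optional browser wiring (assumed layout): a real <input type="password">
// holds the secret, a read-only text input shows the masked rendering, and a
// checkbox unmasks on request. Only runs where a DOM with those ids exists.
function attach(field, realInput, displayInput, showCheckbox) {
  const redraw = () => { displayInput.value = field.display(); };
  realInput.addEventListener('input', () => {
    field.update(realInput.value);
    redraw();
    setTimeout(redraw, REVEAL_MS + 50); // re-mask once the window has elapsed
  });
  showCheckbox.addEventListener('change', () => {
    field.showAll = showCheckbox.checked;
    redraw();
  });
  redraw();
}

if (typeof document !== 'undefined' && document.getElementById('pw-real')) {
  attach(new MaskedField(),
         document.getElementById('pw-real'),
         document.getElementById('pw-display'),
         document.getElementById('pw-show'));
}
```

The real secret never leaves the native password input; the visible field only ever holds the rendered string, which keeps the point made elsewhere in the thread that the browser's own masking, not ad-hoc script, should be the thing that is trusted.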
This guy is flat out wrong. I have been doing IT in a K - 12 school environment for quite a while. When it comes to password problems, I have seen it all.
When someone fails in typing their password, they just retry and get it right the second or third time. If they still can't get in it is because they forgot their password, never changed their password from the one I gave them initially, have their caps lock on, or have mistyped their user name with a leading or trailing space. Password blocking is never the problem.
If you want to make things easier, institute password and user name recovery and code your user name input fields to ignore white-space characters.
You'll have to PRY the dots and asterisks out of my COLD DEAD HANDS! I've got a lot of over the shoulder on lookers, why next week they'll be asking for my 128bit encryption! (Microsoft removed what? wait I don't care, I use Slackware.)
Don't mind my paranoia to protect my non critical "pornographic" data, and why don't I just post all my user names and relative passwords social security number, mothers maiden name, home address and phone number all on twitter while I'm at it!
Actually, I had a coworker once, at a company that deals with security of nuclear facilities, who would try to look over my shoulder to see me type my password, but I am too fast. He even installed a keylogger when I walked away, before the screensaver w/ password kicked in, to take a bathroom break. I scan my PC daily for viruses/malware and ended up finding it before he could collect the password, and from then on I locked my PC manually before walking away. I became paranoid enough that I began checking my keyboard plug to make sure no one had installed a hardware keylogger. He eventually ended up giving up on the password stealing approach and instead looked up a vulnerability in VMWare, which I had installed to test the software we were developing to make sure it worked on a freshly installed OS and not just the dev PC. He found a zero-day vulnerability and exploited it in order to remotely launch a virus on my machine that he had written that created thousands of shortcuts and caused my computer to lock up even on a reboot. He then gloated about it and laughed as I wasted an hour recovering my system, time that could have been spent completing the software project that we needed to deliver. A month later I got laid off, and he's still there even a year and a half later.
Will not showing a password on the monitor keep you safe from shoulder surfers trying to steal your password? Yes, if you type your password quickly enough. But, it won't stop someone who is determined to ruin your day from finding a way.
So you unmask the password and now you have to make software that detects keyloggers AND any software that can do a quick screen cap... there's a reason this guy isn't in charge...
Well, as I said in my posting,
If the screen shows what you are typing in, then you'll want to cover the screen. This is the case when I pay at a gas station and have to enter my code to use my card: the digits are displayed on the screen for all to see. If you're typing with your right hand, then you only have your left hand to either cover the screen or cover your typing right hand, but not both.
Funny... I bought a top-of-the-line Lenovo ThinkPad a few months ago. At first, the fingerprint scan was fun. Then it stopped working reliably. I scan over and over and get that damn red circle. Now it's not worth trying anymore. And no, my fingerprint is not scarred, not wrinkled from being wet, not altered in any way.
I thought of re-scanning, but the Lenovo Support Tech said that, thanks to a quirk in their wonderful Client Security layer, I had to use my _original_ Windows password, not the password I had had the audacity to change recently. Needless to say I didn't remember my original password. Nor do I want to reset the BIOS (as he suggested).
Complexity dooms technology (see "Knob in the Shuttle window").