Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nielsen Recommends Not Masking Passwords

Posted by timothy on from the *****-****-**-******** dept.

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

20 of 849 comments (clear)

  1. Two words by RollingThunder · · Score: 5, Insightful

    Shoulder surfing.

    Seriously, is this guy is supposed to be an expert?

    This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

    1. Re:Two words by tomhudson · · Score: 5, Insightful

      I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

      Think about your bank card, your PIN, etc.

      FTFA:

      It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

      Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

    2. Re:Two words by amicusNYCL · · Score: 5, Insightful

      Oh, c'mon.

      So, password masking doesn't even protect fully against snoopers.

      No, it doesn't protect fully, but it does protect from everyone who can't see the keyboard when you type. In other words, it protects against every shoulder-surfing scenario except when the person is looking directly at the keyboard when you type. And even then, if you're typing fast enough or the keys are close enough together you won't be able to guess the password by watching the keyboard. Hell, I'm sitting right in front of the keyboard and I still can't look through my hands to see which keys my fingertips are actually pressing. So, password masking does protect from shoulder-surfing. It might not protect against people looking directly at your keyboard, but that might be because it's designed specifically to protect against people looking at the goddamn monitor.

      More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

      OK, so this is a great usability solution for websites that only get accessed by people sitting alone in their offices without the possibility of a co-worker standing there as they log in. For all other sites that people might access in an internet cafe, or at the airport, or in a coffee shop, or wherever else, I guess it doesn't apply at all.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Two words by radtea · · Score: 5, Insightful

      Retarded doesn't begin to cover this.

      The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

      Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  2. How about a compromise? by Verteiron · · Score: 5, Insightful

    Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

    --
    End of lesson. You may press the button.
  3. Re:Um, here's a thought. by Yetihehe · · Score: 5, Insightful

    It's possible, the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on page - just press down arrow and voila!

    --
    Extreme Programming - Redundant Array of Inexpensive Developers
  4. Easy solution by wjousts · · Score: 4, Insightful

    Change your password to **********

  5. One word for Nielsen: Projector by tcsh(1) · · Score: 5, Insightful

    Ever logged in to a computer connected to an LCD projector?

  6. Indeed lack of imagination by guruevi · · Score: 5, Insightful

    1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

    2) How many times have you typed in your password while somebody was looking at your screen eg. to show somebody something on a protected website. This happens a lot to tech people as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.

    3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (eg. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.

    4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  7. Ever typed a long WPA key into an iPhone? by Anonymous Coward · · Score: 5, Insightful

    The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.

    Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

  8. Two more words for Nielsen: Security Cameras by hoosbane · · Score: 5, Insightful

    Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.

  9. Re:hunter2 by Darkness404 · · Score: 4, Insightful

    About the only thing that requires a complex password for most people is work. At work, most everyone is too scared of being fired to really mess with people's accounts. Really the only point of passwords there is to keep out network attacks or so people can work at home. If someone can't remember 6-8 characters with a number thrown in there for good measure, perhaps they should not be on the internet.

    --
    Taxation is legalized theft, no more, no less.
  10. Re:Making my point with humor by doti · · Score: 5, Insightful

    That's because knowing the number of characters in a password greatly eases the password guessing.

    The masking is indeed a bad idea. Your unix login prompt does the right thing.

    --
    factor 966971: 966971
  11. Re:hunter2 by vidarh · · Score: 5, Insightful

    If Stephen Hawking says something about physics, do you require a citation from him? Nielson is recognized as one of the leading experts in his field.

    No, but if Stephen Hawking made a claim that flew in the face of established conventions in - say - psychology, I would expect a citation. Nielsen is a usability expert, not a security expert, and GP questioned his claim about the security aspect.

  12. Re:hunter2 by adamstew · · Score: 5, Insightful

    If Stephen Hawking says something about physics, do you require a citation from him? Nielson is recognized as one of the leading experts in his field.

    Yes! I would! I would want to see the research that lead him to his conclusion in physics. Or, more specifically, I would want another physicist to look at his research and give his validation to say that it's sound.

  13. You could always let the user choose by marcus · · Score: 5, Insightful

    In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

    Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
    1. Re:You could always let the user choose by Narcocide · · Score: 4, Insightful

      Your sig should be "Don't shoulder surf my password bro!" This is a situation where compromise is not appropriate. The unix login prompt has proper behavior. The story post is correct; obscured characters are dumb. The assumption that therefore they should be shown in plain text is incorrect. Your password should not be shown at all as you are typing it or at any time in any representation.

  14. Microsoft wep key by blueskies · · Score: 4, Insightful

    The microsoft wireless access passwords are done like that because they are complete idiots. Why do you have to type it in twice?? If it works on the first try, why use the second field at all?

  15. Re:Making my point with humor by mellon · · Score: 4, Insightful

    Dude, I want *your* computer. Or your glasses. Or something.

    You have illustrated the point nicely. However, the fact is that there is a problem here. The average naive user thinks that when they type a password in, and it's hidden, that means that it's secure. They equate the dots with end-to-end security. And of course there is no end-to-end security. So actually the dots are a usability problem - just not the one Mr. Nielsen suggests.

    Fundamentally, the problem is that there is no security in the way passwords are done on the net. By this I mean that even though we do have security protocols like SSL, and we do have mechanisms for signing certs, the current security model assumes that the user will discriminate between situations where there is security, and situations where there is not. And nearly every single user of web services is incapable of discriminating in that way. There are maybe one or two thousand people in the world who really understand the security model well enough and are anal enough to actually validate the security of what they are doing when they enter passwords into web forms.

    So essentially Mr. Nielsen is right - you might as well not bother with the dots. Because they just give you a false sense of security.

  16. Re:Making my point with humor by lindseyp · · Score: 5, Insightful

    What's even better than that is when the password input window *does* have focus, and the IM window steals it just as you start to type it in.

    focus-stealing windows should be banned.

    --
    j'ai découvert une démonstration vraiment admirable (de ce théorème général) que cette si