Slashdot Mirror


Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

110 of 849 comments

  1. Making my point with humor by suso · · Score: 4, Funny

    Usability? What the hell is he talking about? The user doesn't see the dots, only other people see those. The user should see their own password when they type it. Maybe he should check his glasses because those characters must be so blurry to him that they look like dots.

    1. Re:Making my point with humor by Profane+MuthaFucka · · Score: 5, Funny

      That comment is 99.99999% funny. It's 0.00001% true in the case of an all-asterisk passwd.

      --
      Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
    2. Re:Making my point with humor by religious+freak · · Score: 4, Funny

      Dots? Who the hell has dots? My unix login prompt cursor doesn't even move when I type the password in; I'd love to have some dots!

      --
      If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
    3. Re:Making my point with humor by doti · · Score: 5, Insightful

      That's because knowing the number of characters in a password greatly eases the password guessing.

      The masking is indeed a bad idea. Your unix login prompt does the right thing.

      --
      factor 966971: 966971
    4. Re:Making my point with humor by bhagwad · · Score: 3, Interesting

      He's crazy.

      I've never even seen my password in plain text. I don't want to either. Ever.

      Also, what if your kid sees the password you use at home and decides to play around? I know I would have when I was a kid and my instructor used to log in to his DOS account with a password (where the cursor never moved, let alone displayed the number of characters with dots).

      Irreparable damage

    5. Re:Making my point with humor by suso · · Score: 4, Funny

      I've never even seen my password in plain text. I don't want to either. Ever.

      That's good, only your hands should know your password.

    6. Re:Making my point with humor by Gordonjcp · · Score: 3, Informative

      Lotus Notes had (has?) a login dialog that addressed this by showing a random number of X's for each character rather than a 1-to-1 mapping.

      ... and bloody awful it was too. What the hell was the point of showing the dots at all? At least with one dot per character you've got visual feedback of how many characters you've typed. Seeing six dots in the password field when you've only typed three characters is confusing and jarring.

    7. Re:Making my point with humor by transporter_ii · · Score: 5, Funny

      I think passwords should spin, and any right characters you try should make that digit stop spinning, to let you know that character was right. That would put things more in line with the movies and make hacking a lot more fun.

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
    8. Re:Making my point with humor by NighthawkFoo · · Score: 4, Funny

      What's even better is that the dialog doesn't indicate whether it has focus or not, so you end up typing your password into your IM window.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it."
      - Evelyn Beatrice Hall
    9. Re:Making my point with humor by mellon · · Score: 4, Insightful

      Dude, I want *your* computer. Or your glasses. Or something.

      You have illustrated the point nicely. However, the fact is that there is a problem here. The average naive user thinks that when they type a password in, and it's hidden, that means that it's secure. They equate the dots with end-to-end security. And of course there is no end-to-end security. So actually the dots are a usability problem - just not the one Mr. Nielsen suggests.

      Fundamentally, the problem is that there is no security in the way passwords are done on the net. By this I mean that even though we do have security protocols like SSL, and we do have mechanisms for signing certs, the current security model assumes that the user will discriminate between situations where there is security, and situations where there is not. And nearly every single user of web services is incapable of discriminating in that way. There are maybe one or two thousand people in the world who really understand the security model well enough and are anal enough to actually validate the security of what they are doing when they enter passwords into web forms.

      So essentially Mr. Nielsen is right - you might as well not bother with the dots. Because they just give you a false sense of security.

    10. Re:Making my point with humor by MaskedSlacker · · Score: 2, Insightful

      Why did you bother explaining? Don't you see what a missed opportunity that was? If they don't log in, they can't fuck anything up!

    11. Re:Making my point with humor by gdshaw · · Score: 5, Interesting

      Actually, the comment is (perhaps unintentionally) insightful. According to the current (25th June 2009) draft of the HTML 5 spec:

      "The user agent should obscure the value so that people other than the user cannot see it."

    12. Re:Making my point with humor by zmollusc · · Score: 3, Funny

      OMG! Could this be a way to make linux the most widely used OS? Write a GUI that looks like the computers on TV? Although you would need a monitor that projected the text onto the user's face.

      --
      They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
    13. Re:Making my point with humor by lindseyp · · Score: 5, Insightful

      What's even better than that is when the password input window *does* have focus, and the IM window steals it just as you start to type it in.

      focus-stealing windows should be banned.

      --
      I have discovered a truly admirable demonstration (of this general theorem) which this
    14. Re:Making my point with humor by bkpark · · Score: 3, Insightful

      focus-stealing windows should be banned.

      And you can ban it. At least in XFCE, it's a standard option whether to give newly created windows focus or not (I leave it on because I find that behavior more intuitive than a window popping up and me having to move my mouse over it to start typing in it).

      If you can't configure this basic option in your window manager, well, maybe it's time to change your WM?

    15. Re:Making my point with humor by jc42 · · Score: 2, Informative

      According to the current (25th June 2009) draft of the HTML 5 spec:

      "The user agent should obscure the value so that people other than the user cannot see it."

      But if you read that carefully, you'll note that it does not say that the user can see it. It allows for implementations that totally obscure the password, and implementations that let the user see the password (as long as others can't). And it doesn't suggest how the latter might be done.

      I think it was very carefully worded. Or maybe it was just an accident.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    16. Re:Making my point with humor by beav007 · · Score: 2, Insightful

      Or, programs should be able to lock focus when they are actively being typed into.

    17. Re:Making my point with humor by Khyber · · Score: 2, Funny

      The internet would speed up so much it would be insane. Just have a program hunt down every site that shoves a pop-up in your face and nuke the entire thing. ISPs and Telcos would have no choice but to start advertising higher speeds or die out to competition that realizes it first and takes advantage of it!

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  2. hunter2 by beaviz · · Score: 5, Funny

    Nielsen is finally getting even for that old prank we pulled on him back in the day ;)

    http://bash.org/?244321

    1. Re:hunter2 by digitalgiblet · · Score: 3, Interesting

      Seriously, if you only evaluate software based on usability, then it is BAD to even require a password.

      Requiring a password INSTANTLY makes software harder to use. Not requiring a password makes the user's life much easier and simpler.

      Now if you care about more than just usability, then you may want to reconsider dropping or masking passwords.

    2. Re:hunter2 by El_Muerte_TDS · · Score: 5, Funny

      Hmm... I always thought the forums I frequent had some censor for bad words, but I guess it's a password filter. That's neat.

      I wonder if /. also has a feature like that, let me try it. Pen1s

    3. Re:hunter2 by suso · · Score: 5, Funny

      Hmm... I always thought the forums I frequent had some censor for bad words, but I guess it's a password filter. That's neat.

      I wonder if /. also has a feature like that, let me try it. *****

      Hey that worked, try some of your other passwords.

    4. Re:hunter2 by El_Muerte_TDS · · Score: 5, Funny

      Neat, let me try a longer one. Erecti0n

    5. Re:hunter2 by mcgrew · · Score: 2, Interesting

      Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability

      He's not a security expert, but he IS a usability expert (even though I, a non-expert, often disagree with some of the things he writes). On the whole, though, web developers would do well to read his columns.

      Perhaps you should read up on our friend Kevin Mitnick and NASA "Hacker" Gary McKinnon both of whom are no strangers to the over-the-shoulder-attack.

      That will work even WITH masked passwords, which I found out when a woman watched me use my debit card. Lot of good it did me for the numbers to not be displayed when she simply had to look at what keys I was pressing. In the case of ATMs, masking is "security theater". Lesson 1: don't use a debit card to get money for more booze. Lesson 2: just don't use debit cards!

      However, Nielsen adds

      Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

      Sounds like a good idea to me. Why do I need password masking alone in my own living room? Logging on to my work computer, yes, especially in a cube setting. But not on most internet sites.

      I have to applaud what he says about reset buttons on forms, especially long ones. They have no use whatever except to make you retype everything if you hit the stupid thing by mistake.

      I think sacrificing a few login attempts worth of time is worth the security.

      Good security involves locking out the user after a certain number of attempts in order to stop a "dictionary attack". I just had to reset a user's PW twice this afternoon because she locked herself out of her account. Sure, it's extra hassle but the security is worth it.

      [citation desperately needed]

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    6. Re:hunter2 by Darkness404 · · Score: 4, Insightful

      About the only thing that requires a complex password for most people is work. At work, most everyone is too scared of being fired to really mess with people's accounts. Really the only point of passwords there is to keep out network attacks or so people can work at home. If someone can't remember 6-8 characters with a number thrown in there for good measure, perhaps they should not be on the internet.

      --
      Taxation is legalized theft, no more, no less.
    7. Re:hunter2 by Useful+Wheat · · Score: 5, Funny

      System Error:

      Password too short.

    8. Re:hunter2 by NeverVotedBush · · Score: 2, Interesting

      Not entirely. A telescope and photomultiplier or phototube aimed at someone's office window will get you everything on their screen if they are using an older CRT monitor - regardless of whether it is visible from the window or not. If they have their monitor visible through a window then just a telescope will do it for you.

      I agree with eldavojohn and everyone else who has the various examples/anecdotes/satirical comments. Showing passwords to anyone nearby or with binoculars, telescopes, or cameras is not very bright.

      What is the value of the data you are trying to protect? Is it worth the few seconds required to re-type a password?

    9. Re:hunter2 by CopaceticOpus · · Score: 5, Funny

      Neat, let me try a longer one. ********

      Cool, that worked also. Do you have anything harder?

    10. Re:hunter2 by vidarh · · Score: 5, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      No, but if Stephen Hawking made a claim that flew in the face of established conventions in - say - psychology, I would expect a citation. Nielsen is a usability expert, not a security expert, and GP questioned his claim about the security aspect.

    11. Re:hunter2 by Crazy+Man+on+Fire · · Score: 2, Insightful

      You might want to RTFA before typing out such a long post. If you did, you'd notice a few things.

      1) He's specifically advocating this for login forms on the web
      2) He specifically says that security trumps usability in some instances
      3) He gives a very clear example of a way to enable/disable this feature

      With the proliferation of mobile devices with tiny, sometimes virtual, keyboards, typos are very common. When you can't even see that you've made a typo because it is obscured by dots, then you have no chance of correcting it.

      Wouldn't it be nice if you could uncheck a little box that says "Obscure my password"? If you're paranoid, you could just check the box before entering your password or leave it checked, depending on the default.

    12. Re:hunter2 by adamstew · · Score: 5, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      Yes! I would! I would want to see the research that led him to his conclusion in physics. Or, more specifically, I would want another physicist to look at his research and give his validation to say that it's sound.

    13. Re:hunter2 by plague3106 · · Score: 2, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      Not at all. But I wouldn't listen to his ideas on beating the Taliban in Afghanistan.

    14. Re:hunter2 by Knuckles · · Score: 2, Insightful

      Same thing with email addresses in online forms, why do I always have to type those in twice?

      That's to reduce the chances you have a typo. Some even explain that.
      I have no idea about the MS thing, it's probably because their WLAN taskbar applet sucks hard.

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    15. Re:hunter2 by ImaLamer · · Score: 5, Funny

      Harder than erecti0n?

    16. Re:hunter2 by ColdWetDog · · Score: 4, Funny

      Good point. It is far too difficult for the guy with the telescope and photomultiplier tube to aim the thing at your keyboard, capture your hand motions and play them back at low speed. The dots are totally secure.

      That's why you should always use a Dvorak keyboard. Without the letters on the caps. Just to be sure.

      --
      Faster! Faster! Faster would be better!
    17. Re:hunter2 by Denihil · · Score: 3, Funny

      you don't? SWEET i am so going to be disposableaccount@yahoo.com! I AM SO HAPPY

    18. Re:hunter2 by Intron · · Score: 2

      What ever happened to the chord keyboard? Does anybody still use them?

      --
      Intron: the portion of DNA which expresses nothing useful.
    19. Re:hunter2 by Trecares · · Score: 3, Insightful

      Stephen Hawking would generally be expected to have something to back up his statements. People don't just come up with stuff out of thin air. They do research, experiment, formulate hypotheses and test them. That becomes the body of evidence on which Hawking would base his statements. What kind of evidence does Nielsen have to back his remarks? Polls? Focus groups?

      Nielsen is essentially recommending that usability should trump security, which is not necessarily the right answer. Now if he wants to recommend redesigning the authentication system, then I suggest that he collaborate with security experts and come up with a new authentication method that is both user friendly and secure.

      I wonder if Nielsen's research considered instances where people forgot or entered the incorrect password. Cases in which seeing the password in cleartext would not help. The easy answer is to look at the keyboard and see what you're pressing if you can't tell what you're pressing.

    20. Re:hunter2 by cliveholloway · · Score: 5, Funny

      dild0?

      --
      -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
    21. Re:hunter2 by macslut · · Score: 4, Interesting

      I'm so disappointed as I was hoping to find an answer here. I've been wondering about the whole entering the password twice for Microsoft on a wireless network for years now. I have a Mac, and every time a Windows user asks me to repeat the password, I ask them why...they tell me they need to enter it twice, so I ask *why*. Nobody has ever offered me an answer. That would drive me friggin nuts as a Windows user...not just doing it, but knowing there was no valid reason as to why. Now email addresses on online forms are a different story, they're just trying to make sure you did it correctly by making sure the addresses match. For the wireless network login this makes no sense because if you did get it wrong, then no loss, just that's when you'd have to enter it the second time. I think someone really screwed up at Microsoft on this, but why was it left this way after numerous patches? Apple does allow you to hide or reveal your password for the wireless network, which is funny because this option is a bit more of a risk than just letting you see your password while entering it. By allowing you to reveal the password after it's been entered, they're allowing anyone to walk up to a Mac that's connected and see the wireless password when the user is away.

    22. Re:hunter2 by grahamd0 · · Score: 2, Insightful

      He's not a security expert, but he IS a usability expert (even though I, a non-expert, often disagree with some of the things he writes).

      He's the seventh grade English teacher of usability experts. Everything he says is useful the first time you hear it, but most of it is wrong.

    23. Re:hunter2 by six11 · · Score: 2, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      Nielsen is not universally revered in HCI (/usability) circles, and we don't really have a Stephen Hawking-like figure. He has done some pretty solid work in the past, but that only goes so far. A lot of UI/UX practitioners I know don't think highly of his recent stuff. So, [citation needed] is right, but [open mind needed] is as well.

      I love my field, but it is really fluffy---most of what we accept as "true" is really just "things we generally accept or don't want to argue about any more". Like most pundits, Jakob is taking an extreme position to get practitioners to think about alternative methods of designing user interactions.

  3. hunter2 by eldavojohn · · Score: 4, Interesting

    Usability expert and columnist Jakob Nielsen

    Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability. And for a second there I was afraid he was just doing this for attention.

    Mr. Nielsen, could you send us screen shots of a working example? Perhaps show us how it looks like when you log into the administrative console now with your password entered in and then a screenshot of the way you think it would be more usable. I'll review them and let you know in a most interesting way what I think.

    Perhaps you should read up on our friend Kevin Mitnick and NASA "Hacker" Gary McKinnon both of whom are no strangers to the over-the-shoulder-attack. Really, I'm no security expert or pen tester but I'm going to speculate that these 'soft hacks' are some of the most dangerous vulnerabilities left. Your suggestion just makes them all the easier. I personally would like to see the standard bumped up to the level of the input box not even being masked ... no input is recorded in any way on the screen. Now that's a usability nightmare when you can't even backspace to correct your errors. I don't think I've seen this since my days in a computer lab at college but I think sacrificing a few login attempts worth of time is worth the security.

    Typically, masking passwords doesn't even increase security ...

    [citation desperately needed]

    I think back to the few times when I've entered my password accidentally into the username box because the tab key I hit didn't register or the site didn't support it and I just felt nervous and dirty and needed to change my password. Just knowing that there were photons and radiation everywhere in my cube belying my password to anyone who cared to capture them ... I mean it's bad enough that the sound waves of my keystrokes are floating around telling people my password. Sorry to go all tinfoil hat on you there.

    --
    My work here is dung.
  4. Two words by RollingThunder · · Score: 5, Insightful

    Shoulder surfing.

    Seriously, is this guy supposed to be an expert?

    This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

    1. Re:Two words by tomhudson · · Score: 5, Insightful

      I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

      Think about your bank card, your PIN, etc.

      FTFA:

      It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

      Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

    2. Re:Two words by dkleinsc · · Score: 2, Insightful

      expert(n): Someone who will charge you a large amount of money to state the obvious (possibly to someone else who needs to be convinced of something).

      The real geniuses of the world don't go around calling themselves "experts", they just do nifty things and solve interesting and difficult problems.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    3. Re:Two words by amicusNYCL · · Score: 5, Insightful

      Oh, c'mon.

      So, password masking doesn't even protect fully against snoopers.

      No, it doesn't protect fully, but it does protect from everyone who can't see the keyboard when you type. In other words, it protects against every shoulder-surfing scenario except when the person is looking directly at the keyboard when you type. And even then, if you're typing fast enough or the keys are close enough together you won't be able to guess the password by watching the keyboard. Hell, I'm sitting right in front of the keyboard and I still can't look through my hands to see which keys my fingertips are actually pressing. So, password masking does protect from shoulder-surfing. It might not protect against people looking directly at your keyboard, but that might be because it's designed specifically to protect against people looking at the goddamn monitor.

      More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

      OK, so this is a great usability solution for websites that only get accessed by people sitting alone in their offices without the possibility of a co-worker standing there as they log in. For all other sites that people might access in an internet cafe, or at the airport, or in a coffee shop, or wherever else, I guess it doesn't apply at all.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    4. Re:Two words by mwvdlee · · Score: 5, Funny

      Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

      Might as well just put all my expensive electronics on the front lawn, since a truly skilled burglar can simply pick the lock and steal it anyway. So, keeping your valuables behind closed doors doesn't even protect fully against theft. It sure as hell makes it more difficult for casual thieves though, which is probably nearly all of them.

      More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

      Not all of us have those nice cushy jobs Mr. Nielsen has, where we have our very own office. Roughly 99.9993% of office workers have colleagues. I guess Mr. Nielsen is just a tad detached from reality here.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    5. Re:Two words by rtfa-troll · · Score: 5, Interesting

      Sure, being the RTFA troll, I read the article. But that still doesn't convince me. The keyboard press is a brief instant on a device which is easy to place more or less out of line of sight. A visible password on a screen is present for a long time and there are a number of interesting ways to capture this. Whilst keyboards are not perfect I think that some protection is worthwhile. One thing is for sure. Nobody is going to remember to turn this on when they are in public and your password only needs to be captured once.

      One thing that might be a possible compromise is the system the mail client on my Nokia phone uses. The most recent character entered in the password is displayed for a short time. I can see each individual character, but the entire password is not exposed. I worry on the subway, but since it's a personal device it's easier to make this difficult to see.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
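The transient last-character reveal described in this comment, combined with the explicit "show password" switch that earlier comments in the thread ask for, modelled as a small JavaScript state machine. This is an added example, not code from the thread, from Nielsen, or from any phone vendor; the names PasswordMasker and REVEAL_MS, the one-second window, and the element ids in the browser wiring are this example's own assumptions. The browser wiring at the end is guarded so the model itself runs under Node.

```javascript
// Added example: a masked password field that shows only the most recently
// typed character, and only for a short window, plus an explicit "show
// password" switch. All names here are this example's own assumptions.

const REVEAL_MS = 1000;      // assumed reveal window for the last typed char
const MASK_CHAR = '\u2022';  // the bullet that replaces each character

class PasswordMasker {
  constructor(revealMs = REVEAL_MS) {
    this.revealMs = revealMs;
    this.value = '';        // the real secret; rendered only when unmasked
    this.revealUntil = -1;  // clock time until which the last char is visible
    this.unmasked = false;  // the user's explicit "show password" choice
    this.now = 0;           // virtual clock in ms, so behaviour is deterministic
  }

  // Advance the virtual clock; the widget below feeds it Date.now() deltas.
  tick(ms) { this.now += ms; }

  // Append one typed character and open the reveal window for it.
  type(ch) {
    this.value += ch;
    this.revealUntil = this.now + this.revealMs;
  }

  // Deleting must not expose the character that becomes last, so the
  // reveal window is closed rather than left open.
  backspace() {
    this.value = this.value.slice(0, -1);
    this.revealUntil = -1;
  }

  // Pasted text is never revealed character by character.
  paste(text) {
    this.value += text;
    this.revealUntil = -1;
  }

  setUnmasked(flag) { this.unmasked = Boolean(flag); }

  // The string the screen should show right now.
  display() {
    if (this.unmasked) return this.value;
    if (this.value.length === 0) return '';
    const head = MASK_CHAR.repeat(this.value.length - 1);
    const showLast = this.now < this.revealUntil;
    return head + (showLast ? this.value.slice(-1) : MASK_CHAR);
  }

  // The secret itself, for the code that submits the form.
  secret() { return this.value; }
}

// Browser wiring (skipped under Node): the visible input only ever holds
// display(), and a timer re-renders it so the revealed character hides
// itself. Element ids are assumed. autocomplete is switched off because the
// visible field is a plain text input, which browsers otherwise add to their
// form history.
if (typeof document !== 'undefined') {
  const model = new PasswordMasker();
  const field = document.getElementById('pw-display');   // <input type="text">
  const toggle = document.getElementById('pw-show');     // <input type="checkbox">
  field.setAttribute('autocomplete', 'off');
  let last = Date.now();
  const render = () => {
    const t = Date.now();
    model.tick(t - last);
    last = t;
    field.value = model.display();
  };
  field.addEventListener('beforeinput', (ev) => {
    ev.preventDefault();   // the browser never edits the field directly
    if (ev.inputType === 'insertText' && ev.data) model.type(ev.data);
    else if (ev.inputType === 'deleteContentBackward') model.backspace();
    else if (ev.inputType === 'insertFromPaste' && ev.dataTransfer) model.paste(ev.dataTransfer.getData('text'));
    render();
  });
  toggle.addEventListener('change', () => { model.setUnmasked(toggle.checked); render(); });
  setInterval(render, 100);
}
```

The design point is that the secret lives in the model, never in the DOM: what the browser can see, cache or autocomplete from the visible field is a row of bullets (or, for a second, one character), and the full value only appears when the user flips the switch. Passing `revealMs = 0` to the constructor gives the classic fully masked behaviour, so the same widget covers the "checked by default for high-risk sites" option the article proposes.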
    6. Re:Two words by radtea · · Score: 5, Insightful

      Retarded doesn't begin to cover this.

      The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

      Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    7. Re:Two words by Znork · · Score: 2, Insightful

      Offering a default to turn OFF password masking for bank accounts?

      As many banks use one time passwords, that might actually be one of the few places where unmasked passwords are acceptable.

      Otherwise, no way. For those with very bad keyboard skills there are workarounds like using keyboard patterns and with cellphones you can use longer passwords but without multiple-click use of buttons.

      Slightly easier input simply isn't worth it; not only don't I want to reveal my passwords to any furtive glance, I don't want to be exposed to everyone else's passwords either.

    8. Re:Two words by hey! · · Score: 4, Interesting

      Well, that's the crux isn't it?

      To a usability expert, expectations are your friends. You trust them. You believe in them.

      To a security expert, expectations are your enemies. You distrust them. You try to figure out what they're hiding from you.

      Of course, everyone agrees that what is expected and what happens *should* be the same, but I think here the security guys have the more legitimate concern. Mr. Nielsen doesn't even consider the possibility that his expectations might be violated. He assumes they are benign as long as they are "usually" right.

      What does "usually" mean? *You the user* may "usually" type the password where you can't be watched (although how Nielsen knows this applies to me I have no idea). But the usual case for the *criminal* is the situation where *some* user is being vulnerable. He doesn't care about the legions of users who are not exposed to a problem. He cares about the sufficient number of users to his purpose that are. He *seeks* what we consider negligible and makes his home there.

      Suppose I design a web site with ten thousand users a day. Suppose a certain situation comes up only 1/10 of one percent of the time for any given user on any given day. To a usability expert that's negligible. To a security expert, that means I'll be guaranteeing ten exposures to vulnerabilities per day. That's great for attackers. They don't care that *most* users aren't exposed to this problem *most* of the time. They only care that *some* users will be exposed to this problem nearly *all* of the time.

      All engineering is about balancing costs and benefits. But you've got to know the probabilities, and to do that right you've got to determine the right population to calculate them with. Once we've established that the "unusual" user case is the "usual" attacker case, we have to recalculate our cost estimates. Where an attack is extremely unlikely, Mr. Nielsen is correct in saying that the increment of security that masking gives is small. We're talking about very, very small probabilities, so the only increment we might rationally care about is dropping the probability to zero. Since some criminals can read keystrokes from a keyboard (although by no means many), we don't achieve that. Therefore masking is useless.

      However, from the perspective of the attacker and site owner, a situation where some users are exposed to this kind of attack is quite common. It literally happens all the time for a large site. Therefore if masking repulsed, say, 50% of attacks (being very, very conservative), it's still worth doing if you want to keep your site secure, or care about possible violations of user privacy.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    9. Re:Two words by Americano · · Score: 2, Interesting
      From Dictionary.com:

      genius (noun) - an exceptional natural capacity of intellect, especially as shown in creative and original work in science, art, music, etc.

      expert (noun) - a person who has special skill or knowledge in some particular field; specialist; authority.

      Now here's a list of Mr. Nielsen's publications in the field of usability. Also a short biography of the man on wikipedia, listing some of his educational background & contributions.

      Given all this, two points:

      • Nobody referred to Mr. Nielsen as a "genius" except you. They did refer to him as an "expert" in the field of usability, which it's quite clear that he is, if you read his biography, list of publications, and other credentials. You may not agree with his opinions on usability, but he certainly qualifies as "someone with special skill and knowledge" in that field.
      • If your definition of genius requires some level of renown, then the word you should be using is "celebrity," not "genius." Ability, intellect, and creative capacity need not be well-known to the public to be exceptional.
  5. Um, here's a thought. by greenguy · · Score: 4, Interesting

    Howzabout we make it optional, so people can decide for themselves?

    --
    What if I do the same thing, and I do get different results?
    1. Re:Um, here's a thought. by Yetihehe · · Score: 5, Insightful

      It's possible, the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on page - just press down arrow and voila!

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    2. Re:Um, here's a thought. by clone53421 · · Score: 2, Informative

      javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

      Bookmark it if you want.

      For bonus points, set a timeout that restores all the fields you changed to their original password types after a few seconds.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
  6. How about a compromise? by Verteiron · · Score: 5, Insightful

    Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

    --
    End of lesson. You may press the button.
  7. It's time! by kurtmckee · · Score: 3, Interesting

    I agree, it's time to switch to the Unix password entry scheme. No feedback is good feedback!

  8. Ever looked at your password? by fandingo · · Score: 2, Insightful

    Does anyone ever think it's weird to actually look at your password? I never write them down, and I remember them mostly by the location of the keys on the keyboard, not by the actual text. To me, it's quite unnatural to look at a password.

  9. Easy solution by wjousts · · Score: 4, Insightful

    Change your password to **********

    1. Re:Easy solution by Clovis42 · · Score: 2, Funny

      I can't read what word you wrote. It is filtered or something.

      --
      Clovis
      ^ Clovis, look! It's that guy you are!
  10. One word for Nielsen: Projector by tcsh(1) · · Score: 5, Insightful

    Ever logged in to a computer connected to an LCD projector?

    1. Re:One word for Nielsen: Projector by Archimonde · · Score: 2, Funny

      I've seen it.

      There was this guy wanting to do a presentation in front of around 50 people on an Ubuntu laptop and he typed his password in the "User" textedit of the login window. Everyone erupted with laughter because his password was "jebenica_l01" (something like fuckery lol in English). I don't blame him too much, that login window has a serious flaw with showing only one textedit at a time, both of them in the same place, which can lead to a situation like this when people are under pressure. Needless to say, the guy was red in the face and stuttering horribly the whole time.

      --
      Trolls are like broken clocks. They show the truth two times a day. The rest of the day they talk nonsense.
  11. Re:Not to fanboi all over the place... by IANAAC · · Score: 5, Informative

    Around long before the iPhone, but it was a nice try to attribute that to the iPhone.

  12. Re:But then you might see that their password is by wjousts · · Score: 2, Funny

    Hey, that's the same as the combination on my luggage!

  13. Security by ucblockhead · · Score: 2, Insightful

    One of the most irritating things is the way many websites, especially financial websites, are designed with no thought to the difference between use in a public setting and use in a private setting. For instance, I only ever use my banking website from one place, my den, which is physically secure, yet I have to suffer through all sorts of crap designed to make sure my account doesn't get compromised in a public setting. (The most annoying being automatic log outs for non-use.)

    Masking passwords, logging off the user on non-use after ten minutes, and other such security methods do not actually decrease the chance of compromise significantly when the user has physical security. Websites should allow for this.

    --
    The cake is a pie
    1. Re:Security by PitaBred · · Score: 2, Insightful

      See, now you're asking people to make critical decisions affecting their own security, with the vast majority of them having no way to realistically evaluate the actual security. You're intentionally calling forth the demons of being Unskilled and Unaware of It. People will overestimate their security on their shitware ridden Windows machines, or check their bank accounts from home and work and the library... if the preferences are per-user, that's horribly insecure. If it's per user+IP, it will confuse normal users and anger them. It's better to leave it as secure as possible from any possible login point. You shouldn't ever underestimate the stupidity of the average person, especially when it's a subject they don't care about.

  14. Indeed lack of imagination by guruevi · · Score: 5, Insightful

    1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

    2) How many times have you typed in your password while somebody was looking at your screen, e.g. to show somebody something on a protected website. This happens a lot to tech people as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.

    3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (e.g. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.

    4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Indeed lack of imagination by BitZtream · · Score: 2, Insightful

      I can do it for linux and Windows pretty quickly, not sure about OS X, but I can do it on FreeBSD or any X server really.

      All I need is to get you running a process that does my dirty work in Windows, certainly not difficult. With an X server involved all I need to do is get an app that can connect to your X server and sniffing becomes easy. Failing that, in both Windows and most unix flavors I can always just futz with your user profile and use LD_PRELOAD to make sure I see all your stdio. Don't think it's possible? Have you used screen? It doesn't preload or anything because it's not trying to go unnoticed.

      It's only slightly more difficult to get keyboard characters than it is to get screenshots after you've got to the point where you can do the screenshots. Once you get the screenshots, the machine is already compromised to the point that it doesn't matter.

      And on that note, once you compromise the machine to take screenshots, there are far more effective malware packages out there to install than just a screenshot snagger.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    2. Re:Indeed lack of imagination by SloppyElvis · · Score: 2, Interesting

      4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

      hmm...

      SetWindowsHookEx()

      ...I don't believe this requires admin rights. Windows is designed for usability! I could write an Internet Explorer browser add-on that superimposes over password editboxes and displays your password so you (and I) can see it!

  15. That's a brilliant idea! by Estanislao+Martínez · · Score: 2, Informative

    And, surprise, that's exactly what TFA recommends! Quote:

    Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

  16. Hidden department revealed! by gcnaddict · · Score: 2, Informative

    *****-****-**-********
    Don't_mask_my_password

    (I used my stealthy password exposer to find that out.)

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  17. Ever typed a long WPA key into an iPhone? by Anonymous Coward · · Score: 5, Insightful

    The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.

    Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

    1. Re:Ever typed a long WPA key into an iPhone? by AndrewNeo · · Score: 2, Informative

      And now that you bring that up, it made me curious. I just checked, and the iPhone OS 3.0 does support pasting into password fields, including the WPA passphrase field! You could now type it up in the Notes program (or any other text field, but whatever), copy and paste it, then delete the note. (Well, now you can, anyway)

  18. Re:Only when registering by i'm+lost · · Score: 2, Insightful

    This means we no longer need to confirm passwords twice when registering.

    Yeah, just like we don't have to confirm email addresses right now.

  19. Another two words by El+Gigante+de+Justic · · Score: 3, Insightful

    Saved Passwords.

    I typically have my web browser save my passwords for things I consider lower risk, but if masking is removed and the browser automatically loads the password into the form, then it's available to anyone. Considering that many users use the same or similar passwords for almost every application, having it unmasked on one site could give up your info on any number of other sites.

    1. Re:Another two words by clone53421 · · Score: 3, Informative

      Oh really? Even if your browser won't just show them to me I can still get them easily if I have physical access to your browser and I am able to successfully guess which sites you frequent:

      javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

      I'm not flaming Firefox for showing the passwords. What I am saying is simple... if your browser does save passwords, secure either the browser (Firefox has a master password) or the computer (via an account password, and don't leave the desktop logged in). The asterisks are a secure enough method of obscuring your password from someone looking over your shoulder, but they are not a secure method of obscuring your password from someone who's actually sitting at the computer keyboard.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    2. Re:Another two words by Gnom3 · · Score: 2, Informative

      You still need to beware of the saved password features in some browsers (Firefox & Chrome at least). There are ways that your saved password could potentially be viewed in plain text by anyone that has a few seconds of access to your browser.

      You can read more about it HERE and HERE

  20. Two more words for Nielsen: Security Cameras by hoosbane · · Score: 5, Insightful

    Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.

  21. Re:As they say... by nebaz · · Score: 5, Funny

    I say "good morning" to people in the morning. You know who else said that? Mussolini. Therefore...

    --
    Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
  22. Add smarts to browsers, not pages! by jonaskoelker · · Score: 2, Insightful

    [browsers] remember what you put in normal text fields.

    Well, here's an easy fix: browsers add a checkbox-ish context menu item to password fields saying "don't hide text behind dots". Pages don't have to do anything, and browsers don't need to change caching behavior.

    On the other hand, we only post passwords over HTTPS which browsers don't cache anyways. Right, slashdot? Right? Harumph :(

    1. Re:Add smarts to browsers, not pages! by Nixoloco · · Score: 2, Informative

      On the other hand, we only post passwords over HTTPS which browsers don't cache anyways.

      Most all browsers will save form data entered on a page served over SSL just as they do over non-SSL.. ?

  23. Re:Not to fanboi all over the place... by Duradin · · Score: 2, Insightful

    I think you confused an example of something with the attribution of something.

    He said "the iPhone has this feature".

    He didn't say "the iPhone innovated this feature".

    Do you feel better now after your minute of Apple-hate?

  24. I quite like the feature in OS X by NorthDude · · Score: 2, Informative

    In many places in OS X, there is a "display password" checkbox under password entry fields. So, by default the password is hidden, but if needed, you can click the checkbox and it will be displayed. Best of both worlds, I think.

    --
    I'd rather be sailing...
  25. its not a problem for me by circletimessquare · · Score: 5, Funny

    i can type my password without even looking

    watch, i'll enter my bank account password without looking

    fluffybunnies

    see? i didn't even need to...

    oh crap...

    unsubmit

    where's the damn unsubmit!

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  26. People are a problem by bky1701 · · Score: 3, Interesting

    On my old website, I had for a while password fields with no bullets. I had assumed that, given the low-importance nature of the site and all, no one would really care, and it did make it easier.

    A few weeks after opening, I had found out that a few people had not created accounts, because they had the strange idea that not having bullets somehow made the site less secure. That somehow, *I* would be able to see their password, more than if there were bullets.

    Needless to say, I changed over my password fields to bulleted, because I didn't want to lose any possible members to such a stupid problem. I still think that plain text is better, but it has become mandatory security theater. Much like an SSL cert makes even the most questionable site legitimate, lacking bulleted passwords makes people think you're being sneaky somehow. It is sad, but it's reality.

  27. Lotus Notes by camperdave · · Score: 2, Funny

    I like the way Lotus Notes used to do it. As you typed you'd get a random hieroglyphic. As long as your glyph matched what you remembered, you knew that you'd typed the password correctly. Nobody could guess by watching the monitor even how long your password was.

    --
    When our name is on the back of your car, we're behind you all the way!
    1. Re:Lotus Notes by lgw · · Score: 2, Interesting

      As long as your glyph matched what you remembered, you knew that you'd typed the password correctly.

      So anyone could just remember your hieroglyphs and then try passwords until they got a match? Nice. I don't think it actually worked that way.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Lotus Notes by fluffernutter · · Score: 2, Informative

      There are a very limited number of symbols. Something in the order of 24 or 32 I think. So sure, out of the millions of possible passwords it divides the possibilities by 32 I guess, but in the grand scheme of things it doesn't really help anyone guess your password. In fact, the last two passwords I've had generated the same symbols. Lotus Notes still does this and I use it every day. I've often wondered why no one else does it because it seems brilliant.

      --
      Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
  28. Re:Masking passwords doesn't do much by grumbel · · Score: 2, Informative

    then they can see your fingers type the characters of your password on the keyboard

    Have you ever tried that? Unless you practice it a good bit you are quite unlikely to succeed; you also have to have a good stare at the keyboard, which could be easily noticed by the user. Having the password clearly readable on the screen is a whole different matter. People are trained to recognize words quite literally in the blink of an eye. So any non-trivial password is very easy to spot when it's written to the screen, even from a distance; when you are not actually trying to read it you could spot it just by accident, as you can't stop your brain from recognizing words.

    The argument with the keyboard logger really isn't a good one. Sure, obscuring the password won't stop all attacks, but it will stop a lot of attacks and raise the bar for attack much higher, as you have to actually plan the attack and not just look at the screen at the right moment by accident.

    That said, an option on the entry-box to de-obscure the password would be welcome, since some are just a chore to type without visual confirmation (long WLAN keys and such).

  29. Re:Utterly absurd! by bennomatic · · Score: 2, Funny

    I would hope that most eight-year-olds haven't been exposed to the kind of language I use in my passwords.

    --
    The CB App. What's your 20?
  30. Re:Four words by __aagmrb7289 · · Score: 2, Interesting

    Good for you. Have you ever considered that you aren't in the majority? If not, I'd suggest that you start considering that question EVERY SINGLE TIME you start thinking to yourself something that starts with "But I..."

  31. You could always let the user choose by marcus · · Score: 5, Insightful

    In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

    Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
    1. Re:You could always let the user choose by fooslacker · · Score: 2, Informative

      Because a developer can't be sure you're in a secure environment when coding the app and he doesn't want to be held responsible for problems caused by your inattention or laziness, especially when he expects you to be a danger to yourself. Assuming the royal "you", as in a user.

    2. Re:You could always let the user choose by Hurricane78 · · Score: 2, Insightful

      Do you really expect users to know if their environment is secure?

      On the other hand, it's a great idea. More cracked accounts, more retards hurt, less retards being successful, less retards reproducing, and the global IQ rises.

      Seriously, I miss the intelligence boost that harsh times give humanity. :/

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    3. Re:You could always let the user choose by Rei · · Score: 5, Interesting

      For what it's worth, I've had a password compromised before by someone looking over my shoulder at what *keys* I typed. I'd rather not make it even easier for people by letting them just look at the screen, thanks. As you note, you never know whether your environment is secure. In my case, back in TAMS, I had a "friend" who was chatting with me as an excuse to stand close enough / above me to see the keyboard; he then set up a porn site on my university account as a prank.

      Strangely enough, the last I heard from him, he was becoming a Mormon missionary...

      --
      I tore these out of your symbol, and they turned into paper.
    4. Re:You could always let the user choose by speculatrix · · Score: 5, Informative

      S60 has been doing this since before the iPhone/iPod Touch was even a rumour within Apple.

    5. Re:You could always let the user choose by PReDiToR · · Score: 2, Informative

      Password Hasher has that facility.

      With this extension built into every web browser security would improve in leaps and bounds.
      For lazy people you can mix it with Secure Login or the Opera Wand.

      After all, once an attacker has local access to your machine all bets are off right? Password Hasher makes guesses/brute forcing passwords as close to impossible as it needs to be. 26 characters should be enough for anyone, surely?

      --
      Do not meddle in the affairs of geeks for they are subtle and quick to anger
    6. Re:You could always let the user choose by jaden · · Score: 2, Interesting

      How about just having the mouse over the password field causing plain text to be shown (maybe with a delay) ... mouse outside = dots.

      It's only annoying when X login failures result in your account being locked & you're stuck wondering if you had a typo in your dots. Wouldn't mind a countdown on that too (you have # more chances before you're locked out for 24hrs).

      -J

    7. Re:You could always let the user choose by MichaelSmith · · Score: 2, Funny

      Let's say my boss is hanging around, waiting for something important to him to get done. My password is a very rude word...

    8. Re:You could always let the user choose by Narcocide · · Score: 4, Insightful

      Your sig should be "Don't shoulder surf my password bro!" This is a situation where compromise is not appropriate. The unix login prompt has proper behavior. The story post is correct; obscured characters are dumb. The assumption that therefore they should be shown in plain text is incorrect. Your password should not be shown at all as you are typing it or at any time in any representation.

    9. Re:You could always let the user choose by noidentity · · Score: 4, Funny

      Instead of bullets, the password could appear in one of those CAPTCHA fonts; anybody shoulder-surfing would have to stare at it for 10 minutes to decipher it.

    10. Re:You could always let the user choose by Andr0id_flaH · · Score: 2, Interesting

      The problem with that is you might not "see" someone looking over your shoulder; however, TEMPEST, although old, is still used and people can see anything echoed to your screen from a distance or even through windows and walls. Also, by seeing your password, a user is more inclined to make it easier because they can visually see it with their eyes and not in their mind's eye.
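The two compromises the thread keeps returning to, the "display password" / "Echo password []" checkbox (NorthDude, marcus, and TFA's own recommendation) and the phone-style reveal of only the most recently typed character (Verteiron, and the WPA-key poster), can be written as one small state model. The code below is an added example, not from the thread, from Nielsen's article, or from any browser or OS; every function and field name in it is hypothetical, and the timing window is a constructed parameter.

```javascript
// Added example: a model of a password widget that is masked by default,
// exposes an opt-in "show password" checkbox, and can optionally keep the
// last typed character readable for a short window before masking it too.
// Hypothetical names throughout; not any browser's or OS's implementation.

const MASK_CHAR = "\u2022"; // the bullet most browsers draw

// Initial widget state. revealLastMs is how long the most recent character
// stays readable (0 disables the phone-style reveal entirely).
function createField({ revealLastMs = 0 } = {}) {
  return { value: "", showAll: false, revealLastMs, lastKeyAt: -Infinity };
}

// A character was typed at time `now` (milliseconds, e.g. Date.now()).
function typeChar(state, ch, now) {
  return { ...state, value: state.value + ch, lastKeyAt: now };
}

// Deleting never reveals anything: the reveal window is reset.
function backspace(state) {
  return { ...state, value: state.value.slice(0, -1), lastKeyAt: -Infinity };
}

// The "show password" checkbox. It defaults to unchecked (masked), which is
// the default both the thread and TFA ask for on high-risk pages.
function setShowAll(state, showAll) {
  return { ...state, showAll };
}

// What the screen should display at time `now`.
function render(state, now) {
  const { value, showAll, revealLastMs, lastKeyAt } = state;
  if (showAll) return value;
  if (value.length === 0) return "";
  const masked = MASK_CHAR.repeat(value.length);
  const withinWindow = revealLastMs > 0 && now - lastKeyAt < revealLastMs;
  if (!withinWindow) return masked;
  // Phone style: everything masked except the character just typed.
  return masked.slice(0, -1) + value[value.length - 1];
}

// Usage: type two characters with a one-second reveal window.
function demo() {
  let s = createField({ revealLastMs: 1000 });
  s = typeChar(s, "f", 0);
  s = typeChar(s, "l", 100);
  return {
    justTyped: render(s, 150),          // "•l"
    later: render(s, 2000),             // "••"
    checked: render(setShowAll(s, true), 2000), // "fl"
  };
}
```

Two design points follow from the thread. First, the reveal lives in the rendering, not in the value, which matches jonaskoelker's suggestion that the browser rather than the page decide what to echo; a page that instead flips the input from `type="password"` to `type="text"` (as the bookmarklet posted above does) turns it into an ordinary text field, which Yetihehe notes browsers remember. Second, the per-character window is a trade-off, not free: for the duration of `revealLastMs` the character is on screen for any camera or projector, which is Narcocide's and hoosbane's objection, so a high-risk site would set it to 0 and keep only the opt-in checkbox.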

  32. Microsoft wep key by blueskies · · Score: 4, Insightful

    The Microsoft wireless access passwords are done like that because they are complete idiots. Why do you have to type it in twice?? If it works on the first try, why use the second field at all?

    1. Re:Microsoft wep key by iPhr0stByt3 · · Score: 5, Informative

      If you mis-type the password to a wireless network, the AP won't even tell you it's wrong. That is because the AP will hopefully act as if it was correct in order to significantly slow down brute force password attempts. Windows will try to get a DHCP address and eventually come up with "limited or no connectivity". Therefore, using a double-check might save a few minutes if you can correct your typo immediately. I'm not saying that I prefer this. I'd personally rather have just one box and type it carefully, but that is a valid and good reason for this behavior.

  33. Why you have to type our WiFi password twice: by tlambert · · Score: 5, Funny

    Why you have to type our WiFi password twice:

    The first time sends the password to my botnet.

    The second time actually logs you in.

    -- Terry

  34. Re:Runaway security by jwietelmann · · Score: 2, Insightful

    Don't direct your ire toward information security just because your particular sysadmin happens to be an idiot.

  35. Re:Not to fanboi all over the place... by xlotlu · · Score: 2, Informative

    I first saw it on Nokia's S60 3rd edition, some 4 years ago; never had the occasion to try it on earlier S60s. It really is an extraordinary usability improvement, especially for keypads.

    Note however, the Nokias don't enable the feature when you enter a numeric password (e.g. the PIN), so I don't think they meant it as a usability feature in the sense Nielsen wants, but simply to overcome the frustration of entering masked letters on a numeric keypad.

    And it's quite obvious Apple didn't come up with the idea: they didn't patent it. Call it cynicism or my minute of Apple hate, but I prefer to call it pragmatism.

  36. Re:Runaway security by bwcbwc · · Score: 2, Insightful

    That FTP IS stupid. They should switch to SFTP and require digital certificates to connect, so they can authenticate connections without compromising login credentials.

    --
    We are the 198 proof..
  37. Nielsen is being an idiot by TheLink · · Score: 2, Insightful

    The developer can usually rely on the users being in an environment that's not secure enough for passwords to be displayed in the clear, though secure enough to assume nobody is video recording keypresses.

    With unmasked passwords, you'd have to change important passwords whenever someone walks past you just as you're typing them in. This scenario can be so common - office, starbucks, etc.

    Nielsen talks about usability, so how usable is that?

    In contrast if someone was _standing_ close by and you suspect him of trying to see what keys you were pressing, you can usually turn to him and say "Hey, do you mind?" or take appropriate countermeasures.

    Most people aren't allowed to kill random strangers who just happened to see unmasked passwords. So if someone just walks past, it's password change time. Whoopee for usability.

    So I recommend not relying on Nielsen for advice on security at all. And if this is typical of the level of thinking he does, I recommend that people not waste time reading his stuff.

    After all if users are in such secure environments as he claims, why bother having passwords at all? Why not just let the website recognize their cookie and log them in right away?

    --