Slashdot Mirror


Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

35 of 849 comments

  1. hunter2 by beaviz · · Score: 5, Funny

    Nielsen is finally getting even for that old prank we pulled on him back in the day ;)

    http://bash.org/?244321

    1. Re:hunter2 by El_Muerte_TDS · · Score: 5, Funny

      Hmm... I always thought the forums I frequent had some censor for bad words, but I guess it's a password filter. That's neat.

      I wonder if /. also has a feature like that, let me try it. Pen1s

    2. Re:hunter2 by suso · · Score: 5, Funny

      Hmm... I always thought the forums I frequent had some censor for bad words, but I guess it's a password filter. That's neat.

      I wonder if /. also has a feature like that, let me try it. *****

      Hey that worked, try some of your other passwords.

    3. Re:hunter2 by El_Muerte_TDS · · Score: 5, Funny

      Neat, let me try a longer one. Erecti0n

    4. Re:hunter2 by Useful+Wheat · · Score: 5, Funny

      System Error:

      Password too short.

    5. Re:hunter2 by CopaceticOpus · · Score: 5, Funny

      Neat, let me try a longer one. ********

      Cool, that worked also. Do you have anything harder?

    6. Re:hunter2 by vidarh · · Score: 5, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      No, but if Stephen Hawking made a claim that flew in the face of established conventions in - say - psychology, I would expect a citation. Nielsen is a usability expert, not a security expert, and GP questioned his claim about the security aspect.

    7. Re:hunter2 by adamstew · · Score: 5, Insightful

      If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

      Yes! I would! I would want to see the research that led him to his conclusion in physics. Or, more specifically, I would want another physicist to look at his research and give his validation to say that it's sound.

    8. Re:hunter2 by ImaLamer · · Score: 5, Funny

      Harder than erecti0n?

    9. Re:hunter2 by cliveholloway · · Score: 5, Funny

      dild0?

      --
      -- Trinity in high heels carrying a whip: The donimatrix - there is no spoonerism
  2. Two words by RollingThunder · · Score: 5, Insightful

    Shoulder surfing.

    Seriously, is this guy supposed to be an expert?

    This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

    1. Re:Two words by tomhudson · · Score: 5, Insightful

      I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

      Think about your bank card, your PIN, etc.

      FTFA:

      It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

      Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

    2. Re:Two words by amicusNYCL · · Score: 5, Insightful

      Oh, c'mon.

      So, password masking doesn't even protect fully against snoopers.

      No, it doesn't protect fully, but it does protect from everyone who can't see the keyboard when you type. In other words, it protects against every shoulder-surfing scenario except when the person is looking directly at the keyboard when you type. And even then, if you're typing fast enough or the keys are close enough together you won't be able to guess the password by watching the keyboard. Hell, I'm sitting right in front of the keyboard and I still can't look through my hands to see which keys my fingertips are actually pressing. So, password masking does protect from shoulder-surfing. It might not protect against people looking directly at your keyboard, but that might be because it's designed specifically to protect against people looking at the goddamn monitor.

      More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

      OK, so this is a great usability solution for websites that only get accessed by people sitting alone in their offices without the possibility of a co-worker standing there as they log in. For all other sites that people might access in an internet cafe, or at the airport, or in a coffee shop, or wherever else, I guess it doesn't apply at all.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:Two words by mwvdlee · · Score: 5, Funny

      Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

      Might as well just put all my expensive electronics on the front lawn, since a truly skilled burglar can simply pick the lock and steal it anyway. So, keeping your valuables behind closed doors doesn't even protect fully against theft. It sure as hell makes it more difficult for casual thieves though, which is probably nearly all of them.

      More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

      Not all of us have those nice cushy jobs Mr. Nielsen has, where we have our very own office. Roughly 99.9993% of office workers have colleagues. I guess Mr. Nielsen is just a tad detached from reality here.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:Two words by rtfa-troll · · Score: 5, Interesting

      Sure, being the RTFA troll, I read the article. But that still doesn't convince me. The keyboard press is a brief instant on a device which is easy to place more or less out of line of sight. A visible password on a screen is present for a long time and there are a number of interesting ways to capture this. Whilst keyboards are not perfect I think that some protection is worthwhile. One thing is for sure. Nobody is going to remember to turn this on when they are in public and your password only needs to be captured once.

      One thing that might be a possible compromise is the system the mail client on my Nokia phone uses. The most recent character entered in the password is displayed for a short time. I can see each individual character, but the entire password is not exposed. I worry on the subway, but since it's a personal device it's easier to make this difficult to see.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    5. Re:Two words by radtea · · Score: 5, Insightful

      Retarded doesn't begin to cover this.

      The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

      Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

      --
      Blasphemy is a human right. Blasphemophobia kills.
  3. How about a compromise? by Verteiron · · Score: 5, Insightful

    Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

    --
    End of lesson. You may press the button.
  4. Re:Um, here's a thought. by Yetihehe · · Score: 5, Insightful

    It's possible, the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on page - just press down arrow and voila!

    --
    Extreme Programming - Redundant Array of Inexpensive Developers
  5. One word for Nielsen: Projector by tcsh(1) · · Score: 5, Insightful

    Ever logged in to a computer connected to an LCD projector?

  6. Re:Not to fanboi all over the place... by IANAAC · · Score: 5, Informative

    Around long before the iPhone, but it was a nice try to attribute that to the iPhone.

  7. Indeed lack of imagination by guruevi · · Score: 5, Insightful

    1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

    2) How many times have you typed in your password while somebody was looking at your screen, e.g. to show somebody something on a protected website? This happens a lot to tech people, as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.

    3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (e.g. teleconference) or over a set of wires that you know haven't been tampered with (conference room), again logging in to your webmail or so to find a copy of your presentation?

    4) How difficult is it to create a script that takes screenshots? How difficult is it to create a script that captures keyboard entry as well? Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed); the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  8. Ever typed a long WPA key into an iPhone? by Anonymous Coward · · Score: 5, Insightful

    The cellphone method works great and never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy and trying to remember just where you left off. Agony.

    Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

  9. Two more words for Nielsen: Security Cameras by hoosbane · · Score: 5, Insightful

    Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.

  10. Re:As they say... by nebaz · · Score: 5, Funny

    I say "good morning" to people in the morning. You know who else said that? Mussolini. Therefore...

    --
    Rhymes that keep their secrets will unfold behind the clouds. There upon the rainbow is the answer to a neverending story
  11. Re:Making my point with humor by Profane+MuthaFucka · · Score: 5, Funny

    That comment is 99.99999% funny. It's 0.00001% true in the case of an all-asterisk passwd.

    --
    Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
  12. it's not a problem for me by circletimessquare · · Score: 5, Funny

    i can type my password without even looking

    watch, i'll enter my bank account password without looking

    fluffybunnies

    see? i didn't even need to...

    oh crap...

    unsubmit

    where's the damn unsubmit!

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  13. Re:Making my point with humor by doti · · Score: 5, Insightful

    That's because knowing the number of characters in a password greatly eases the password guessing.

    The masking is indeed a bad idea. Your unix login prompt does the right thing.

    --
    factor 966971: 966971
  14. You could always let the user choose by marcus · · Score: 5, Insightful

    In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

    Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.

    --
    Good judgement comes from experience, and experience comes from bad judgement.
    - W. Wriston, former Citibank CEO
    1. Re:You could always let the user choose by Rei · · Score: 5, Interesting

      For what it's worth, I've had a password compromised before by someone looking over my shoulder at what *keys* I typed. I'd rather not make it even easier for people by letting them just look at the screen, thanks. As you note, you never know whether your environment is secure. In my case, back in TAMS, I had a "friend" who was chatting with me as an excuse to stand close enough / above me to see the keyboard; he then set up a porn site on my university account as a prank.

      Strangely enough, the last I heard from him, he was becoming a Mormon missionary...

      --
      I tore these out of your symbol, and they turned into paper.
    2. Re:You could always let the user choose by speculatrix · · Score: 5, Informative

      S60 had been doing this before the iPhone/iPod Touch was even a rumour within Apple.
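A worked version of the compromise rtfa-troll and Verteiron describe above (show the last typed character for a moment, then mask it), alongside marcus's opt-in "Echo password" checkbox and doti's point that a row of bullets still leaks the length. This is an added example written for this page; it is not code from Nielsen's column, from Slashdot, or from any of the posters. The element ids `pw` and `echo`, the one-second reveal window and the sample value `hunter2` are assumptions made for the example.

```javascript
// Added example, not from the thread or from Nielsen's column.
// Pure rendering logic for a password field under four display policies:
//   'masked'      every character becomes a bullet (the web default)
//   'reveal-last' the most recently typed character is shown in the clear
//                 for a short window, then masked (the phone-style compromise)
//   'plain'       the whole value in the clear (the opt-in "echo password" box)
//   'blind'       nothing at all, so not even the length leaks (unix login prompt)
// The DOM wiring at the bottom is optional and only runs inside a browser.

const BULLET = '\u2022';
const REVEAL_MS = 1000;            // assumed reveal window, not from the page

class PasswordView {
  constructor({ mode = 'masked', now = Date.now } = {}) {
    this.mode = mode;
    this.now = now;                // injectable clock so the behaviour is testable
    this.value = '';               // the real secret lives here, never in the DOM text
    this.lastKeyAt = -Infinity;
  }

  // Record a keystroke; an input field only ever appends or deletes at the end.
  type(ch) { this.value += ch; this.lastKeyAt = this.now(); }
  backspace() { this.value = this.value.slice(0, -1); this.lastKeyAt = -Infinity; }

  // What the screen should show at this instant.
  render() {
    const n = this.value.length;
    switch (this.mode) {
      case 'plain':  return this.value;
      case 'blind':  return '';
      case 'masked': return BULLET.repeat(n);
      case 'reveal-last': {
        if (n === 0) return '';
        const fresh = this.now() - this.lastKeyAt < REVEAL_MS;
        return BULLET.repeat(n - 1) + (fresh ? this.value[n - 1] : BULLET);
      }
      default: throw new Error(`unknown mode ${this.mode}`);
    }
  }

  // Only an explicit user action may weaken the policy; never default to 'plain'.
  setMode(mode) { this.mode = mode; }
}

// Stand-alone demo: the same keystrokes (constructed sample) under each policy.
const clock = { t: 0 };
for (const mode of ['masked', 'reveal-last', 'plain', 'blind']) {
  const view = new PasswordView({ mode, now: () => clock.t });
  for (const ch of 'hunter2') view.type(ch);
  console.log(mode.padEnd(12), JSON.stringify(view.render()));
}

// Browser wiring, skipped when run outside a page (e.g. under Node).
// Assumed markup: <input id="pw" type="password" autocomplete="off">
//                 <label><input id="echo" type="checkbox"> Echo password</label>
if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw');
  const echo = document.getElementById('echo');
  if (pw && echo) {
    echo.checked = false;                          // masked unless the user asks
    const apply = () => { pw.type = echo.checked ? 'text' : 'password'; };
    echo.addEventListener('change', apply);
    // Re-mask when focus leaves the field or the form is sent, so the clear
    // value is not left sitting on screen (the projector and shoulder-surfing cases).
    const remask = () => { echo.checked = false; apply(); };
    pw.addEventListener('blur', remask);
    if (pw.form) pw.form.addEventListener('submit', remask);
  }
}
```

Two details matter in practice. The view keeps the real value in script state and only decides what to paint, so a "reveal-last" widget is an ordinary text field whose displayed string is `render()`, not the secret itself. And when the checkbox flips the native input to `type=text`, the field is put back to `type=password` on blur and on submit and carries `autocomplete="off"`, which keeps the browser's form history from offering the password back as a suggestion later (the objection Yetihehe raises above). Nothing here defaults to the clear; the user has to ask for it each time.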

  15. Why you have to type our WiFi password twice: by tlambert · · Score: 5, Funny

    Why you have to type our WiFi password twice:

    The first time sends the password to my botnet.

    The second time actually logs you in.

    -- Terry

  16. Re:Making my point with humor by transporter_ii · · Score: 5, Funny

    I think passwords should spin, and any right characters you try should make that digit stop spinning, to let you know that character was right. That would put things more in line with the movies and make hacking a lot more fun.

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  17. Re:Making my point with humor by gdshaw · · Score: 5, Interesting

    Actually, the comment is (perhaps unintentionally) insightful. According to the current (25th June 2009) draft of the HTML 5 spec:

    "The user agent should obscure the value so that people other than the user cannot see it."

  18. Re:Microsoft wep key by iPhr0stByt3 · · Score: 5, Informative

    If you mis-type the password to a wireless network, the AP won't even tell you it's wrong. That is because the AP will hopefully act as if it was correct in order to significantly slow down brute force password attempts. Windows will try to get a DHCP address and eventually come up with "limited or no connectivity". Therefore, using a double-check might save a few minutes if you can correct your typo immediately. I'm not saying that I prefer this. I'd personally rather have just one box and type it carefully, but that is a valid and good reason for this behavior.

  19. Re:Making my point with humor by lindseyp · · Score: 5, Insightful

    What's even better than that is when the password input window *does* have focus, and the IM window steals it just as you start to type it in.

    focus-stealing windows should be banned.

    --
    j'ai découvert une démonstration vraiment admirable (de ce théorème général) que cette si