Ask Slashdot: Is Password Masking On Its Way Out?
New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
"does password masking do anything beyond preventing the casual shoulder-surfer?"
Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because it's user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.
Although I do think showing it by default is a bit absurd. On the other hand, with a new router out of the box, the default password is a known quantity or on the labelling anyway... so not a lot of harm exposing it there.
" is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?"
It makes it much more likely to make a typo and have to try again.
"National Security is the chief cause of national insecurity." - Celine's First Law
Why? Was someone shoulder-surfing?
Make sure nobody is standing behind you. Password masking makes providing credentials more painful than it already is (even more so for those with disabilities).
The only interesting thing here is that you discovered a cheapo home device that doesn't mask passwords, fortunately in a situation (i.e. at home) when shoulder surfing is a non-issue anyway.
Come back when you've got more than one data point, eh?
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
My favorite is trying to enter 15 character randomized passwords into a "force mask" field. The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.
Man, you really need that seminar!
No, it is not going away, because it is more than just shoulder surfers that look at your screen. For example when you need to login while projecting the screen in a conference room, or sharing it during an online meeting. Now, get off my lawn. Please.
Sig ?
Praise the lord for the demise of that insane masking habit. I've been rallying against it since I first encountered it, which was still in the DOS era.
If anything, it should be optional. If no option is given, not masking it is /the better/ choice.
This is the most repeated joke ever, -78 creativity points.
I've only known a few IT guys who were great typists.
There's not a decent-quality password today that can be reliably typed by somebody who is not a great typist. If you are not masking, users will use better passwords. That's all.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Are we talking about web sites that use type="text" rather than type="password"? If so, then no, never ever ever is that appropriate for a password of any kind.
If we're talking about the UI of an app (either the browser or otherwise) giving the user an option for whether or not to mask, then that's a different discussion.
Non-masking allows copy-and-paste for that pesky second field!
Lots of app developers here but how many people here are doing OS/Device/Resource human interaction specifications?
Mimetics Inc. Twitter
I don't even get masked passwords in my terminal, you insensitive clod!
Only you can see your password, everyone else sees asterisks. This tech has been around since early irc days, not sure how OP hasn't heard of it?
hunter2 hunter2 hunter2
The above line may look like a bunch of asterisks to you, but I just typed my password three times.
Maybe a better question is, are passwords on their way out with inexpensive and reliable fingerprint scanners being standard on many devices and other ones having the user unlock them with a user-defined zig-zag pattern leading up to iris and facial recognition technologies. Maybe there are brain wave patterns that are unique to a user (let's see the NSA hack that).
If anything, I would expect secure logins to become easier for the responsible person to gain access easier while doing a better job of verifying that the person attempting access is the one that has it.
Your mom is the most repeated joke ever. Followed by you.
... on whether the application must present the credential on your behalf or not. If so, it must store the plaintext version. Revealing it at this point is just a feature.
But if there is no need to proxy the credential, then it should NOT be stored in plaintext. Which means it can't be revealed. Revealing a password that isn't proxied requires it to now be stored in plaintext, and this weakens the security of the system (you now need a secure key to encrypt the stored password with. This is fine if done properly, but often isn't, and it's better NOT to do it if it isn't necessary.)
Classic example is Wifi password versus Unix login. Wifi passwd must be presented to the router. Storing only a hash breaks that use case.
Unix login on the other hand just needs to store the hash (with salt!) so that it can be compared/authenticated. But there is no need to store it plaintext, therefore no way to reveal it. This is more secure than the Wifi case.
So reveal is OK if it's done right, but how will you know it's done right?
Who you gonna trust?
... ring a bell with any of you out there?
If so, reply with the name of the supplier.
It little behooves the best of us to comment on the rest of us.
*******
Make it a bunch of asterisks.
Done.
File under 'M' for 'Manic ranting'
If you get a password field on a web page the browser will display various scary-looking messages depending on the security of the page.
Generally if it's a local network page with an IP address (most router interfaces), having the password field will make the browser alert you that the page is "Not Secure" in the address bar. If it's a self-signed certificate (which adds encryption between you and the browser), the message is even scarier, with red fields or strikethroughs, as a spoofed certificate COULD be playing a man-in-the-middle confidence scheme. The only ones that get through this are devices that have set up proper certification.
So the easiest way to avoid a lot of the scary "not secure" address bar messages is just to do the login in plain text.
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
-2-3-4-5? That's the stupidest combination I've ever heard of in my life! That's the kinda thing an idiot would have on his luggage....lol
Yes it is only for a shoulder surfer. honestly if you want people to use complex passwords you have to show them the freaking string as they type
ASDq3fwtevybtynsR&56@%^25tqer7gRT*Ubt&tferyweF
for their password
Do not look at laser with remaining good eye.
No. Fuck you, bitch tits.
First of all, see "Stop Password Masking" at https://www.nngroup.com/articl.... The author, Jakob Nielsen, is supposedly an expert on human-computer interfaces.
The PGP encryption application likely has the best implementation. When entering a pass-phrase (more complex than a mere password), there is a checkbox to expose what is entered. When starting the application, the default is always to have the checkbox cleared, which means hide the pass-phrase.
the default password is a known quantity or on the labelling anyway... so not a lot of ham exposing it there.
For a second that's what I read, and for some reason it made sense. My bad, I should have putted down my flying pigs fantasy.
... Reference: <Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
Allowing the password to be revealed is an unwanted security risks to some parano- er... cautious folk and corporations. For one, it means that the password could be picked up by a larger portion of malware, e.g. screen grabbers and rogue browser extensions that are allowed to read the DOM.
Second, it means that the password isn't hashed, but either encrypted or stored in plain text somewhere on disk. A hashed password (with a random salt, to thwart rainbow tables) is generally harder to reverse than an encrypted password.
In an enterprise setting, when important passwords can't be revealed it makes more sense to keep them in a safe or a password manager, access to which could be easier to manage.
But when you can't remember your Wi-Fi password for your guests, maybe convenience outweighs security.
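The storage distinction drawn above (Unix login keeps only a salted hash and so cannot reveal anything; a Wi-Fi router must hold the credential it presents on the air, and a "show password" feature forces it to keep the readable passphrase) as an added example, not code from any comment on this page. The PBKDF2 round count for the login case is an illustrative assumption; the WPA2 PSK derivation is the one specified in IEEE 802.11i.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor, not a product recommendation

# --- Unix-login style: keep only salt + slow hash, so there is nothing to reveal ---
def store_login_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Record kept by a verify-only system. The plaintext is discarded here;
    the per-user random salt defeats precomputed (rainbow) tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "rounds": PBKDF2_ROUNDS, "digest": digest}

def verify_login_password(record: dict, candidate: str) -> bool:
    """Recompute and compare in constant time. No function can hand back the password."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["digest"])

# --- WPA2-PSK style: the router must hold the credential it uses in the handshake ---
def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes), per IEEE 802.11i.
    The SSID is the salt, so one passphrase yields a different PSK on each network."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def store_wifi_credential(passphrase: str, ssid: str, allow_reveal: bool) -> dict:
    """A router can keep the 32-byte PSK instead of the passphrase, but that PSK is
    the key material it proves possession of in the 4-way handshake, so anyone who
    reads the config can join the network either way. A 'show password' feature
    additionally forces the readable passphrase to be kept (allow_reveal=True)."""
    record = {"ssid": ssid, "psk": wpa2_psk(passphrase, ssid)}
    if allow_reveal:
        record["passphrase"] = passphrase
    return record

def reveal_wifi(record: dict) -> Optional[str]:
    """Only a router that chose to retain the passphrase can show it back to the user."""
    return record.get("passphrase")

if __name__ == "__main__":
    rec = store_login_password("hunter2")
    print("login verify:", verify_login_password(rec, "hunter2"), "stored keys:", sorted(rec))
    print("WPA2 PSK for 'password'/'IEEE':", wpa2_psk("password", "IEEE").hex())
    print("reveal without retention:", reveal_wifi(store_wifi_credential("password", "IEEE", False)))
```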
Adorable.
Yes! I have thought the same thing for years.
I'm here for the experience, not the Hyperbole.
TFA seems to believe that since they can't think of a purpose for masking, and that a single (in their words "cheapest money can" [I assume they meant] "buy") home router doesn't use masking, that it must be the end of a field that's been in HTML for as long as HTML has had a standard.. Training sessions, remote support sessions, documentation, and yes preventing shoulder surfing are all reasons that the password field type will probably never go away.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Since Chrome already asks you to save your password. Why not ask you to save a randomly generated 20 character password?
Forget this archaic masking tech.
It wouldn't surprise me. Hrm... the number of autocomplete form fields containing passwords in the average desktop browser over time would be an interesting stat chart, were there a way to collect it.
Someone had to do it.
It doesn't matter if you see them or not; it matters if they are stored salted/encrypted. This is the part that everyone should take care of. I have seen so many times that passwords are not visible [for user/admin], but when you look at the storage, they are in plain text. That is more stupid than asterisking them while typing.
That's a principle I've worked with for years.
You don't want others to know your passwords, you shouldn't tell people your passwords. (well most classes of passwords I work with).
A simple trick I've used over the years is to make passwords something I would definitely never want anyone to see me type in, something offensive, rude or even (apparently) incriminating ("Yes, it was me who killed your dog" or "I fuck ponies").
This also helps me remember them.
God forbid I run into a situation where my passwords are shown in plain text where others can read them *shudder*
In the free world the media isn't government run; the government is media run.
Password masking goes back to the very early days of interactive terminals. They were either teletypes or IBM terminals. They used paper as the output medium. If an unmasked password were entered it would be visible on paper indefinitely.
To overcome this, before entering the password, the input field would be blacked out. This would be done by printing - say - 12 x's, 12 backspaces, 12 *'s, 12 backspaces and 12 O's and 12 backspaces. This would put the print head over the preprinted field making the password more-or-less masked.
From there it was adopted into screen based systems.
The rest, as they say, is history.
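A simulation of the paper-terminal trick described above (12 x's, 12 backspaces, 12 *'s, 12 backspaces, 12 O's, 12 backspaces, then the password typed over the blacked-out field), added here as an illustration and not code from the comment. It models the paper as cells that accumulate every glyph struck on them, and shows why the masking was only "more-or-less": anything typed past the pre-printed width lands on clean paper and stays legible on the printout.

```python
from collections import defaultdict

BACKSPACE = "\b"

def mask_field(width: int = 12, glyphs: str = "x*O") -> str:
    """Pre-print sequence the login program sent before the password prompt:
    each glyph `width` times followed by `width` backspaces, so all three glyphs
    land on the same cells and the print head ends up back at the field start."""
    return "".join(g * width + BACKSPACE * width for g in glyphs)

def render_paper(stream: str) -> list:
    """Hard-copy model: paper cannot erase, so every column keeps the set of all
    glyphs ever struck on it. Backspace only moves the head one column left."""
    struck = defaultdict(set)
    col, rightmost = 0, 0
    for ch in stream:
        if ch == BACKSPACE:
            col = max(col - 1, 0)
        else:
            struck[col].add(ch)
            col += 1
            rightmost = max(rightmost, col)
    return [frozenset(struck[i]) for i in range(rightmost)]

def recoverable(paper: list, typed: str) -> str:
    """What someone reading the discarded printout recovers: a typed character is
    legible only where its cell carries no other glyph; '?' marks obscured cells."""
    out = []
    for i, ch in enumerate(typed):
        cell = paper[i] if i < len(paper) else frozenset()
        out.append(ch if cell == {ch} else "?")
    return "".join(out)

def login_printout(password: str, masked: bool = True, width: int = 12) -> str:
    """Recoverable text after a login program does (or does not) black out a
    `width`-column field before the user types `password` into it."""
    stream = (mask_field(width) if masked else "") + password
    return recoverable(render_paper(stream), password)

if __name__ == "__main__":
    # Constructed sample passwords; the long one overruns the 12-column field.
    for pw in ("hunter2", "correcthorsebattery"):
        print(f"{pw!r}: unmasked -> {login_printout(pw, masked=False)!r}, "
              f"masked -> {login_printout(pw)!r}")
```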
Unless you also mask the keyboard, an observant, practiced person can tell what your password is by looking at your fingers type.
But that is irrelevant. If someone wants to steal your password, the most common techniques are a key-logger and social engineering.
No one shoulder surfs. I
I pick up the occasional used router and noticed it was pretty easy to recover the SSID, WPA2 password, and the admin password.
I did a presentation on this last month and it was well received. We got used routers from the local thrift store or electronics recycler, opened them up and hooked up to the UART serial console. Most of them boot you to a command prompt with no password. Then you can run "nvram show | grep pass" or wpa or admin and you will get the prior owner's SSID and passwords.
There is a good chance that this person turned in this router after upgrading their router at home. It is probably unlikely they changed the Wifi passwords on all of their IoT, web cams, mobile devices, Blu-ray, laptop, whatever at home. So just plug the SSID into wigle net and you can go see what is on their webcam.
hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
Obligatory Nuclear Launch Codes: 0-0-0-0-0-0
And yet there's still idiots out there using 12345 for their password. Everywhere.
#DeleteFacebook
Used a Canadian government site, and the password worked, but every time I came back it didn't work. Had to create a new login. Eventually discovered my passwords were too long. It still accepted it, but when you came back, the full password wouldn't work, but if you cropped the password, it would work.
Yes, they are cheap, but 29.99 is not that far off 49.95, which gets you this: https://routerboard.com/RB952Ui-5ac2nD
Yes, I know it is about twice, but you get consistent quality and really flexible router firmware.
This is the real question. Why do people still run software from router vendors, which is usually insanely out of date and often has poorly designed security models, even disregarding this particular issue?
I agree with you that it's user friendly to be able to see the password, but then again why do people have legible passwords anyway? Why is the router asking for a password? It should really be using public-key encryption and/or shared secrets, which are never seen by the user. And really I think that's where this is going--if you look at the work being done in the IETF on token binding, that's the future. Visible passwords aren't the future, because passwords are on the way out.
The reason not to echo back the password comes from the days of printer terminals and printer logs of console output. You didn't want to have a box of pyjama-paper with passwords on it sitting next to the terminal (or in the garbage). We no longer log all output to an external medium, so the problem is pretty much gone.
On phones, the last typed character is always displayed for a moment. And it has to, because soft keyboards are so error-prone that you absolutely need that feedback. Masking is useless. When you allow anybody to look over your shoulder while you enter a password, you're doing it wrong. They can just watch (or record) your fingers.
Your mom is the most repeated joke ever. Followed by you.
2/10 must try harder
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
T-R-M-U-P
I though it was eight 0's...
Unfortunately the vast majority of people that buy consumer routers wouldn't be able to flash a custom firmware onto them even if they knew they existed. As for power users, which is the majority of Slashdot (or used to be), that is normally a simple task and done immediately after purchase of a consumer router. Which is why when people ask me what router they should buy I always point them towards Buffalo routers, as most of their models have a custom dd-wrt firmware and can be easily web-flashed with a full dd-wrt version.
First it was passwords
Then came minimum length
Then it was passwords with mandatory caps, numbers, symbols
Now it's passwords plus two-factor authentication
The usability aspect became horrid for the average user but the benefits are almost nonexistent
If you stream on rabb.it, then password masking prevents your viewers from stealing your password.
Somebody sits down at your computer and wants to find your login for something. They go to the site, your password gets filled in by the browser and.... Nothing, because it's masked.
Mine's "password" instead since it's required to be at least eight characters.
My password is ************.
Most 'shoulder surfers' I have personally come across were quite capable of looking at the keyboard as I type the password, and reading it correctly, even though I type with ten fingers.
Are we talking about web sites that use type="text" rather than type="password"? If so, then no, never ever ever is that appropriate for a password of any kind.
If we're talking about the UI of an app (either the browser or otherwise) giving the user an option for whether or not to mask, then that's a different discussion.
Now this makes me wonder if I could change the style properties of HTML locally in my browser to turn off the masking on type="password".
Shoulder surfers can watch the keyboard, so masking often provides a false sense of security.
It is best for the user to feel "exposed" and take other precautions to prevent people seeing them type, especially for rare operations like setting the password where needing to see potential typos is an issue.
Because the stock firmware is usually faster than the non-stock due to binary blobs that are required for some of the chips.
My favorite design flaw is a home theater device which requires you to login to your account. All of the old apps were egregious in this by presenting an on-screen keyboard for you to use, but helpfully masking the input as you type. What kind of genius thought up that paradigm?
Thankfully, many of these devices have gone away from this mechanism, by presenting a URL and code to use for activating from a device to which you've already logged in.
Especially for mobile. It serves very little purpose.
Why do people still run software from router vendors
To save the cost of buying a majority of shares in the router vendor in order to acquire its cryptographic code signing key and access to a relinkable version of the binary blob drivers required by its chipset. And that's assuming the router vendor's stock is even publicly traded. Or, less flippantly, to save the cost of replacing the router whose cryptographic code signing key and chipset driver source code are not available to end users with one whose are.
In addition, to save the cost of having to register and continue to renew the domain corresponding to the HTTPS certificate that the router's administration interface uses. The router vendor issues each router's stock firmware a certificate on a subdomain of the router vendor's domain. A user of custom firmware would have to bring his own fully qualified domain name (FQDN) in order to use Let's Encrypt.
Why is the router asking for a password? It should really be using public-key encryption and/or shared secrets, which are never seen by the user.
A password is a user-visible shared secret. Without a password, how does the owner of a router authenticate himself to the router as having the right to authorize the user authenticated by a particular public key to configure the router?
Only if you have multiple personalities and are afraid of one . . .
my password is 8 big dots.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Offtopic, yes.. but still very important to consider.
There is no XUL, only WebExtensions...
Obligatory Nuclear Launch Codes: 0-0-0-0-0-0
I heard they changed the launch codes to be 141 characters long, so trump couldn't tweet them.
First law of people: People are generally stupid.
Perhaps I am preaching to the choir but force-feedbackless input is terrible and this is another reason why.
Password masking has been replaced by the more relevant sport called Password-on-PostIt, Then-Ghost-It
You buy the cheapest router you can find and your only security concern is that it doesn't mask passwords?
The password should be spoken very softly. That's the most secure method I've seen.
It was used securely for years, and the celebrity, contestant and Allen Ludden never heard it when the announcer said the Password.
Heh.
The thing is, you can get a nano-pi for $29 that has the same performance as your fancy router, and doesn't even have proprietary firmware.
I feel that password masking is solving a problem that doesn't really exist, however that doesn't mean that it should be removed. I still find it to be quite a neat feature though...
Things that the ISP-provided router has and a Raspberry Pi lacks include the following:
1. A nice case
2. A fiber, cable, or DSL modem
3. More than one network port, to use one upstream and four downstream
4. A wireless access point
People who actually examined passwords finally prevailed. I want you to choose a good password with lots of entropy. The password rules that you learned before actually made you less safe. correcthorsebatterystaple is a very good password, but it is long and hard to type correctly if I can't see it.
If I can't see the password I will keep it short.
If I have to change it regularly I will make it something easy to remember and use a suffix that is likely a number that is incremented
If I have to have a capital it will be the first character
If I have to have a special symbol it will be the last or second last digit
If I have to have lots of passwords for different systems, I will use the same one on all of them
My last company, a very well-known security company: 3/4 of passwords were a common 6-letter English word, first letter capitalized, then a number, then !, @ or #. The number increased every 3 months.
1/5 You forgot to reduce.
Where's my sock? There it is...