Slashdot Mirror


Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

9 of 234 comments

  1. Re:what else do you think it does? by Anonymous Coward · · Score: 2, Informative

    Actually in the days of the old CRT it was possible to pick up using an antenna and reproduce the display contents from a mile away. (You need a directional antenna aimed at the source well depending on range.) So the casual shoulder-surfer could be the NSA operative a mile away.
    Not sure how easy it is for LCDs to do the same.

  2. Re:Masquerade by Kjella · · Score: 3, Informative

    If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

    If you go outside ASCII and depend on the keyboard mapping there's been an annoyingly high number of bugs perpetrated by developers who only use the US/English keyboard. Particularly if you rely on this early in the boot process, like you want to unlock your BitLocker/TrueCrypt/LUKS partition with a password or make some kind of single-sign on solution that won't fail when one of the applications has been made by 'tards. And I say that as a Norwegian where our alphabet has 29 letters but for any technical purpose æøå doesn't exist in my book. It's not worth the pain of crappy US-centric software.

    --
    Live today, because you never know what tomorrow brings
  3. Exactly this point! by s.petry · · Score: 3, Informative

    TFA seems to believe that since they can't think of a purpose for masking, and that a single (in their words "cheapest money can" [I assume they meant] "buy") home router doesn't use masking, that it must be the end of a field that's been in HTML for as long as HTML has had a standard. Training sessions, remote support sessions, documentation, and yes preventing shoulder surfing are all reasons that the password field type will probably never go away.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  4. Re:what else do you think it does? by Tony Isaac · · Score: 5, Informative

    At least on Windows, password masked text boxes also prevent copying of the contents of the box to the clipboard. This prevents someone from using a Back button to return to a logon screen to find out what password was typed there.

  5. Re:what else do you think it does? by Anonymous Coward · · Score: 2, Informative

    Tempest would pick up RF from wherever it was leaking: the CRT, the cable (particularly if not properly shielded), even the video card. So in principle it won't matter if you're using CRT, LCD, or even if you physically switch off and/or detach* the monitor - so long as the signal is being generated it may be radiated. What I suspect will make a big difference is whether you're using VGA or HDMI. VGA has a distinct "signature" - waveforms repeat predictably, sync signals are regular, blanking etc very analog and easy to decode - whereas HDMI is just another stream of compressed binary data. So I'd guess** that HDMI is not susceptible to this sort of attack.

    *Actually if you unplugged the VGA cable from the monitor you just remove the terminating resistance, so my guess would be the resultant ringing would make the stray RF signal stronger.
    **Caveat: I've seen tempest in action precisely once in my life, ymmv, ianae.

  6. Re:Masquerade by whoever57 · · Score: 5, Informative

    I ran into a worse problem recently.

    The website runs some JavaScript on the entered email address, which prompts a server somewhere to attempt to validate the email address. The attempt is achieved by beginning an SMTP transaction to the MX host for the domain name.

    Now, combine this with postgrey: the mail server sends back a temporary failure, which the server stupidly interprets as the email address not being valid.

    The stupidity of this whole setup is monumental. Not least because Exchange servers will accept emails for non-existent addresses in their default configuration.

    --
    The real "Libtards" are the Libertarians!
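
Added example, not part of the thread and not code from the site whoever57 describes: a sketch of how an SMTP callout check should read the reply to `RCPT TO`, using the RFC 5321 reply classes (4yz transient, 5yz permanent). The function names, result labels and sample replies are constructed for illustration.

```python
import re

# One SMTP reply line: 3-digit code, then '-' (more lines follow) or ' ' (last).
_REPLY_LINE = re.compile(r"^(\d{3})(?:([ -])(.*))?$")


def parse_reply(raw):
    """Parse a possibly multi-line SMTP reply and return (code, text)."""
    code, parts = None, []
    lines = [line for line in raw.splitlines() if line]
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changes inside one reply")
        code = m.group(1)
        parts.append(m.group(3) or "")
        final = (m.group(2) or " ") == " "
        if final != (i == len(lines) - 1):
            raise ValueError("continuation marker in the wrong place")
    if code is None:
        raise ValueError("empty reply")
    return int(code), " ".join(parts).strip()


def classify_rcpt(raw):
    """Map the RCPT TO reply onto what a signup form may conclude."""
    code, _ = parse_reply(raw)
    if 200 <= code < 300:
        # Accepted, but catch-all / accept-then-bounce servers also answer 250.
        return "accepted-unverified"
    if 400 <= code < 500:
        # Transient (greylisting, load, rate limit): retry later, never reject.
        return "unknown-retry"
    if 500 <= code < 600:
        return "rejected"
    return "unknown-retry"


# Constructed sample replies, not captured from any real server.
SAMPLES = {
    "greylisted": "450 4.2.0 <user@example.org>: Recipient address rejected: Greylisted\r\n",
    "no_such_user": "550-5.1.1 The email account does not exist.\r\n550 5.1.1 Check the address\r\n",
    "accept_all": "250 2.1.5 Ok\r\n",
}

if __name__ == "__main__":
    print({name: classify_rcpt(raw) for name, raw in SAMPLES.items()})
```

Only the 5yz case justifies telling the user the address is wrong; a 2yz answer still needs a confirmation email before the address is trusted.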
  7. Re:Obligatory Spaceballs by darkain · · Score: 4, Informative

    Obligatory Nuclear Launch Codes: 0-0-0-0-0-0

  8. Re:Masquerade by Anonymous Coward · · Score: 2, Informative

    Not a single one spotted the reference

    I had no idea wtf you were talking about, so I googled it, and it's from a 1930s Marx Brothers movie.
    Of course nobody got the reference. I would guess 1% of people actually saw that at some point in their life, and maybe 1% of them would remember it.

    It also looks like Terry Pratchett referenced it once in some book I've never heard of, and neither has anyone in your office.

  9. Re:what else do you think it does? by Highdude702 · · Score: 3, Informative

    I have personally never seen a browser that once you go past the page and go back still has the password in the form box. And on most items like programs they just don't allow copy on right click, you can however Ctrl+C and still copy from the masked password box. But as I said, not after the submit form button has been pushed.