Slashdot Mirror
Ask Slashdot: Is Password Masking On Its Way Out?
New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.
If you go outside ASCII and depend on the keyboard mapping there's been an annoyingly high number of bugs perpetrated by developers who only use the US/English keyboard. Particularly if you rely on this early in the boot process, like you want to unlock your BitLocker/TrueCrypt/LUKS partition with a password or make some kind of single-sign on solution that won't fail when one of the applications has been made by 'tards. And I say that as a Norwegian where our alphabet has 29 letters but for any technical purpose æøå doesn't exist in my book. It's not worth the pain of crappy US-centric software.
Live today, because you never know what tomorrow brings
TFA seems to believe that since they can't think of a purpose for masking, and that a single (in their words "cheapest money can" [I assume they meant] "buy") home router doesn't use masking, that it must be the end of a field that's been in HTML for as long as HTML has had a standard.. Training sessions, remote support sessions, documentation, and yes preventing shoulder surfing are all reasons that the password field type will probably never go away.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
At least on Windows, password masked text boxes also prevent copying of the contents of the box to the clipboard. This prevents someone from using a Back button to return to a logon screen to find out what password was typed there.
I ran into a worse problem recently.
The website runs some javascript on the entered email address, which prompts a server somewhere to attempt to validate the email address. The attempt is achieved by beginning an smtp transaction to the MX host for the domain name.
Now, combine this with postgrey: the mail server sends back a temporary failure, which the server stupidly interprets as the email address not being valid.
The stupidity of this whole setup is monumental. Not least because exchange servers will accept emails for non-existent addresses in its default configuration.
The real "Libtards" are the Libertarians!
Obligatory Nuclear Launch Codes: 0-0-0-0-0-0
I have personally never seen a browser that once you go past the page and go back still has the password in the form box. And on most items like programs they just don't allow copy on right click, you can however ctrl+c and still copy from the masked password box. But as I said not after the submit form button has been pushed