Ask Slashdot: Is Password Masking On Its Way Out?
New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can buy, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
"does password masking do anything beyond preventing the casual shoulder-surfer?"
Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because it's user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.
Although I do think showing it by default is a bit absurd. On the other hand, with a new router out of the box; the default password is a known quantity or on the labelling anyway... so not a lot of harm exposing it there.
"is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?"
It makes it much more likely to make a typo and have to try again.
"National Security is the chief cause of national insecurity." - Celine's First Law
The only interesting thing here is that you discovered a cheapo home device that doesn't mask passwords, fortunately in a situation (i.e. at home) when shoulder surfing is a non-issue anyway.
Come back when you've got more than one data point, eh?
If God forks the Universe every time you roll a die, he'd better have a damned good memory.
No, it is not going away, because it is more than just shoulder surfers that look at your screen. For example when you need to log in while projecting the screen in a conference room, or sharing it during an online meeting. Now, get off my lawn. Please.
Sig ?
Which is why you then resort to first typing it in an editor, defeating the purpose of the masking, to subsequently copy it to the password field.
Except of course when the programmer of the password field was such an intolerable and incompetent turd that she disabled pasting into the field; that unfortunately also happens.
My favorite is trying to enter 15 character randomized passwords into a "force mask" field.
My favourite is entering a 24 character randomised password into websites/software where the retarded morons designing it felt they knew better than me and blocked/intercepted paste. Or, almost as bad, websites/software that relies on keypress events to cause their processing to do something with my password. ReviewBoard does this with its comments fields - if I paste from a pre-prepared note it is unaware that I've edited the comment field.
The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.
If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.
I drink to make other people interesting!
And those same idiots also have a "confirm email" field that also disallows pasting. Even more so than the password field, that one makes no sense.
"correct horse battery staple" would like to disagree with you. The reality is that putting in special characters, mixed case, and numbers doesn't do nearly as much to increase password complexity compared to simply making them longer. For the network I operate, I now just have a policy of a minimum of 12 characters. I tell my users to make up a silly little rhyme or ditty that they can remember, and use that as their password. Easy to remember, hard to crack, and easy to type.
...si hoc legere nimium eruditionis habes...
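The length-versus-character-classes argument in the comment above can be worked through numerically. This is an added example, not part of any comment in the thread; the class sizes (26/26/10/32 plus space) and the 2048-word list for the passphrase are assumptions, and every figure is a search-space bound for randomly chosen secrets, not a measure of a human-chosen one.

```python
import math
import string

# Character classes and sizes: 26 lower, 26 upper, 10 digits, 32 ASCII
# punctuation, plus the space character as its own class of one.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation, " ")


def alphabet_size(password):
    """Smallest alphabet, built from whole classes, that covers the password."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    # Characters outside every class (e.g. non-ASCII) add one symbol each.
    others = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(others)


def policy_bits(length, alphabet):
    """Bits of search space for a uniformly random string of this shape."""
    return length * math.log2(alphabet) if alphabet > 1 else 0.0


def char_model_bits(password):
    """Upper bound: treats every character as an independent random pick."""
    return policy_bits(len(password), alphabet_size(password))


def word_model_bits(n_words, wordlist_size):
    """Bits when whole words are drawn uniformly from a known list."""
    return n_words * math.log2(wordlist_size)


def length_equivalent(length, small, large):
    """Shortest length over `small` symbols matching `length` over `large`."""
    return math.ceil(policy_bits(length, large) / math.log2(small))


if __name__ == "__main__":
    print("8 chars, 94 symbols :", round(policy_bits(8, 94), 1), "bits")
    print("12 chars, 26 symbols:", round(policy_bits(12, 26), 1), "bits")
    print("lowercase length matching 8 full-ASCII chars:",
          length_equivalent(8, 26, 94))
    phrase = "correct horse battery staple"
    print("phrase, per-character bound:", round(char_model_bits(phrase), 1))
    # Assumption: 4 words from a 2048-word list (11 bits per word).
    print("phrase, per-word model     :", word_model_bits(4, 2048))
```

The gap between the per-character and per-word figures for the same phrase shows that the estimate depends on which model the guesser uses, so a length policy is best judged against the per-word number.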
+1 Insightful. There's a nice example of a perverse incentive for you.
Someone had to do it.