Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

what else do you think it does?

[vux984]

"does password masking do anything beyond preventing the casual shoulder-surfer?"

Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because its user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.

Although i do think showing it by default is a bit absurd. On the other hand, with a new router out of the box; the default password is a known quanity or on the labelling anyway... so not a lot of harm exposing it there.

Re:what else do you think it does?

You are correct on all points, and I completely agree with your opinion based points too.

Originally password masking was purely to prevent shoulder surfing.
Today it remains simply because it is expected behavior. And the default should remain masked for this very reason.
But there is little harm with a button or whatever to display it for the times that is acceptable to do.

There are still many situations you would both expect and need password masking on, and defaulting to not masked can only cause accidents that don't need to happen.

Think conference rooms when the display is mirrored to a big screen or projector.
Or remote support sessions where one may need to enter elevated rights credentials to do something for a user you don't want them doing themselves.
Or the times you do not know how high traffic the area behind you is, or you have unfortunately little control over desk/workbench layout and orientation.

Even if the area behind you is 99% of the time traffic free, that would still be three times a year where it is not traffic free.

Not everyone is so lucky to have an office with a desk they can position such that the doorway opens to the front of the desk and you have no windows at ground level behind you.
Long workbench setups are almost always mounted against the walls which would demand your back is to the door and the monitor pretty much facing towards the door as well.

Even intentionally entering a password in front of others can be safer when masked (such as the conference room situation above), and any accidental exposure of part of a password being entered not expecting masking to be missing would dictate changing your password immediately, except now you are on a system you can't even trust to not show your new password while changing it!

But the ability to turn masking off when unneeded or when it's a hindrance is also a good thing IMHO.
My random character passwords tend to become muscle memory after a short time, and a bit more time afterwards I quite literally forget what the password is and only retain the ability to type it.
Move me to a mobile phone onscreen keyboard where all the symbols and even numbers don't match a querty layout, and I have a significant mental whiplash moment while trying to mentally "type" it and watch what keys my imaginary fingers are pressing.
Autocomplete/autocorrect fucking with me in a way I can't even see before submitting the (likely incorrect) password is just additional salt in the wound.
Mix in a decent or overly strict bad-password-attempt lockout policy and you can rightly screw yourself.

So by all means include an unmask feature, but for the sake of cthulhu and all that is holy, leave masking as the default.