Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

what else do you think it does?

[vux984]

"does password masking do anything beyond preventing the casual shoulder-surfer?"

Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because its user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.

Although i do think showing it by default is a bit absurd. On the other hand, with a new router out of the box; the default password is a known quanity or on the labelling anyway... so not a lot of harm exposing it there.

Re: what else do you think it does?

[Matt.Battey]

Even for those web sites that don't have the feature it's the top three browsers (Chrome, Firefox, and IE) will all let you see any saved passwords by just inspecting the fields DOM properties...

Re:what else do you think it does?

You are correct on all points, and I completely agree with your opinion based points too.

Originally password masking was purely to prevent shoulder surfing.
Today it remains simply because it is expected behavior. And the default should remain masked for this very reason.
But there is little harm with a button or whatever to display it for the times that is acceptable to do.

There are still many situations you would both expect and need password masking on, and defaulting to not masked can only cause accidents that don't need to happen.

Think conference rooms when the display is mirrored to a big screen or projector.
Or remote support sessions where one may need to enter elevated rights credentials to do something for a user you don't want them doing themselves.
Or the times you do not know how high traffic the area behind you is, or you have unfortunately little control over desk/workbench layout and orientation.

Even if the area behind you is 99% of the time traffic free, that would still be three times a year where it is not traffic free.

Not everyone is so lucky to have an office with a desk they can position such that the doorway opens to the front of the desk and you have no windows at ground level behind you.
Long workbench setups are almost always mounted against the walls which would demand your back is to the door and the monitor pretty much facing towards the door as well.

Even intentionally entering a password in front of others can be safer when masked (such as the conference room situation above), and any accidental exposure of part of a password being entered not expecting masking to be missing would dictate changing your password immediately, except now you are on a system you can't even trust to not show your new password while changing it!

But the ability to turn masking off when unneeded or when it's a hindrance is also a good thing IMHO.
My random character passwords tend to become muscle memory after a short time, and a bit more time afterwards I quite literally forget what the password is and only retain the ability to type it.
Move me to a mobile phone onscreen keyboard where all the symbols and even numbers don't match a querty layout, and I have a significant mental whiplash moment while trying to mentally "type" it and watch what keys my imaginary fingers are pressing.
Autocomplete/autocorrect fucking with me in a way I can't even see before submitting the (likely incorrect) password is just additional salt in the wound.
Mix in a decent or overly strict bad-password-attempt lockout policy and you can rightly screw yourself.

So by all means include an unmask feature, but for the sake of cthulhu and all that is holy, leave masking as the default.

Re:what else do you think it does?

Actually in the days of the old CRT it was possible to pick up using an antenna and repoduce the display contents from a mile away. (you need a directional antenna aimed at the source well depending on range.) So the casual shoulder-surfer could be the NSA operative a mile away.
Not sure how easy it is for LCDs to do the same.

Re:what else do you think it does?

Back in the day, shoulder surfing was the worst of our worries, and everyone used passwords like "hunter2" which were pretty easy for a shoulder surfer to remember if they caught a glance. Now the biggest threat comes not from what is over your shoulder, but across the other side of the world. Passwords have to be hardened to things like "afnWHE2kW9@B)3" which are basically impossible for a shoulder surfer to remember at a glance, and if you're typing that manually, you are probably copying from a note somewhere, carefully, letter by letter, and could easily lose track of where you are if you could only see stars.

Re:what else do you think it does?

Is the Tempest Attack still a thing these days? I honestly do not know. I'm asking out of curiosity if anyone has experience in that arena.

Re:what else do you think it does?

[crashumbc]

With shear number of electronic devices the interference would be insane in today's world.

  Plus, I don't think LED's give off electronic signals, at least not anywhere near a CRT with 20,000volts running through a coil.

Still I've never even heard of that attack vector... off to google for me.

Re:what else do you think it does?

[unixisc]

Routers have typically behaved like this: only the admin password is masked while logging in, but when one is in the Password page, one gets to type - and see - the password that's set. I've never understood why. What you are describing is if one goes to the preferences page of the browser - where one can check the passwords if one has forgotten (happened w/ me many times)

Re:what else do you think it does?

[skids]

Do note that under some more advanced security models, the box doesn't store your password, but rather cryptographic derivative of it, and as such should not be able to show the password except on the page where it is originally being entered.

Some specifications actually demand this, like SNMPv3 USM, though a lot of vendors just ignore the spec and store the cleartext password anyway.

Anyway as to the OP I think you nailed it on the head: masking is on the way out due to consumers choosing devices with crummier and crummier input devices over time, since apparently coherency is passe. Given this I can hardy say that they have the wrong idea here: the rise of careless and hasty behavior may mean that masking frustrates the 30-second attention spans of the modern era to the point where less people will bother to change default passwords, and might at this point have become counterproductive.

Re:what else do you think it does?

If malware has a privilege level capable of capturing your screen, it would just be easier to capture your key strokes.

Re:what else do you think it does?

[skids]

My random character passwords tend to become muscle memory after a short time, and a bit more time afterwards I quite literally forget what the password is and only retain the ability to type it.

On man I've been there for sure. Even had one time when I was really tired and absolutely could not log into a box from a 19" rackmount KVM console... had to switch to a real keyboard.

Re:what else do you think it does?

[Tony+Isaac]

At least on Windows, password masked text boxes also prevent copying of the contents of the box to the clipboard. This prevents someone from using a Back button to return to a logon screen to find out what password was typed there.

Re:what else do you think it does?

Tempest would pick up RF from wherever it was leaking: the CRT, the cable (particularly if not properly shielded), even the video card. So in principle it won't matter if you're using CRT, LCD, or even if you physically switch off and/or detach* the monitor - so long as the signal is being generated it may be radiated. What I suspect will make a big difference is whether you're using VGA or HDMI. VGA has a distinct "signature" - waveforms repeat predictably, sync signals are regular, blanking etc very analog and easy to decode - whereas HDMI is just another stream of compressed binary data. So I'd guess** that HDMI is not susceptible to this sort of attack.

*Actually if you unplugged the VGA cable from the monitor you just remove the terminating resistance, so my guess would be the resultant ringing would make the stray RF signal stronger.
**Caveat: I've seen tempest in action precisely once in my life, ymmv, ianae.

Re: what else do you think it does?

They do... now. Originally the value of fields was not visible in the DOM properties and could not be queried via window managers either. It's almost as if putting advertising companies in charge of browser security was a bad idea.

Re:what else do you think it does?

[arth1]

could easily lose track of where you are if you could only see stars.

Good password fields do not echo stars (or blobs), because that allows someone looking to know exactly how long the password is, which significantly reduces brute force time.

And good password rules don't limit the password by requiring X upper case letters, Y digits, Z symbols and no repeatable characters, for exactly the same reason: it greatly reduces the number of brute force attempts needed.
(Plus the reason that then a client can't submit a hash. On a couple of my sites, I have a web form that takes a user's password, appends a fixed string, sha256'es it, and sends the hash as the password. Even if the user re-uses passwords, he'll be safer.)

Re:what else do you think it does?

[fisted]

Back in the day, [...] everyone used passwords like "*******" which were pretty easy for a shoulder surfer to remember if they caught a glance.

I like that password, nice and deceptive.

Re:what else do you think it does?

[Zebai]

I love websites and programs that give me the choice to unmask however I'm seeing more and more masking when its NOT necessary to do even for non password related fields.

At my work they seem to think masking makes things ultra secure for all important data items. Fields that require you to input credit card numbers, cell phone numbers, all sorts of data are now masked on the pretense that it makes things more secure. It does not, over shoulder watching is not even an issue, this is a work application accessible via intranet only the only people who can see it already have permission to do so they don't even need to be sneaky by hiding behind me it is a secure workplace after all. Bit of a rant here I'm just a bit peeved as I now have to type into a very unsecured notepad just to make sure my data is accurate before submitting.

Re: what else do you think it does?

Anything else would be misleading. The DOM inspector simply accesses the page via Javascript, just as the Javascript that will post the username and password to the login web service.

If you remove the ability for Javascript to access password fields, you'll be right back to old-fashioned HTML forms.

Or web developer will stop using password fields entirely.

Re:what else do you think it does?

[TheRaven64]

Tempest attacks are still feasible with modern displays. One of my colleagues does a demo of them at open days. They're also far from the only side channel available. There's a lot of recent work on acoustic side channels. With a modern Android device, any background process that can access the microphones can pick up what you're typing with high accuracy (the iPhone microphones are good enough, but Apple doesn't expose APIs that permit this). Vibration provides similar info and combining the two gives very good accuracy. Anyone who can record what you're typing on an on-screen keyboard can typically see anyway because it shows the characters as they're typed. For physical keyboards, the keys typically make different sounds and it's possible to train models to give quite high accuracy reconstructing from audio. There are also a number of components in a computer that make different ultrasonic sounds that can be used to reconstruct the sound.

Basically, password authentication done anywhere other than a Faraday cage with no windows and no third-party software should not be regarded as protection against an adversary that actually cares.

Re:what else do you think it does?

[Highdude702]

I have personally never seen a browser that once you go past the page and go back still has the password in the form box. And on most items like programs they just don't allow copy on right click, you can however ctrl+c and still copy from the masked password box. But as I said not after the submit form button has been pushed

Re:what else do you think it does?

[Lord+Crc]

Is the Tempest Attack still a thing these days?

In short, yes. Here[1] they extract AES-256 keys in minutes or seconds (depending on distance) with inexpensive equipment.

From the paper:

Using improved antenna and signal processing, Fox-IT and Riscure show how to covertly recover the encryption key from two realistic AES-256 implementations while:
1. Attacking at a distance of up to 1 m (30 cm in realistic conditions; "TEMPEST"),
2. Using minimal equipment (fits in a jacket pocket, costs less than [EUR] 200) and
3. Needing only a few minutes (5 minutes for 1 m and 50 seconds for 30 cm).

The specific target is a Cortex-M3 processor.

[1]: https://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempest_attacks_against_AES.pdf

Re:what else do you think it does?

[AmiMoJo]

In Chrome if you set it to remember passwords it will fill in the password field for you. Okay, someone accessing your machine can log in as you, but they can't actually find out what your password was because to reveal it they also need your OS account password. The "view password" feature in Chrome prompts for it.

I'll admit that this is a fairly weak layer of security, but it's still worth having in place.

Re:what else do you think it does?

[sabbede]

What about saved passwords in your browser?

Re:what else do you think it does?

[jafiwam]

"does password masking do anything beyond preventing the casual shoulder-surfer?"

Erm...that is precisely ALL it has ever done?! What else do you think it does?

Back in the good ol days of Back Orifice and fast and wild rootkits and viruses there were a bunch of them that would take screen shots.

Most also did keylogging. So there were probably a few cases where unmasking a password put the user at worse risk, but throughout 99% of use over time, the casual shoulder surfer is the only real threat. (Hey, if you get infected, you got all sorts of problems and that little dot over your password isn't significant.)

Re:what else do you think it does?

[Tony+Isaac]

Jenkins is an example of a Web application that pre-fills your saved password in a masked box. That "feature" annoys me every time I go to the login page. But no, Ctrl+C does not work on a masked password field, whether in a Web page or in a desktop application, at least not in Windows. The browser doesn't have to implement this, this is an OS-level feature.

Re: what else do you think it does?

[locketine]

I think most JavaScript frameworks still use html forms for submission. I know Angular does. Preventing JavaScript from accessing a password field may have little ill effect and if the JavaScript framework has some legit reason to need to access a password field it could simply implement its own password masking, such as via these css properties: https://stackoverflow.com/a/58...

Re:what else do you think it does?

[JohnFen]

Do note that under some more advanced security models, the box doesn't store your password, but rather cryptographic derivative of it, and as such should not be able to show the password except on the page where it is originally being entered.

It is insane that there are any devices (or other systems) that don't behave this way.

I recently even did a "lost password recovery" for a website I visit, and they actually sent me my password. In any reasonably secure system, whether it's your local router hardware or website or whatever, this should not be possible.

Re:what else do you think it does?

[KrispiCritter]

A worthy and intelligent comment. I applaud you on the lack of cursing, trolling, or commenting on the personal characteristics of the originator of this thread.

Re:what else do you think it does?

[coofercat]

...or worse... asking for you to enter a password twice in order to authenticate!!

(Microsoft did this on Windows NT when connecting to a wifi network - and despite numerous Service Packs, never fixed it)

For things like credit card numbers, masking isn't necessary, as you're most likely copying the numbers off the card right in front of you. However, I guess it can mask when you move on to the next field - not great UX, but a reasonable compromise IMHO.

Re: what else do you think it does?

[dave420]

You can also run the following snippet:

javascript:document.querySelectorAll('input[type="password"]').forEach(el => el.type = 'text')

which will convert all password inputs to text inputs.

Re:what else do you think it does?

[arth1]

It's not an "or", it's an "and".

Sure.

[msauve]

" is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?"

It makes it much more likely to make a typo and have to try again.

If you are worried...

make sure nobody is standing behind you. Password masking makes providing credentials more painful than it already is. (even more so for those with disabilities)

No, it's not.

[newcastlejon]

The only interesting thing here is that you discovered a cheapo home device that doesn't mask passwords, fortunately in a situation (i.e. at home) when shoulder surfing is a non-issue anyway.

Come back when you've got more than one data point, eh?

Re:No, it's not.

[freeze128]

Tenda is the cheapest network equipment provider on the market. Even sales employees at MicroCenter say "You don't want that one".

Re:No, it's not.

[chipschap]

ASUS routers don't hide passwords.

My ASUS router certainly does hide passwords.

Re:No, it's not.

[93+Escort+Wagon]

I'm really tricky. My password actually is *****************.

Re:No, it's not.

[sexconker]

That's not how that joke works.

Re:No, it's not.

[pnutjam]

Yeah, not everybody knows slashdot will mask passwords automatically, see it detects me typing my password, ***************, and masked it.

Re:No, it's not.

[thegreatbob]

I may do just that; only one extreme example was included because it was the only one I had directly experienced in modern hardware, and I wanted to keep the submission away from TL;DR territory.

Re:No, it's not.

[desdinova+216]

speaking of TL;DR, has anyone heard from Bennett lately?

Masquerade

[LunaticTippy]

My favorite is trying to enter 15 character randomized passwords into a "force mask" field. The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.

Re:Masquerade

[Vlijmen+Fileer]

Which is why you then resort to first typing it in an editor, defeating the purpose of the masking, to subsequently copy it to the password field.

Except of course when the programmer of the password field was such an intolerable and incompetent turd that she disabled pasting into the field; that unfortunately also happens.

Re:Masquerade

[El+Cubano]

Assuming the site/application/whatever supports it, you could go with a longer password and restrict it to the Base32 character set. For me, the best reason to use it is:

The alphabet can be selected to avoid similar-looking pairs of different symbols, so the strings can be accurately transcribed by hand. (For example, the RFC 4648 symbol set omits the digits for one, eight and zero, since they could be confused with the letters 'I', 'B', and 'O'.)

It makes it very nice when dealing storing passwords in such a way that the presentation font makes some of the characters confusing or when having to tell someone the password over the phone.

Re:Masquerade

[thegrassyknowl]

My favorite is trying to enter 15 character randomized passwords into a "force mask" field.

My favourite is entering a 24 character randomised password into websites/software where the retarded morons designing it felt they knew better than me and blocked/intercepted paste. Or, almost as bad, websites/software that relies on keypress events to cause their processing to do something with my password. ReviewBoard does this with its comments fields - if I paste from a pre-prepared note it is unaware that I've edited the comment field.

The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.

If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

Re:Masquerade

[Desler]

And those same idiots also have a "confirm email" field that also disallows pasting. Even moreso than the password field, that one makes no sense.

Re:Masquerade

[msauve]

"subsequently copy it to the password field."

I use control-v as a special character in my passwords, you insensitive clod.

Re:Masquerade

[Kjella]

If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

If you go outside ASCII and depend on the keyboard mapping there's been an annoyingly high number of bugs perpetrated by developers who only use the US/English keyboard. Particularly if you rely on this early in the boot process, like you want to unlock your BitLocker/TrueCrypt/LUKS partition with a password or make some kind of single-sign on solution that won't fail when one of the applications has been made by 'tards. And I say that as a Norwegian where our alphabet has 29 letters but for any technical purpose æøå doesn't exist in my book. It's not worth the pain of crappy US-centric software.

Re:Masquerade

[zippthorne]

IIRC keepassX on Linux even bypasses the clipboard buffer, putting the password directly into the fields. Does it still do that?

Re:Masquerade

[Mal-2]

So you're the one who wrote that ÆØÅ "Size Matters" song. Sorry, you deserve it just for that. /s

Re:Masquerade

[dwywit]

My password consists of eight asterisks, so there!

Re:Masquerade

[whoever57]

I ran into a worse problem recently.

The website runs some javascript on the entered email address, which prompts a server somewhere to attempt to validate the email address. The attempt is achieved by beginning an smtp transaction to the MX host for the domain name.

Now, combine this with postgrey: the mail server sends back a temporary failure, which the server stupidly interprets as the email address not being valid.

The stupidity of this whole setup is monumental. Not least because exchange servers will accept emails for non-existent addresses in its default configuration.

Re:Masquerade

[arth1]

One April 1, I changed a web form at work so it would echo back SWORDFISH one letter at a time as the user typed in the password. Not a single one spotted the reference, and one lady complained that she couldn't log in.

Re:Masquerade

Not a single one spotted the reference

I had no idea wtf you were talking about, so I googled it, and it's from a 1930s Marx brothers movie.
Of course nobody got the reference. I would guess 1% of people actually saw that at some point in their life, and maybe 1% of them would remember it.

It also looks like Terry Pratchett referenced it once in some book I've never heard of, and neither has anyone in your office.

Re:Masquerade

Use a local password manager.

How do you log in from home or from out in the data center?

Re:Masquerade

[Pieroxy]

My favorite is trying to enter 15 character randomized passwords into a "force mask" field.

My favourite is entering a 24 character randomised password into websites/software where the retarded morons designing it felt they knew better than me and blocked/intercepted paste.

Drag and Drop is one sure way to defeat poorly-coded-paste-prevention input fields. It's as easy to make it inoperable but nobody thought of that one in the afflicted websites I've tried so far.

Re:Masquerade

[AmiMoJo]

By default Bitlocker only allows you to use a PIN number for pre-boot authentication. Reason being that the only keys on a keyboard that are guaranteed to be the same on every layout are the special function keys (F1...F10). You can disable that restriction via group policy.

Re:Masquerade

[LazyBoot]

Not a single one spotted the reference

I had no idea wtf you were talking about, so I googled it, and it's from a 1930s Marx brothers movie.
Of course nobody got the reference. I would guess 1% of people actually saw that at some point in their life, and maybe 1% of them would remember it.

It also looks like Terry Pratchett referenced it once in some book I've never heard of, and neither has anyone in your office.

Are you choosing to ignore the 2001 movie named "Swordfish" then?

Re:Masquerade

[wildstoo]

Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

...and its cousin, the "I don't know what characters are actually valid in email addresses, so let's just restrict that to alphanumeric too."

Several websites don't allow special characters in the local part of email addresses, despite them being perfectly valid, which prevents me from using the myname+yourshittywebsite@gmail.com method of filtering.

Re:Masquerade

[arth1]

You should stop googling things.

https://en.wikipedia.org/wiki/...
Check out the "Uses in other works" section, which is rather long. It seems strange if nobody have encountered enough of these uses of swordfish as a password to make a connection. It's a running gag up there with Acme Corporation and the Wilhelm scream.

Re:Masquerade

[tepples]

By putting the password file in a repository, adding your home computer's SSH key and your data center netbook's SSH key to the repository's server, and merging newly added passwords daily.

Re:Masquerade

[desdinova+216]

maybe IMDB is blocked where he is, you insensitive clod!

Kids...

[zm]

No, it is not going away, because it is more than just shoulder surfers that look at your screen. For example when you need to login while projecting the screen in a conference room, or sharing it during an online meeting. Now, get off my lawn. Please.

Re: Kids...

These aren't shoulder surfers how?

Re:Kids...

[mykepredko]

This is why I never connect to a projector with the screen duplicated - always extended.

Re:Kids...

[TeknoHog]

This is why I never connect to a projector with the screen duplicated - always extended.

Slightly OT, but there are other good reasons not to clone the display:

• * Using different native resolutions on both displays. Or at least if you clone it, make sure the projector uses its best/native resolution.
• * Things you should see but the audience should not, such as
  • - Time code in a video (for pausing at given times, etc.)
  • - Name of image file shown. I often use GQview with the fullscreen window on the projector, so I can keep using the file browser on the laptop.

Re:Kids...

[UberVegeta]

Agreed. Even the password change dialogue can be incriminating. Two true stories from school:

Maths teacher is observed entering five character password.

"Sir, is your password 'maths'?"

"No."

Ten minutes later, maths teacher is observed changing password. Similarly:

Football-fan teacher with prominent Aston Villa FC wallpaper is observed entering four character password.

"Sir, is your password 'avfc'?"

"No."

Later, teacher is observed changing password.

Re:Kids...

[mykepredko]

Nah, I have that on a sticker on the back of the laptop's display.

Makes it easier to lie in presentations.

Re:Kids...

[mykepredko]

Good points.

Thanx.

Praise

[Vlijmen+Fileer]

Praise the lord for the demise of that insane masking habit. I've been rallying against it since I first encountered it, which was still in the DOS era.
If anything, it should be optional. If no option is given, not masking it is /the better/ choice.

Re: Praise

[Matt.Battey]

They could be worse. They could just give no discernable response like a tty shell login...

Re: Praise

[fisted]

How is that worse? Do you tend to wander away from your computer, in the middle of typing your password, only to return later and wonder "gee, have I or have not I entered a password here?".

Are You a Great Typist?

[bill_mcgonigle]

I've only known a few IT guys who were great typist.

There's not a decent-quality password today that can be reliably typed by somebody who is not a great typist. If you are not masking, users will use better passwords. That's all.

Re:Are You a Great Typist?

[Strider-]

"correct horse battery staple" would like to disagree with you. The reality is that putting in special characters, mixed case, and numbers doesn't do nearly as much to increase password complexity compared to simply making them longer. For the network I operate, I now just have a policy of a minimum of 12 characters. I tell my users to make up a silly little rhyme or ditty that they can remember, and use that as their password. Easy to remember, hard to crack, and easy to type.

<input type="password">

[XanC]

Are we talking about web sites that use type="text" rather than type="password"? If so, then no, never ever ever is that appropriate for a password of any kind.

If we're talking about the UI of an app (either the browser or otherwise) giving the user an option for whether or not to mask, then that's a different discussion.

Is this the right forum for the question?

[mykepredko]

Lots of app developers here but how many people here are doing OS/Device/Resource human interaction specifications?

Are Passwords on their way out?

[mykepredko]

Maybe a better question is, are passwords on their way out with inexpensive and reliable fingerprint scanners being standard on many devices and other ones having the user unlock them with a user-defined zig-zag pattern leading up to iris and facial recognition technologies. Maybe there are brain wave patterns that are unique to a user (let's see the NSA hack that).

If anything, I would expect secure logins to become easier for the responsible person to gain access easier while doing a better job of verifying that the person attempting access is the one that has it.

Re:Are Passwords on their way out?

Biometrics are things you can't change at all. So when somebody cracks yours you are fucked.

Re:Are Passwords on their way out?

[GuB-42]

Fingerprints are not passwords. They are a what-you-are authentication factor. Passwords are a what-you-know.

It means that fingerprints can only be used to tell that the one operating the device with the scanner is you. They can't be used directly for remote authentication, because they are not secret.

Re:Are Passwords on their way out?

[DutchUncle]

No fingerprint scanner has ever worked reliably on my fingers. That includes the police scanners for my teacher's license and the immigration scanners for my Global Entry. And I would rather use a password anyway.

Re:Are Passwords on their way out?

[skids]

If your computer can scan it to let you in, someone else's computer can scan it to let them take a copy.

Re:Are Passwords on their way out?

[fisted]

Clearly we need fingerprint DRM.

Re:Are Passwords on their way out?

[jafiwam]

Biometrics are things you can't change at all. So when somebody cracks yours you are fucked.

And they don't provide 5th Amendment protection. Biometrics is "who" you are. Not "what you know". You can be forced to put your finger on something by a court and a couple of goons, but the court will be violating constitutional rights by forcing you to testify against yourself.

Re:Are Passwords on their way out?

[Mike+Van+Pelt]

So, you unlock with your "rude gesture" finger. Thumb or forefinger irretrievably wipes the device. "Hey, you forced me to put my finger there."

Re: Obligatory Spaceballs

Your mom is the most repeated joke ever. Followed by you.

Revelation ...

[CaptainDork]

... ring a bell with any of you out there?

If so, reply with the name of the supplier.

You want your password unmasked?

[mark-t]

Make it a bunch of asterisks.

Done.

Re:You want your password unmasked?

ObBash: http://bash.org/?244321

Re:You want your password unmasked?

[TeknoHog]

But if you do that, won't it show up as "hunter2"?

Re:You want your password unmasked?

[mark-t]

Only if you are *really* gullible.

Because of new "Not Secure" browser messages

[JoeCommodore]

If you get a password field on a web page the browser will display various scary looking messages depending of the security of the page.

Generally if its a local network page with an IP address (most router interfaces) having the password field will have the browser alert you the page is "Not Secure" of the address bar. If its a self signed certificate (which ads encryption between you and the browser, the message is even scarier with red fields or strikethroughs as a spoofed certificate COULD be playing a man in the middle confidence scheme. Only ones that get through this is devices that have set up proper certification.

So the easiest way to avoid a lot of the scary "not secure" address bar messages, is just do the login in plain text.

Re:Because of new "Not Secure" browser messages

[skids]

+1 Insightful. There's a nice example of a perverse incentive for you.

Re:Because of new "Not Secure" browser messages

[tepples]

There should be a first-use activation code that can be used only to set a password and optionally enable SSH. If the device is in a non-default configuration, the first-use code should not be accepted.

How would the owner of a router who has forgotten its password or lost its SSH key regain the use of his property under this scheme?

And what domain would appear in the SAN field of the HTTPS certificate used by its administrative interface?

100% useless.

[Lumpy]

Yes it is only for a shoulder surfer. honestly if you want people to use complex passwords you have to show them the freaking string as they type
ASDq3fwtevybtynsR&56@%^25tqer7gRT*Ubt&tferyweF
for their password

Re:100% useless.

[93+Escort+Wagon]

honestly if you want people to use complex passwords you have to show them the freaking string as they type
ASDq3fwtevybtynsR&56@%^25tqer7gRT*Ubt&tferyweF
for their password

Dammit, how did you get my password?

Make It an Option

[DERoss]

First of all, see "Stop Password Masking" at https://www.nngroup.com/articl.... The author, Jakob Nielsen, is supposedly an expert on human-computer interfaces.

The PGP encryption application likely has the best implementation. When entering a pass-phrase (more complex than a mere password), there is a checkbox to expose what is entered. When starting the application, the default is always to have the checkbox cleared, which means hide the pass-phrase.

Re:Make It an Option

[yurikhan]

You’ve never used a --force option? That’s the command line equivalent of a checkbox.

It's always a trade-off

[skoskav]

Allowing the password to be revealed is an unwanted security risks to some parano- er... cautious folk and corporations. For one, it means that the password could be picked up by a larger portion of malware, e.g. screen grabbers and rogue browser extensions that are allowed to read the DOM.

Second, it means that the password isn't hashed, but either encrypted or stored in plain text somewhere on disk. A hashed password (with a random salt, to thwart rainbow tables) is generally harder to reverse than an encrypted password.

In an enterprise setting, when important passwords can't be revealed it makes more sense to keep them in a safe or a password manager, access to which could be easier to manage.

But when you can't remember your Wi-Fi password for your guests, maybe convenience outweighs security.

Re: Obligatory Spaceballs

Adorable.

Yes!

[cyberzephyr]

Yes! I have thought the same thing for years.

Exactly this point!

[s.petry]

TFA seems to believe that since they can't think of a purpose for masking, and that a single (in their words "cheapest money can" [I assume they meant] "buy") home router doesn't use masking, that it must be the end of a field that's been in HTML for as long as HTML has had a standard.. Training sessions, remote support sessions, documentation, and yes preventing shoulder surfing are all reasons that the password field type will probably never go away.

Re:Exactly this point!

[thegreatbob]

These were (limited) datapoints meant to suggest that there is indeed a trend, in the interest of keeping the submission within the attention spam of the average fellow. Just an example to show the extreme end of the scale. I can think of a fair number of purposes for masking, but have always assumed that prevention of casual shoulder surfing is indeed the primary goal. Good catch on "buy", I even proof-read that several times.

Re:

[skids]

It wouldn't surprise me. Hrm... the number of autocomplete form fields containing passwords in the average desktop browser over time would be an interesting stat chart, were there a way to collect it.

Some passwords should never be seen

[myowntrueself]

Thats a principle I've worked with for years.

You don't want others to know your passwords, you shouldn't tell people your passwords. (well most classes of passwords I work with).

A simple trick I've used over the years is to make passwords something I would definitely never want anyone to see me type in, something offensive, rude or even (apparently) incriminating ("Yes, it was me who killed your dog" or "I fuck ponies").

This also helps me remember them.

God forbid I run into a situation where my passwords are shown in plain text where others can read them *shudder*

Re:Some passwords should never be seen

[Cro+Magnon]

Once, I was working on a system that had restrictive password rules, and didn't state what those rules were. I kept getting "invalid password" when I tried to change it. The one it finally accepted was not anything I'd want to state in polite company, or even impolite company.

Password masking is a bad idea for most things.

[gurps_npc]

Unless you also mask the keyboard, an observant, practice person can tell what your password is by looking at your fingers type.

But that is irrelevant. If someone wants to steal your password, the most common techniques are a key-logger and social engineering.

No one shoulder surfs. I

Used Routers a goldmine for passwords

[kamaaina]

I pick up the occasional used router and noticed it was pretty easy to recover the SSID, WPA2 password, and the admin password.

I did a presentation on this last month and it was well received. We got used routers from the local thrift store or electronics recycle, opened it up and hooked up to the UART serial console. Most of them boot you to a command prompt with no password. Then you can run "nvram show | grep pass" or wpa or admin and you will get the prior owner's SSID, and passwords.

There is a good chance that this person probably turned in this router after upgrading their router at home. It is probably unlikely they changed the Wifi passwords on all of their IoT, Web Cams, mobile devices, Blueray, laptop whatever at home. So just plug in the SSID to wigle net and you can go see what is on their webcam.

hunter2

[Frankie70]

hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.

Re:Obligatory Spaceballs

[darkain]

Obligatory Nuclear Launch Codes: 0-0-0-0-0-0

Re:Obligatory Spaceballs

[DontBeAMoran]

And yet there's still idiots out there using 12345 for their password. Everywhere.

Re:hunter2

[AbrasiveCat]

Thanks, I was looking for this comment. :)

Why are you running stock firmware on your router?

[mellon]

This is the real question. Why do people still run software from router vendors, which is usually insanely out of date and often has poorly designed security models, even disregarding this particular issue?

I agree with you that it's user friendly to be able to see the password, but then again why do people have legible passwords anyway? Why is the router asking for a password? It should really be using public-key encryption and/or shared secrets, which are never seen by the user. And really I think that's where this is going--if you look at the work being done in the IETF on token binding, that's the future. Visible passwords aren't the future, because passwords are on the way out.

Re: Obligatory Spaceballs

[stealth_finger]

Your mom is the most repeated joke ever. Followed by you.

2/10 must try harder

Re:Obligatory Spaceballs

[Mats+Svensson]

T-R-M-U-P

Re:hunter2

[geekymachoman]

http://bash.org/?top

Ah, the good times.

Re:Why are you running stock firmware on your rout

[Highdude702]

Unfortunately the vast majority of people that buy consumer routers would t be able to flash a custom firmware on to them if they even knew they existed. As far as power users which is the majority of slashdot(or used to be) that is normally a simple task and done immediately after purchase of a consumer router. Which is why when people ask me what router they should buy I always point them towards buffalo routers as most of their models have a custom dd-wrt firmware and can be easily web flashed with a full dd-wrt version.

Passwords saved by your browser.

[sabbede]

Somebody sits down at your computer and wants to find your login for something. They go to the site, your password gets filled in by the browser and.... Nothing, because it's masked.

Re:Obligatory Spaceballs

[Entropius]

Mine's "password" instead since it's required to be at least eight characters.

Jokes on you!

[91degrees]

My password is ************.

Re:

[jafiwam]

Are we talking about web sites that use type="text" rather than type="password"? If so, then no, never ever ever is that appropriate for a password of any kind.

If we're talking about the UI of an app (either the browser or otherwise) giving the user an option for whether or not to mask, then that's a different discussion.

Now this makes me wonder if I could change the style properties of HTML locally in my browser to turn off the masking on type="password".

It's all about what you are securing against

[mysidia]

Shoulder surfers can watch the keyboard, so masking often provides a false sense of security.

It is best for the user to feel "exposed" and take other precautions to prevent people seeing them type, especially for rare operations like setting the password where needing to see potential typos is an issue.

Home Theater devices are the worst!

[OSULugan]

My favorite design flaw is a home theater device which requires you to login to your account. All of the old apps were egregious in this by presenting an on-screen keyboard for you to use, but helpfully masking the input as you type. What kind of genius thought up that paradigm?

Thankfully, many of these devices have gone away from this mechanism, by presenting a URL and code to use for activating from a device to which you've already logged in.

I sure hope so...

[PortHaven]

Especially for mobile. It serves very little purpose.

Re:Why are you running stock firmware on your rout

[tepples]

Why do people still run software from router vendors

To save the cost of buying a majority of shares in the router vendor in order to acquire its cryptographic code signing key and access to a relinkable version of the binary blob drivers required by its chipset. And that's assuming the router vendor's stock is even publicly traded. Or, less flippantly, to save the cost of replacing the router whose cryptographic code signing key and chipset driver source code are not available to end users with one whose are.

In addition, to save the cost of having to register and continue to renew the domain corresponding to the HTTPS certificate that the router's administration interface uses. The router vendor issues each router's stock firmware a certificate on a subdomain of the router vendor's domain. A user of custom firmware would have to bring his own fully qualified domain name (FQDN) in order to use Let's Encrypt.

Why is the router asking for a password? It should really be using public-key encryption and/or shared secrets, which are never seen by the user.

A password is a user-visible shared secret. Without a password, how does the owner of a router authenticate himself to the router as having the right to authorize the user authenticated by a particular public key to configure the router?

doesn't bother me

[swschrad]

my password is 8 big dots.

Re:Not Encrypted

[thegreatbob]

Offtopic, yes.. but still very important to consider.

Re:Why Tenda?

[thegreatbob]

I do like the routerboards, but when someone asks for 'cheap', they get cheap. One thing the Tenda brings to the table is beam-forming (has 4 external antennas; I don't know how they're configured). Oh, and it looks like a space ship. All in all, seems to be totally acceptable for the money.

Re:yes..

[thegreatbob]

Same goes for basically any other streaming site. Also, pay attention to where your webcam is pointing.

Re:Shoulder surfers

[thegreatbob]

Those are clearly the competitive shoulder-surfers; takes a little additional skill...

Re:Obligatory Spaceballs

[Major_Disorder]

Obligatory Nuclear Launch Codes: 0-0-0-0-0-0

I heard they changed the launch codes to be 141 characters long, so trump couldn't tweet them.

Use a Spoken Password

[Pauldow]

The password should be spoken very softly. That's the most secure method I've seen.
It was used securely for years, and the celebrity, contestant and Allen Ludden never heard it when the announcer said the Password.

Re:Why are you running stock firmware on your rout

[mellon]

Heh.

The thing is, you can get a nano-pi for $29 that has the same performance as your fancy router, and doesn't even have proprietary firmware.

Unneseccary but they should keep it anyway

[electron826]

I feel that password masking is solving a problem that doesn't really exist, however that doesn't mean that it should be removed. I still find it to be quite a neat feature though...

Re:Why are you running stock firmware on your rout

[tepples]

Things that the ISP-provided router has and a Raspberry Pi lacks include the following:
1. A nice case
2. A fiber, cable, or DSL modem
3. More than one network port, to use one upstream and four downstream
4. A wireless access point

Re:Better Idea

[dave420]

Enable this option: chrome://flags/#enable-password-generation and you have your wish.

Seeing your password means choosing a better one

[FeelGood314]

People who actually examined passwords finally prevailed. I want you to chose a good password with lots of entropy. The password rules that you learned before actually made you less safe. correcthorsebatterystaple is a very good password but it is long and hard to correctly type if I can't see it.
If I can't see the password I will keep it short.
If I have to change it I will regularly I will make it something easy to remember and use a suffix that is likely a number that is incremented
If I have to have a capital it will be the first character
If I have to have a special symbol it will be the last or second last digit
If I have to have lots of passwords for different systems, I will use the same one on all of them

My last company, a very well know security company, 3/4 of passwords were a common 6 letter English word, first letter capitalized, then a number, then !@ or #. The number increased every 3 months.

Re: Obligatory Spaceballs

[NumenMaster]

1/5 You forgot to reduce.