
Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

  1. what else do you think it does? by vux984 · · Score: 5, Insightful

    "does password masking do anything beyond preventing the casual shoulder-surfer?"

    Erm...that is precisely ALL it has ever done?! What else do you think it does?
    Frankly, most password boxes should have a 'show' password option because it's user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.

    Although I do think showing it by default is a bit absurd. On the other hand, with a new router out of the box, the default password is a known quantity or on the labelling anyway... so not a lot of harm exposing it there.

    1. Re: what else do you think it does? by Matt.Battey · · Score: 3, Funny

      Even for those web sites that don't have the feature, the top three browsers (Chrome, Firefox, and IE) will all let you see any saved passwords by just inspecting the field's DOM properties...

    2. Re:what else do you think it does? by Anonymous Coward · · Score: 5, Insightful

      You are correct on all points, and I completely agree with your opinion-based points too.

      Originally password masking was purely to prevent shoulder surfing.
      Today it remains simply because it is expected behavior. And the default should remain masked for this very reason.
      But there is little harm with a button or whatever to display it for the times that it is acceptable to do so.

      There are still many situations you would both expect and need password masking on, and defaulting to not masked can only cause accidents that don't need to happen.

      Think conference rooms when the display is mirrored to a big screen or projector.
      Or remote support sessions where one may need to enter elevated rights credentials to do something for a user you don't want them doing themselves.
      Or the times you do not know how high traffic the area behind you is, or you have unfortunately little control over desk/workbench layout and orientation.

      Even if the area behind you is 99% of the time traffic free, that would still be three times a year where it is not traffic free.

      Not everyone is so lucky to have an office with a desk they can position such that the doorway opens to the front of the desk and you have no windows at ground level behind you.
      Long workbench setups are almost always mounted against the walls which would demand your back is to the door and the monitor pretty much facing towards the door as well.

      Even intentionally entering a password in front of others can be safer when masked (such as the conference room situation above), and any accidental exposure of part of a password being entered not expecting masking to be missing would dictate changing your password immediately, except now you are on a system you can't even trust to not show your new password while changing it!

      But the ability to turn masking off when unneeded or when it's a hindrance is also a good thing IMHO.
      My random character passwords tend to become muscle memory after a short time, and a bit more time afterwards I quite literally forget what the password is and only retain the ability to type it.
      Move me to a mobile phone onscreen keyboard where all the symbols and even numbers don't match a QWERTY layout, and I have a significant mental whiplash moment while trying to mentally "type" it and watch what keys my imaginary fingers are pressing.
      Autocomplete/autocorrect fucking with me in a way I can't even see before submitting the (likely incorrect) password is just additional salt in the wound.
      Mix in a decent or overly strict bad-password-attempt lockout policy and you can rightly screw yourself.

      So by all means include an unmask feature, but for the sake of cthulhu and all that is holy, leave masking as the default.

    3. Re:what else do you think it does? by Tony+Isaac · · Score: 5, Informative

      At least on Windows, password masked text boxes also prevent copying of the contents of the box to the clipboard. This prevents someone from using a Back button to return to a logon screen to find out what password was typed there.

    4. Re: what else do you think it does? by Anonymous Coward · · Score: 4, Interesting

      They do... now. Originally the value of fields was not visible in the DOM properties and could not be queried via window managers either. It's almost as if putting advertising companies in charge of browser security was a bad idea.

    5. Re:what else do you think it does? by Zebai · · Score: 3, Interesting

      I love websites and programs that give me the choice to unmask; however, I'm seeing more and more masking when it's NOT necessary, even for non-password-related fields.

      At my work they seem to think masking makes things ultra secure for all important data items. Fields that require you to input credit card numbers, cell phone numbers, all sorts of data are now masked on the pretense that it makes things more secure. It does not; over-the-shoulder watching is not even an issue. This is a work application accessible via intranet only; the only people who can see it already have permission to do so, so they don't even need to be sneaky by hiding behind me. It is a secure workplace, after all. Bit of a rant here; I'm just a bit peeved, as I now have to type into a very unsecured notepad just to make sure my data is accurate before submitting.

    6. Re:what else do you think it does? by Highdude702 · · Score: 3, Informative

      I have personally never seen a browser that, once you go past the page and go back, still has the password in the form box. And on most items like programs they just don't allow copy on right click; you can, however, ctrl+c and still copy from the masked password box. But as I said, not after the submit form button has been pushed.

  2. Sure. by msauve · · Score: 4, Insightful

    "is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?"

    It makes it much more likely to make a typo and have to try again.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law

  3. Kids... by zm · · Score: 4, Insightful

    No, it is not going away, because it is more than just shoulder surfers that look at your screen. For example when you need to login while projecting the screen in a conference room, or sharing it during an online meeting. Now, get off my lawn. Please.

    --
    Sig ?

    1. Re:Kids... by mykepredko · · Score: 4, Insightful

      This is why I never connect to a projector with the screen duplicated - always extended.

  4. Re:Masquerade by Vlijmen+Fileer · · Score: 4, Insightful

    Which is why you then resort to first typing it in an editor, defeating the purpose of the masking, to subsequently copy it to the password field.

    Except of course when the programmer of the password field was such an intolerable and incompetent turd that she disabled pasting into the field; that unfortunately also happens.

  5. Re:Masquerade by thegrassyknowl · · Score: 4, Insightful

    My favorite is trying to enter 15 character randomized passwords into a "force mask" field.

    My favourite is entering a 24 character randomised password into websites/software where the retarded morons designing it felt they knew better than me and blocked/intercepted paste. Or, almost as bad, websites/software that relies on keypress events to cause their processing to do something with my password. ReviewBoard does this with its comments fields - if I paste from a pre-prepared note it is unaware that I've edited the comment field.

    The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.

    If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

    --
    I drink to make other people interesting!

  6. Re:Masquerade by Desler · · Score: 3, Insightful

    And those same idiots also have a "confirm email" field that also disallows pasting. Even more so than the password field, that one makes no sense.

  7. Re:Are You a Great Typist? by Strider- · · Score: 4, Insightful

    "correct horse battery staple" would like to disagree with you. The reality is that putting in special characters, mixed case, and numbers doesn't do nearly as much to increase password complexity compared to simply making them longer. For the network I operate, I now just have a policy of a minimum of 12 characters. I tell my users to make up a silly little rhyme or ditty that they can remember, and use that as their password. Easy to remember, hard to crack, and easy to type.

    --
    ...si hoc legere nimium eruditionis habes...

  8. You want your password unmasked? by mark-t · · Score: 5, Funny

    Make it a bunch of asterisks.

    Done.

  9. Re:Masquerade by msauve · · Score: 4, Funny

    "subsequently copy it to the password field."

    I use control-v as a special character in my passwords, you insensitive clod.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law

  10. Because of new "Not Secure" browser messages by JoeCommodore · · Score: 4, Interesting

    If you get a password field on a web page, the browser will display various scary looking messages depending on the security of the page.

    Generally, if it's a local network page with an IP address (most router interfaces), having the password field will have the browser alert you that the page is "Not Secure" in the address bar. If it's a self-signed certificate (which adds encryption between you and the browser), the message is even scarier, with red fields or strikethroughs, as a spoofed certificate COULD be playing a man-in-the-middle confidence scheme. The only ones that get through this are devices that have set up proper certification.

    So the easiest way to avoid a lot of the scary "not secure" address bar messages is to just do the login in plain text.

    --
    "Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield

    1. Re:Because of new "Not Secure" browser messages by skids · · Score: 3, Insightful

      +1 Insightful. There's a nice example of a perverse incentive for you.

  11. Re:Masquerade by Kjella · · Score: 3, Informative

    If you use KeePass you can configure it to not use so many confusing characters. Sometimes you run into places where the moron designer thought that only alphanumeric characters make valid password characters.

    If you go outside ASCII and depend on the keyboard mapping there's been an annoyingly high number of bugs perpetrated by developers who only use the US/English keyboard. Particularly if you rely on this early in the boot process, like you want to unlock your BitLocker/TrueCrypt/LUKS partition with a password or make some kind of single-sign on solution that won't fail when one of the applications has been made by 'tards. And I say that as a Norwegian where our alphabet has 29 letters but for any technical purpose æøå doesn't exist in my book. It's not worth the pain of crappy US-centric software.

    --
    Live today, because you never know what tomorrow brings

  12. Exactly this point! by s.petry · · Score: 3, Informative

    TFA seems to believe that since they can't think of a purpose for masking, and that a single (in their words "cheapest money can" [I assume they meant] "buy") home router doesn't use masking, that it must be the end of a field that's been in HTML for as long as HTML has had a standard. Training sessions, remote support sessions, documentation, and yes, preventing shoulder surfing are all reasons that the password field type will probably never go away.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  13. Re:Masquerade by whoever57 · · Score: 5, Informative

    I ran into a worse problem recently.

    The website runs some JavaScript on the entered email address, which prompts a server somewhere to attempt to validate the email address. The attempt is achieved by beginning an SMTP transaction to the MX host for the domain name.

    Now, combine this with postgrey: the mail server sends back a temporary failure, which the server stupidly interprets as the email address not being valid.

    The stupidity of this whole setup is monumental. Not least because Exchange servers will accept emails for non-existent addresses in their default configuration.

    --
    The real "Libtards" are the Libertarians!

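
    As an added illustration (editor's code, not from the site or any commenter), the difference between the callout logic described above and one that honours SMTP reply-code classes: a 4xx such as postgrey's greylisting reply is "unknown, retry later", not "invalid", and even a 250 only means the MX accepted the recipient, not that the mailbox exists. The sample replies are constructed, and `_REPLY_RE` and the function names are assumptions of this example.

```python
import re
from enum import Enum


class Verdict(Enum):
    DELIVERABLE = "deliverable"      # 2xx: MX accepted RCPT TO (does NOT prove the mailbox exists)
    UNKNOWN = "unknown"              # 4xx: transient failure such as greylisting; retry later
    UNDELIVERABLE = "undeliverable"  # 5xx: permanent rejection


# Three-digit reply code followed by a space, a '-' (multi-line reply) or end of line.
_REPLY_RE = re.compile(r"^(\d{3})(?:[ -]|$)")


def naive_verdict(reply: str) -> Verdict:
    """The flawed rule the comment describes: anything but 250 is 'invalid'."""
    return Verdict.DELIVERABLE if reply.startswith("250") else Verdict.UNDELIVERABLE


def classify_rcpt_reply(reply: str) -> Verdict:
    """Classify the MX's reply to RCPT TO by its RFC 5321 reply-code class."""
    m = _REPLY_RE.match(reply)
    if not m:
        raise ValueError(f"malformed SMTP reply: {reply!r}")
    code = int(m.group(1))
    if 200 <= code < 300:
        return Verdict.DELIVERABLE
    if 400 <= code < 500:
        return Verdict.UNKNOWN
    if 500 <= code < 600:
        return Verdict.UNDELIVERABLE
    raise ValueError(f"unexpected SMTP reply code {code}")


def accept_address(reply: str) -> bool:
    """Form-side decision: only a definitive 5xx may block the user.

    A 4xx (greylisting, rate limiting, a backup MX) says nothing about whether
    the mailbox exists, so the address is accepted and, if the site cares,
    re-checked later rather than rejected on the spot.
    """
    return classify_rcpt_reply(reply) is not Verdict.UNDELIVERABLE


# Constructed sample replies (modelled on Postfix/postgrey wording, not captured traffic).
GREYLISTED = "450 4.2.0 <alice@example.com>: Recipient address rejected: Greylisted"
ACCEPTED = "250 2.1.5 Ok"
UNKNOWN_USER = "550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown"

if __name__ == "__main__":
    for reply in (GREYLISTED, ACCEPTED, UNKNOWN_USER):
        print(f"{reply[:3]}  naive={naive_verdict(reply).value:<13} correct={classify_rcpt_reply(reply).value}")
```
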
  14. hunter2 by Frankie70 · · Score: 5, Funny

    hey, if you type in your pw, it will show as stars
    <Cthon98> ********* see!
    <AzureDiamond> hunter2
    <AzureDiamond> doesnt look like stars to me
    <Cthon98> <AzureDiamond> *******
    <Cthon98> thats what I see
    <AzureDiamond> oh, really?
    <Cthon98> Absolutely
    <AzureDiamond> you can go hunter2 my hunter2-ing hunter2
    <AzureDiamond> haha, does that look funny to you?
    <Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
    <AzureDiamond> thats neat, I didnt know IRC did that
    <Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
    <AzureDiamond> awesome!
    <AzureDiamond> wait, how do you know my pw?
    <Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
    <AzureDiamond> oh, ok.

  15. Re:Obligatory Spaceballs by darkain · · Score: 4, Informative

    Obligatory Nuclear Launch Codes: 0-0-0-0-0-0