Ask Slashdot: Is Password Masking On Its Way Out?

New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?

what else do you think it does?

[vux984]

"does password masking do anything beyond preventing the casual shoulder-surfer?"

Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because its user friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.

Although i do think showing it by default is a bit absurd. On the other hand, with a new router out of the box; the default password is a known quanity or on the labelling anyway... so not a lot of harm exposing it there.

Re:what else do you think it does?

You are correct on all points, and I completely agree with your opinion based points too.

Originally password masking was purely to prevent shoulder surfing.
Today it remains simply because it is expected behavior. And the default should remain masked for this very reason.
But there is little harm with a button or whatever to display it for the times that is acceptable to do.

There are still many situations you would both expect and need password masking on, and defaulting to not masked can only cause accidents that don't need to happen.

Think conference rooms when the display is mirrored to a big screen or projector.
Or remote support sessions where one may need to enter elevated rights credentials to do something for a user you don't want them doing themselves.
Or the times you do not know how high traffic the area behind you is, or you have unfortunately little control over desk/workbench layout and orientation.

Even if the area behind you is 99% of the time traffic free, that would still be three times a year where it is not traffic free.

Not everyone is so lucky to have an office with a desk they can position such that the doorway opens to the front of the desk and you have no windows at ground level behind you.
Long workbench setups are almost always mounted against the walls which would demand your back is to the door and the monitor pretty much facing towards the door as well.

Even intentionally entering a password in front of others can be safer when masked (such as the conference room situation above), and any accidental exposure of part of a password being entered not expecting masking to be missing would dictate changing your password immediately, except now you are on a system you can't even trust to not show your new password while changing it!

But the ability to turn masking off when unneeded or when it's a hindrance is also a good thing IMHO.
My random character passwords tend to become muscle memory after a short time, and a bit more time afterwards I quite literally forget what the password is and only retain the ability to type it.
Move me to a mobile phone onscreen keyboard where all the symbols and even numbers don't match a querty layout, and I have a significant mental whiplash moment while trying to mentally "type" it and watch what keys my imaginary fingers are pressing.
Autocomplete/autocorrect fucking with me in a way I can't even see before submitting the (likely incorrect) password is just additional salt in the wound.
Mix in a decent or overly strict bad-password-attempt lockout policy and you can rightly screw yourself.

So by all means include an unmask feature, but for the sake of cthulhu and all that is holy, leave masking as the default.

Re:what else do you think it does?

[Tony+Isaac]

At least on Windows, password masked text boxes also prevent copying of the contents of the box to the clipboard. This prevents someone from using a Back button to return to a logon screen to find out what password was typed there.

You want your password unmasked?

[mark-t]

Make it a bunch of asterisks.

Done.

Re:Masquerade

[whoever57]

I ran into a worse problem recently.

The website runs some javascript on the entered email address, which prompts a server somewhere to attempt to validate the email address. The attempt is achieved by beginning an smtp transaction to the MX host for the domain name.

Now, combine this with postgrey: the mail server sends back a temporary failure, which the server stupidly interprets as the email address not being valid.

The stupidity of this whole setup is monumental. Not least because exchange servers will accept emails for non-existent addresses in its default configuration.

hunter2

[Frankie70]

hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.