Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use. Usability guru Jakob Nielsen said last month that sites should show most passwords in …
Blackberries and iPhones
yadda yadda, Nokia phones have had this for how long now?
Dropping a clanger
"So was I wrong?" wrote Schneier. "Maybe. Okay, probably."
Anybody else think, definitely ?
It's a testament to Bruce
that he is professional enough to admit a mistake. A lesser man would try to bullshit his way out of it...
...have a tick-box (default unticked) to display the password.
Another heroic retraction!
Or alternatively something revolutionary...
Can't browsers just have a button that toggles between clear text in password boxes and masked passwords?
If you're at home on your own then turn it off, if you're demoing to a crowded room of thieving pikeys then turn it on...
Could be turned on by default in porn/privacy modes...
Character masking in iPhone
There's no need to be all-or-nothing with password masking. I like Apple's choices in a recent iPhone update to show the last character while typing your password, and masking it after 2 seconds.
Also, nice idea in Mac OS X to have a check box to "show password" during or after you've typed a password to double-check (when you're using fat fingers). ;)
What a foolish cock
What happens if your keyboard is unreliable?
For instance, some of the chip-and-pin terminals are pretty cruddy.
Showing the character temporarily is a risk, yes, but I'd be a lot more confident the keyboard was working if I were seeing more than the ****. If feels almost hostile, sometimes.
courage of convictions
it is a point of debate and Schneier is not alone on debating the value, it is just the problem is quite intricate.
Levels of importance.
I don't want my banking password viewable by anyone looking over my shoulder.
My ElReg password, on the other hand, I really don't care. Likewise the password I use to connect to Usenet. Or facebook, hotmail, twitter, myspace, youtube and the rest of the Web2.0 space (if I actually had any accounts that I used more than once or twice in those spaces). I'm not going to give 'em away on purpose, mind, but if anyone managed to get 'em I wouldn't exactly cry about it.
Was an idiot, still an idiot
Bruce Schneier's biggest problem will probably be that he has now lost the respect of anyone with a brain, and he will likely not get it back. To make such purely anti-security statements while claiming to be a security expert is unbelievably stupid, and anyone who truly believes what he said is no security expert at all.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. 'That seems like an excellent compromise,' he said."
And with his latest quote, he once again proves that he is no security expert, and that he still believes shoulder surfing is not a problem (despite his quote to the contrary). The only thing this approach will prevent is someone from seeing your password as they are walking by. Anyone standing over your shoulder will STILL see your complete password (unless they have an attention span of only two seconds). And since most passwords are made from words (as they should be*), it would be relatively easy for them to remember. This BlackBerry/iPhone approach is only reasonable for handheld devices where you can ensure that nobody else can see the screen.
* Yes, that's right, I said it. Passwords SHOULD be made from words, though not ONLY from words. My password-generation advice is to take two words, a punctuation character or symbol, and a four-digit number (such as "second-nightmare-3617" or "Dwight$Fry$1971". That makes it much easier to remember while still making it very difficult to guess or brute-force. The only problem with this approach is retarded passwords systems which limit you to an unreasonably low character limit (such as a max of 12 characters).
iPhone style password fields?
Nope, still wrong.
Point of note - what if you're making a presentation using an iphone on a big screen, showing lesser types how to access their email accounts? By doing so, you will have inadvertantly revealed your own password to all and sundry, possibly without realising it.
Sure shoulder-surfing for pwds on iphones isn't likely to be prevalent, but putting that same method on a full desktop is likely to be just as bad as totally unmasked pwds.
You can't win, plain and simple, I would argue that the situ as it stands right now isn't good enough - even revealing your pwd by typing it on a keyboard is sufficient for some people to snatch your pwd. Especially if its done professionally as part of a police/private investigation, using cameras.
You're not even close to a perfect solution even if you have computers with a direct-to-brain interface!
Now get the beers in and forgedaboudid.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "That seems like an excellent compromise," he said."
Translates roughly as "Schneier still misses the point spectacularly and thinks that briefly displaying each character of your password on a screen in front of your colleagues, students, children or general shoulder watchers is a great idea!"
Plenty comments calling him a moron on the other article. Seems he's still a moron now.
Shoulder surfers read the fingers, not the screen. Phone card PINs are stolen every day by this technique, and payphones don't have screens.
Even when he's wrong
Go to http://www.schneierfacts.com for the truth about Bruce Schneier.
So make it optional?
What's wrong with the solution used by programs like TrueCrypt, where the password is masked by default but you can uncheck a box to display it?
Only real authority would learn and admit he was wrong. Kudos to Schneier!
All definate rules are wrong
Like the rule for not writing down your password.
I am logging in from home, on my own in a locked house - which is better, to have a different "juvbqr7yc^$" password for each site, change them regularly and have them written down, or just use "martin" and remember it.
No he wasn't
I said it there, so I'll say it here. The debate so far has gone roughly like this:
Nielsen: "Here is a suggestion based on actual data from studies my colleagues I have been performing on actual users and software."
Dissenters: "I disagree based on my subjective personal experience." Or "I disagree based on what feels like common sense."
Ironically, Nielsen's column this week is on how to explain to people that usability is a real subject on which trained professionals can have expertise.
How about a button that says "unmask"
If you had a button next to the field that would "unmask" the password, the user could click it at their discretion when they felt no risk of shoulder surfing.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "That seems like an excellent compromise," he said."
And a fairly obvious compromise given that they are the devices on which the keystrokes are hardest to judge. They've always been the most likely to have thought about this issue before.
I can normally tell on a "proper" keyboard when I've made a tpyo <sic>. So I need some other way on a "non-proper" keyboard...
What they should be saying is that you should never have to enter visible text twice - i.e. email addresses should only be entered once - the reason for entering passwords twice is that you can't read them back.
Shoulder surfing is not a problem BECAUSE of masked passwords. If you want to shoulder surf a masked PW then you need to get right up close and personal. If passwords were not masked everyone and their dog could do it at distance.
Rock hard security is not comfortable
Dare I suggest that there is a huge difference between logging on to your online banking account and signing onto facebook or your local newspaper's flame-wall?
My local paper sends me a password by SMS... Yes... As if I care if some five-year old gets hold of my password there and starts posting nazi-propaganda or links to pictures of naked women. (I do the latter already -- 'cause I've always been a weak one for the naked women...)
Some sites simply take themselves way too seriously. Besides... Typing blind forces many to type slower. Thus their passwords are almost easier to shoulder-peek.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "
Err, Nokia high-end phones don't do this for a long time?
The word you're looking for...
>> "So was I wrong?" wrote Schneier. "Maybe. Okay, probably."
"Yes." The word you're looking for is "yes."
Showing each character for a second before converting it to a star is not a compromise, it's just a sensible way to implement obscured passwords on mobile device with multiple letters on each key.
It's been the de facto standard for years, certainly pre-dating the iPhone, and possibly the Blackberry!
@El Reg, Please stop that
"Schneier now backs an approach taken by BlackBerry devices and iPhones" Please stop referring to specific brands unless you are actually talking them. Doing this makes you sound like a marketing shill. Just use 'smartphone' since there are numerous devices out their that do this that aren't crack berries or Jesus phones.
not a panacea...
... and in fact, a false sense of security. I wonder how many net-newbies think the asterisks or blobs are protecting the password transmission too? Sure, it doesn't take much technical knowledge to understand they don't, but the days of the geeks inheriting the networked earth are over.
Browsers could potentially implement a checkbox as part of the password form control (or have a global / site-specific config option), and allow the choice. 99% of use is perfectly safe unmasked, but the "internet cafe" option could be there for the 1% (though the risks of packet interception would be higher than that of shoulder-surfing there anyway)
Summary: you weren't wrong, just speaking uncomfortable truth.
Wow, an expert who admits to being wrong?
What has the world come to?
And more importantly, can we please have more of this?
Provide show-password option as a checkbox
Some websites offer a checkbox to control showing or hiding user ID input. An example is ingdirect.com. Hiding input by default, but having a checkbox to allow showing it, basically solves the problem.
Good on him
It takes a big man to admit he was wrong.
It takes a bigger man to mock him mercilessly for being wrong in the first place.
That's only because they're not displayed on the screen though. No doubt that they would read the screen, given the opportunity.
But seriously, Schneier; duh?
To Bruce for admitting is initial reaction was way off base, I'll give him credit for that. Bear in mind that unlike some of the mouth breathers in the comments above me I don't harbor some baseless hatred to Bruce or think that it's some how cool or hip to hate someone simply because others like that person or because he's popular. However I've read Bruce's blog and he proves that even with the retraction of his initial statement, he still doesn't get it. He is still not grasping the realities of day to day computing or how password masking really does help enhance security.
For what ever reason he still doesn't get it. A fact which is driven home by the whole "password masking is not a panacea" line. Well no shit Sherlock, you're supposed to be a computer security expert. So you of all people should know there is no such thing as a panacea for computer or internet security, it simply doesn't exist aside from going to birth to death without ever using a computer to do anything that could potentially be tied back to you individually. /facepalm. Wake up Bruce and stop pushing password safe long enough to think beyond the limited world you live in now.
My hat's off to him.
It's rare to find anyone with such intellectual honesty to admit a mistake this way.
If he ever decided to pursue a career in politics, he's got my vote all right.
You can't take it back!
optional .. ok ?
another *vote* for option to show password text ..
to mask passwords for me, as nearly 100% of the time there is no one around to shoulder surf anyway .. is just ... LESS FUNCTIONALITY
most of the reason for typing in a password twice, say when you are changing a password, is BECAUSE it's masked and likelyhood of mistakes are high .. so again ..
twice the time + higher mistake potential = less functionality
now .. when will some sites stop asking for my email address twice when the entry is not masked ? .. doesn't everyone just highlight > copy > paste the first entry anyway ?
Depends on the screen size
The risks of shoulder surfing are small for phones with tiny screens. Perhaps password masking should be turned off on them.
But shoulder surfing is a real problem for full size computer screens in offices and multi-person homes.
Nielsen? Explains a lot
Who listens to Nielsen these days? The guy's on another planet, one where commercial concerns don't exist and everything is fluffy. Total ostrich.
I'd venture that the point on Blackberries and iPhone having it "right" is partly the case. Lots of handsets have worked that way on passwords (triple-tap entering passwords is rather harder than discrete keys - and predictive text is of course really hazardous - made worse if you then decide to "learn" your password - security, schmekurity!).
BUT I think that misses the point. Shoulder surfing a large piece of glass is one thing, but shoulder surfing a hand held device is another. I'd venture that Blackberry and iPhone have got it WRONG - and have said so at developers' gatherings for mobile in the past. The phone is a very personal device and while you are doing data entry hiding the screen is not tricky. Remember these devices are not "wide-angle" visible typically so a user is going to need to have their personal space pretty badly invaded for that to be a problem.
Glass screens - I certainly sympathise with Neilsen, but that's not my expertise.
Tell us what you think of Phorm.
What is this all about???
Honestly folks what are we all going on about?
Ignore the emotional terms we've assocaited with the authentication process - username & password. Now just think of them as two pieces of information.
It would be logical to either hide them both or neither. It is of little benefit to hide one and not the other. In fact having the user name in cleartext allows others to 'grab' half your credentials in any case - so whether it's the username or password really makes no difference at all.
The problem here is that it is a study on USABILITY not SECURITY. Of course it's more usable to display the password back to the user as they type. So whilst the data is accurate with regards to usability Nielsen is actually himself using subjective opinion as to whether this solution is equally secure as having passwords masked. There would need to be another study comparing the security of masked passwords to that of unmasked passwords.
If your password is composed entirely of *'s then it doesn't matter one way or the other.
@jake re. Levelsof importance
"..but if anyone managed to get 'em I wouldn't exactly cry about it."
I can understand your thinking here but I have the opposite situation.... Many years of important e-mails, documents, photos and lots of work is stored in Googledocs and Hotmail accounts so I NEED a secure pasword. Fortunately I have a good memory and have made up a strong password, because I need to care about my security, especially when I'm away from home and using an internet cafe.
Oh FFS, everyone knows that if you want someone's password, you merely phone them and tell them you're from IT and need to reset their password. Then you phone IT, pretend to be them and reset their password. Simple. Shoulder surfing doesn't come into it.
Another commenter wrote that shoulder surfing still takes place even with blanked out passwords. It's rare though. There are other means that are far more common (looking at the post-it notes stuck to their monitor for example...)
People ARE stupid. We all know that. Asterisks or not, people's passwords will be discovered from time to time.
how about keep it masked, but when you bring the mouse over the text box, it goes clear text?
Well, that's good
A retraction is a sign of an open mind. Schneier appearss to be saying he's listened, he's reconsidered and he's learned. A person only becomes an expert by learning, and once they stop learning, they become yesterday's expert.
I said in the original comment torrent, that websites don't hide the password: they use the password type input. The browser hides the input. The place to tackle this, is with the browser, not the website. The website is simply describing what is being asked for, and we do not need a plethora of home-grown approaches to password management, implemented on a site-by-site basis, across the web to handle an input type that is clearly defined within the HTML spec (HTML 5 actually defines more of these specialist input types, not less of them, but browsers continue to apply the same approach to input fields first implemented in Netscape Navigator 2.0; there's been zero progress or develpment on the useability in just about any browser, since).
The use of <input type="password"> is important to people like my mate Bob, who is now nearly completely blind, as a result of an inherited illness. He uses the <input type="password"> all the time, when browsing the web, to help him locate the login form on a page. The useability experts appear to argue that password masquerading is a bad thing because the user cannot see what they are typing. Well, guess what? Bob can't see what he's typing, either. I'd like to suggest that removing semantic markup from a page, and thereby making the web even less accessible to people like Bob, is not justifiable if the basis of the argument for doing so, is that you're all sloppier typists than Bob.
Jakob Nielsen's credibility level has been approximately zero for approximately a decade.
If you're daft enough to use your own email account during a presentation, and not a test one you don't care about, then you deserve to have your password compromised.
- Vid Antarctic ice THICKER than first feared – penguin-bot boffins
- Antique Code Show World of Warcraft then and now: From Orcs and Humans to Warlords of Draenor
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Regin: The super-spyware the security industry has been silent about