Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use. Usability guru Jakob Nielsen said last month that sites should show most passwords in …
One of the few people I agree with,
People here are using examples that do not tally with common sense and are being deliberately awkward (actually the phrase deliberately thick comes to mind).
What is wrong with discussing such things? Possibly Bruce isn't thick enough to recommend using unmasked on-line banking passwords in a cybercafe somewhere in Russia. But then somehow I don't think that was his original intent.
I also do not think he was referring to typing in real passwords during a public demo (but then he is probably smart enough to use a demo account).
It is something worth discussing, and if your security relies on blobbed passwords then as far as I am concerned you are already well on your way to making a mistake.
There are situations such as cash machines et al where you are forced into that situation, but surely you do not continue if somebody is a little too inquisitive?
I can understand the dilemma. There are 3 kinds of typists in the world. The hunt and peck types, who never look away from the keyboard to see what they're typing, and touch typists who can look anywhere they like and KNOW they're typing correctly.
However, there is a middle ground on the ascent to touch-typing. Typing, not looking at the keyboard, but having to look at the screen to know what you're typing. This is the crowd that suffers from password entry. I know, I was there. I could type with a blindfold these days though so don't really care...
A big man?
>> "So was I wrong?" wrote Schneier. "Maybe. Okay, probably."
That sounds more like weaseling out of fault. He has not really accepted being wrong; in fact, he continued arguing that shoulder surfing was "overrated", even though in the same sentence he seems to agree with his commenters that shoulder surfing is not a large problem anymore because of such masking.
If saying something like "Well, I'm still right, even though you have a point, and my new argument is orthogonal to my previous one. Oh, and by the way, I *may* be wrong. Probably." is accepting fault, then I guess Schneier is a "Big Man" indeed!
Password masking is incredibly useful in concealing passwords from remote monitoring sessions. i.e. IT department with remote access to view company desktops. A corrupt and nosey tech could easily simply remotely watch someone log into their bank for example. The person would not be aware anyone was watching.
Do Away with Passwords
Passwords are a pain in the nether regions and frequently made too much of. I have a 4 digit PIN on my ATM card, but a more complex password for this site!
All a long complex password does is make sure the user writes it down, as they won't remember it. Changing passwords once a month, as on many corporate sites, doesn't help: it always prompts when the user is busy, and they will think of something easy just to get the thing to work again.
I think Handle's idea of the tick box will help; at least we can see if we typed the thing properly. But what is really needed is to replace the whole idea. Maybe a standardised fingerprint interface, so we carry our biometric ID with us, is an answer, one that checks blood is flowing to avoid amateur amputations!
Whatever the solution eventually adopted there should be a better way than having to try and remember complex alphanumeric strings that often seem in inverse size to the importance of what they protect.
I feel a Killer app coming on here
I can't be bothered to scroll back to see who it was that said that Schneier's credibility has now gone because he made a mistake and admitted to it. Anyone with half a brain knows that admitting you're wrong is a step forward, and admitting you're wrong in public takes a fair amount of courage.
One has to ask though, why is shoulder surfing not considered a risk? Well, take the bank account. Do you deal with your bank account in a public place where everyone can not only see your password as you type it but read the details of your finances? I don't think so, so shoulder surfing isn't likely to be a problem there. What about typing this comment? Well, I don't want people claiming to be me (even anonymously) so I'm not likely to type with an audience. And my various I-don't-care accounts? Well, chances are the potential shoulder surfer knows the password anyway. There, damn, I've just given it away again.
So if someone standing behind you is a problem, how much of a problem? If they're close enough to read the screen what else can they see? Well, actually, password masking doesn't help at all if you can see the keyboard and watch my fingers. Hell, with a phone you can film the keyboard and read the password in slow motion as it's played back. Password masking doesn't really add any security there either.
I know, I know, there are problems with that line of reasoning. But if one starts from the premise that passwords are visible does that make security better or worse? Don't jump and say "worse". Think about the implications -- what design changes does it mandate that make it better?
In the old, old days, when you used to log into a CRT and there was a 30s delay between hitting the return key and getting a shell prompt you'd be dead embarrassed if your password was there for all to see. That became the de-facto password masking standard until, basically, web forms where you needed some feedback to make sure that keyboard focus was where you thought it was. Now the problem with iPhones, Blackberries, whatever, is that lack of typing precision is an issue and, especially if your password is reasonably complex, getting it right without feedback is difficult.
So think; don't jump to emotive conclusions.
Mask Password Option
I would prefer a Mask/Unmask tickbox
then if I'm in private I can unmask and if I'm in public I can mask (mask should always be the default).
I do not want a character preview, shoulder surfers have memories/video cameras also. This is not a solution except in the mobile market where a key is for multiple characters, and the screen is so small shoulder surfing is not feasible.
On most keyboards every key makes a slightly different sound - so it's not too difficult if you have a good ear, to simply listen to the password and then sit down at the keyboard later and work it out.
I've always liked the fingerprint readers - easy to use and reasonably difficult to compromise - let's face it - nothing is impossible to compromise if you're willing to make the effort.
And yes - password masking is a pain in the butt about 90% of the time.
Firefox Web Developer is your friend
The FireFox "Web Developer" plugin has a "Forms / Show Passwords" option. I use it all the time, particularly to remember a password that the browser 'knows' but I have forgotten!
"Shoulder surfers read the fingers, not the screen. Phone card PINs are stolen every day by this technique, and payphones don't have screens."
That may work for payphone pins, but you tend to type them with one finger.
I can touch type. My current decryption password is 25 characters long and consists of letters, numbers and symbols.
I don't fancy your chances of reading my fingers as I type it on the keyboard.
But you'd have a decent chance if you can read it off a screen.
@Was an idiot, still an idiot
>" Bruce Schneier's biggest problem will probably be that he has now lost the respect of anyone with a brain "
How the hell would you know what anyone with a brain thinks? Try not to speak on behalf of any group you're not a member of in future, please.
4 Richard Hodgson
Well, not for nuthin' but here your average stolen phone card PIN has been read from several yards away in a very busy New York station during rush hour.
Not apocryphal, not even new. Documented cases spotted and filmed by clandestine News cameramen over ten years ago.
Password masking comes from the same place password aging does: the "inconvenience the legitimate user but slow down the hacker not one jot" school of thought.
You can't be secure when you base your security model on the assumption that a string of digits identifies a person, and your defense is to lock the stable door after the horse has bolted.
If you *must* use a password-based security system, you should be tracking the usage pattern and reacting to *that* in real time rather than figuring out what happened after the fact. Works for credit cards. My bank tracked me down in a different country to inform me that the spending on my Access Card looked "odd" less than three days after it happened, and by Jove it was too. If I'd been where they thought I was I'd have known that day. They shut down the card the moment they got worried anyway, knowing I'd get in touch if I was the one spending my money. Amex used to be particularly good at spotting possible fraud too.
If someone can crack your password once, changing it out, either manually or by aging, is a minor inconvenience to the cracker (after all, the reality is that you're going to use the same method to construct any new password that you used to build the old one) while at the same time being a major pain in the arse for the person authorised to use the bloody thing.
And don't get me started on the dumber-than-dogshirt MS "Your password will need changing in two weeks. Shall we do it now (and by doing so use up one extra password per year than if I just assumed the effing system administrator knew what he or she was doing)?"
...( . ) ( . )...tit...le
I agree that I have far more respect for someone who admits to a mistake than someone who tries to blag their way out of it.
But let me be the first to say even Microsoft have used the 'tick here to unmask' password on Vista (when entering a WPA key, since you didn't ask).
And possibly the most secure option is that used by my bank: it asks for three random digits from within the password. It doesn't matter how many shoulder-surfers watch me, all they'd get is, say, the third, seventh and twelfth digits. Maybe, just maybe, if someone watched me logon twenty times, then perhaps they'd collect all the digits... But I reckon I could get most people's passwords watching them type them three times, asterisks or not. Most people pointedly look away when a colleague is entering a password to show that they're not doing this.
@Character masking in iPhone
Steve (or RIM) didn't invent the 'mask after a brief period'. Every mobile that I've ever had does this (from WAP days onwards), and with good reason - they had phone keypads and it was handy to know which letter you'd typed before starring it out.
On a device with a qwerty keyboard it really shouldn't be necessary... perhaps says more about the quality of screen keyboards.
"Many years of important e-mails, documents, photos and lots of work is stored in Googledocs and Hotmail accounts so I NEED a secure password."
If they are THAT important, surely you store them on automatically synchronized encrypted file systems accessible via ssh (or similar) at home in Istanbul, and at your Mum's in Duluth, and at your Great Aunt Bessie's in Argentina?
"Fortunately I have a good memory and have made up a strong password,"
A strong password? Only one? The key to the kingdom, as it were?
"because I need to care about my security, especially when I'm away from home and using an internet cafe."
You do "important work" out of internet cafes that requires security, utilizing googledocs & hotmail? Your definition of "important" and "security" appears to differ from mine.
Ever Heard of BioPassword
Where I work we recently took a product called BioPassword for a test drive. This works by analysing the speed and 'pattern' that you type your password. For example, there may be a tenth of a second delay between you pressing the keys Q and W, because they're next to each other and you use the same finger, but a half second delay between Q and 5, due to changing fingers.
Despite being very sceptical about its effectiveness we were all surprised at how well it worked. While the application learned how you type your password, which took about 10 entries, it became more and more restrictive about how close to the pattern you had to be. We ended up putting the username and password on a Post It note and inviting people to successfully sign-on to the machine... nobody was able to defeat it.
A/C because otherwise I'll get harassed by their sales department yet again.
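The inter-key timing idea in the comment above, as an added toy example (not BioPassword's algorithm or code; names, thresholds and sample timings are all my own, and the timings are constructed rather than recorded): each password entry is a list of key-down timestamps in milliseconds, enrolment builds a per-interval mean and spread from several entries, and an attempt is accepted only if every interval sits within a few standard deviations of the learned rhythm. The `floorSd` guard handles the failure mode where an interval is perfectly consistent during enrolment (spread of zero), which would otherwise reject every later attempt.

```javascript
// Added example, not from the original thread. Toy keystroke-dynamics
// check: a profile of inter-key intervals learned from enrolment entries,
// and a z-score style distance for deciding whether an attempt matches.

// Intervals between consecutive key-down timestamps (ms).
function intervals(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) out.push(timestamps[i] - timestamps[i - 1]);
  return out;
}

function mean(xs) { return xs.reduce((a, b) => a + b, 0) / xs.length; }
function stddev(xs) {
  const m = mean(xs);
  return Math.sqrt(mean(xs.map((x) => (x - m) ** 2)));
}

// Build a profile from several entries of the same password: one
// {mean, sd} per inter-key interval.
function enrol(samples) {
  const per = samples.map(intervals);
  const n = per[0].length;
  return Array.from({ length: n }, (_, i) => {
    const col = per.map((iv) => iv[i]);
    return { mean: mean(col), sd: stddev(col) };
  });
}

// Worst-case distance of an attempt from the profile, in standard
// deviations. floorSd prevents a zero-spread interval from making every
// later attempt fail; a length mismatch is an outright reject.
function score(profile, attempt, floorSd = 10) {
  const iv = intervals(attempt);
  if (iv.length !== profile.length) return Infinity;
  return Math.max(...iv.map((x, i) => Math.abs(x - profile[i].mean) / Math.max(profile[i].sd, floorSd)));
}

function accept(profile, attempt, threshold = 2.5) {
  return score(profile, attempt) <= threshold;
}

// Constructed enrolment data: four entries of a five-key password by the
// same (hypothetical) user. Not measured from a real keyboard.
const ENROLMENT_SAMPLES = [
  [0, 120, 260, 300, 520],
  [0, 110, 270, 310, 500],
  [0, 130, 250, 290, 540],
  [0, 115, 265, 305, 510],
];
// Same user again, slightly different timing.
const LEGIT_ATTEMPT = [0, 125, 270, 310, 530];
// Someone typing the same (known) password with an even, slower rhythm.
const IMPOSTOR_ATTEMPT = [0, 300, 600, 900, 1200];

function buildDemoProfile() { return enrol(ENROLMENT_SAMPLES); }

const profile = buildDemoProfile();
console.log("legit accepted:", accept(profile, LEGIT_ATTEMPT));
console.log("impostor accepted:", accept(profile, IMPOSTOR_ATTEMPT));
```

The point the comment makes about the system becoming stricter as it learns maps onto `sd` shrinking as more consistent samples accumulate; in a real deployment you would also keep updating the profile after each accepted login so that a user's drifting rhythm does not lock them out.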
Kudos to him for admitting he was wrong. Even if it wasn't a 100% confession, it's far more than we can expect of any bloody politician or businessman that would try to bullshit their way out of it even though we know they are lying and that they are complete morons (i.e. Gordon Brown)