Masked passwords must go

Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in …

COMMENTS

This topic is closed for new posts.


  1. iBeech
    WTF?

    I actually signed up to say what a bad idea this is

    What a rubbish idea? Letting your password be in plain text!

    If anything, it would discourage people from using online services!!

  2. mmiied

    Maybe

    Maybe it is unnecessary, as 99% of the time there is nobody looking over your shoulder, BUT for the 1% of times where there is I would like to see it kept; even having your account hacked 1% of the time is still more annoying than a masked password box.

  3. Rob Fisher
    Joke

    Masked passwords on IRC

    Look, IRC automatically masks passwords!

    http://bash.org/?244321

  4. chris 27
    Grenade

    Really?

    I can maybe see where they were coming from with this ... it would make users think a little more. You could argue that password masking is security through obscurity.

    A few years ago, I amazed someone at a client's IT dept by sniffing their password off the wire (html form based authentication) - they thought the masked password was encrypted. This is the part of the puzzle that the users probably don't understand. "I can't read it on the screen, it must be secure."

    That said, I still think removing it would be a really *bad* idea. It would create a few really large problems, rather than the comparably small problems we currently have.

    I can imagine people using high powered telescopes through windows etc. Never a good thing.

    I wonder how many people use html forms to authenticate over their unencrypted home wireless network? *Most* sites now seem to use SSL/TLS for the authentication process at least, but some probably still exist. For example your password for your register comments doesn't appear to be submitted over a secure connection: action="http://comments.theregister.co.uk/2009/06/30/masked_passwords_usability/"

    ------

    A couple of replies to comments (I've given up reading all of them!)

    ------

    @Anonymous Coward Posted Tuesday 30th June 2009 08:23 GMT

    You have described another security issue, using the same password on two accounts. This has nothing to do with password masking. If I sniff your password off the wire, how is masking it on screen going to help?

    @ChrisInBelgium

    * 40 passwords? More a symptom of your infrastructure than an issue with passwords. Maybe centralising some of the user accounts would help.

    * password lock out - stops password brute forcing. 3 is maybe too few attempts, it depends on what you are protecting. Brute forcing is the security threat that this control is trying to protect you from.

    * Coding your own encryption algorithms is not a recommended practice.

    @Mike Peachey

    @By Anonymous Coward Posted Tuesday 30th June 2009 08:48 GMT

    @Peter Kay

    Good examples guys!

    @Gilbert George

    I used to have a tool, forget its name (maybe winspy) that would work on any input box. Really useful! I may check that tool out.

  5. EnricoSuarve
    FAIL

    Chicken or Egg?

    Is shoulder surfing a phantom problem because no one ever did it or (more likely) is it a phantom problem as everyone knows passwords are masked so there's no point? If you removed this valuable default rule shoulder surfing would once again rise as there would be a point to it again.

    I manage IT support for a large corporation; in our office environment we make extensive use of remote desktop takeover. Frequently users need to input passwords into apps and internet dialogs while my agents are connected to their screens; at present they can do so without fear of giving away their passwords (which, as others have pointed out, many people recycle endlessly). I'd rather they stayed masked out thanks - I'd rather not have the liability of my agents knowing users' passwords.

    OK that's not a huge concern to most but it is an example of where the present setup really helps us

    I agree that password masking can sometimes be annoying, especially when you're using someone else's IT and you're not 100% sure the keyboard is set up correctly, and sometimes I do copy and paste my password from a notepad session just to be sure I am getting it right, so perhaps an OPTION to one time disable masking on some sites might be nice (with a warning to check over your shoulder); but seriously? remove it altogether? except for sites where "security needs to win" as teacake above quite rightly points out the discrepancy in the author's statement

    Utter balls - I can only assume Bruce was having an off day

    On another note other security experts have advocated leaving your keys in the ignition when you leave your car, as otherwise it can be very inconvenient if you forget where you put them and very few car thieves currently use the 'ooh look keys in the ignition' method

  6. Philip Harvey
    FAIL

    Cause and effect

    "Shoulder surfing is not a largely phantom problem at all"

    Ahh, that would be because passwords are masked.

  7. Paul H
    FAIL

    I can see their point

    I guess if users are willing to part with their passwords for a bar of chocolate, or if they put them on sticky notes next to the PC, you might as well unmask the password. It's not even like most passwords are any good. The most recent offspring's name usually. Then there's the password recovery question that usually has fairly easy to gain information. What's the point of the password then? In fact perhaps we should do away with passwords entirely. You just put in your login and the system just accepts that in all likelihood you're probably really that person. Law of averages and all that.

    - not sure if I've remembered my el Reg password now. Perhaps I should simplify it...

  8. Doogs

    @John Angelico

    I don't exactly mask my signature - just change it every time I use it - no one's noticed yet.

    Could be a form of mutating encryption, maybe...

  9. Tim Williams 2
    FAIL

    Wrong target

    He should be addressing his comments to the browser makers not website designers. The password form type exists for a reason, browsers don't automatically remember its content without asking you. If I change my password fields to text and then use a website on somebody else's computer, my password is going to get flashed up to every subsequent user who manages to type in the first letter of my password. Not good.... If he really wants the option to turn off masking, it should be a browser config option to change the behaviour of the password field type. But then I might be showing my banking login details which are critical.......

  10. Giddy Kipper
    WTF?

    Excuse me but ......

    What I find interesting is that the majority of posters at the Reg are involved in technology to a greater or lesser degree, everyone from users to sysadmins, programmers to software architects (that's analysts to us old geezers) et al. So how is it that "according to two of the technology world's leading thinkers", 99% of the posts in response to this article are wrong?

    I have a feeling we are being fed consultant-bollocks by these 'thinkers'.

    For what it's worth I think they are wrong too. But I've only been in IT for 30 years, so what would I know?

  11. Chris Dupont
    Troll

    Master Troll!

    10/10 Nielsen and Brucey! Bonus points to all the apologists condemning the 'knee-jerk' responses. Consider this - if someone has worked in IT with security or support for even a few years then do they not get to make a swift call on whether or not an idea that fundamentally alters security is good or bad?

    If the Lesser Spotted NielBruce suggested, "Tell yer best mate yer passwords for usability so you don't have to get double-penetration-degradation for forgetting it," I would hope an equal amount of experienced IT staff would respond with a similar cramming.

  12. Anonymous Coward
    Paris Hilton

    Rubbish - however...

    What rubbish, I don't want colleagues reading the admin password when I log on to their boxes to sort stuff out for them.

    However - on a related note - can web designers please note that the need to retype the password is because it is not in clear text and can't be checked visually - therefore it is checked by comparison between 2 typings of it.

    There is NO such need to make me enter my email address twice in CLEAR TEXT, when all it does is make the process more irritating, and I don't know about anyone else, but I just cut and paste it from the first anyway - no value gained, some loss of convenience.

    Paris, because she understands about entering twice and comparing. (allegedly)

  13. Steven Jones

    Legal Angle?

    It seems rather strange that this little story came out of OUT-LAW.COM. Is there some legal angle to this which escapes me?

    Anyway, the idea is truly daft. By all means introduce a browser option to display passwords, but the default most assuredly needs to be off, not on. Shoulder surfing is not a non-issue. The producers of a web site cannot possibly know all the locations where it might be used, so this most assuredly needs to be a user option defaulting to the "safe" mode. I also don't understand why exposing them would make users come up with more secure passwords. The real problem is remembering all the damn things, and this doesn't help a jot.

    In the case of sites, like banks, these all require rather more than a basic password system.

    However, the real need here is for a one-time password generation system on a credit-card sized device you keep in your wallet. It should not be beyond the combined resources of major commercial operators on the Internet to come up with a single device which can be used for strong authentication (not just for web sites of course - anywhere where electronic transactions may be required). Of course you still need a personal password so that somebody who steals the device can't use that alone. Plain passwords are just too prone to replay attacks.

  14. Fragula

    excrement for brains

    Are these guys totally full of it, or wot????

  15. Adam Williamson 1
    Thumb Down

    @JSP

    "How often is someone looking over your shoulder as you type?"

    As several people have pointed out, the lack of prevalence of this practice is highly likely to have something to do with the fact that password blanking has been used for over thirty years. By your logic, we may as well not bother with highly sophisticated measures against bank thefts, because no-one robs banks any more anyway (...because of the highly sophisticated measures against bank thefts...)

    "How often are they malicious?"

    According to good security practice; always, potentially. If we magically knew who was 'malicious' and who wasn't, security would get a hell of a lot easier in a hurry.

    "How easy is it for them to even read the screen at that distance?"

    I can read a normal sized screen pretty well from across the room.

    "And will they be able to remember the arcane string of symbols that is your securely chosen password?"

    Oh, right, because we all know everyone chooses terribly secure passwords. And besides, every character they remember is an order of magnitude of possibilities they don't have to bother with when brute-forcing.

    "And what is to stop them just watching what you type?"

    It's much harder (especially with fast typists) and can't be photographed. And for me, the answer is 'the fact that I cut-and-paste my password in from a secure password storage application, of course'.

    "There are far easier ways for bad guys to harvest large numbers of passwords rather than wandering round offices looking over peoples shoulders and taking notes."

    Right, because all bad guys can be conveniently lumped into a single group who act in the exact same way from the same motives. Presumably they wear black masks with cut-out eye holes and carry bags with SWAG written on them, too.

    Above comments have given numerous plausible scenarios for shoulder-surfing 'attacks', many from personal experience.

  16. Icey
    FAIL

    No thanks...

    I'll keep the mask on my password thanks! I'm not lucky enough to have a desk that faces a wall!

    Besides, just because a user can see what password they are typing does not mean they will remember what it is in the first place!!

    I thought Schneier was supposed to be an expert?

  17. steogede
    FAIL

    Everyone else has said it...

    but I'm going to anyway. It's the browser that should have the option to not obfuscate passwords - they should probably have the option of 3 stars, no stars or a random amount of stars, like it did in KDM (perhaps still does) - it has nothing to do with the website. I can see that there are situations where obfuscating the password offers no extra security (someone at home on their own) and it could detract from usability a little.

    I have a better idea, and this is something that websites (rather than browsers) could do - they could do away with all that confusing SSL certificate malarkey. It just confuses people, having to look for that little padlock symbol. I better patent that idea, before Nielsen steals it (though chances are he's already published it).

  18. Jach
    Big Brother

    Not a fan

    Like hell I'm going to write the simple JS for offering a choice. (Okay, maybe if this catches on...)

    But jeeze, if you fail with your password, write it down or use your browser's remember password feature, or memorize it already.

    What would be a more welcome change would be an end to retarded password policies. If you want me to have upper and lower case and digits and funky chars, let me use my 34 character password, don't force me in the 6-8 character range where I have to do something like &i1eLmH& (if I ever Lose my Hands, song-generated style). In my own code I don't care; if they want to 'protect' themselves with a 1-char password, go for it. Same with a 100 char one.

  19. Bob Hoskins
    FAIL

    Translation

    "Schneier, a renowned IT security expert, echoed Nielsen's concerns, and supported Nielsen's assertion that password masking does nothing to improve security."

    Schneier, a renowned media whore saw an opportunity to vent yet more bulls**t to disingenuous media, desperate to fill copy space.

  20. The Fuzzy Wotnot
    Thumb Up

    Fantastic idea!

    You don't need all that keylogging cack, just screen grab when the user presses RETURN, instantly capture both username and password, instead of trying to find it in a stream of characters.

  21. Hywel Thomas
    FAIL

    I can see where they're coming from…

    But it's still idiotic.

    The iPod Touch (and iPhone) do the same as described for the

    AC gets it right. The problem is that there are many varieties of invalid passwords. People want to use the same password or use an easy to remember password system that they can apply to all systems. Too many sites can break this - forcing mixed case, forcing the use of numbers, not allowing numbers etc.

    By all means warn people that their password is shit, but let 'em use whatever they can remember rather than engineering a more secure password that makes them write it down somewhere, which then becomes less secure.

  22. Simon B
    Grenade

    What utter bollox!

    What utter bollox!

    How is showing your password clearly as you type it more secure ?!!!

    Grenade so they can hold it without the pin and explain why it is more secure without the pin!

  23. Jimmy 1

    Bruce is having an off day.

    Just can't get my head round the idea that someone with the reputation that Bruce Schneier has established for himself would endorse this laughable concept of stripping out a layer of security for the sake of convenience. Schneier has been advocating a multi-layer approach to security for years, so why is he suddenly giving his approval to an idea whose only justification, according to Jakob Nielsen, is that "it does cost you business due to login failures"

    What next Bruce - leave your house keys under the doormat when you go on vacation?

  24. Anonymous Coward
    Joke

    UTTER AND COMPLETE FAIL.

    They want to read all the passwords from PCs that are not TEMPEST - compliant. It even made an appearance on a NUMB3RS episode for chrissakes.

    The spy-guy could read and reproduce the output of a CRT monitor due to the electromagnetic field emitted by it.

    You don't even need to go that far, remote desktop applications (your Windows XP has it too) running WITHOUT user authorization can output the monitor screen to the network. Reading a password from it would be too easy without masking.

    Think defensively, in depth, all the time.

    LOL.

    PS I don't want to let my boss see my typing "BossisaTosser2009" as password.

  25. Stephen 5
    FAIL

    Re: RTFA

    I did RTFA.

    Didn't see anything concrete except for "Let's give hashing as a check box option".

    End users are naturally lazy giving them an extra click option will NOT help them, they will just be more open to being attacked.

    Epic fail.

  26. Will 28

    Ummm... Security Cameras?

    While people looking over your shoulder to get a password may be a phantom thing. There are probably security cameras looking at a lot of screens 24/7. While admittedly they can possibly see what you're typing, that is harder as your key presses are usually obscured at least in part by the movement of your hands to press the other keys, or by low framerate of cameras. I don't like the idea of someone being able to just track back through security tapes to acquire my password.

    Then again I admit I don't know how clearly a camera recording of a monitor can actually be read. Really it's just a quick comment for people to flame.

  27. Jon McAtominey
    Paris Hilton

    Lack of masking perhaps?

    There ought to be more sensitive details masked, especially on ecommerce websites where it should mask the card number as well as the CSC.

    In all it's the smallest of inconvenience for those truly lazy!

    Paris, because even she knows which 'bits' need masking.

  28. Winkypop Silver badge
    Thumb Up

    Agree 100%

    ********** (password)

  29. GloomyTrousers
    Big Brother

    Stop watching my fingers!

    The asterisks stop shoulder-surfing from people reading your screen... but not watching your fingers on your keyboard. If passwords were displayed as typed, it wouldn't take long before people started looking around a little more carefully at who's watching before typing their password, instead of being lulled into a false sense of security by the fact that their password can't be seen on screen, and ignoring the fact that watching fingers is pretty easy (see AC's 70WPM comment).

    However, as in many things, there is no 'one size fits all' answer. In some cases, I can see this improving security (and, as seems to have been somewhat forgotten as one of the original points of the article, usability), although in many cases it will of course not do so.

  30. Anonymous Coward
    Grenade

    WRONG!

    WRONG! WRONG! WRONG!

    "The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security,"

    NO!

    The uncertainty comes from the complexity of the password and the users ability to memorise it, not whether they can see the characters as they type them.

    Removal of the obscuring mechanism will simply tell your average web punter that actually passwords aren't that sensitive after all. BAD.

  31. Anonymous Coward
    FAIL

    Eh?

    "Shoulder surfing is largely a phantom problem..."

    Largely because of password masking.

  32. lahla
    WTF?

    What about the security concept defense in depth?

    I can't believe what I'm reading, especially coming from Bruce S. I can somewhat see their point, but what about defense in depth? They need to go work in a cube environment for a few days then rethink the idea of not masking passwords.

  33. lahla
    Unhappy

    Whoa!

    Perhaps shoulder surfing isn't as prevalent as it once was because of password masking.

  34. James Micallef Silver badge

    Fail!

    Yes, sometimes I mistype my password. So what? I retype it more carefully.

    Yes, sometimes I'm not sure if a key got pressed properly. So What? I delete all and start over, or count the characters and see how far it registered.

    Users need better understanding of security and best practice. They certainly don't need to be looking over their shoulders every time they're typing in a password. If you really want to be a usability freak, at most have a button that can toggle the visibility, but leave the default as bullets / stars.

    Mind you, most of the users who would use this will have the password post-it-ed to their monitors anyway

    Pint, because I feel like

  35. Anonymous Coward
    WTF?

    complete nonsense

    These guys must live in another world.

    How about defining a default password for everyone, so no one would ever again forget his password, because there is only one?

    Or even better: drop the password altogether. Users would just have to enter their username. Well, security would go down the drain, but usability would be TOP.

    <\sarcasm>

  36. dasdfdd

    lolwut

    Wow, for experts, these guys sure don't seem to know anything about computers.

    First, websites don't mask the passwords, BROWSERS do. Yeah the web developer chooses the 'password' type of input, but hey, that's what the HTML spec says you should use for passwords. Any other way of developing it would arguably be a hack.

    Second, there have been so many cases where I haven't been sure if I was typing a password correctly, so I typed the password in a DIFFERENT place, read it, and then copy/pasted it to the actual password location. In other words, masked passwords "must" do nothing. They might be annoying when you need to see what you've typed, but there are VERY easy ways around their pitfalls. And, as has already been mentioned, mobile devices handle masking differently BECAUSE you can't copy/paste cleartext passwords into the masked input fields.

    This is hardly a problem at all.

  37. gjduk
    WTF?

    clear text passwords?

    I think having a clear text field would cause additional problems, as setting the password type field for both desktop apps and websites has additional things going on behind the scenes so the password can not be read in memory by snooping programs running on the local machine and browser cross site scripting attacks etc, so this would not only need a system change but also browser software updates etc so you could have a clear text password field, but I think this would allow a lot of old style site attacks to become active again. That is before you get into the realms of what would happen with saved passwords and cookies; this is all a very bad idea. I do not think they have thought this one through very clearly, would it not be better to promote maybe using other forms of authentication to help his problem of remembering passwords, maybe single sign on such as openid and liveid

  38. Mike 61
    Pint

    HIPAA

    Sorry guys, but the security pros have it right. To be compliant with HIPAA monitors can not be placed in a position that will allow unauthorized 3rd parties to view your screen. In that case password blanking is not necessary. And in the case of the moron above who "can't tell who is looking at their screen"....well, let's just say you would never be able to work in my department with that level of ignorance.

    Passwords themselves should be retired as a means of authentication. I have a hardware token for TFA & OTP, go ahead and shoulder surf for all the good it will do. That's where we all should be headed, not whining about passwords.

  39. Anonymous Coward
    Black Helicopters

    Jeez there's some clueless individuals

    I'm happy to keep my obscured passwords, but only because I can actually type the buggers in the 1st place

    It sounds like there are too many Visual programmers, web developers, DBAs, solution architects and windows support people around here (should cause a fight in itself)

    To make it obvious, they are making a point that obscured passwords cause problems and are a bit shit and is used as a security blanket (pardon the pun) because the majority of people cannot be trusted to take proper care of their passwords in the 1st place.

    Question : You would really use a public terminal or internet cafe machine for internet banking (or any other important system) !

    If so then You deserve to be robbed, you are stupid and should have no involvement in the IT industry. If you are not in control of a machine you do not use it for anything that involves the concept of privacy.

    Question: What is this install a trojan and capture the screen?

    CRAP ! Why would you do that? If you have written a trojan, that you can trigger remotely (at the right time), then you can log the fucking key presses too, rendering the screen capture pretty pointless.

    Why obscure the screen output when you can watch them type on the keyboard (as several more sensible commenters have said)? Blanking the password only stops the most inept shoulder surfer.

    TEMPEST screen reading, where shall I start ?

    I attended a demo by some spooks (real ones) who specced all the equipment to make it work, it was pretty shit (unless you were reading a 40 column display).

    If a working TEMPEST has been rolled out against you by the big boys then it's already too late for obscured passwords

    Anyway similar techniques can be used for reading keyboards remotely so obscuring the field is once again pointless.

    But then it was on Numb3rs so it must be true (the Scott brothers renowned science fact documentary makers)

    Somebody standing too close while you are typing, tell them to Fuck Off !

    As was said the passwords are all too often carried in plaintext, (BTW you do realise that clustered firewalls often end up with user entered data echoing around switched networks) looking for the virtual MAC.

    To Adam Williamson, you can read password text fields from across the room this leads me to the following thoughts:

    1: Tiny room

    2: Giant fonts

    3: New eyes (donated by a bird of prey?)

    4: 52 inch display

    5: You can't really but thought you would say you could

    Hmmm which would I choose

    Think of us poor unix & cisco people who don't use web front ends and don't even get those nice bullet points on screen.

  40. mmiied

    @mike 61

    hardware tokens can be lost or stolen

    passwords can not be dropped; if you have remembered it you can not lose it, and it is just as easy to steal a hardware token as screen spy a password

  41. Tom 13

    The obvious solution

    is to make this user configurable. Most of the time when I'm at work, there is no way for someone to shoulder surf my screen, so I could use non-obfuscated passwords. I'd probably stick with obfuscated ones because it is what I am accustomed to. When using a laptop in a public space or a kiosk I obviously prefer the password be obscured. On the other hand, on my last phone I couldn't set the password because the *&^%*#!@!@!!! touchpad kept putting in the wrong character or too many characters or something. And I couldn't tell because I couldn't see the password to confirm what I thought I put in was what the computer thought I put in. I might find the I-phone solution acceptable. But on phones obfuscation should ALWAYS be optional.

    And personally, I still worry more about those thrice damned sticky notes with passwords. Doesn't even have the short duration of entering a clear text password.

  42. Anonymous Coward
    Thumb Up

    Not sure I agree

    "And in the case of the moron above who "can't tell who is looking at their screen"....well, lets just say you would never be able to work in my department with that level of ignorance."

    In an ideal world that may be true.

    However, in the real world, which is where most of us live, with our monitors easily visible by others and cameras (think "leaving" a mobile phone on the desk, recording video), if you are concentrating on what you are doing, you may not notice a person having sidled up behind you.

    Masking passwords is not of itself the be all and end all, however, it does cover off a casual unnoticed observer, which does happen (except in Mike's office clearly!) :-)

  43. Roger Heathcote 1
    FAIL

    Stupid idea.

    I shiver every time I have to use an unmasked password entry field. Maybe users feel less competent because they ARE ACTUALLY not very competent - the solution should be to MAKE THEM more competent not REDUCE SECURITY to make them 'feel' better.

    Shoulder snooping isn't the problem anyway, the problem is when I have to enter my root password at a users terminal at their desk while they are sat there: firstly that's not safe and secondly, many of my passwords contain unutterable obscenity or phrases that I might also use in other, personal, passwords.

    Bruce is very often right about security, this however is one of the times where he's dead wrong.

  44. musoben
    WTF?

    i want to add..

    how effing crazy that is.

    crazy crazy

    crazy

  45. Andrew Bell
    Stop

    Urgh

    What a load of utter drivel! There is absolutely no situation where it is acceptable to display a password on-screen. Passwords should be masked, transmitted encrypted and stored as a hash. Plaintext passwords should never be shown or stored.

  46. Mike 61
    Pint

    @mmiied

    yes, hardware tokens can be lost or stolen, but they are useless to anyone but me, that's where the T in TFA comes from. Something you have, the token, and something you know, my personal pin code. Each of these things alone are useless, only together do they function. Geez, why am I explaining this, isn't this supposed to be a group of IT people.

    Also, if you have my token, you also have my car keys, I think I may notice that. First I call the police to report the stolen vehicle, then I call the access guys to have them burn me a new token to pick up. Old token dies as soon as I make the call.

    Granted it is a PITA to login every time with a 32 digit numeric string, 16 from the token and 16 from my mind, but I no longer worry about passwords.

  47. Anonymous Coward
    Troll

    @ooFie

    "How long it takes the Spelling and Grammar Nazi's to spew!"

    you mean "...Spelling and Grammar Nazis". The term "Nazi's" would apply to a singular Nazi owning something. "Nazis" on the other hand is the plural of the word "Nazi".

    Or was that a double in-joke referencing Godwin's Law (by planting both the grammatical error and a Nazi reference)?

  48. Owen Williams
    WTF?

    I think we could go further

    Have the server accept badly spelt passwords. If they're close enough let the user log in.

    That'll save loads of money. Might even generate some :)

  49. Anonymous Coward
    Stop

    Umm no

    Sorry Bruce, I respect you and most of the time agree, but you're off the mark on this one. Shoulder surfing today is largely a non issue due to the fact that most passwords are masked by default and have been for a long time and it should stay this way. This assumption that users will somehow know to protect their passwords in certain environments is complete B.S. and shows how little either of these researchers are dealing with the general computing populace on a daily basis. People won't know to protect their passwords and the slight inconvenience that comes with masked passwords is a fair trade off to give that user more security. Masked passwords plus minimum password standards are and will continue to be a fair usability/security trade off.

    The mobile phone argument I can buy as I've had phones which either display the individual characters in a password and mask that character when the next one is typed or totally mask the password. I have to admit in that circumstance a masked password is a pain since typing the password on a phone is considerably different operation than it is on my normal keyboard. I will also agree to making it optional to users to have their passwords masked or not. Making sure they are informed of the potential risks by not having the password masked. My view is that so long as the users are informed of what might happen if they choose a less secure option, then if something happens they are SOL as they knew the risks and chose to accept them.

  50. Richard Hodgson
    WTF?

    Wait, what?

    Usability expert, maybe, but certainly no security expert. Shoulder surfing is absolutely a problem, but is far less common than it would be if say, passwords were left unmasked and easily readable.

    Security is always a compromise between usability and effectiveness, regardless of its application. You could keep your door wide open, making the accessibility to your home far better, but killing a layer of security in the process. By adding security, a lack of accessibility is inevitable, but the entire system is wide open for exploitation without it.

    What's needed is a new compromise, or an alternative, more accessible security solution, but making passwords viewable to casual viewers is not it.
