Masked passwords must go

Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in …

COMMENTS

This topic is closed for new posts.


FAIL

yes!

unmask passwords! that way when I use the screen tracking software here I can see their logins for the game sites and steal all their game money! This idea has no drawbacks whatsoever!

0
0
Anonymous Coward

Splendid idea

If only all sites would enable "remember my password" as well so as to increase their usability.

0
0

Usability

That shoulder surfing isn't an issue may be true but a big feature of usability is familiarity. I used to read Nielsen's column before he ran out of ideas and started coming out with daftness like this.

There are several usability areas that Nielsen himself would say aren't ideal but are familiar enough to be classed as a standard (e.g. using HTML select boxes for navigation and having a window's scrollbar on the right, away from most websites' main navigation menu).

Even if I believed that plain text was easier, there's no way I'd waste time arguing that my company's websites should use it. Our credibility would take a nosedive and we'd be fielding far too many support calls on it.

It may or may not be a good idea but it'll never float!

0
0

We were talking about this the other day

And came to the conclusion that it's yet more proof that Nielsen is a nonsense-spouting self-gratifying prick.

On the slides we use at work to educate l-users on password security, the example phrase used when mangling is "Jakob Nielsen makes me so angry I could punch a kitten!" Nuff said.

0
0

Utter crap

Shoulder surfing is highly prevalent when doing IT support. I don't want users to see the admin password, and neither do I want to see their passwords.

Additionally, due to the joys of less safety critical passwords and browser password caching they definitely shouldn't be displayed. Of course, there is a difference between what's displayed when initially entered, and when it's recalled.

0
0
Flame

3rd comment, as I'm so enraged by this stupidity

What about people who work in pairs at computers? Pair programming is a very common methodology among software developers. I don't want to have to cover my eyes every time the other guy types his password for source control, SSH, FTP...

0
0
Unhappy

The guy above me beat me to it

It's just an <input type="password"> in the HTML, so any changes to how it looks should really come from the browser end.

My phone does something pretty cool, where it shows you the character as you type it, and it disappears as soon as you move on.

Overall, it is a bad idea. We're in an open plan office, and I'm typing my password in front of people quite a bit.

0
0
Paris Hilton

Gaaaa - He does sound mad.

So he says don't mask it except in certain sensitive cases -

internet cafes - aka any public computer

banking applications

people with children

I'd have thought office environments - salary file anyone?

schools and universities.

So basically if you are at home on your own you might be safe!

Commenters: I quite like the idea of the show one character although that's no defense from someone right behind you - or a cafe ghosting your login screen.

I remember at University in the early 1980s the great Russell Winder used to be able to type the root password while holding the keyboard upside down so students couldn't see it at all. Yeah, echo the password - hacked in microseconds.

Paris - cos even she has learned when to reveal and when to keep things private! Something this guru clearly has not.

0
0
FAIL

Sorry, but

I didn't read the whole article. When I saw the words "Neilson" and "Jacob" in close proximity, I knew it was a waste of my time. The guy has not been relevant since about 2001.

0
0
FAIL

Yeah I know it's an <AOL> but....

ME TOO... what the HELL have these people been smoking and/or drinking to come up with such a pile of excrement?

The prevalence of mobile devices with cameras means that even a couple of seconds of having your password displayed in public areas (think libraries, internet cafés, etc.) could be fatal.

Ditto what Mike Peachey said, administrators with *extremely* sensitive passwords do not need those passwords displayed to the users who are almost guaranteed to be shoulder surfing.

Plus it would ruin all the "I know daddy's password, it's ********* " jokes.

</aol>

0
0
Flame

OMG wow.

Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They say the practice inconveniences users and delivers no security benefits.

Inconveniences users? What happens when the account is compromised?

Also what if you have a strange password like "Ilovehorsesinaweirdsexualway"

You wouldn't want Tom, Dick and Harry who walked past your computer seeing it. For multiple reasons.

What about when you're in the library? The person next to you can glance over and see your password.

The password hiding is by the browser when a type="password" field is written.

Sometimes websites use javascript to do it. But not usually.

Also, like people have said, just show the last character entered for phones. I'm sure the PSP used this.

Why don't we just publish our passwords online?

0
0
Thumb Down

This has to be....

...about the most stupid thing I've heard in ages!

But, while we’re at it, as it can be terribly confusing all those password policies, why not standardize on 4 digit numeric passwords? After all it’s fine for securing our banking transactions!

0
0

Jakob Nielsen is a joke

Among UI designers and usability professionals (at least, the ones I know) Jakob Nielsen is something of a joke. Once a pioneer of much needed usability on the web, he is now long past his sell-by-date. Take a look at his website (useit.com) and you'll see what I mean. Large blocks of hideous, clashing primary colours laid out in a not very readable style, circa 1992. Ughh.

0
0
FAIL

Shoulder surfing not common because of masked passwords

Maybe shoulder surfing has become a 'phantom problem' *because of* masked passwords?

Not a big fan of Mr. Nielsen here.

0
0
FAIL

Common sense

They're missing the obvious. Surely it would make more sense for most websites to simply not use passwords? Exposing passwords for everyone to see completely defeats the point in having them. Unmasking passwords is one of THE most ridiculous ideas I've ever heard. I frequently have to type in passwords when there are other people in the room and find it bad enough that they can overlook my keyboard, let alone if they were able to see my password on screen.

Anyway, if websites supported secure biometrics it would save time, reduce user confusion (you know, the "which password or username did I use?") and improve security. Screw all this typing nonsense. I shouldn't have to remember which username, password or email address I used, which is especially problematic when restrictions are imposed ("username is too long", "password must contain a capital letter and a non-alphanumeric character", etc). I've had to resort to a passworded Excel document to keep track of website details even though I use the same details for most sites.

0
0
Thumb Down

What's the big deal

@Configurable - the iPod Touch does something similar, although I'm pretty sure that it just leaves that character unbulleted for a period of time - certainly long enough to double check that you'd typed it right.

Personally I think these guys are just so wrong - heck even El Reg password blanks! I can't comment on whether blanking makes a site incompatible with screen readers and hence not usable for the partially sighted (but aren't there tactile feedback keyboards).

If they're that worried about it, why not either (a) allow the user to set a preference via the browser to blank or not; or (b) scrap passwords and move to challenge-answer type security.

While I'm bitching about passwords, how about ditching websites and especially apps that _force_ you to type the darned things in. If, as many posting here do, you've got an encrypted password store then it means you can use longer passwords (more secure?) and it's not a total pain in the ass. I dread changing my WPA password on my iPod because I'm using max length phrases (63 characters) and typing those in a character at a time (and I've got numbers, case switches, and special characters - so that's lots of keyboard type switches needed) on the iPods in the house is a major hassle. On the other hand the laptops, and my Nokia N95, I can use a file with the new passphrase and just paste it into the appropriate field - easy (and I think it's masked even then in most cases).

I realise that the last paragraph kinda implies that I'm anti-password - quite the opposite - I'm just against the 'we know better than you do' attitude in some quarters.

0
0
Stop

ATM

So why do banks keep telling us to cover up the keypad when we use ATM machines?

0
0
Happy

On phones no masking please!

The iPhone (and Android also I believe) displays the last character you type before turning it into a bullet but even that isn't very easy to use. Why not display the full password until I submit the form? On my computer keyboard it's much less of an issue because I touch type my password and don't need to see it.

In the same article the authors also make a point about Reset buttons on web forms having no place in a modern web interface. Just because web browsers have a particular feature doesn't mean it's a good idea to use it.

Reminds me of the story about the guy who reported a strange problem to IT support - he could only log on to the system when he was standing up! Sure enough, if he was sitting down the system wouldn't let him on, if he stood up it worked! Much scratching of heads and checking whether there was a cable caught under his chair or something. Turns out they'd recently changed his keyboard for one with a slightly different layout, so if he was sitting he'd touch type his password using the old layout, but when standing up he had to carefully choose each letter and got it right!

0
0
Alert

Is there no humility any more?

Perhaps I'm getting old, but when two seriously top notch experts (and not just talking heads, but people who really make a difference) dare to suggest that the default method for entering passwords is not all it's cracked up to be, I'd have to give the matter considerable thought before calling them "retards".

Most of the comments are unnecessarily abusive - and most of the others appear to be written without having read Nielsen's article.

I'd list what I see as the positive points in the suggestion - but I doubt anyone would read it. After all, we've always masked passwords. So it must be a great idea.

0
0
Boffin

mea contra mundo et canus

To all you ravers saying "no way!" and "what are these guys smoking?" may I ask how often you mask your personal signature?

;-)

0
0
jsp
Go

Security theatre II

What an incredibly sensible suggestion. For a readership that normally likes to challenge the status quo and preconceived opinions, I am amazed by the number of vitriolic, conservative "me too" comments.

I agree that masking passwords (usually) only provides a bogus sense of security. How often is someone looking over your shoulder as you type? How often are they malicious? How easy is it for them to even read the screen at that distance? (OK, maybe I need new glasses) And will they be able to remember the arcane string of symbols that is your securely chosen password? And what is to stop them just watching what you type?

For that last reason, when helping a colleague at work and you get to the bit where you say "and now type your password" it is normally considered polite to turn your head away from the keyboard.

There are far easier ways for bad guys to harvest large numbers of passwords than wandering round offices looking over people's shoulders and taking notes.

And for all those morons who say "Websites do not mask passwords, browsers do". This is about as intelligent as saying "people don't kill people, guns do"[*]. The ONLY reason the website uses the password input type is because it will be masked. It doesn't provide any other functionality beyond a text box.

Yes, it should be optional. And the default should be partly under the control of the application (e.g. for banking) but ultimately decided by the user.

[*] obviously, it is the bullets that are the villains in this scenario but never mind.

0
0
Megaphone

Of course

I fully agree!

And not only on web sites, but also for all these security management applications (typically wi-fi) where it is often the case the user is copying a hard password from a piece of paper! How many of us felt stupid missing it again and again!

Moreover, this may have a secondary benefit as users will interiorize better the fact that passwords are not secret to the computer where they are typing it, and they may pay higher attention to the need to protect themselves from key-loggers et al.

To THE REGISTER: Please start by unmasking the password for posting comments!!!!

0
0

Rubbish

How can they say that password masking does nothing for security, and then in the next breath recommend keeping it on by default for high-risk applications, because "sometimes security should win"?

It either helps or it doesn't, and if it does help then it's a matter of weighing up the advantages against the disadvantages of password masking.

Advantages: if every password box is always masked, it provides consistency for the user. It reminds them that the password is something they should be keeping to themselves. It largely deals with shoulder-surfing which, judging by the comments here, is still regarded as a problem by a lot of people. It's a lot harder to read keypresses on the keyboard than characters on the screen.

Disadvantages: easier to mistype the password.

I don't think unmasking the password makes it any more likely that the user will write it down or store it in a file. The sort of people who do this are the sort who have difficulty in remembering the password anyway. They'll still write it down.

0
0
Alert

WTF

But I don't type in a PIN number if anybody is hovering too close, are you telling me that you depend on the masked characters for your security?

While I accept that masked characters have their place on devices in public view but if you are relying upon it for security

However in an office environment if you are relying on those masked characters then you are paying very little attention to your password security.

I do not have, and have never had, any problems telling people to bugger off when typing in a password (masked or not).

I work in a secure environment and you simply DO NOT look in the direction of the screen or keyboard when somebody is logging in; if you think somebody is watching then you don't type anything and you tell the offender (customer, co-worker, boss or director, it doesn't matter) to look/go away. Funny thing is customers are usually happy as it shows you are paying attention to your security (therefore they believe you are concerned about their security). In the case of users it's just nice to tell them to piss off.

As for the AC who said that he didn't want to see his boss's password, ever heard of looking away? If nothing else it's common politeness. Or are you the person who reads newspapers over other people's shoulders?

The comments here smell of "we have always done it this way and I don't care if it works or not."

Think about your behaviour in the first place before criticizing because it sounds wrong.

0
0
Anonymous Coward

hardware tokens

Give them all hardware tokens that generate nice simple 6 digit codes, integrate them with a smart card that does your access control / windows login too.

The banks can give us all credit cards with OTP generators on them too, so there will be no more online or mail order fraud.

Oh but they cost a few quid don't they - never mind, we'll just un-star the password for you to make life easier.

Security isn't difficult, getting it past the bean counters is.

0
0
FAIL

This still has me laughing.

"And yes, I DO keep all my passwords in a file on the shared fileserver here. But it is encrypted with a piece of self-written encryption software."

0
0
Boffin

Its the browser, stupid!

If you want to not mask your passwords, use Firefox and the "Show Password" extension.

How do idiots like this become consultants?

0
0
FAIL

autocomplete becomes a hacker tool...

Yes! Do it! Then I can go to anyone's computer, put the cursor in the password field (assuming it's been changed to a text input), then starting with 'a' enter every letter of the alphabet until the browser decides to autocomplete! Yay, all your base are belong etc...

On a more sensible note, I have had the misfortune of not having the tab key register and to my horror revealed a password to someone as my hands speedily ran through a habitual keystroke combo. I then immediately went and changed the password - not because I don't trust the person, but because the responsibility lies with me, and therefore I must be the only person who knows it. However I was so glad to find that the T9 input on my phone had a cleartext option, else that would have been very annoying!

0
0
FAIL

@Tim O'Tay

"Type your comment here — plain text only, no HTML"

Surely that should read..."Type your password here - plain text only" ?

0
0
Paris Hilton

Shoulder surfing?

Why bother? Lift keyboard, read password from Post-It note. Job jobbed.

Paris, as she displays the same level of concern about security as most of my user population.

0
0

And another thing...

There are websites where you have to type in your email address *twice*, and it complains if they're not identical, just like the standard way of changing passwords. For obscured passwords, it makes perfect sense, because you can't see what you're typing. By typing it in twice, you have some degree of certainty that the password you just put in is the one you think you typed. But for *email addresses*?

0
0
FAIL

Title-Here

The real world called. That is all.

0
0

@ AC 08:23

"bearing in mind, most people reuse the same password for pretty much everything"

Are people really that dumb?

At least choose different log in details for different groups of sites (e.g. financial, social networking, forums etc) jeez

0
0
FAIL

I was going to say

what a completely stupid idea this was, but everyone else has got there first.

0
0

lal

Fools.

That is all.

0
0
FAIL

All aboard the failboat!

This is a remarkably stupid idea. But everyone is acting like the idiots in question want it to apply to all password inputs everywhere, not just websites. Either that or they use the same password as their admin password, online banking password and at the Russian donkey pron website.

0
0
WTF?

The other reason for input type=password...

If a form field is set as type=password, the web browser won't remember the contents of that field if you navigate back to the page via the browser history/back button. You also can't copy text out of these fields (you get a string of **** characters).

If websites started using input type=text in place of password then it'd introduce more issues than shoulder-surfing...

0
0
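The two comments above (the autocomplete-as-enumeration-tool one, and the one listing what else type="password" buys you) between them describe what a site actually gives up when it swaps a password field for a text field. The block below is an added example, not code from the article or from any commenter, showing how a site that wants an optional "show password" control can flip the field's type on explicit request while putting the masked type back before the value can be restored from history, copied, or autofilled. The element selectors `input[type=password]` and `#show-password`, and the `makeFakeField` stand-in for a DOM `<input>` (so the logic runs outside a browser), are assumptions of this example.

```javascript
// Added example: a show/hide toggle that only unmasks a password field on
// request and re-masks it as soon as focus leaves or the form is submitted.
// Browsers tie several behaviours to type="password" beyond the bullets:
// the value is not restored from history on Back, copying it out is blocked
// in most browsers, and it is handled by the credential autofill path rather
// than ordinary text autocomplete. All of that is lost while type="text".

const MASKED = 'password';
const REVEALED = 'text';

// Switch the field to plain text. Records the original autocomplete hint so
// mask() can restore it.
function reveal(field) {
  if (field.dataset.origAutocomplete === undefined) {
    field.dataset.origAutocomplete = field.getAttribute('autocomplete') || '';
  }
  field.type = REVEALED;
  // Caveat: browsers do not honour autocomplete="off" reliably on login
  // fields, so this is a hint, not a guarantee. The dependable protection
  // is re-masking promptly, which attach() wires up below.
  field.setAttribute('autocomplete', 'off');
  return field;
}

// Restore the masked type and whatever autocomplete hint the page set.
function mask(field) {
  field.type = MASKED;
  const orig = field.dataset.origAutocomplete;
  if (orig === undefined || orig === '') {
    field.removeAttribute('autocomplete');
  } else {
    field.setAttribute('autocomplete', orig);
  }
  return field;
}

function toggle(field) {
  return field.type === MASKED ? reveal(field) : mask(field);
}

// Phone-style rendering for a custom display layer: every character except
// the most recent one is a bullet. The real <input> stays type="password";
// only this derived string is shown, so history/clipboard behaviour is kept.
function maskAllButLast(value, showLast = true) {
  if (value.length === 0) return '';
  const head = '\u2022'.repeat(value.length - 1);
  return head + (showLast ? value[value.length - 1] : '\u2022');
}

// Wire the toggle to a real form when running in a browser.
function attach(field, button, form) {
  button.addEventListener('click', () => toggle(field));
  field.addEventListener('blur', () => mask(field));   // re-mask when focus leaves
  form.addEventListener('submit', () => mask(field));  // never post while revealed
}

// Constructed stand-in for an <input> element so the logic can run offline.
function makeFakeField(autocomplete) {
  const attrs = {};
  if (autocomplete !== undefined) attrs.autocomplete = autocomplete;
  return {
    type: MASKED,
    dataset: {},
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
    setAttribute: (k, v) => { attrs[k] = String(v); },
    removeAttribute: (k) => { delete attrs[k]; },
  };
}

// In a browser, hook the first password field and the assumed toggle button.
if (typeof document !== 'undefined') {
  const field = document.querySelector('input[type=password]');
  const button = document.querySelector('#show-password');
  if (field && button && field.form) attach(field, button, field.form);
}

if (typeof module !== 'undefined') {
  module.exports = { MASKED, REVEALED, reveal, mask, toggle, maskAllButLast, attach, makeFakeField };
}
```

The design point is that the toggle is the user's choice, as several commenters ask for, but the default state and every exit path (blur, submit) return to type="password", so the window in which the value sits in an ordinary text box is bounded by the user's own attention to the screen.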
Anonymous Coward

Not mutually exclusive...

For the home user at least, this is a non-issue.

I have several medical problems, including slight aphasia, after a small stroke some years ago. I find the typing of passwords a real problem. In Firefox I run an add-on called Unhide Passwords, which allows me to edit passwords as I go - a real bonus for me. There's no-one to look over my shoulder, so security in that respect isn't an issue. If I was sitting in a crowded office, then it might be another matter.

So - horses for courses.

Though I do take issue with those people who think that anyone who can't type in a password is too stupid to use a computer. Thanks for the sympathy bozos!! I can hardly wait for life to teach you a hard lesson, as it did me!

0
0
Jobs Horns

RTFA

People here should RTFA.

0
0
Troll

Muppets...

Honestly, if they're trying to get a reaction out of a large body of people they should just make a Michael Jackson joke in public. Not pretend to be some kind of techie expert.

Only a couple of months ago a UK MP had to resign when a photographer managed to photograph and read a top secret document he decided to carry under his arm in the open as he walked the 5 paces from his car into #10 Downing street.

Given the quality of photographic equipment available even to amateurs, you just don't know who is looking over your shoulder, they could be doing it from 50 feet away easily.

The reason shoulder surfing is not a problem is precisely *because* passwords are replaced with stars.

0
0
Happy

One Man and His Blog

Before you can say "publicity" two experts are making the same suggestion. Now that's magic. Do they share the same agent?

I've got the blog. I've got the media contacts. Now all I need is a job title. Expert, yes. But what? x86 assembler. hmm...too specific and I'd have to know details. Got it! World Expert. The World's Greatest World Expert. Catchy. And I need know bugger all; just spout a few platitudes now and then. Sorted. Hello Gravy Train.

Rather than argue for fewer asterisks I'd argue for more. By replacing every blog writer's postings with asterisks the user's experience will be improved immeasurably. A more lenient me would suggest a checkbox to allow the user to mask the blogger's tedious warblings. hmm...I feel a Firefox add-on in the making.

Personally I don't type my passwords visually. I just let my fingers do the work. We're not on speaking terms so I'm not even sure what my passwords are. As such there's no advantage in being able to see the characters. I hardly think I'm unique.

0
0
Happy

hmm

Can't say I agree with the password masking; what I disagree with is the undue complexity some site owners go to restrict access

username, johnsmith nice and easy start

password, 10 characters mixture of cases with at least 2 numbers & 2 symbols

kaptcha, refresh, refresh, is that lik kats?

no

username, johnsmith is now taken, johnsmith2

password

kaptcha

wait for email verification

finally i've got in to harry potter fans forums, now i can write the 'meto' post

could understand it for online banking etc but for a trashy web forum, get realistic

0
0
Happy

Kerberos and/or smartcards are better

There is something rather bizarre about having to enter a password for a plethora of sites where the only real benefit is that it remembers your home address.. but will send your password in plain-text to your email account if you can't remember it. The password protection is illusory because the site then goes and "protects" your credit-card number with the password in their database.. the net-risk is higher.

Within an organisation Kerberos can eliminate the need for signon (using IKE & PC signon credentials), but for the wider world we are well overdue for a move to the token (e.g. smartcard) based identity/security that could make SET viable.

0
0
FAIL

Another so called expert

Passwords have to be masked, you never know when someone can see your screen. Would you go to an ATM and speak out your pin number to the machine?

0
0
FAIL

A somewhat less than brilliant idea

OK, so we all know that obscurity is not security but it does at least help a touch. Unmasking passwords would, in general, make my life a hell of a lot harder as it's much easier to unlock an account or reset a password than it is to repair the damage that can be done by unauthorised access.

I think that these alleged experts must be taking something that reduces their IQs to something more in line with their shoe sizes.

0
0
Pie

what stops people looking at the keyboard

having a tick box that allowed the password to be masked or not, or to have as others have suggested just the last letter showing could help usability, and stop people having to write passwords down, or keep them in files to copy and paste...

When I am putting a password in in front of my children I make them turn away as I know their curiosity would enable them to 'work it out' after a while and I cba to keep changing my passwords.

But thinking that having a password masked out is the worlds best security when you are typing the password in front of someone is plainly mistaken.

0
0
Thumb Up

Simple solution

Just change your password to 8 asterisks.

0
0
Thumb Down

Jakob drops another clanger

I hate Jakob Nielsen - all the statements he ever seems to make are either blatantly obvious or just wrong. The annoying thing is that he doesn't seem to have any competition so whenever a news agency needs a usability 'expert' they roll this clown out!

Yes, it's hard to type in passwords on mobile phones but frankly, it's hard to type ANYTHING on mobile phones! Personally I find the iPhone easy to type on (especially compared to a normal handset) and their system of handling masked passwords is very elegant (you can briefly see the last character you entered). I know some people find the iPhone hard to type on however so maybe that's just me. The problem there then is the usability of the phones - not the masked passwords.

Personally I wouldn't want my password on show if I was entering it in a public place. It's true that in our current society it's not entirely necessary because nobody is waiting around to spy on your password; but why is that? Is it possibly because they wouldn't be able to see it anyway? If all passwords were 'unmasked' suddenly it might be worth hanging around internet cafés with a video camera if you were criminally inclined.

0
0
FAIL

Epic Fail

Idiots.

0
0

@'is there no humility'

No, there isn't when people are spouting mostly unhelpful crap.

Yes, they have some good points. Obscured password entry is awkward and will lead to errors or more insecure passwords.

Pointing out the flaws with no readily available solution is pointless posturing, though. It's not even presented in a suitable forum for discussion - instead it's on two different blog posts aka 'look how wonderful I am. I write and you get to comment with no response from me'.

0
0


Biting the hand that feeds IT © 1998–2017