Password Masking – a Necessary Evil

I was reading an article on The Register this morning which presented the views of usability expert Jakob Nielsen and security expert Bruce Schneier on the routine masking of passwords when logging in to services. They both call for an end to this practice.
Both Jakob and Bruce agreed that there was a net lowering of security caused by masking passwords. Jakob argues that masking passwords runs counter to basic usability principles on the one hand, and on the other:

“Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”
On his blog, Bruce Schneier added a short post to say that he agreed with Nielsen’s point of view, adding

“Shoulder surfing isn’t very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.”
I have a couple of issues with this. Firstly, “Shoulder surfing isn’t very common”? I really want to know what empirical evidence Bruce is basing that sweeping statement on. Nielsen added “More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office”.
The vast majority of the global office population are definitely not fortunate enough to be sitting secure in their own private office. If I think back through the many office environments I have worked in, and how many screens were directly in my line of sight and readable without even moving from my seat, the opportunities for (even accidentally) reading unmasked passwords seem clear. Even if it were true that shoulder-surfing is not common, isn’t that partly because it serves little purpose when passwords are masked? Chicken or egg, Mr Schneier, Mr Nielsen?
Password masking has always been the default because, given the choice between masked and unmasked, it is the more secure option, and “secure by default” is a long established goal of system and infrastructure design. In fact, in a blog post earlier this year Schneier himself said

“The solution is to better design security systems that assume uneducated users: to prevent them from changing security settings that would leave them exposed to undue risk, or—even better—to take security out of their hands entirely.”

It’s difficult to reconcile that point of view with allowing users to disable password masking…
Secondly, password masking is also an effective method of defeating malware designed to take snapshots of the user’s screen, which has long been a way that banking Trojans have overcome virtual or on-screen keyboards. Should we make it even easier by just letting the password sit there in plain text?
If it is simply because masking passwords makes a system less “usable”, then maybe I should remove the lock from the front door of my house? After all, it is awfully inconvenient to have to fish my door key out of my pocket when I have my hands full of shopping.
Maybe I could replace it with a PIN entry system that reads the numbers back to me as I punch them in, because “Providing feedback and visualizing the system’s status have always been among the most basic usability principles”, according to Nielsen.
After all, no-one’s listening, right?
UPDATE:

Bruce Schneier has posted a second blog entry on this topic in response to the large amount of feedback he received. He has reconsidered his initial “snap reaction” and written a much lengthier and more considered view on the subject, here: http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

9 thoughts on “Password Masking – a Necessary Evil”

  1. unbound

    Not surprised at the claims made by security resources. At this point, it is far more art than science, so most security resources make up claims based on their own experiences…not a lot of research into real world context.
  2. Jon

    The number of times I’ve seen a text box fill up with asterix’s (asterii, asterix?) when someone else was filling in a password proves to me that it’s necessary.

    If all of those passwords were plaintext, then even assuming that it would become the norm to look away entirely (a’la PIN numbers) it wouldn’t be hard to find passwords.

    When it’s my bank PIN I actually feel better knowing that they’d have to physically mug me for my card – a step I’d say few would take – rather than the “safer” stealing of a password to, for example, my bank.

    Sorry Nielsen, you’ve got it wrong this time – a little too long spent in a posh office, I suspect.
  3. Jeff Jncula

    I hate it most when I forget my password. So, why not also add a “Show me my password” check box. That way I can still type it in when I’ve forgotten it.

    This actually improves security because I’d NEVER have to write my password on a sticky-note!

    Now, THAT would be really user-friendly.

    On a more serious note, are the masses (users) clamoring for an end to password masking? I think it’s something we’ve all learned to live with, and usually don’t give a second thought.
  4. Steve Parker

    I have been following this discussion with interest.

    I would prefer a compromise where I can select, via a checkbox, whether the password I am about to type, should be visible or obfuscated.

    If on trivial sites I choose a password of “becauseisayso” or “justdoit” and I want to be sure that I’ve not mistyped it (as opposed to mis-remembering which common password I provided to this site) then seeing what I type could be useful. Similarly, when I am in a secure environment, when I log onto a “serious” site/application/etc, I may prefer to visually confirm that I actually *did* type my password (‘f*^30-{]p”1d9pe’, since you ask) correctly before I press “submit”, especially if (this being an ultra-secure site) I would be locked out completely if I get it wrong.

    So there are pros and cons to both approaches.

    Somewhere, someone mentioned the Lotus Notes approach of obfuscation: the first character is “*”, the 2nd is “**”, the third is “***” etc. That really does not help anybody!
  5. Pingback: Password Masking - a Necessary Evil » Counter Measures « Jared Rimer’s Technology blog and podcast

  6. Pingback: “Wachtwoord sterretjes noodzakelijk kwaad” | Lost in the Noise