I was reading an article on The Register this morning which presented the views of usability expert Jakob Nielsen and security expert Bruce Schneier on the routine masking of passwords when logging in to services. They both call for an end to this practice.
Both Jakob and Bruce agreed that masking passwords causes a net lowering of security. Jakob argues that masking passwords runs counter to basic usability principles on the one hand, and on the other:
“Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”
On his blog, Bruce Schneier posted a short note saying that he agreed with Nielsen’s point of view, adding:
“Shoulder surfing isn’t very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.”
I have a couple of issues with this. Firstly, “Shoulder surfing isn’t very common”? I really want to know what empirical evidence Bruce is basing that sweeping statement on. Nielsen adds: “More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office”.
The vast majority of the global office population are definitely not fortunate enough to be sitting secure in their own private office. If I think back through the many office environments I have worked in, and how many screens were directly in my line of sight and readable without my even moving from my seat, the opportunities for (even accidentally) reading unmasked passwords seem clear. And even if it were true that shoulder-surfing is not common, isn’t that partly because it serves little purpose when passwords are masked? Chicken or egg, Mr Schneier, Mr Nielsen?

Password masking has always been the default because, given the choice between masked and unmasked, it is the more secure of the two, and “secure by default” is a long-established goal of system and infrastructure design. In fact, in a blog post earlier this year Schneier himself said:
“The solution is to better design security systems that assume uneducated users: to prevent them from changing security settings that would leave them exposed to undue risk, or—even better—to take security out of their hands entirely.”
It’s difficult to reconcile that point of view with allowing users to disable password masking…
Secondly, password masking also defeats malware designed to take snapshots of the user’s screen; screen capture has long been a way that banking Trojans overcome virtual or on-screen keyboards. Should we make it even easier by just letting the password sit there in plain text?
If the only objection is that masking passwords makes a system less “usable”, then maybe I should remove the lock from the front door of my house? After all, it is awfully inconvenient to have to fish my door key out of my pocket when my hands are full of shopping.
Maybe I could replace it with a PIN entry system that reads the numbers back to me as I punch them in, because “Providing feedback and visualizing the system’s status have always been among the most basic usability principles”, according to Nielsen.
After all, no one’s listening, right?
UPDATE:
Bruce Schneier has posted a second blog entry on this topic in response to the large amount of feedback he received; he has reconsidered his initial “snap reaction” and written a much lengthier and more considered view on the subject, here: http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
