Comments on: Password Masking – a Necessary Evil

By: unbound

unbound — Sat, 15 Aug 2009 06:48:20 +0000

Not surprised at the claims made by security resources. At this point, it is far more art than science, so most security resources make up claims based on their own experiences…not a lot of research into real world context.

By: Jon

Jon — Wed, 05 Aug 2009 02:10:05 +0000

The number of times I’ve seen a text box fill up with asterix’s (asterii, asterix?) when someone else was filling in a password proves to me that it’s necessary.

If all of those passwords were plaintext, then even assuming that it would become the norm to look away entirely (a’la PIN numbers) it wouldn’t be hard to find passwords.

When it’s my bank PIN I actually feel better knowing that they’d have to physically mug me for my card – a step I’d say few would take – rather than the “safer” stealing of a password to, for example, my bank.

Sorry Nielsen, you’ve got it wrong this time – a little too long spent in a posh office, I suspect.

By: Jeremy Bergsman

Jeremy Bergsman — Thu, 16 Jul 2009 05:56:30 +0000

Nice post on the subject–you beat Schneier to it. Just want to point out that masking is only one five password usability issues that must be considered to minimize the risk that users do insecure things like write down their passwords. Here’s a discussion of those five issues:

http://irec.wordpress.com/2009/07/08/5-properties-of-passwords-that-must-be-managed-to-reduce-risk/

By: Andrew

Andrew — Sat, 04 Jul 2009 15:05:52 +0000

Personally I have no problem with masked passwords. In fact, I get alarmed when I type in a password and it’s not masked.

By: Jeff Jncula

Jeff Jncula — Thu, 02 Jul 2009 16:34:10 +0000

I hate it most when I forget my password. So, why not also add a “Show me my password” check box. That way I can still type it in when I’ve forgotten it.

This actually improves security because I’d NEVER have to write my password on a sticky-note!

Now, THAT would be really user-friendly.

On a more serious note, are the masses (users) clamoring for an end to password masking? I think its something we’ve all learned to live with, and usually don’t give a second thought.

By: Steve Parker

Steve Parker — Wed, 01 Jul 2009 16:54:51 +0000

I have been following this discussion with interest.

I would prefer a compromise where I can select, via a checkbox, whether the password I am about to type, should be visible or obfuscated.

If on trivial sites I choose a password of “becauseisayso” or “justdoit” and I want to be sure that I’ve not mistyped it (as opposed to mis-remembering which common password I provided to this site) then seeing what I type could be useful. Similarly, when I am in a secure environment, when I log onto a “serious” site/application/etc, I may prefer to visually confirm that I actually *did* type my password (‘f*^30-{]p”1d9pe’, since you ask) correctly before I press “submit”, especially if (this being an ultra-secure site) I would be locked out completely if I get it wrong.

So there are pros and cons to both approaches.

Somewhere, someone mentioned the Lotus Notes approach of obfuscaion: The first character is “*”, the 2nd is “**”, the third is “***” etc. That really does not help anybody!

By: Ricky Staniforth

Ricky Staniforth — Wed, 01 Jul 2009 15:02:23 +0000

Shoulder surfing isn’t very common? Aww come on. Shoulder surfing can get you into the Pentagon. http://video.google.com/videoplay?docid=-2160824376898701015

By: Password Masking - a Necessary Evil » Counter Measures « Jared Rimer’s Technology blog and podcast

Wed, 01 Jul 2009 08:07:26 +0000

[...] Password Masking – a Necessary Evil » Counter Measures. [...]

By: “Wachtwoord sterretjes noodzakelijk kwaad” | Lost in the Noise

“Wachtwoord sterretjes noodzakelijk kwaad” | Lost in the Noise — Wed, 01 Jul 2009 02:12:55 +0000

[...] Micro’s Rik Ferguson vraagt zich af of schoudersurfen werkelijk geen probleem is en ziet graag bewijs voor de uitspraak van [...]