
Stop password masking (******) in website and software log-ins

  • 24-06-2009 6:41pm
    #1
    Closed Accounts Posts: 2,055 ✭✭✭


    Masking passwords with ***** is dumb, reduces security (puts people off using longer more complex passwords, because they can't see what they have entered), and makes websites and software applications less user-friendly. Stupid. Dumb. Brain dead. Dysfunctional.

    More: http://www.useit.com/alertbox/passwords.html


Comments

  • Registered Users, Registered Users 2 Posts: 5,967 ✭✭✭JDxtra


    Well, I like it. I don't want somebody looking over my shoulder and seeing my password.


  • Registered Users, Registered Users 2 Posts: 3,568 ✭✭✭ethernet


    Can't say this bothers me. Also would prefer its basic security if someone were to shoulder snoop.

    I think the iPhone shows the character for a second or less before you enter the next character and it's then converted to *.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    JDxtra wrote: »
    Well, I like it. I don't want somebody looking over my shoulder and seeing my password.

    Who looks over your shoulder? Can they not see your keystrokes anyway watching your hand? You can always look around when logging in to see if someone is watching. Did you read the article?


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    Having the choice is useful, with a default of it masked. It takes a degree of skill to see a password as it's typed on a keyboard, not so much to just see it on a screen.

    Logging on where another can see the screen is relatively common, particularly in terms of computer support people.


  • Registered Users, Registered Users 2 Posts: 1,306 ✭✭✭carveone


    Interesting that you bring this up at this point in time. Jakob Nielsen and Bruce Schneier both seem to agree. See The Register today.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    Meanwhile, people can look over your shoulder at what you are typing.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    IMHO, it should be optional for the user, not removed completely.
    Having it as an option might help certain people recall / memorise it.

    People choose poor passwords because they're easier to remember; there's really no other reason.
    I don't think removal of masking or password reminders would change that.


  • Registered Users, Registered Users 2 Posts: 81,220 ✭✭✭✭biko


    The checkbox is definitely a good idea, I've seen it on the web but very rarely.


  • Banned (with Prison Access) Posts: 3,073 ✭✭✭mickoneill30


    Meanwhile, people can look over your shoulder at what you are typing.

    So they can grab the password of somebody who's typing in hello with one finger. If they're a touch typist and have a proper password (with caps and the odd punctuation mark) somebody looking at your keyboard won't get it.

    The checkbox is a good idea though. It'd be handy for web sites. I'd say put a disclaimer under it saying

    "Press this to have your password displayed, this absolves this website from any account compromises because of somebody using your password"


  • Closed Accounts Posts: 2,055 ✭✭✭probe



    "Press this to have your password displayed, this absolves this website from any account compromises because of somebody using your password"
    Keep it simple. Don't discourage people with needless disclaimers. One of the few areas in life where complexity is good is passwords. Complex passwords are hard to enter if one is "blindfolded" with ********* crap. If someone wants to steal your password, they will use a keystroke logger (software or hardware). The only way to defeat that is to add multi-factor authentication (MFA) to the login.

    With most MFA logins, you enter an additional password code that changes every 30 or 60 seconds. You can see the code both on the token and when you enter it into the web form without ***** stuff.

    With the YubiKey (www.yubico.com) MFA solution, you insert a USB key into the PC and press a button on the key and it squirts a long password into the form field. This code changes on each login attempt - so it doesn't matter if someone sees it. You can also set the YubiKey to squirt a fixed long password for websites that don't support MFA. (This is not as bulletproof as the constantly changing default system because a keystroke logger might be able to capture the password squirted into the system by the YubiKey.)

    If you want real security you go for multi-factor authentication. Using ***** is a step backwards, because it induces people to use dumb passwords that are soft targets for a dictionary or brute force attack.


  • Registered Users, Registered Users 2 Posts: 4,676 ✭✭✭Gavin


    probe wrote: »
    Keep it simple. Don't discourage people with needless disclaimers. One of the few areas in life where complexity is good is passwords. Complex passwords are hard to enter if one is "blindfolded" with ********* crap. If someone wants to steal your password, they will use a keystroke logger (software or hardware). The only way to defeat that is to add multi-factor authentication (MFA) to the login.

    With most MFA logins, you enter an additional password code that changes every 30 or 60 seconds. You can see the code both on the token and when you enter it into the web form without ***** stuff.

    With the YubiKey (www.yubico.com) MFA solution, you insert a USB key into the PC and press a button on the key and it squirts a long password into the form field. This code changes on each login attempt - so it doesn't matter if someone sees it. You can also set the YubiKey to squirt a fixed long password for websites that don't support MFA. (This is not as bulletproof as the constantly changing default system because a keystroke logger might be able to capture the password squirted into the system by the YubiKey.)

    If you want real security you go for multi-factor authentication. Using ***** is a step backwards, because it induces people to use dumb passwords that are soft targets for a dictionary or brute force attack.


    Multi factor authentication or one time passwords are better solutions, no doubt. But to remove the password masking on current systems is not a good idea for the reason I mention above, people looking over your shoulder. Which is quite common when doing any sort of on site work.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Gavin wrote: »
    But to remove the password masking on current systems is not a good idea for the reason I mention above, people looking over your shoulder. Which is quite common when doing any sort of on site work.

    Consider this password: mYdg$s%m%g%n%f%c%n%t - easy to enter if you can see what you are entering. Easy to remember too - it is basically my dog is magnificent with the Y change of case and the addition of the $ and % signs and removal of the vowels.

    I doubt if someone with a photographic memory could retain this shoulder surfing. And one can make it a lot more complicated if one is paranoid.

    By all means put a checkbox allowing people to switch on ***** crap, even make ***** the default for dumbo set-ups.

    But enforcing ***** is totally dumb, software-writing sheep following other sheep, typically Anglo-Saxon based where little thought goes into the design of anything, e.g. American cars, public transport in Britain, signposting in Ireland..... a "culture" with a mental block when it comes to intelligent design of virtually anything!


  • Closed Accounts Posts: 48 Ronan_


    probe wrote: »
    Consider this password: mYdg$s%m%g%n%f%c%n%t - easy to enter if you can see what you are entering. Easy to remember too - it is basically my dog is magnificent with the Y change of case and the addition of the $ and % signs and removal of the vowels.

    I doubt if someone with a photographic memory could retain this shoulder surfing. And one can make it a lot more complicated if one is paranoid.

    By all means put a checkbox allowing people to switch on ***** crap, even make ***** the default for dumbo set-ups.

    But enforcing ***** is totally dumb, software-writing sheep following other sheep, typically Anglo-Saxon based where little thought goes into the design of anything, e.g. American cars, public transport in Britain, signposting in Ireland..... a "culture" with a mental block when it comes to intelligent design of virtually anything!

    Logs onto boards as probe ;)

    If the password box displayed the characters of a password, people would think there is something wrong with the website but if the website displays ***'s, people will just think it is unnecessary.

    I don't think that seeing *'s has much of an effect on the length or complexity of the password I choose - that being said, the choice of hiding or showing the characters in the box would be ideal.

    However, some sites out there display the character when you key it and then change it to '*' a second later, or on entry of the next character. This just confuses me.
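Several posters above ask for a masked-by-default field with a user-controlled "show password" checkbox, and ethernet and Ronan_ describe the phone behaviour where only the last typed character is briefly readable. The following is an added example, not code from the thread: plain JavaScript for both, written as functions that can be unit-tested outside a browser. The form markup, field IDs and the 1000 ms reveal time are assumptions for illustration.

```javascript
// Added example, not from the thread: a login form that is masked by default, a checkbox that
// lets the user unmask it, and the phone-style "reveal the last character briefly" rendering.
// Markup, IDs and the reveal time are illustrative choices, not taken from any site.

const MASK_CHAR = '\u2022'; // the bullet browsers render for type="password"

// Markup for the form. Masked is the default; the checkbox is opt-in and unchecked on load.
// autocomplete hints let a password manager fill the field, which sidesteps the typing problem.
function loginFormHtml(action = '/login') {
  return [
    `<form method="post" action="${action}">`,
    '  <label>User <input name="user" autocomplete="username"></label>',
    '  <label>Password <input id="pw" name="password" type="password" autocomplete="current-password"></label>',
    '  <label><input id="show" type="checkbox"> Show password</label>',
    '  <button type="submit">Log in</button>',
    '</form>',
  ].join('\n');
}

// Flip the field between masked and visible. Works on a real <input> or on any object with a
// `type` property. Only the rendering changes: the submitted value is untouched, and the
// visibility state is never stored or sent anywhere.
function setPasswordVisibility(field, show) {
  field.type = show ? 'text' : 'password';
  return field.type;
}

// Wire the checkbox to the field with a listener rather than an inline onchange attribute,
// so the page can ship a Content-Security-Policy without 'unsafe-inline'.
function attachToggle(checkbox, field) {
  checkbox.addEventListener('change', () => setPasswordVisibility(field, checkbox.checked));
}

// Phone-style masking: every character is a bullet except the most recently typed one, which
// stays readable for revealMs after the keystroke. `lastKeyAt` and `now` are millisecond
// timestamps; the caller re-renders once the window expires.
function maskedPreview(typed, lastKeyAt, now, revealMs = 1000) {
  const chars = Array.from(typed); // code points, so a non-BMP character is one cell
  if (chars.length === 0) return '';
  const elapsed = now - lastKeyAt;
  const revealLast = elapsed >= 0 && elapsed < revealMs;
  return MASK_CHAR.repeat(chars.length - 1) + (revealLast ? chars[chars.length - 1] : MASK_CHAR);
}
```

In a page, call `attachToggle(document.getElementById('show'), document.getElementById('pw'))` after the form is in the DOM. `maskedPreview` is only needed where you draw the field yourself (a native app or a custom widget); a browser `<input type="password">` does its own masking and should be left to do it.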


  • Closed Accounts Posts: 2,917 ✭✭✭towel401


    ethernet wrote: »
    Can't say this bothers me. Also would prefer its basic security if someone were to shoulder snoop.

    I think the iPhone shows the character for a second or less before you enter the next character and it's then converted to *.

    I think every phone I have used for the past 10 years did that

    ... fecking iPhone


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Ronan_ wrote: »
    Logs onto boards as probe ;)

    If the password box displayed the characters of a password, people would think there is something wrong with the website but if the website displays ***'s, people will just think it is unnecessary.

    I don't think that seeing *'s has much of an effect on the length or complexity of the password I choose - that being said, the choice of hiding or showing the characters in the box would be ideal.

    However, some sites out there display the character when you key it and then change it to '*' a second later, or on entry of the next character. This just confuses me.

    I use really strong passphrases for some applications at work (as in 50-odd characters long) and I need to be able to see them because the chances of entering 50 characters in the blind without a mistake are much smaller than for a password like dog123. Fortunately the software I use is intelligently designed to give me the option of setting a default to display the password rather than ******* stuff.

    Security / encryption systems are only as strong as your password. In the same way as if you had a combination lock on your front door where the combination was "123" - I don't think it would be very secure!


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    Interesting read on The Register today ... "Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use"

    Register link here

    Original Out-Law.com article here


  • Closed Accounts Posts: 2,917 ✭✭✭towel401


    How about, for every character you type, a letter from another word completely unrelated to your password but of the same length shows up? If you get a letter in your password wrong the word appears wrong also, or maybe it throws in a random letter instead.

    It would be kind of hard to implement on a website, but web applications are ****e anyway.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    The thing is ... static passwords aren't ever really secure, no matter what tricks you play with uppercase / lowercase and l33t symbols ... if the password is short enough to remember and type in, it's in a rainbow table somewhere. Even a 50 character password can be sniffed or keylogged.

    Anyone with enough patience and processing power can brute force through your static password, and if that same static password is part of a single sign-on system then all of your directory enabled applications can be exposed at once.

    The **** password masking doesn't bother me as much as the Lotus Notes login sequence, with multiple XX's appearing for each keystroke, and those awful hieroglyphics appearing in the dialog box. I've had Notes evangelists explain the thinking behind the multiple XX's and the glyphs ... and on the face of it, I can see how it claims to improve security ... but really it's security theatre.

    For any sensitive applications, static passwords alone are insecure - use MFA.

    If the system you are protecting is sensitive enough, MFA can be cost-justified.
    People who play World of Warcraft, and are security conscious, can elect to use dual-factor authentication, namely user id & password AND a 6 digit one time code from the Blizzard Authenticator ... and that's to play an online video game.

