The Curse Of The Masked Password

Saturday, July 4, 2009 7:20 | Filed in Standards, Technology

Password masking. You all know what it is, right?

It’s when you type in your password, and instead of “shearer9” or, if you’re feeling particularly security conscious, “p@55w0rd”, all you see is either •••••••• or ******** depending on what you’re using.

This of course prevents The Hooded Claw from being able to read your password over your shoulder and type it in. Now, I don’t know about you, but I tend not to let people I don’t know come into my house and sit behind me when I’m connecting to online security services. Also, I bet if you compare the number of passwords stolen by machines infected with keyloggers as compared to Sylvester Sneekly looking over your shoulder, I’d suspect keyloggers would win hands down. Besides which, if Sylvester Sneekly is looking over your shoulder, he could always watch the keyboard to see what you press, as opposed to the screen.

That’s not to say that there’s not a place for password masking in some circumstances: in an internet cafe, or a library, or some other form of shared computer, where you don’t know who is around. Having said that, I’d not trust my online banking to a computer which could have anything installed on it, but that’s because I’m security paranoid.

The Grand Usability Guru Jakob Nielsen pointed out the problem with password masking in a recent Alertbox: that because it decreases confidence (you can’t always be 100% sure of what you’ve typed), it actually leads to reduced security:

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Jakob Nielsen’s Alertbox: Stop Password Masking

Unfortunately, Jakob has misunderstood what causes password masking, and is blaming it all on the poor web developer again.

Most websites (and many other applications) mask passwords as users type them…

Jakob Nielsen’s Alertbox: Stop Password Masking [2]

It’s not the websites. It’s your browser.

Whenever your browser encounters something in HTML like this: <input type="password" name="password"> (an input box with a type of password), it is the browser that decides to mask it. If you wanted the website to choose whether or not to mask it, you’d need to set or unset the input type according to user preferences, and you’d need to reload the page (or use JavaScript to alter it) on every site. Whereas if it was a browser preference, the browser could simply change the way it displays the field according to your personal preference.
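To show what the per-site workaround looks like in practice, here is an added example (not code from the original post): a page-side “show password” checkbox that switches the field’s type between password and text, which is the only lever a site has because the browser masks every <input type="password"> on its own. The element ids password and show-password are assumptions for this example. Note that the change is purely visual; the submitted value is identical either way, so it does nothing about keyloggers or unencrypted transport.

```javascript
// Added example, not code from the original post: a page-side "show password"
// checkbox. The browser masks any <input type="password">, so the only thing
// a site can do is switch the field's type between "password" and "text".
// The element ids used at the bottom are assumptions for this example.

// Pure decision: which input type matches the user's choice.
function inputTypeFor(showPassword) {
  return showPassword ? 'text' : 'password';
}

// Apply the choice to a field object. Works with a real DOM input or, for
// testing, any object with a writable `type` property. Returns the new type.
function applyMaskPreference(field, showPassword) {
  field.type = inputTypeFor(showPassword);
  return field.type;
}

// Wire a checkbox to a password field. The page always starts masked
// (checkbox unchecked) so an over-the-shoulder viewer sees nothing until
// the user explicitly opts in; the choice is purely visual and the value
// submitted with the form is identical either way.
function wireShowPasswordToggle(checkbox, field) {
  checkbox.checked = false;
  applyMaskPreference(field, false);
  checkbox.addEventListener('change', function () {
    applyMaskPreference(field, checkbox.checked);
  });
}

// Only runs in a browser; under Node there is no document, so nothing happens.
if (typeof document !== 'undefined') {
  var field = document.getElementById('password');      // assumed id
  var box = document.getElementById('show-password');   // assumed id
  if (field && box) {
    wireShowPasswordToggle(box, field);
  }
}
```

The preference lives only in the page, so as the post says it has to be set again on every site; the browser-level option discussed above would remember it once for all of them.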

It’s therefore something the browser manufacturers need to consider: whether password masking should be mandatory or optional. Quite a few people have chipped in with their own opinions. Rather than simply offer another voice saying much the same thing, I instead thought it might be useful to draw together some of the opinions on this.

Bruce Schneier agrees with Jakob:

Shoulder surfing isn’t very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.

Schneier on Security: The Problem with Password Masking

Graham Cluley from Sophos thinks that password masking should remain, for security reasons, at least in a business environment:

When an IT guy comes to visit my desk, and he needs to log in to fix whatever I’ve broken on my PC – should the system password be visible for the whole world to see? I bet I’m not the only one to be sitting in a completely open plan building – anyone could be passing by and looking over my shoulder.

Graham Cluley: Why it’s a **** idea not to mask passwords

Out-law produce quotes from Schneier and Nielsen without adding any new opinions of their own.

So what are the problems?

  • Masked text increases errors and reduces confidence
  • …which leads to simpler, more hackable passwords (or the same password used in multiple places)
  • Password masking might lead people to believe their passwords are safe, whereas masking is no guarantee that they are being sent securely, or that they aren’t being picked up by keyloggers
  • …but on the other hand, if you don’t have masked passwords for secure logins, someone could see what you’ve typed and reveal the admin password

Um… well I’m afraid I’ve got to go with Nielsen and Schneier on this one (sorry Graham!). Of course, the best idea as regards Windows masking of login passwords would be for this to be a policy issue. Then companies where certain people have access to an admin password can choose to mask passwords: the rest of us don’t have to worry about it.

As Graham says, in an open plan office you can’t be sure there’s no-one behind you. Unfortunately his thinking would seem to suggest that the organisation can’t trust its own employees. Now in terms of security, this is something that organisations do need to think about. However, if you can’t trust the employees in a given office, then you really need them out of the office when you’re typing in the password, because otherwise they could always just watch to see what keys you press… and if you are going to send them out of the office, then it hardly matters whether or not the password is visible on screen.

Graham’s other argument doesn’t really hold water with me either.

Or what happens when I am at a friend’s house and I want to quickly log in to my web email account to forward him something I have been discussing with him? Sure, he’s my friend and I trust that he’s not going to misbehave – but I really don’t think I should be sharing my password with him. Equally I don’t want to be put in the awkward social position of going to the extra effort of ticking a box to obscure my password from him.

Graham Cluley: Why it’s a **** idea not to mask passwords [2]

I suspect most people under the circumstance would be happy to very flamboyantly look in a different direction. I don’t see why it should be seen as embarrassing to ask a friend to look away while you type in a password. I mean, I don’t see how it can possibly be seen as a social faux pas not to want to give away your passwords. Unless it’s just maybe that if you work in IT security, you and your friends spend half your time stealing each other’s passwords…

So, despite Nielsen getting the source of the password masking incorrect, I’d be quite happy to see his ticky-box option to hide or not hide passwords introduced by the browser manufacturers…


8 Comments to The Curse Of The Masked Password

  1. Gary Miller says:

    July 4th, 2009 at 8:16 am

    Sometimes annoys me too. I agree it should be a user choice.

    Err…by the way, has your banner had a facelift since yesterday. Or, as usual, am I not remembering things properly?

  2. JackP says:

    July 4th, 2009 at 3:11 pm

    No, indeed it has: the web home page has changed since yesterday afternoon; there’s now two banners – the Blog and TPis versions – and I wouldn’t rule out further changes in the future!

  3. Mike says:

    July 4th, 2009 at 6:26 pm

    OK, first up, I’ll admit I kind of stopped reading at “it’s not the websites, it’s the browser”, and it’s 3.15am, so I might not be making much sense.
    But it seems to me it IS the websites. I mean the dev chooses what input type is displayed. S/he could just as easily programme an input type of text – couldn’t they?
    Likewise, I could also just as easily implement a checkbox on the page that determines what type of input box is displayed (via Javascript/Ajax or whatever) to the user. So the DEV decides whether the masking is optional or mandatory.
    Personally though, until my users start asking to be able to see their passwords (something I don’t envisage anytime soon) I’m unlikely to start implementing the feature on any of my sites; there’s always a whole list of must-haves that come before would-likes like that…

  4. JackP says:

    July 4th, 2009 at 9:19 pm

    Mike,
    I know what you’re saying there, but the dev doesn’t say to the browser ‘mask this’. There could well be a situation where you might want the server to handle different types of input fields differently – and if it’s a browser preference, the user needs to set it once, as opposed to on every site they visit… so from a usability POV it ought to be done in the browser anyway!

  5. Gary Miller says:

    July 5th, 2009 at 9:50 am

    I like it – the banner really stands out well, it sort of jumps out and hits you in the face when you first land on the page.

    Look forward to other changes…

  6. Graham Cluley, Sophos says:

    July 6th, 2009 at 12:03 am

    Bruce Schneier has blogged about this issue again, and I reckon he’s leaning back towards password masking… :)

    Check out his thoughts here:
    http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html

  7. Seb Crump says:

    July 6th, 2009 at 7:52 am

    The iPhone has an interesting partial solution to this (mainly because of the number of mistypes on its virtual keyboard, probably) – each character you type in displays normally for a couple of seconds and then turns to the bullet.

  8. garment business daily says:

    July 28th, 2011 at 5:33 pm

    Websites worth visiting…

    [...] here are some links to sites that we link to because we think they are worth visiting [...]
