The Curse Of The Masked Password

Saturday, July 4, 2009 7:20 | Filed in Standards, Technology

Password masking. You all know what it is, right?

It’s when you type in your password, and instead of “shearer9″ or, if you’re feeling particularly security conscious “p@55w0rd”, but all you see is either •••••••• or ******** depending on what you’re using.

This of course prevents The Hooded Claw from being able to read your password over your shoulder and type it in. Now, I don’t know about you, but I tend not to let people I don’t know come into my house and sit behind me when I’m connecting to online security services. Also, I bet if you compare the number of passwords stolen by machines infected with keyloggers as compared to Sylvester Sneekly looking over your shoulder, I’d suspect keyloggers would win hands down. Besides which, if Sylvester Sneekly is looking over your shoulder, he could always watch the keyboard to see what you press, as opposed to the screen.

That’s not to say that there’s not a place for password masking in some circumstances. In an internet cafe, or a library, or some other form of shared computer. Some computer where you don’t know who is around. Having said that, I’d not trust my online banking to computer which could have anything installed on it, but that’s because I’m security paranoid.

The Grand Usability Guru Jakob Nielsen pointed out the problem with password masking in a recent Alertbox: that because it decreases confidence (you can’t always be 100% sure of what you’ve typed), it actually leads to reduced security:

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.Jakob Nielsen’s Alertbox: Stop Password Masking

Unfortunately, Jakob has misunderstood what causes password masking, and is blaming it all on the poor web developer again.

Most websites (and many other applications) mask passwords as users type them…Jakob Nielsen’s Alertbox: Stop Password Masking [2]

It’s not the websites. It’s your browser.

What your browser does whenever it encounters something in HTML like this <input type="password" name="password"> — an input box with a type of password, is it decides to mask it. Now if you want the website to choose whether or not to mask it, you’d need to set, or unset the input type according to user preferences. You’d need to reload the page (or use javascript to alter it). Whereas if it was a browser preference, the browser could simply change the way it displays it as according to your personal preference.

It’s therefore a thing where the browser manufacturers possibly need to consider whether password masking should be mandatory or optional. Quite a few people have chipped in with their own opinions. Rather than simply offer another voice saying much the same thing, I instead thought it might be useful to draw together some of the opinions on this.

Bruce Schneier agrees with Jakob:

Shoulder surfing isn’t very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.Schneier on Security: The Problem with Password Masking

Graham Cluley from Sophos thinks that password masking should remain, for security reasons, at least in a business environment:

When an IT guy comes to visit my desk, and he needs to log in to fix whatever I’ve broken on my PC – should the system password be visible for the whole world to see? I bet I’m not the only one to be sitting in a completely open plan building – anyone could be passing by and looking over my shoulder.Graham Cluley: Why it’s a **** idea not to mask passwords

Out-law produce quotes from Schneier and Nielsen without adding any new opinions of their own.

So what are the problems?

  • Masked text increases errors and reduces confidence
  • …which leads to simpler, more hackable passwords (or the same password used in multiple places)
  • Password masking might lead people to believe their passwords are safe, whereas masking is no guarantee that they are being sent securely, or that they aren’t being picked up by keyloggers
  • …but on the other hand, if you don’t have masked passwords for secure logins, someone could see what you’ve typed and reveal the admin password

Um… well I’m afraid I’ve got to go with Nielsen and Schneier on this one (sorry Graham!). Of course, the best idea as regards Windows masking of login passwords would be for this to be a policy issue. Then companies where certain people have access to an admin password can choose to mask passwords: the rest of us don’t have to worry about it.

As Graham says, in an open plan office you can’t be sure there’s no-one behind you. Unfortunately his thinking would seem to suggest that the organisation can’t trust its own employees. Now in terms of security, this is something that organisations do need to think about. However, if you can’t trust the employees in a given office, then you really need them out of the office when you’re typing in the password, because otherwise they could always just watch to see what keys you press… and if you are going to send them out of the office, then it hardly matters whether or not the password is visible on screen or not.

Graham’s other argument doesn’t really hold water with me either.

Or what happens when I am at a friend’s house and I want to quickly log in to my web email account to forward him something I have been discussing with him? Sure, he’s my friend and I trust that he’s not going to misbehave – but I really don’t think I should be sharing my password with him. Equally I don’t want to be put in the awkward social position of going to the extra effort of ticking a box to obscure my password from him.Graham Cluley: Why it’s a **** idea not to mask passwords [2]

I suspect most people under the circumstance would be happy to very flamboyantly look in a different direction. I don’t see why it should be seen as embarrassing to ask a friend to look away while you type in a password. I mean, I don’t see how it can possibly be seen as a social faux pas not to want to give away your passwords. Unless it’s just maybe that if you work in IT security, you and your friends spend half your time stealing each other’s passwords…

So, despite Nielsen getting the source of the password masking incorrect, I’d be quite happy to see his ticky-box option to hide or not hide passwords introduced by the browser manufacturers…

You can leave a response, or trackback from your own site.

8 Comments to The Curse Of The Masked Password

  1. Gary Miller says:

    July 4th, 2009 at 8:16 am

    Sometimes annoys me too. I agree it should be a user choice.

    Err…by the way, has your banner had a facelift since yesterday. Or, as usual, am I not remembering things properly?

  2. JackP says:

    July 4th, 2009 at 3:11 pm

    No, indeed it has: the web home page has changed since yesterday afternoon; there’s now two banners – the Blog and TPis versions – and I wouldn’t rule out further changes in the future!

  3. Mike says:

    July 4th, 2009 at 6:26 pm

    ok, first up, I’ll admit I kind of stopped reading at “it’s not the website’s it the browser”, and it’s 3.15am, so I might not be making much sense.
    But it seems to me it IS the websites. I mean the dev chooses what input type is displayed. S/he could just as easily programme an input type of text – couldn’t they?
    Likewise, I could also just as easily implement a checkbox on the page that determines what type of input box is displayed (via Javascript/Ajax or whatever) to the user. So the DEV decides whether the masking is optional or mandatory.
    Personally though until my users start asking to be able to see their passwords (something I don’t envisage anytime soon)I’m unlikely to start implementing the feature on any of my sites; there’s always a whole list of must-haves come before would-likes like that…

  4. JackP says:

    July 4th, 2009 at 9:19 pm

    I know what you’re saying there, but the dev doesn’t say to the browser ‘mask this’. There could well be a situation where you might want the server to handle different types of input fields differently – and if it’s a browser preference, the user needs to set it once, as opposed to on every site they visit… so from a usability POV it ought to be done in the browser anyway!

  5. Gary Miller says:

    July 5th, 2009 at 9:50 am

    I like it – the banner really stands out well, it sort of jumps out and hits you in the face when you first land on the page.

    Look forward to other changes…

  6. Graham Cluley, Sophos says:

    July 6th, 2009 at 12:03 am

    Bruce Schneier has blogged about this issue again, and I reckon he’s leaning back towards password masking… :)

    Check out his thoughts here:

  7. Seb Crump says:

    July 6th, 2009 at 7:52 am

    The iPhone has a interesting partial solution to this (mainly because of the number of mistypes on its virtual keyboard probably though) – each character you type in displays normally for a couple of seconds and then turns to the bullet.

  8. garment business daily says:

    July 28th, 2011 at 5:33 pm

    Websites worth visiting…

    [...]here are some links to sites that we link to because we think they are worth visiting[...]……

Leave a comment