Schneier on Security
A blog covering security and security technology.
« Clear Shuts Down Operation |
| Fake Receipts »
June 26, 2009
The Problem with Password Masking
I agree with this:
It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.
More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
Shoulder surfing isn't very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on.
EDITED TO ADD (6/26): To be clear, I'm not talking about PIN masking on public terminals like ATMs. I'm talking about password masking on personal computers.
EDITED TO ADD (6/30): Two articles on the subject.
Posted on June 26, 2009 at 6:17 AM
• 181 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Lotus notes compounds the issue further by displaying multiple bullets for each keystroke, giving the impression that you have suffered contact bounce or accidentally pressed extra keys.
This reminds me of a similar useless convention - being asked to type your e-mail address in twice when it is displayed in plain text (and you end up cutting and pasting it from the first field anyway). A lot of web design seems to be copying what other do without thinking about what it all means.
Should come as an option. Finally, when I have a colleague around, I would still like to have the masking on..
*IF* you're going to mask, then the Lotus notes approach does kind of make sense (once you realise, as a user, what's going on). The double entry of email addresses is certainly a waste of time.
I disagree. I think most passwords become something that you can blindly type without thinking. You don't need to see what you're typing.
And if you could see what is typed it you be a major hassle to log into email/facebook/whatever when friends are around.
I've just read Jakob Nielsen's article but I can hardly agree with it:
What about homebanking application on the Internet?
What about the Internet cafés where anybody may be looking over your shoulders without you knowing it?
Don't you think that if somebody fails its password three times, he most probably would have failed it although no password masking were on?
What about the use of ATMs to get money from them? People are queuing behind you, while you're typing your password or PIN number.
I think the activation of password masking should depend on some security aspects as for example the datas you're accessing and the environment where you're working.
As a software developer, I completely disagree with this idea of displaying passwords in the clear. I'm constantly giving demos and using applications quickly to large audiences across the internet. They are (supposedly) focused directly on what I'm typing on the screen. I'd be handing out my passwords to my email, calendar and other personal productivity software left and right.
I'd much rather see the username/password convention fade away in favor of some sort of easily managed digital certificate system. When you register for an application, present your cert with some personally identifiable information in it (like an email address). Then I don't even have to bother logging in as long as I have my cert. For some reason, that approach as well as encrypted mail just doesn't seem to take off.
As someone who frequently: (a) gives demos, (b) works in an open-plan office with other colleagues nearby, and (c) sits temporarily behind other people's computers to assist them, I'm not terribly enthusiastic about this.
If the default is always 'masked' and one has to disable the masking on every log-in, then I can go along with it. But sooner or later someone is going to make it possible to have the default as 'unmasked', with the obvious resulting problems.
As far as websites is concerned, it is quite easy to write a bookmarklet that turns every password-type input to an edit-type.
(You could also use a greasemonkey-script, in firefox, if you want it done always)
Browsers have a "remember password" feature that assumes the remembered password is masked, not displayed in the clear. It's one thing if someone who sits down at my desk can log into a website using my remembered password, but it's more serious if they can see the clear password, because then they can use it at their leisure from another computer or use it on other websites if I reuse the password.
I think the comment about shoulder surfing being uncommon is a little removed from the reality of the average worker. All of us are not CTOs that get an office instead of a cubicle, or even to work from home.
Is this correct? Many people use computers in public places. If passwords are shown in the clear, shoulder surfing may become too easy.
It seems better to use e.g. the browser's password management mechanism to deal with usability for low-value passwords.
I don't know if this will post correctly, but if it does here's a bookmarklet that should work:
I suspect the bulleting is more of an issue for "touch-typists" than for hunt-and-peck types who dont look at the screen til they are done anyway; and a relatively "secure" password isnt going to be something where a typo jumps out at you anyway.
Of course people who never had formal typing training are probably becoming a dying breed; do they teach typing in schools now? (I mean for everyone; it was an elective when I was in eighth grade but you had to be female to sign up. just like home economics.)
What bothers me more is our slow computers where there is a 2-60+ second delay between you typing a key and ANYTHING showing up (and then it comes in batches), so if you suspect you made a mistake you have to redo the entire thing because the hysteresis neutralizes any value to the feedback.
"It's one thing if someone who sits down at my desk can log into a website using my remembered password, but it's more serious if they can see the clear password"
Won't help that much. The people who can't type their password without a mistake also frequently mistype their username (which is not masked) and don't notice.
If you take this line of reasoning to its logical conclusion, you don't *have* passwords, and auto-complete the username. There's no security in that, but it sure does improve usability!
We're talking here about 8-12 characters anyhow. People who use *long* passphrases (all seven of us) know how to type them in another entry area and cut and paste. People routinely type more than 8-12 characters while looking away from the screen. No big deal. Total non-issue.
The only exception I can think of is when it gets really humid and the keys start sticking and spitting out 2-3 instances of the character when pressed only once. But that does all KINDS of bad things to usability; passwords are not the only or even the major issue there.
Would you want your ATM password to appear on the kiosk's screen in plaintext?
Or at the grocery store, when you're entering the PIN?
Presentation demos? Showing a neighbor how to do something on your laptop? Doesn't matter what situation you wind up in, you will be bitten the time you forget to click that "mask password" checkbox when you need it the most.
It's a non-issue now because no one has shown password fields in cleartext for decades.
Most security features are an inconvenience to the user on some level.
Masking password fields isn't an unreasonable inconvenience for the user. If you're working on a computer, you should know how to type. Period.
I agree; if I don't want someone seeing the information on the web site -- such as Internet banking or brokerage -- I don't want them seeing the password, either. Therefore, I only enter the web site when they can't shoulder surf. If they can't shoulder surf, the password can be in the clear.
There's one of the papers in Cranor and Garfinkel (don't have my copy handy, so I can't reference it right now. Sorry!) describing research into the trade-off between shoulder-surfing and ease of input. They found that if the password field _progressively_ hides the password, so the last three characters are always visible, login failures are reduced but shoulder-surfing attacks are not more successful.
The iPhone password entry displays the one most recently-entered password character for a short time after entry, I've (personally, no scientific evidence to back it up) found that it doesn't do much to help with failed logins. But then that keyboard is so different from other places where I enter my password, I can't rely on muscle memory to get the input roughly correct.
I'm a sysadmin for a large agency and one of my daily activities is setting and resetting user passwords on laptops. The user is right there waiting for me to hurry up and get it done. Masking is a practical necessity.
I'm a sysadmin for a large agency and one of my daily activities is setting and resetting user passwords on laptops. The user is right there waiting for me to hurry up and get it done. Masking is a practical necessity.
I think the important thing would be to offer a choice as to if you want it displayed or not - and by default I would choose not. However, if for some reason I had mis-typed it - I might click it on to be sure I wasn't having a keyboard problem. Also I too was a Lotus Notes user for a long time and found there masking and hieroglyphics very distracting so I wouldn't advise going down that path.
I agree with >99% of what you write, but not this.
Just for those odd occasions when you're showing a colleague something online you need the password to be obscured by default.
An option to show the text would be nice, as would an option to show each character briefly as you type it. But the default must be to obscure the text.
> Of course people who never had formal typing
> training are probably becoming a dying breed
Actually, I think the reverse is true.
In the eighties and up into the early nineties, nobody much had access to a typewriter (much less a computer) until they got to high school, at which point they took a year or two of formal typewriter training, on the grounds that it was considered necessary in order to succeed in the business world. It was considered important to get up to 60wpm or so, in order to be competitive, because it was assumed that you'd be typing things that were already on paper, either typed or handwritten, and so speed mattered.
Now, more and more people are growing up around computers, learning to use them when they're way to young for formal typing training (hands not large enough to reach across the official hand positions, fingers not long enough to reach all the rows without moving the hands), and so they grow up developing their own typing methodologies. Typically they use 2-4 fingers instead of 9, move their hands more, and, if they use the computer a lot, can do about 25 wpm. That's plenty fast enough these days, because the old usage model assumption (that you mostly type things that are already written) is deader than the rotary telephone.
Typing, even at 25 wpm, is so much faster than writing by hand, everybody just types their stuff into the computer in the first place; retyping is no longer a major activity, and so typing speed only has to be enough to keep up with the rate at which you can compose your thoughts into words -- somewhere around 25wpm. For that level of proficiency, the official typing methodologies and hand positioning and whatnot aren't strictly necessary.
So more and more people grow up typing in a way that's "good enough" and never bother with the formal training.
All of which is neither here nor there as far as masked passwords are concerned. People who have used computers very much can type their password without looking, whether they've ever had formal typing training or not.
The people who can't are people who have never had a computer at home or at work (or who have had one at home because a family member provided it but they've not used it much either because they were uncomfortable with using it or because they didn't have a desire or need to do so). And like I said, they also frequently typo their username and don't notice. Based on my experience helping these kinds of users (I work at a public library, where they come to use the internet when they need to do so), the username and password have typos with about equal frequency, and are forgotten or misremembered with about equal frequency as well. From a usability perspective, the major issue with the masking is that the first time they ever try to type a password in, they get confused about why it's not letting them type anything other than stars or dots or whatever. Someone has to explain this to them *once*, and then they know.
It has a point, the imperative to think; I dislike WLAN password entries where I can't see what I type -- I'm going to type it only once, and normally the password is really complex.
However generally I can't agree. Spying a password by looking at someone's typing on the keyboard requires concentration. However, how long a glance to the screen do you need to read a password? If it's a common word with modification, you don't need many tenths of a second to see it.
I disagree. Most users don't care if they see the password while typing or not either because it is muscule memory and they don't even think in terms of words when typing or they're using some other kind of mnemonics or generated passwords where seeing what you type doesn't help to type them with less errors.
For example my typical password would look like '[e`dfz#ctujlyz*gjujlf". I can remember it because it is actual phrase in russian typed with latin layout. Even if I'd see what I type I wouldn't notice a typo or anything like that
> An option to show the text would be nice
I wouldn't object to a context-menu option for that.
If a password is in the clear, then you will not type it with someone looking over your shoulder. If it is masked, then you will type it and expose the password via the keyboard.
This is a case where an obvious risk can increase security. Another might be the argument that air-bags causes more reckless driving than not having an airbag resulting in more total danger (I am not endorsing/refuting this). Masking does help when you are presenting and the audience cannot see your keyboard, but can see the screen. Masking seems to come from the philosophy that you cannot trust the user to look around before he/she types in a password.
Security trade-offs are an extension of a philosophy about human behavior. My personal take is to keep some element of risk so the user is never too comfortable- that way they may detect something unexpected.
I doubt that the user/password concept will die anytime soon but in the meantime I've found a decent way of bypassing it on Windows when I bought my first Asus notebook. It came with an application called Asus Security Protect Manager that got installed with the fingerprint scanner drivers. It's not perfect by a far stretch of imagination but it does a decent job of safely storing (using proper encryption) and auto-completing information such as user/password pairs for any application and/or webpage that you register with it.
The driver/app package can be grabbed from the Asus driver download site and I've been able to install and use the stand alone app on all my (non-Asus) computers.
I think there is a reason that shoulder-surfing is rare: password masking is a cheap and universal way to make it much harder. So people stopped doing it.
So, by way of analogy, we should get rid of tetanus shots because tetanus is rare now?
My GPG pass phrase is >20 characters, including spaces.
OTOH, I thought that part of the reason for obscuring passwords as you typed them was to protect against TEMPEST?
There is one simple, reliable way to prevent shoulder-surfing. Turn around, stare the guy in the face, and tell him to PISS OFF.
This also has the nice side-effect that they won't watch your fingers when you type your pass.
As Casey says, this is good because it brings your perception of risk right up to the reality. A theme which Bruce has explored before.
If you are in an Internet cafe, or a public place, you also have the false sense of security. Your risk is not being shoulder-surfed, your risk is that someone has a keylogger. (Why the hell are you entering your valuable passwords on an untrusted computer?)
This whole conversation is quite ridiculous if you ask me.
I guess since I know where the keys are on the board, I don't have issues not being able to see the 8-12 characters I have to type once or twice a day.
"It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on."
Hey, hey, hey, now! Let's stop right there, mister!
Dontjaknow only TERRORISTS use PGP!! I'm sure you're violating some federal law by using that...
"OTOH, I thought that part of the reason for obscuring passwords as you typed them was to protect against TEMPEST?"
--Actually the emissions from the keyboard are more likely to be picked up using TEMPEST style monitoring. However that isn't really a common risk.
What is a common risk for most of us though is the casual glance. I'm in an open plan office where I can read the text on 3 or 4 other people's screens, and there are 3 people who can reasonably see my screen from their desk. On top of that there are all the people who come to talk to me at my desk etc.
"Shoulder Surfing" isn't a risk when its reasonably tricky. But if the password is on screen it can be seen practically by accident as a casual glance. It's one thing to notice somebody is looking at buying a hairdryer on Ebay, but another thing to notice that their password is "arsenal1".
Consensus here is right, the objection to masking is wrong, but it is an invitation to rethink the purpose of a password and what measure of security it actually affords a person in exchange for the inconvenience.
It's a pretty small inconvenience, but it's also only single factor authentication.
I see a bunch of mention of ATM banking systems: but least at an ATM an attacker has to take possession of both the card and the pin, and that's usually unlikely. Additionally, there's a third factor in that most ATMs have video surveillance equipment installed or nearby, so that misuse of the card and PIN can be audited visually after the fact. With force of law against theft, that's almost as good as three factors, in fact it's more reliable than automating authentication with biometrics.
You probably could display a pin in cleartext on an ATM terminal without a great deal more loss. Of course it would be boneheaded to design something that tolerates a little more loss for such a small convenience.
Web usernames and passwords really are only keeping honest engineers and shoulder surfers honest. That doesn't mean there'd be no unintended ill effect from defaulting to passwords in cleartext, though it might teach people to be a lot more careful about entering passwords in public or giving people physical access to their machines with the consequences so high. That could possibly be of real benefit in some tiny number of very narrow cases that probably aren't worth speculating about here.
Password masking may not be effective against "truly skilled criminals" but is the reason why shoulder surfing is supposedly not common.
Try using cleartext passwords in an open space and the problem will be raised again.
Let's not forget that the most part of the attacks comes from employees, not 3rd parties.
Password masking may not be effective against "truly skilled criminals" but is the reason why shoulder surfing is supposedly not common.
Try using cleartext passwords in an open space and the problem will be raised again.
Let's not forget that the most part of the attacks comes from employees, not 3rd parties.
 Why do people keep assuming that any attacker is a criminal?
Simply install a keylogger or a tiny camera.. that should get the password :)
With a decent astronomy telescope, you can read a book over someones shoulder 100 feet away.
In the general case, plaintext passwords will come back to bite you.
In certain very specific cases, where you can't tell if you mistyped your (very long) password or if something else went wrong. (Such as trying to get wireless to work on cheap hardware.) Then a plaintext option, even with the risks, would be nice for debugging.
I enjoyed reading the article, if only because it challenges a commonly accepted idea, and therefore forces the reader to think about it.
I'm not sure about the conclusion, though. Password shoulder surfing isn't very common, but maybe that is precisely because the passwords are usually masked on the screen.
Cut... paste... no overlookers...
@ Steven S,
"So, by way of analogy, we should get rid of tetanus shots because tetanus is rare now?"
Ever had a small pox vaccination?
And if so when and why?
Tetanus is actually not rare at all it is still very much alive and kicking in farm stock. The reason we rarely see it in humans these days is the demise of the horse being used for both agriculture and transportation into populated areas.
In some countries where horse flesh is eaten they still see incidences of tetanus at much higher levels than countries where it is not, or have strict food safety standards.
@Jonadab, who said:
"If you take this line of reasoning to its logical conclusion, you don't *have* passwords, and auto-complete the username. There's no security in that, but it sure does improve usability!"
No, that's just taking the reasoning down a slippery slope. What was proposed was no longer masking the password. It was not proposed nor implied that there should be no password nor an auto-complete for user names.
It's okay to argue the point, as many have, and I happen to agree that masking is still probably the right thing to do "for now". But creating a slippery slope and calling that the "logical conclusion" doesn't pay attention to the argument. It shifts it so you have an easier target to hit.
Jakob Nielsen usually makes a lot of sense, but in the article cited by Bruce, he says: "Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days."
What does the Web have to do with it? Mainframe computers were hiding login passwords long before the Web came along.
People read what they expect rather than what they see, which is shy spellcheckers often find errors in documents even after you have proofread them.
That is why websites often ask for e-mail addresses twice. If you were to type it only once and not spot the error you will not receive an e-mail but will incorrectly blame the site for something that was your fault. If you cut and paste the address then you have removed that safeguard.
For the same reason, most password systems require you to type a password twice when you change it. The residual error rate is much lower, even though neither password is displayed.
I have worked as CISO in several banks and can confirm that shoulder surfing does take place. Consequently, I would ban any system that displays passwords in a shared office or in public.
I might be persuaded to permit them in single-occupancy offices or at home, but only for low-risk applications.
"I dislike WLAN password entries where I can't see what I type -- I'm going to type it only once, and normally the password is really complex"
That's the one place I've noticed where Mac OS X has an option to disable masking, although masking is still the default. It's convenient, even though I'm only entering it once.
But on the topic of WLAN, a completely backward choice for usability and (as far as I can tell) meaningless choice for security is that Windows XP asks you for the WLAN password twice when *joining* a network.
This may apply to keys (anything with a high enough entropy to be hard to remember), but certainly not to passwords.
And can you imagine what would happen at a school if every password box could be unmasked?
When logging into a WiFi network, Mac OS X has a checkbox labeled "Show Password". By default, the password is hidden, but you can simply check the box so you can see what you're typing. This is especially helpful for network passwords, like WEP keys which are strings of random numbers/letters.
Unlike Windows, which makes you type in WEP keys TWICE without verification on either of them....
A few things:
1) Remember there is "security" and the "feeling of security." As many seem to be slightly paranoid of someone watching over their shoulder, masking gives the warm-fuzzy that the goober at the cubicle next to them isn't watching over their shoulder.
2) I typically have a problem remembering "which password to use" not "typing the wrong characters." I tend to believe most people experience the same concern.
3) That said, there may be times I do want the password unmasked... perhaps early in the morning when I haven't spun up to full speed before the coffee.
So, the best solution would seem to be (similar to Dr. Nielsen's suggestion but with a little twist):
- Mask password by default
- Provide checkbox to "unmask password"
And, in separate but closely related curiosity... if anyone has seen research regarding the ability of a user to enter complex passwords under extremely stressful conditions (ie combat), I'd be interested in seeing it.
Andrew: this is because some WPA keys are passphrases, which are prone to mistakes but shouldn't be visible.
The answer if you really want to check the key is to type it into Notepad and copy it twice.
With more and more people accessing things from mobile phones and laptops on their commute, shoulder surfing is easier than ever.
All you need to catch in a short timeframe is the password. The username is normally displayed on every logged in page. Memorize one, then casually learn the username. Then your in.
Of course with 2 factor authentication... this wouldn't really matter that much.
"OTOH, I thought that part of the reason for obscuring passwords as you typed them was to protect against TEMPEST?"
The use of masked passwords is considerably older than Unix, in fact it goes back almost before the 1960's. Back then teletypes where still being used with +-90v serial signals that you could pick up well over 100 yards away, so the outbound signal from the teletype would have been no problem to pick up. Even untill well into the late 1980's serial teletypes and terminals using either +-12V (RS232) or +-90v where still comonly in use. And for accounting and other such activities carried out on Xenix (MS Unix) boxes serial terminals where still being used in the mid 1990's
Outside of the military it was not untill the 1970's that Van Eck publicaly demonstrated what we would now call a TEMPEST attack by using a VHF receiver to pick up the gun control signal off of a mono CRT monitor and redisplay it on a remote monitor (all be it hazy and poorly synced).
It was only in the past few years that Optical TEMPEST, and TEMPEST on LCD signals has been demonstrated (google [soft fonts tempest]).
By the way there is quite a bit more to TEMPEST than what we would now call EMC prevention (limit bandwidth and energy). One rule that does not often get a mention is "sychronus IO".
That is you double clock your inputs and outputs to prevent side channel timing attacks.
There are other rules but some have not yet been "publicaly" published but in most respects are not realy relevant to most people.
Well, count me as another vote in favor of password masking. I log into all kinds of things when lots of friends, acquaintances, coworkers, etc. are around me. If the password weren't masked, lots of these people would see my password, even if they weren't trying specifically to watch for it. I don't think it's safe to assume that unmasked passwords would be anywhere near as secure as masked ones - particularly with so many people using easy ones that can be remembered after a single glance.
Sure, it's not security that'll keep major governments from reading your files, but at least it'll keep your kid sister out. I don't think the masking is aimed at anything much higher than that - and it's a common enough problem, and a simple solution.
Before we take on password masking I think we should address two major problems with passwords first:
a) Forcing password changes every 3 months. There is no value in this. At all. Move it to a year. Auto expire accounts not used in a certain period of time.
b) Consistent password policies. Every web site and every company has their own take on password construction meaning that a password that works in one application doesn't work in another.
For some reason, at a very deep and primitive level, it just _feels_ wrong to me when I see my password on screen.
On the other hand, by masking the password, users may have an inflated sense of security. If they could see their poor password (e.g., 'password'), it may coerce their brain into choosing a better one.
Is there any research on this?
Absurd. Usability should always be *balanced* with security. Simple as that. You are putting far too much emphasis on usability.
If passwords were unmasked on websites, there would be issues with autocomplete.
What about malware that takes screenshots?
What about those people who enter their passwords in public locations?
" I can't see what I type: in Windows logins, in PGP, and so on. "
PGP does allow for seeing the passphrase as it is typed in,
(all versions from 2.x on)
the commandline option is
+SHOWPASS = ON
I can almost agree with your first assertion but only relative to the interval. For external-facing web apps with users who visit once or twice a year, expiring the password every 3 months is extreme (and unreasonable).
However, expiring the account is unachievable. First, there are instances where a member must have an account to keep off-line services (ie. insurance). Second, doing so would increase call volume for assistance.
So, if one was to "disable" the account and provide some mechanism to unlock it -perhaps with well-crafted security questions- then perhaps that would be a better solution than "expiring."
I hate password screens where they make you enter the password (obscured) TWICE. What sense does that make?
@rohrschach: "What about malware that takes screenshots?"
If your threat model includes malware on your machine, masking the password is not going to help anything.
I think this is the first time I've found myself disagreeing with Bruce.
"Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed." For me, personally, this is completely false. Without video recording, or pretty high speed, perfect recall, photographic/video memory, there's no way you can see my password by watching my hands. But that's because I can actually type quickly.
I also can't count the times I've been working with someone where they or me had to enter a password. When someone else is at the keyboard, I deliberately look away from the keyboard out of courtesy. If the password were displayed, the equivalent would require me to move out of view of the monitor.
I believe the small inconvenience of masked passwords is greatly outweighed by their practical benefit. The vast majority of the time, masking imposes zero overhead on me.
I gotta side with those that disagree. Shoulder surfing would be much more common if it weren't for masking.
And, frankly, especially with the use of the "shift" key and special characters, and the fact that most computer users know how to type (i.e., you're not looking at kids pressing keys one at a time), it is tougher to tell what someone is typing by watching which keys that hit.
Bruce's position on this surprises me, especially thinking back on his article "Blaming The User Is Easy – But It's Better to Bypass Them Altogether":Why trust users to defend against shoulder surfing when it is easy enough to defend against through masking? Also, when an attacker has a choice between an easy way and a hard way, they'll choose the easy way--why hack or decrypt the password when you can just read it.
Also, too many users use the same password for everything. One password read by a shoulder surfer may very well compromise several systems.
Further, masking also reinforces to users that keeping passwords private is important.
Ha, at least Firefox keeps a long list with visible passwords which it uses for autocomplete, easily accessible via options/security... it never mentions that it would be perhaps be better to use a master password... So Joe Average probably exposes his passwords
I have read the post of Mr. Nielsen and I can relate to the fact that people are less willingly to proceed logging in when it already failed multiple times, for what cause it may be. But I feel he wrote this mainly regarding customers who are accessing a companies website or extranet. In this case I think he has right because you could lose customers. Besides that, it is the responsibility the customer it self to keep his password secret at all time. But I would not recommend disabling password masking for users within the company, there is much more to lose besides productivity
Finally someone else saying this. I've been saying it for years (and designing for it). Because I am a designer with access to users for testing. Don't tell me usability cannot trump security until you have seen every user fail signon, or have the data on the cost of care calls to reset some huge percentage of your user base.
The need to mask is, on desktop, an exception. I like how OSX does it with network passwords, where you can select to mask or not. And of course you can switch halfway through, so don't complain about the default state. Default must be easy for the 99.995% of folks who enter things once, on their own.
Masking on blur is a decent option. Here, for example, is a screen (I designed) where you have to create a password and then type other stuff. So it's entered clear to avoid typos and lame retyping checks (which could just reinforce your bad keystrokes and you get two of the same wrong password so never can get in again) but becomes masked for the rest of the form:
(Note it also checks everything live, via js or ajax, to avoid throwing errors... just as secure and functional without annoying everyone.
Mobile passwords that are masked are even more stupid. This is very much a case of developers just following old practices without thinking. Who can shoulder surf a mobile without the user noticing? Text entry is much more difficult, often had different modes so keypresses may not be what is expected, etc. Entry unmasked for 1 character is not much of a solution. And the masked standard of two entries is a severe burden for difficult-entry devices, and the immediacy that mobile should provide.
Oh, and I have video out on my phone so routinely am demonstrating stuff to others who CAN see my phone. I know how to enter passwords first, or unplug for a moment while I do it, if needed. Special case people can always find an answer, and need to not be the drivers for everyone else.
I wonder to what extent the password masking has been trained into users such that they now use it as a proxy for the security of a site ... "oh, I can't use that website, it must be insecure, they don't even mask the password" ...
I'd like an option to unmask when I am struggling, but I still think masking creates a false sense of security.
I'm completely for masking. An option to unmask by default could be nice, but I won't use it.
email double entry does have some logic.
If you just blindly register on a site, and mistype your email once, you might end up logging a support call to get this problem fixed. It's much simpler to offload some of the effort onto the user.
User has to enter the email twice, so even if he copy+pastes, he has longer to realise that he made a mistake.
Password masking is not a usability issue, unless you are incompetent or in management. This reminds me of a long time ago when we added passwords to our mainframe TSO sessions for engineering. The reason was to protect valuable resources. The password had to be entered on a separate screen from the userid. Two weeks later, they couldn't handle that and needed them on the same screen. Eventually, they had to be entered on the same line (userid/password with one stroke of the enter key). The original reason for passwords was long lost.
Yeah, I am completely for masking too. Unmasking will give me more uncomfortable as I do ATMs etc. I don't think masking password will be that difficult for me though.
I'm also for masking, I often happen to be looked at. Not by fraudulent or evil-minded people, but just curious people that pass buy, stare from another chair. I can cope with the usual "mistake" i can make while typing a 10 letters pass (note that if you fails repeatedly to type 10 chars without mistake, you got a serious problem with your keyboard that won't be solved with cleartext solely...)
I also like the iphone/pod way, that display all chars but the last one as bullets, the last typed one remains a clear char. For all I care, it could also morph into a bullet after a configurable delay.
Would you want your ATM password to appear on the kiosk's screen in plaintext?
Or at the grocery store, when you're entering the PIN?
Uh, at thirty feet while waiting in a bank line I shoulder scanned a woman's PIN when she used her debit card. Didn't have to see the screen at all. ATMs here still use PINs and I make sure that I can't get shoulder scanned by standing close to the machine and using odd fingers to press the buttons (nobody expects you to use your third and pinkie finger to enter numbers).
Perhaps a balance option. If someone mistypes their password N times (say 3), a message that says "You have mistyped your password 3 times. Would you like to view it in clear text?" Ater clicking yes, it could read "When you are sure no one else can see the screen, hit OK."
Perfect? No, but what is? Perhaps this would give some reasonable protect with complex passwords yet provide a usability backup before accounts are locked out. (I can't take too terribly much credit for this, I've seen something similar done on a colleagues blackberry.)
"I can't take too terribly much credit for this, I've seen something similar done on a colleagues blackberry."
You weren't shoulder-surfing were you? Oh, the irony! :)
Every day (it seems like) I'm authorizing the Parental Controls feature of OS X to give my kids another half hour of computer time at their pleading request. Which involves typing my password over the kid's shoulder.
They're good kids, but I still don't trust them with the great & terrible power of my admin password.
I also type passwords while on the bus, at the airport, and so on. I touch-type my keychain password at blinding speed so no one is going to figure anything out from watching the keyboard, but it might be possible to read it onscreen.
You couldn't be any more wrong. The password field is the only field typical masked and is no hardship to type your password in, whether it be touch typing or looking at the keyboard you should know what your typing.
I most definitely would not want people looking at my log in credentials especially for those people who use the same password which most do.
I think your making the wrong trade-off between convenience and privacy.
I can see both sides of this issue, but I wonder how important it really is by now. The major browsers can remember all your web passwords, and even protect them all with a master password if you wish. Isn't that both more secure and more convenient than the most common alternatives, like using the same password everywhere, or writing all your passwords down somewhere?
I hardly ever type web site passwords any more.
I would guess that users who are intimidated into using simple passwords now will also be intimidated by the complexity of an extra check-box for a mask/don't-mask option. Some web sites already a surprising array of "save password" and other log-in options. Consider the login for my web-mail account:
Don't get me wrong, I like this mail service so much that I actually paid real money for it. But it's not for novices; nine controls and three hyperlinks. Just to log in. Would this really be more usable with yet another check-box to specify obscured or not-obscured password entry?
On some mobile phones (where keyboard usage is at best difficult), the last letter typed appears for a short time before to turn into a * or something like it.
This seems like an interesting compromise, just like the option offered by PGP to show you your passphrase. When you are alone, no need to embarrass yourself with unneeded security.
Finally, about public places, and in particular regarding PIN codes at supermarkets, it is so easy to look at the keys that displaying the digits types would not make a great difference. Also, the screen is often visible only from a restricted angle, which makes life more difficult for snoopers.
Overall, I tend to agree that systematic masking actually is a call for poor passwords. A few weeks ago, I traveled to a foreign country, where I have used public computers with a different keyboard layout. Typing some of my passwords became a complete nightmare, just because they are a bit long and use several kinds of characters. I ended up typing very slowly, and I am sure that even a 5-year old would have been able to spy on my keyboard.
@Kevin S: "You weren't shoulder-surfing were you? Oh, the irony! :)"
Ha! Good observation, I should have seen where it would lead to that perception. :)
Seriously, I had said colleague instead of auditee because I didn't want to impress that it was my current employer. I was providing an assessment of the general security of the blackberry server and devices. Since typing on a blackberry is tougher than a keyboard, they were given a clear text option after so many invalid entries
The only difficulty I see is when using PasswordSafe, there are some websites, like American Express, that will not allow paste into the password field.
I like and much prefer a certificate idea, some file on my machine (or USB stick) that has the authentication any program needs.
I have to login on large wall screens in meetings and login for web-based presentations.
Even if there was a checkbox to bulletize my password characters it would not always be remembered. But it's very easy for an audience member who is supposed to be looking at the screen to remember something they read in a split second.
Woohoo, I disagree! Should be masked by default, with a non-sticky checkbox to unmask. Mistakes might be rare, but it only takes one before your password isn't yours anymore.
Maybe things are different for your PGP passphrase -- errors are more likely and you're probably more shoulder-surfer-conscious as you type it.
And someday, browsers should be able to hash what you type with the domain name and send *that* instead of the password. It means you no longer have to trust that none of the sites you visit stores passwords in the clear, since your browser takes care of the hashing. Also, with hashing, if you screw up and send a hash of your secure password to the wrong domain, it's less useful to the badguys.
(Maybe the larger trick is to implement a "secure password field": something out-of-band in the browser UI reminds you what domain you're talking to, and does the hashing trick, *and* has the nifty "show password" checkbox. It's coming in IE 8.5, I'm sure. :) )
The other thing that would be lovely is a trivial way to authenticate yourself with a cert from a USB dongle, but I digress.
What complicates matters even further is that stored passwords that are masked give the user a sense of protection from others being able to figure out the stored password.
When in reality, this is not the case. In fact, it has been a known exploitable issue in Windows systems for years.
Don't believe me? Try it:
Some assorted thoughts on the matter:
* There are definitely situations where masking is useful.
* I'm a bit surprised that Jakob Nielsen, of all people, doesn't advocate the OPTION of clear text password fields.
* Use PasswordSafe and you don't need to worry about mis-keying in passwords.
* If someone wants to type in the clear they can always type the password in another field or in Notepad then copy/paste into the password field.
* There are workarounds for seeing your password in the clear when the field is masked but no way to obscure your password when the field is unmasked.
* If someone is close enough to see your password on screen they are likely close enough to see which keys you are typing on your keyboard.
* To disguise my password length I would rather have the passwords operate *nix style with no feedback on screen than random amounts of bullets.
* It I really want someone's credentials I would use a key logger instead.
So, all you very tech-guys are sure that this is a bad idea. While it may be so for you, I couldn't disagree with all your reasoning for the average user more. Consider:
Most people I know log onto multiple sites every day, but only in the evening when they're at home. They don't touch-type (like 90+% of the population), most of them are in NO way computer-savvy. They use the same passwords they were issued when they signed up for banking, netflix, porn whatever. The passwords are written down and posted on their computer.
It's a giant PITA to not be able to see their passwords and adds nothing to their already low security.
My wife is dyslexic. What she types and what shows up are often different. Except that she can't see what she typed.
The last time I did a large presentation, I used a DIFFERENT login and PW combo. Because I'm not so stupid as to broadcast my normal ones.
Consider that being able to choose to unmask would take care of most of this. I concede the point about the kids.
Folks, think about the fact that most of the population doesn't do/need what you do. Then tell me what makes sense or not. The point of the OA was that for the most part, masking is unnecessary, not that it was NEVER necessary. In many ways, your comments could have been posted by TSA employees on the TSa website, in response to Bruce's discussions of security theatre.
>> It's time to show most passwords in clear text as users type them... Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.
Bzzt. Wrong. This is the "Perfect Solution Fallacy". Saying that a skilled criminal could just look at the keyboard therefore there's no reason to mask the password on the screen is like saying a skilled criminal will just pick a lock therefore we shouldn't have locks.
We have locks not because they will stop all would-be intruders. We have locks because it stops a good percentage of them and reduces the attack vector space. Same thing with masked passwords.
People need to be educated on how to make secure passwords. The first step is to stop calling them passWORDS and start calling them passPHRASES and educating people how to make secure passPHRASES.
Perhaps rather than just a password and confirm password field pair, have a process you guide users through in order for them to create a secure passPHRASE. For example:
1) Type a private/personalized sentence or phrase you can remember
2) Which letter from each word would you like to have your passPHRASE use? (1,2,...n)
3) Choose some character replacements (ie: basic ciphering)
4) Confirm final passPHRASE
Of course still provide the option to go back to the 2-field password option for those who don't need the guidance.
@Tim "I disagree. I think most passwords become something that you can blindly type without thinking. You don't need to see what you're typing."
Try it. I recently reconfigured my workstation and now the keyboard is completely recessed under the desktop. I did this for...I dunno any longer. But it has annoyed me since and increased my keyboard error rate (i'm an 80wpm touch typist) not because I look at my fingers while I'm typing but I do need to orient my hands to the keyboard. Especially for the numeral/special character passwords in the top keyrow. And typing, mouse over, typing tab over changes that orientation over and over again.
What i do do is use password safe's copy and paste utility for passwords into field. I think a keystroke monitor is much more probable than a shoulder surfer.
Problem for the gov't (and it's 2 million employees and hundreds of millions of webservice users) is that password masking is a hardwired requirement from A-130 to 800-53. Leave it off and you've got a non-conforming finding during your audit and st&e. With rules like this it doesn't matter that they make sense to an individual case it's a rule for the class.
Give the user 3 choices:
- Not shown at all (not even ****).
- Show last char for a short period of time.
- Allow the user (ie: CTRL+S shortcut) to show all in cleartext for a short time.
I like how Mac OS X handles WiFi access keys. By default, a masked entry field appears. However, there's a check box next to it that you can use to show the field in plain text.
Then, you get the best of both worlds. If you want to see that you typed the right password, you can do so.
This is much ado about not much.
> I think most passwords become something
> that you can blindly type without thinking.
I think you're vastly overestimating the general computer populace, or re-using a small number of insufficiently complex passwords, or both. I can do this with 20 different complex passwords, 99.999% of moral users don't.
> I'd much rather see the username/password
> convention fade away in favor of some sort
> of easily managed digital certificate system.
I'd like a pet dragon, too. Digital certificate systems are *not* easily managed.
Most of the other commentary on this thread is really cosmetic. People don't type passwords on their laptops during their commute. They don't type passwords on their phone. They click on the "save my password" button the first time they log into the site, and their browser caches their credentials. This by itself is not a bad thing unless the passwords are stored in the clear themselves.
So use a password manager that loads into memory when you boot your machine and unlocks your password file with a master password.
That works great for low security applications; I advise similar schemes to lots of people. It's horrible for high security applications. Most people can't differentiate between the two.
"This reminds me of a similar useless convention - being asked to type your e-mail address in twice when it is displayed in plain text"
donotcall.gov is a particular example. You enter the phone number you want to block once, and your email twice. What's to stop you from mis-typing the phone number and blocking someone else from all those lovely solicitations?
A lot of things we do on the web (and elsewhere) are simply because "it's just the way it's done".
Wife shoulder surfs
Work in open plan office next to the kitchen, I can't write anything without a collegue seeing.
Please keep those passwords hidden
@Rich Wilson: "donotcall.gov is a particular example. You enter the phone number you want to block once, and your email twice. What's to stop you from mis-typing the phone number and blocking someone else from all those lovely solicitations?"
It's based on the consequence to the entity. If someone receives an unsolicited email due to error, they are embarrassed and/or have to deal with undoing the problem.
Consersely, what happens if the wrong number is placed in the do not call registry? Someone else does doesn't get calls from some telemarketers. Whose going to know?
Probably, among the phrases never spoken int he human language, "man, it's too quiet, something is wrong... a telemarketer should be calling me."
Short version: If they send an email to the wrong person, it is there problem. If someone else doesn't get a call from a third party, it isn't.
I think there's another Alertbox column many commenters here need to read. If you read the first couple paragraphs and think it's only telling you the obvious, then you NEED to read at least as far as the part about Google. I promise you it will be very interesting.
That said, I think I'd lean toward masking by default for corporate applications, with a "Show me what I'm typing" option.
I hope you don't really think people are always alone when they enter passwords.
Password masking isn't about stopping "criminals" who might install a keyboard sniffer. That's missing the point of masking entirely. It's to prevent accidental viewing. I don't want to know someone's password unless they want me to; if it's advertised right on screen, it'd be hard not to see them accidentally.
It's the same reason stored passwords are lightly encoded when saved by clients; it's not to prevent access, but to prevent accidental viewing.
I'm curious if Bruce's opinion was made to spark debate. Masking provides protection from only some specific attacks yes, but the cost is more or less free. Shoulder surfing the screen is much easier than shoulder surfing someone's fingers on the keyboard as they type. I would almost venture to say it promotes better security behavior. If you know you entered a password correctly without seeing it, there is probably a better chance you have it memorized versus written down on a post it somewhere.
@Jonadab the Unsightly, 7:32, re: typing
Agreed on much of that. I'm probably from the last age of people who were actually taught touch-typing on a mechanical typewriter with blank keycaps (1980, when I was 12; the school had a couple of Apple ][+s, but no computer labs or anything like that).
My experience with people younger than me is that most of them don't formally touch-type; they're either really good at hunt-and-peck, or they touch-type with hands wandering over the keyboard. Granted, this is partly because the computer keyboard has more keys than the standard typewriter keyboard, requiring a bit more physical hand motion.
I actually like what my cell phone does . . . shows each character as typed, but obscures it when I type the next character
I don't agree. What would be useful though is a small scratchpad beside logins that allows you testing for case-shift, which is the most common problem I've had with logging in, not always does the led on the keyboard turn on.
Kangaroo, this is getting old. I've asked you twice before not to insult other commenters on this blog. If you cannot control your temper, do not comment here.
I was on a conference call yesterday, and we were also sharing desktops. The person driving the desktop had to enter several passwords. In general, I am sure they appreciated the obfuscation.
That probably goes for many support situations, where the person offering support is sharing the screen but is not entitled to the passwords.
There is also the ease with which malware could capture a screen to consider. If passwords were not generally masked, that would be an extremely common attack vector.
If the only concern was shoulder surfing, then there could be an argument against this form of security. But shoulder surfing is the least of it.
In Linux/*NIX you can't even see how many characters you've typed.
Wow, and WOW.
Are you kidding me? Bruce, I respect you and your views so highly it's almost stupid of me to admit, but you really throw me for a loop sometimes.
I think this is an awful idea, simply awful, and it comes as no surprise because, being a web developer for over 10 years now, I've read a lot (too much?) of what Mr. Nielsen has had to say over the years, some of it is great, some of it is borderline retarded.
This one falls under the latter in my opinion, for a myriad of reasons (most of which have already been outlined in the 100+ comments).
I just thought I'd throw my hat in the ring for 'WTF? Awful idea...".
For my part, I would estimate that at least 60% of the time I type in a password, someone is sitting or standing right next to me and looking directly at the screen. Nearly 90% of the time, there are people behind me, around me, or meandering around the room/office.
Granted, it would take an exceptionally brilliant person (or idiot savant) to be able to remember the random garblegasm of mixed case nonsense passwords I use in the time it takes me to type it in and press 'enter', but that's beside the point. A few lucky glances and a pad of paper, and boom! There goes my security. I happen to frequent the same places every day, see the same people, and use the same passwords for more than a week (duh), so it'd only be a matter of time and will before my bank account was wide open.
As for the 'smart attacker looking at the keyboard' issue, I take exception to that. My hands obscure most of the keyboard while I type, my passwords are long strings of mixed-case gobble-de-crap, and I generally type them in excess of 110 WPM simply because I have to type them ALL THE TIME. If you can find me anyone out there who can't tell me what the weather was like outside the pavilion where so and so was shot in 1724 or some crap, but can decipher what I'm typing based on the movement of my hands over the span of 20+ keystrokes (counting shifts) in under 2 seconds, I'll gladly accept defeat. Sure, one, two, even 8 clearly spotted keys, but honestly, it'd be near impossible for most folks even if I gave them three go-get-em attempts at any angle they wanted, pen and paper included.
The double email address issue is generally silly, I'll give you all that, but I will say that it certainly saved my ass at least twice, because I had made typos that were not noticeable at a glance, but would've been disastrous if I had hit 'submit' without knowing it.... and I mean disastrous. Not to mention the fact that my hands/muscle memory generally want to type my main email address for everything, as opposed to the plethora of others I have and use for various things. The double checking is good for making me think, especially when it's something you have to type OVER AND OVER AND OVER.... my brain gets lazy, and sometimes lazy-brains overlook the simplest things. It's annoyance is the trade-off for it saving your ass someday.
I mean, every SSH account I have is limited to three incorrect attempts with a lockout on the fourth, and they don't even MASK the passwords, it's just a blank screen. Suffice to say that I've never been locked out of any of these systems before.
If my passwords were in the clear on any of those systems, you can bet I'd be throwing a blanket over myself and the machine every time I typed them in.
Oh Jakob.... *sigh* In the world of security trade-offs, honestly, just *HOW* inconvenient is it for users... really. This isn't like being stripped search while getting on the Metro, this is *maybe* having to type your password an extra time on every third or fourth log-in. The trade-off here is almost non-existent. Unless you hunt and peck. In which case you're screwed no matter what.
The network manager in Ubuntu Linux allows unmasking of WEP/WPA passwords for wireless access points. It takes longer to hit the checkbox than to just type the password (even if you are incorrect once). On the other extreme, as Phillip mentioned the terminal stuff doesn't even put in the bullets thus obscuring the length of the password.
I think they should kill two birds with one stone. The capslock is totally unnecessary for passwords; every keyboard has a light for it, and many password prompts will even notify the user that they have capslock on anyway. The shift key can be held much more discretely and securely. The capslock key could unmask passwords imo. Of course there could be accidents, but if you don't watch what you are doing at all, you could type your password in an unmasked box anyway.
Of course as a huge geek, I have no problem with typing a long password and getting no visual feedback. Also, you have to consider the threat of simple video cameras (even those in cellphones; hacked firmware can mean no telltale signs such as recording lights) being used to gather passwords. The resolution of such devices keeps improving. So you need not only worry about people standing around, but what cameras could be around and who has access to them. For most people, going on the internet means authenticating for something (like e-mail). There could be no cameras near computers!
For me password masking is situation-dependent. The majority of the time someone's at least potentially looking at my screen (public area, open-plan office, etc.), and in those cases I definitely want the password masked to make shoulder-surfing infeasible. And for the most part even when I'm not in public password masking isn't too much of a pain.
There's only a few times when I'd figure unmasked passwords are worth the risks. Mostly they're all uncommon administrative events, eg. entering a complex hexadecimal WPA password into a router or NIC configuration.
Doesn't matter much to me either way.
My password is 9 asterisks.
Holy oversight Batman!
I have to agree, 64-char hex passwords that I've never had a need to memorize (so I don't) should be unmasked, especially since (generally) you only really enter them once per device.
However, that said, I have yet to find an instance of any wireless router or NIC I've used that doesn't already give you the option to show the password as you type.
Which is not to say that any of the wireless security protocols are even going to garner you all that much protection, password or not.
As both a application developer and security professional, I am consistently faced with the dilemma of usability vs security. I wrote up a whole blog post on this subject that you might be interested in.
Also, as an item of note, shoulder surfing and surveillance is a big part of every site audit that I take part in. It is not as uncommon as people are led to believe.
That's awesome! I always hoped people did that. In my office, I'm probably the only one who isn't shopping online or face-booking for 7 out of 8 hours per work day.
Which reminds me, I should stop reading and commenting on Bruce's blog for the day, hahaha, but at least it's relevant to my job function... mostly ;)
@Chris: "Also, as an item of note, shoulder surfing and surveillance is a big part of every site audit that I take part in. It is not as uncommon as people are led to believe. "
@Shane: "That's awesome! I always hoped people did that. In my office, I'm probably the only one who isn't shopping online or face-booking for 7 out of 8 hours per work day."
When I do an IT audit of any kind, I always include things like shoulder surfing, dumpster diving, evesdropping, snooping, etc. in it.
I've cracked passwords, hacked systems, and pretty much any other ethical penetration within reason, but I do the old school attacks for two reasons:
1. Why put all the effort into breaking authentication and finding holes if I can just read or observe it?
2. What good is state of the art security systems and insanely strong authentication if the users tell you how to get in or you can find everything you want in the dumpster, written down, or on unencrypted mobile devices.
The computer-equivalent of putting locks, cameras, alarms and armed guards at the front door but leaving the back window open and unmonitored.
Which is why I understand Bruce's point in theory but disagree in practice.
Ah, see I was hoping it was more of a 'employee productivity' audit, rather than a security audit.
Just as good though :)
@Shane: "Ah, see I was hoping it was more of a 'employee productivity' audit, rather than a security audit."
I do those too. :)
I'm a rare auditor that has actually, on more than one occassion, has recommended lessening a control(s) to free employee time to produce in other areas. Accuracy is important, but sometimes a couple minor errors are a small price to pay for enhanced production.
Of course, I do check for where employees may be wasting time. (I just conveniently exclude schneier.com from my internet sample, saying it is that i shouldn't audit myself. kidding.) = P
Just a little thought,
Rather than argue about the right and wronk of password masking...
How about proposing systems to replace passwords, or somehow scramble what the has to enter so shoulder surfing is not going to work (think those door keypads that randomly change the position of each digit).
If the sugestions are workable then the argument over masking becomes of little or no interest.
Technically there's a problem: it breaks all automatic password managers.
What about people using computers hooked up to projectors? This is extremely common in schools; the teacher wants to show a powerpoint, and turns on the projector before logging into the system.
However, in certain places I do think it's nice to be able to control it. As someone else noted, in Ubuntu's wireless manager, there's a checkbox to unmask the wireless encryption key, which is very useful when trying to flawlessly enter in a 26 hexadecimal digit code.
That "blindly entering a 26 character hexadecimal code" requirement is in Microsoft's wireless setup dialog. Only you get to enter that password *twice*.
Try entering 52 random hex characters correctly. No peeking.
Just stupid. (I type the damn thing into Notepad and cut/past every time I'm stuck doing that.)
Whoa, I'm late to this party. Back in the day of managing security into web products that were also accessible in a mobile/mini world we used some sweet options like:
1) the option to enable masking or turn it off in a radio option next to the input field
2) a timer set a second or two after each digit was entered to covert to a mask (thus giving visibility for the current digit but masking all prior)
The bottom line was we had data to help inform the security designs. Changing options on tens of millions of devices always showed up as real $$$ to the help desk. Users complaining that they felt insecure made our case easier, but complaints that their account was locked again from fat-fingering the password or that they are tired of all the hoops and timeouts...well, then we had to rethink masks etc..
What about electromagnetic eavesdropping risks of computer displays ?
Personally I think this is one of the things Truecrypt does right in its Windows and Linux GUIs. Passwords are masked by default with a checkbox providing the option to show them in the clear. The user can assess whether it's safe before clicking it.
I'll also echo ulrik's comments on WLAN keys, though in practice I setup WLAN gear on a trusted machine, copy/paste from a key generator to an editor to the WLAN gear's UI. The iPhone's WLAN key entry is probably the best I've seen. I particularly like that for WEP keys, you enter the key once, and it tries the various interpretations (ASCII string, hex digits) until one works, or all fail.
The ATM is a bad example - they could just put the screen behind a fresnel lens so that it could only be read from a very narrow field, or put a hood on the screen. Also, most people can manage to type a short PIN without visual feedback - the beeps would be enough.
I work in an open office as well, though, and the masking is useful protection against casual accidental eavesdropping. Maybe the login box could have a (default checked) checkbox prominently located next to the password field for "mask password" or even "hide typing" to show nothing, even the password length. That way when, like the other day, I mistype my password several times in a row, I can SHOW the typing to make sure I'm typing what I think I'm typing. After making sure the area is secure enough for me, of course.
I think a gross oversight is security cameras. It's too easy to point it at a screen, capture the video, and replay it to see all of the places they've inserted passwords. And before someone says you can just look at the keys they type, that's incredibly more difficult than just looking at a screen where the information lies until the next page is loaded. This as well with slow typers and shoulder surfing, the longer it takes you to put in your password, the longer a passerby can look at your password and guess it on their own (they don't need the whole thing if it's conventional).
I think that "Shoulder surfing isn't very common" might be falling prey to the availability heuristic. I'd bet a lot of people in the world use computers in situations like this:
I think we can kill two birds with one stone on this. By default do not show the password, but do show it if the caps lock key is down. This obviates the need to whine at the user that the caps lock key is down and provides a way for people who do want to see their password to see it.
Don't we have enough problems with password security without this ludicrous idea for user friendliness? I won't even type my online banking password (even with masking) if there are people around and never on a public machine.
If people actually used 9+ character mixed alpha-numeric-symbol passwords, then the shoulder surfing risk remain modest (since the risk of someone looking and remembering a complex password is akin to the risk of them watching your hands carefully). And the value of displaying the passwords has greatly increased due to their complex length.
This could be an argument against masking, or for it.
Against Masking: Because people are lazy and have short/memorable passwords, I think the shoulder surfing risk is too great since visible passwords can be easily remembered by people nearby.
For Masking: However, the very fact we mask passwords in the UI prevents people from choosing longer/more complicated ones.
Subtlety #1: In an "open office" context where people can see each others screens all the times, even complex passwords can be pieced together by coworkers over time. If "inside jobs" are the biggest corporate security risk, why make auditing of who-did-what (since passwords can be glanced/remembered) even less reliable?
Subtlety #2: I could see unmasked passwords making sense for home users, but even there, I see the scenarios where kids seeing parental passwords doesn't lead to good outcomes (PCs otherwise locked down to prevent spyware, etc).
Middle-ground possibility #1: UIs with checkboxes indicating mask/no-mask, and if the checkbox state changes, the user is prompted whether they want to change the masking flag just this time, or for all time.
Middle-ground possibility #2: OS-level configuration flags for masking or non-masking and/or corporate policy setting.
Suggestion: Perhaps Jacob Nielsen should follow his own advice and do some actual sample testing of not just the implications for usability (has he done this?), but also the implications for security, with at least five users. (Preferrably under multiple security scenarios.)
Moral observation: A world with unmasked passwords by default is a world where a lot more accidental 'shoulder surfing' will occur. Because passwords are used to provide access to interesting and/or power-giving information, a good fraction of people accidentally viewing passwords will be tempted to use them, and will go ahead and use them. It's just human nature. With password masking, more effort (e.g. watching the hands, knowing tricks, etc) is required by the average bystander to do "evil". Why lower the barriers to doing evil? Why increase temptation? ("evil" here = accessing a system with another's credentials, unauthorized)
On balance, Bruce's position that we shouldn't mask OS/web passwords just doesn't make sense to me. Maybe the corporate environments Bruce accesses his computer in have been a lot more secure than mine.
Against Masking=>Against Unmasking
For Masking=>For Unmasking
I'm not going to read all the replys, but it seems people are putting a lot of false hope in masking.
If you think someone can read the password off your screen they can read the keys you type. Keyboards are big and it give a lot of details even without exact keypresses. It is unreasonable to leave one of these things on a threat list while leaving the other off.
In a office envoirement where you have little control of the network or are not the *only* root user of the machine. You should assume your passwords are not safe in general. You should never ever assume that a cybercafes computers are "safe". Really at least a overlooker has to be there....
My bank now makes using a cybercafe for internet banking a breach in terms etc at the level of giving out your pin. And i tend to agree. But this has nothing to do with shoulder surfers.
I would sometimes browse the web or open my computer with some family member nearby. The opposite is true when they use the computer. I don't give a damn about snooping criminals that could take a look at my password, I just don't want my family to know my various passwords and certainly do not want to ever know their passwords either. The whole usability stuff is horseshit, tons of users do it just fine. There's also "clear feedback" already - if you don't input the right password, it will tell you that you didn't .
Just because the author doesn't usually have people looking at the screen when he is browsing doesn't mean that doesn't often happen.
perhaps it should be toggle-able. most of the time I agree, however, there are times when someone is right there... so it'd be nice to be able to change it. I figure most people can read faster than they can follow keystrokes.
Bruce I am shocked to hear you agree with it. It goes against your own published principles. Sure you can look at the keyboard if you want... But that's a lotter harder than you think especially with a fast typist and a reasonably complex password. And even failing that, you could say it's certainly more difficult then just reading the password off the screen. One of your own principles if that there is no such think as perfect security, just increasing levels of difficulty. And password masking clearly increased the level of difficulty when it comes to shoulder surfing. The idea that you should throw it out just because it's imperfect is... well a bit hypocritical. And certainly wrong headed. Sorry to say, but I think the idea is just plain wrong.
The argument makes sense, but I can see why no website would want to go first in making the switch to plaintext. Also, providing a checkbox would add unnecessary clutter. This should be done as a preference setting in the web browser, or perhaps the operating system, so as to maintain consistency across applications.
There are two usage scenarios with passwords :
creation and use. When creating a password, masking is seriously bad for usability and the user can take care of the threat (primarily shoulder surfing but also screen memory snapshots etc) if they wish. When using a password, masking is not too onerous for usability and has a security benefit because the machine cannot determine whether the environment of the user is "safe" or not. I agree with the majority that masking is appropriate in use. I disagree with the majority that it is appropriate at time of creation
With the "unhide passwords" firefox extension, you can toggle between hide and unhide by double clicking in the password field.
When I type a password or pin on my crackberry I see the digit typed for a second, then it reverts to an asterisk.
Very useful, as I use a Storm (think iPhone-like touch-keyboard) and often make keying mistakes.
Seems like a good compromise.
I am surprised and shocked that you agree on this. It gives me the impression that you work alone in your office with nobody around.
Masking passwords is necessary, anybody who claims otherwise must be a hermit.
In the following I propose Password Based PKI Certificates. I further propose that the (longer) password be split into two parts, one that is not echoed, and one that is.
Password masking is worthless with present computer security. Keyloggers are everywere.
If everybody accepted how bad security really is, perhaps we can adjust as a society to better norms.
Masking is suitable for special equipment and needs.
With increasing push towards forcing people to have more complex passwords I think I agree with unmasking them - or at least giving the user the option to.
When passwords were normal text words like 'password' then they were easy to type, now it is more likely to be something like pa55w0rd, more error prone when typing.
I am no hermit, but I agree that shoulder surfing isn't common, workmates don't look over my shoulder and I trust my family! Though I guess it is different if you are a regular user of internet cafes.
So overall I think an 'unhide' option would be beneficial.
Just on typing email addresses twice, I think it is the best way identified to try and validate an address. I used to cut and paste to the second field but realised the the double entry was for my benefit. If I type my address wrong the site may never be able to contact me.
One more thought - what I would definitely like to see is the option for clear text when creating passwords!
As long as we continue to use passwords, they need to be masked. Showing the password is good as an option, but masking should be default.
I very often login with people around, usually collegues, my kids or fellow travellers. I do not want them to see my password.
Seeing what someone types is very difficult if typed with 10 fingers. I tried once (with permission) to discover someones password by recording his typing with a camera. I could not discover his password even with a frame for frame replay.
And I am quite sure my laptop has no keylogger installed!
What I do find a nuisance is if Word or a mailtool steals focus while I am logging in to a website. If I am not looking at the screen, the password appears in my Word or mail document!
'Shoulder surfing isn't very common'
It's an endangered species! So unmask passwords to ensure it's future.
Wow. Gonna need scientific notation on the main page to show reply count. Whodathunkit?
How about this: apparently there are 2 large groups of people out there (no opinion as to which is larger, dont approve of "tyranny of the majority" except where absolutely necessary and this isnt it):
- People who mostly use computers in an environment where shoulder surfing is a concern. Let them set a flag to say "obfuscate".
- People who mostly use computers in an environment where shoulder surfing is NOT a concern. Let them set a flag to say "cleartext".
- People who wear a belt AND suspenders. Let them set a flag to mask the password AND the account name.
- (I assume there is no group where they want account masked and password clear, but???)
Maybe Bruce has an office to himself? Works from home? I work in cubeville, I am lucky if I can pick my nose once a day and not have 4 people see it. I have a coworker who is the fastest typist I have ever seen. He uses a password which must be 30 characters long; reminds me of when Data hijacked the Enterprise (STTNG) and set a password 256 characters long.
I personally believe it is way easier to steal a password on the screen (which combines a static display with 40+ years of reading) than by watching hands moving on keyboard (dynamic and
To dissuade shoulder surfers I like to have a couple "double characters" in my passwords, where I press the same key twice in a row so that they will hopefully lose track of what key I hit or how many times.
OTOH the reason I NEED this is because I use 20 passwords on a given day, they all force me to change them periodically and they all use different rules. Therefore I use "keyboard patterns" which would be silly easy to shoulder surf (or hack for that matter, also motivating double-keys).
I think the issue for me is that while a shoulder-surfer can simply look over my shoulder as I am typing the password, if the password isn't masked on the screen it sits there for an extra few seconds as the browser makes its request and renders the next page. More time = more chance for my password to be stolen.
I have to disagree. The next logical step is to get a load of post-its printed saying "My password is .....".
The fact that shoulder-surfing isn't common is a poor argument. Neither is it common for there to be a burglar waiting outside when I leave the house - but I lock it by default. In an open plan office you may well be unaware of someone standing behind you, and even at home, what's the point of having passwords if your kids could easily see them? And the asterisks are at least some kind of reminder that passwords are private and should be looked after.
Neilson concedes that in the tension between usability and security, "sometimes security should win". So "sometimes" we should try not to loose all our company's data or all our customers' credit card details?
Sorry, but this is the wrong campaign. Let's look instead for example at password expiry, which really does encourage bad password discipline.
Maybe in Neilson's corporate environment every user has their own office where they can close the door... I sit in a room with 200 people, and often they are standing around my desk when I type in passwords. I don't need it displayed on the screen for them, thanks.
In addition, we often have presentations given over a projector to a roomful of people. Its very common for the person giving the presentation to have to log into the network, using their own credentials, in order to access some material for their presentation. There's nothing wrong with displaying a row of **** on a projector for a roomful of people, but displaying unshielded passwords to them would be pretty stupid.
In short, I think there is absolutely no reason why passwords should EVER be displayed on a screen, unless they are computer-generated temporary passwords which the user is required to change on first use anyway.
'Shoulder sirfing isn't very common'..Don't agree with this. At least its more common than 'snatching laptops'.
If you really want to unmask password then do it the iPhone way...
Sorry, Bruce, I think you missed an easy one. For all the complaints about Lotus Notes and the obfuscation of the number of characters (I agree--that's just stupid) the 'visual hash' on the left of the dialog (at least in older versions) is a great way to assure the user: 1. You have typed in the password you intended. 2. You are logging into an authentic server, or at least one which has been copied by people who have enough skill that you won't even feel the dollars leaving your bank account...
The process could be even better served by using something like the 'Identicons' invented by Don Park (his original blog post offline, here's a link to Coding Horror's commentary: http://www.codinghorror.com/blog/archives/... to give the user feedback without revealing his or her password, even inadvertently. While the 'reveal plaintext' option is certainly useful for WPA/WEP purposes in particular, the every day user is not going to adequately consider the consequences of the 'reveal password' checkbox, to say nothing of the possibility that the user has 'fido1234' for every possible banking, social networking, professional, and email site. One inadvertent reveal, and there's a lot that can go wrong, quickly. Availability heuristic and all that notwithstanding, the point is to design systems that work and are useable and useful, without allowing a really easy mechanism for making mistakes with large and ugly consequences.
Quite agree! This has bugged me for years.
My company (rightly) enforces strong passwords (with a ! or a $) and I work in Europe and am often using a different keyboard layout. I wind up typing my password into notepad to check it.
Must be an option to hide password for those rare times when my laptop is connected to a beamer and on view by 50 people though.
Bruce, I was hoping to see you analyse Nielsen's suggestion seriously. This response feels half-baked; I'm disappointed. Given the prevalence of both "insider jobs" and large open-plan offices in the corporate environment, I think you need to provide some evidence before asserting that shoulder-surfing isn't going to be a problem if password masking is removed.
I am working at my home office and my kids often are beside me. I would not agree to have password displayed in clear.
Much more important seems to be Password length and character set.
According to analysts any standard PC is able to generate about 800 Mio NTLM hashes per second. Fast enough to find any such password within 80 Hours...
@Jon Nicholas: "Must be an option to hide password for those rare times when my laptop is connected to a beamer and on view by 50 people though."
Perhaps reverse that and make the option to show passwords. Sort of like what password safe does. As far as I can tell, there is no way to show them by default, but there is an option to "show password" when the user needs to see it.
This can be done two ways, or a combination of the two.
* Create a button that says "show password in clear text"
* Prompt the user if they want to show it in clear text once they have typed it wrong N number of times.
Bruce: you are wrong here. Sure, masking is not a cure-all, but it is hardly a major usability issue either (Lotus multi-dots excluded). I prefer the slightly better security from it compared to the slightly decreased usability, and do NOT want web developers to change their default behavior (which is currently correct).
Bruce, rather than masking perhaps the password field should show the character for a second or so and *then* mask it. That way the user gets visual feedback, but it still masks (worst case anyone spying over my shoulder would pick up one char).
Masking is a pain, especially in an environment where more than one language is installed (posting from a friends internet cafe here in Athens Greece with Greek, English and Arabic keyboards).
A rather bigger gripe from the privacy angle is the insistence of some programs to offer to "remember me on this computer". You'd be amazed how many people do that (and how many fail to signout of e.g. Yahoo, Skype etc..).
This does not compute.
So because post-it notes and similar bad practice make the security of password masking imperfect, we'll just give up on it all together?
It's like saying because one person broke out of jail, let's just give and show all the inmates where the keys are.
Bruce is also saying that a home computer is less of an issue that one at work or in a cafe. I find that actually offensive..... that in some way my personal bank accounts, email accounts, web accounts.... where untold financial and non-financial damages could be done to me personally, is in his expert opinion an acceptable risk.
1] That you always still need to mask in some places and scenarios... exceptions.
2] You now need to control and police these exceptions.... this creates a new decision point, and any decision point creates an new error factor.
Whether it's children, a friend, parent, work collegue, manager or complete stranger, it matters not, I wouldn't want any of them access to my personal email. How dare it be suggested by an respected expert that my online privacy should be weakened in the name of usability. This is crackpot stuff.
If you have accessibility or password rememberance issues, you have hardware token options and the use of the 'remember my password' function in the major browsers anyway. So what problem are we trying to solve again?
I absolutely disagree, and also find some fault with Neilsen's analysis. His focus is so mired in the world of web UI that his benchmark for the past starts and ends there, ignoring the years prior where systems, not just website front-ends, indeed did mask passwords. Neilsen further dredges up the threat of weak passwords, when these same systems now routinely enforce password strength/complexity. This just reinforces the sense that his entire approach to the issue is both dated and web/UI-centric to a fault (no real shock here, as he is a usability, not security, expert). On the whole I remain unconvinced of his argument. We tell users at every turn they are the only person who may know their password; in turn we owe them all the protection (even if incremental) we can offer for that password. Nielsen's suggestion would diminish this, yet when he argues for his point, he comes off as uninitiated.
I'm sure someone already posted this, but with 160+ comments, I'm probably not the first to duplicate.
I shoulder surfed the school admin's password when I was 9 years old. This was despite the fact that the password was masked and I had to rely on looking at the admin's fingers.
If a 9 year old is savvy enough to figure out how to shoulder surf and steal the administration password for the whole school, one should not assume it is a non-threat.
Yes, the best criminals don't get phased by it... but that shouldn't be an excuse to give the bottom 99% the same criminal edge that the 1% had.
You are forgetting about mobile devices. Laptops in coffee shops & airplanes. Smart Phones anywhere. The co-worker hovering in your cube. Keep the passwords masked!!
This is a non-issue. I don't hear anyone talking about this as a problem.
How about making it optional? A show/hide option by the password field?
FOR WEB DEVELOPERS:
Developer Byron Rode released a new jQuery plugin "targeting usability for password masking on forms". Today.
Blog post about showPassword:
Provide such comments easier than considering the big picture and the impact to the financial industries. I believe this is kind of marketing approach to promote some companies..let's stop this.
> The capslock key could unmask passwords imo.
IMO, the CAPSLOCK key is about twenty years overdue for being removed from the keyboard layout. It hasn't served a sufficiently useful purpose to justify a dedicated key on the keyboard since case-insensitivity logic was introduced (to software like BASIC interpreters and spreadsheets) in the 8-bit days. While we're at it, can we finally get rid of the Scroll Lock key as well, and maybe make the "Print Screen" keytop read "Screenshot"?
I was involved in a supreme court case where password masking became an important issue way back in the 80's. The issue quickly became a popularity contest. As most "expert" witnesses stated it was common practice to have password masking, the view from the bench was that therefore the software should have password masking. Whether it was really needed for security or not was beside the point and I guess too difficult for the Judge. So in my opinion, password masking needs to be in all software simply because most people think it should be there, not because it is useful. To me this demonstrates the modern trend of EVERYONE having a vote on all things technical and whether the technology works or not is not really relevant.
Here's an idea: Instead of showing an asterisk for each keystroke, briefly display the actual character for say, 0.2 seconds, and then replace it with an asterisk. That way the user can get fleeting visual feedback of what he's typing, but which doesn't stay visible for more than a fraction of a second.
I, like many others agree with you most of the time but I'm sorry, I can't agree with this proposal.
The security risks have been completely understated and makes the post seem a little naive; in-the-clear password entry is and always will be susceptible to screen-grabbing. Consider this blog was posted on the SAME DAY a zero-day Adobe vuln was reported and at least one exploit of this weakness is known to take periodic screenshots before converting them to a .cab file and sending them to a China-based server.
(In my opinion, David Tribble's post is exactly on-the-money as a viable solution)
Sorry but I disagree... only because our help desk personal routinely takes control and "runas" certain applications to elevate their privilege on our machines while in a remote session. We are not shoulder surfing on purpose but in this case the password needs to be masked.
Hi all. She got her looks from her father. He's a plastic surgeon.
I am from Nigeria and learning to write in English, please tell me right I wrote the following sentence: "Women who soar real women in the media."
With love :(, Canace.
How did we ever get into a position where we
find ourselves scrambling to keep others (criminals) from stealing our private information after we ourselves have made it so easy for them in our haste to use the very technology that, plainly is not ready to
use due to it's transparency to hacking? Why
then is this technology not fully completed?
Is it not possible to protect my privacy when I have to use expensive programs and create a whole industry simply due to the inefficiency of companies like Microsoft
and others who started this whole movement? How stupid can you be?
You might imagine the whole thing to
be a conspiracy to create another whole industry around the theft of personal data,
and who are the beneficiaries but those who designed the whole thing in the first place? Am I being duped to spend my money on virusware only to have hackers
cleverly enter my private territory un invited? Do you get the picture? I have often wondered about this picture. What's wrong with this picture(???)---Doug Rosbury
Got news for you...internal attacks (including such things as shoulder surfing and social engineering) remain the top threats for any business today. Seriously, if you are actually in the security business, you need to look over current stats, take additional training, or find a new industry.
Don't want to sound like a hater, but, sorry, your just a noob that doesn't know how to type.
Whatever you do, please do *not* implement it in the web page. Have the web page use password-type fields, and let the web browser set the policy for whether or not to obscure the password.
I do think that password masking is required. And most people just get used to typing the password without even looking at the keyboard. If the author is so against password masking, I say a better thing would be to provide an option to unmask the password.
I just read that article. It suggests that web sites stop masking passwords. But web sites don't mask passwords, web browsers do. Web sites should continue to mark password fields as such, so that the browser can behave as the client asks, either masking or not.
Using the "password" option of the text box tells the Browser to mask the input. If the site didn't use that option for defining that field, the browser would not be masking it.
For the dictionary words --- such as 5*!5f@tI0n --- password unmasking probably won't help the user.
For passwords that are nominally secure --- such as Ⴍܖܨ♰Αλ^Rε個倏兀兄 --- password unmasking will help the user locate errors.
To me, the more important problem is that websites won't allow nominally secure passwords such as Ⴍܖܨ♰Αλ^Rε個倏兀兄, but insist on insecure dictionary words such as 5*!5f@tI0n.
With passwords unmasked, how many shoulder surfers will pick up on the difference between ﭗ and ﭖ or that there are three different characters in ̀èè ?
OTOH, how many English language websites allow ̀
in a password? Or allow non-Latin writing systems to be used in a password?
With 107K characters in Unicode 5.2, there are at least 1.50073035 × 10^30 reasons (6 character password) why passwords should be allowed to contain characters from the entire range of Unicode that has been assigned at least one character. Make that 1.96715136 × 10^50 reasons, if 10 characters are allowed in a password.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.