The Pros and Cons of Password Masking

Usability guru Jakob Nielsen opened up a can of worms when he made the case for unmasking passwords in his blog. I chimed in that I agreed. Almost 165 comments on my blog (and several articles, essays, and many other blog posts) later, the consensus is that we were wrong.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

The cost is accuracy. When users don’t get visual feedback from what they’re typing, they’re more prone to make mistakes. This is especially true with character strings that have non-standard characters and capitalization. This has several ancillary costs:

  • Users get pissed off.
  • Users are more likely to choose easy-to-type passwords, reducing both mistakes and security. Removing password masking will make people more comfortable with complicated passwords: they’ll become easier to memorize and easier to use.

The benefits of password masking are more obvious:

  • Security from shoulder surfing. If people can’t look over your shoulder and see what you’re typing, they’re much less likely to be able to steal your password. Yes, they can look at your fingers instead, but that’s much harder than looking at the screen. Surveillance cameras are also an issue: it’s easier to watch someone’s fingers on recorded video, but reading a cleartext password off a screen is trivial.

    In some situations, there is a trust dynamic involved. Do you type your password while your boss is standing over your shoulder watching? How about your spouse or partner? Your parent or child? Your teacher or students? At ATMs, there’s a social convention of standing away from someone using the machine, but that convention doesn’t apply to computers. You might not trust the person standing next to you enough to let him see your password, but don’t feel comfortable telling him to look away. Password masking solves that social awkwardness.

  • Security from screen scraping malware. This is less of an issue; keyboard loggers are more common and unaffected by password masking. And if you have that kind of malware on your computer, you’ve got all sorts of problems.
  • A security “signal.” Password masking alerts users, and I’m thinking users who aren’t particularly security savvy, that passwords are a secret.

I believe that shoulder surfing isn’t nearly the problem it’s made out to be. One, lots of people use their computers in private, with no one looking over their shoulders. Two, personal handheld devices are used very close to the body, making shoulder surfing all that much harder. Three, it’s hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.

This is not to say that shoulder surfing isn’t a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn’t more of a threat. And the threat is greater for those who are not fluent computer users: slow typists and people who are likely to choose bad passwords. But I believe that the risks are overstated.

Password masking is definitely important on public terminals with short PINs. (I’m thinking of ATMs.) The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.

And lastly, this problem largely disappears on the Internet on your personal computer. Most browsers include the ability to save and then automatically populate password fields, making the usability problem go away at the expense of another security problem (the security of the password becomes the security of the computer). There’s a Firefox plugin that gets rid of password masking. And programs like my own Password Safe allow passwords to be cut and pasted into applications, also eliminating the usability problem.

One approach is to make it a configurable option. High-risk banking applications could turn password masking on by default; other applications could turn it off by default. Browsers in public locations could turn it on by default. I like this, but it complicates the user interface.

A reader mentioned BlackBerry’s solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

I, for one, would like the option. I cannot type complicated WEP keys into Windows—twice! what’s the deal with that?—without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking. That’s what I was reacting to when I said “I agree.”

So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords. I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.
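The configurable default and the "show each character briefly, then mask it" compromise described above, modelled as an added example (this is not code from the original post or from any of the products it mentions); the one-second reveal window, the non-sticky reset on submit and the injectable clock are assumptions made for the example.

```javascript
// Model of a masking password field with two policy knobs taken from the post:
//  - "brief reveal": only the most recently typed character is shown, and only for
//    revealMs (assumed 1 s); everything typed earlier is always masked;
//  - a show/hide toggle whose default is chosen per application (a bank would ship
//    defaultMasked: true) and which is not remembered across entries.
const MASK_CHAR = '\u2022';   // the bullet most password fields draw

class MaskingField {
  constructor({ revealMs = 1000, defaultMasked = true, now = Date.now } = {}) {
    this.revealMs = revealMs;        // reveal window in ms (assumed value)
    this.defaultMasked = defaultMasked;
    this.now = now;                  // injectable clock so the model is testable
    this.chars = [];                 // the secret itself
    this.lastKeyAt = -Infinity;      // time of the last keystroke
    this.masked = defaultMasked;
  }

  type(ch) {
    this.chars.push(ch);
    this.lastKeyAt = this.now();     // opens the reveal window for this character only
  }

  backspace() {
    this.chars.pop();
    this.lastKeyAt = -Infinity;      // deleting never re-reveals the previous character
  }

  setMasked(masked) { this.masked = masked; }
  toggleMask() { this.masked = !this.masked; }

  value() { return this.chars.join(''); }

  // What the screen should show at this instant.
  display() {
    const v = this.value();
    if (!this.masked) return v;
    if (v.length === 0) return '';
    const recent = this.now() - this.lastKeyAt < this.revealMs;
    const tail = recent ? v[v.length - 1] : MASK_CHAR;
    return MASK_CHAR.repeat(v.length - 1) + tail;
  }

  // Called on submit or blur: the toggle is not sticky, so the next entry
  // (possibly in front of a projector) starts from the application default.
  reset() {
    this.masked = this.defaultMasked;
    this.lastKeyAt = -Infinity;
  }
}

// Browser glue (not exercised under Node). The element the user types into is a
// plain, unnamed text input that only ever holds the rendered display string; the
// secret goes into a hidden <input type="password"> so the browser and password
// managers still see a password field and the cleartext is never the form value.
function wire(visibleInput, hiddenPasswordInput, showCheckbox, field) {
  const paint = () => {
    visibleInput.value = field.display();
    hiddenPasswordInput.value = field.value();
  };
  visibleInput.addEventListener('keydown', (e) => {
    if (e.key === 'Backspace') field.backspace();
    else if (e.key.length === 1 && !e.ctrlKey && !e.metaKey) field.type(e.key);
    else return;                                   // Tab, Enter, arrows: leave alone
    e.preventDefault();
    paint();
    setTimeout(paint, field.revealMs + 10);        // re-mask once the window closes
  });
  showCheckbox.addEventListener('change', () => {
    field.setMasked(!showCheckbox.checked);
    paint();
  });
  if (visibleInput.form) {
    visibleInput.form.addEventListener('submit', () => {
      field.reset();
      showCheckbox.checked = !field.masked;
      paint();
    });
  }
}
```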

Posted on July 3, 2009 at 1:42 PM (99 comments)

Comments

moo July 3, 2009 2:00 PM

Which is best?
(1) Never mask passwords.
(2) A checkbox to turn masking on and off. Default either way, depending on application.
(3) Always mask passwords.

I would say that (1) is unworkable for a lot of situations in which passwords have to get typed in. My example before was the person giving a presentation over a projector to a lot of people, who has to log in with their own credentials while the desktop is displayed over the projector. But anyone working a desk job, who doesn’t have their own office, has to sometimes type in passwords while co-workers are wandering about near their screen.

(2) Is a usability nightmare. I wish Bruce and Nielsen would stop asking for this, because it’s a bad, BAD idea. Some users won’t know what the checkbox is meant for, and will then click on it and get scared when their password appears in plain text. Other users will not notice that the password is plain text until they start typing it in one of those situations. For 99% of situations where passwords are used, this is a stupid idea and should not be implemented. The only case (the ONLY case) where I’d support having this option, is for typing in long things like WEP keys or passphrases. Guess what, web forum accounts or whatever, do not count. And your bank should never offer this “feature”. I don’t want to ever, EVER see my banking password in clear text, anywhere. Not even on my own computer monitor.

So the only realistic option, for most uses of passwords, is (3): always mask them. Or even do the Lotus Notes thing where you get visual feedback as you type the password, but you don’t get a row of stars telling you (and shoulder surfers) how many characters long it is.

Bruce Schneier July 3, 2009 2:12 PM

“So the only realistic option, for most uses of passwords, is (3): always mask them.”

That’s a perfectly reasonable analysis and conclusion.

sraun July 3, 2009 2:12 PM

I agreed with the thought, for one basic reason.

As part of my job, I have to help people who are not computerphiles (more like computerphobes) reset their passwords. Multiple times per day, on multiple systems. I wouldn’t be surprised to find out I’m doing an average of 50 password resets per week.

And maybe 3 of those successfully get their password changed on the first try. I remember one person who was apparently incapable of typing in their new password the same way twice – their manager finally got on the phone to ask me what the problem was after we’d been at it for maybe ten minutes and more than a dozen tries. I explained, the manager said ‘I’ll take it from here’, and I was done with the call.

I don’t want to think about the things that we’ve done to get people’s passwords successfully reset. It’s scary.

Jere July 3, 2009 2:14 PM

When typing a password on my Nokia E70, it displays the most recent character for a second or two, before it changes into an asterisk (or I type the next character). I think this is a very sound compromise.

On the Web, this is something that should be left for the browser to implement, while websites continue to use the ‘password’ input field. The behavior should in fact be a user-configurable preference. There are other important reasons as well: Password values should not remain cached in the back/forward history, a password value should not be possible to copy to the clipboard, and password managers wouldn’t be able to recognize a login form without a ‘password’ type field.

Carl "SAI" Mitchell July 3, 2009 2:26 PM

Keepass (keepass.info) is a password safe program. By default, it masks passwords, but there’s a nice, easy button to unmask. I like that system. Masking/unmasking should be easy, and should be possible to do quickly/temporarily. If you have passwords unmasked, & one day need to enter your password while someone is watching, and the mask/unmask choice is in the preferences window, which can’t be accessed until you log in, you’re out of luck. Thus, if the option is provided, it must be possible to change it before/during entering a password.

tim July 3, 2009 2:32 PM

The issue with passwords is not masking but the policies that govern them and how they are implemented. The real problem is that different applications have different password requirements. For instance, a password that works on one site won’t work on another. Or they force changing passwords every 90 days which makes the user choose simpler passwords. And on and on. Arguing over password masks seems a bit silly to me.

(I have a blackberry – the password function doesn’t operate like described in the post – however my iPhone does work that way)

lanaer July 3, 2009 2:39 PM

I disagree that having a checkbox or option to disable masking is a bad idea. I do think that, when the option is present, it should default to “masked” (users should not be surprised by their password appearing in plain text, ever).

I do not think it is a usability nightmare so long as it is labelled clearly. “Show me my password as I type” is pretty clear.

However, I do think that websites should leave the issue alone, and that browsers should have the ability to configure the behaviour of password fields.

John S July 3, 2009 2:40 PM

When typing 128-bit WEP passwords into Windows I usually type them into notepad then copy/paste them into the password entry box. That way I only have to type them once and if I make a mistake I can fix it without starting from zero.

If resorting to this sort of thing isn’t proof that something is broken then I don’t know what is…

Dave Page July 3, 2009 2:40 PM

I concur with moo’s comments that having a checkbox to enable / disable password masking would be a usability nightmare. I’d still like to be able to right-click on a password field (which would default to masking) and have the option of my browser unmasking what I’m typing.

KDE’s password entry box for wifi seems to do this, and it may be more widespread than that – it’s certainly very handy for typing in ~40 character random passwords!

Jan van Prooijen July 3, 2009 2:41 PM

For WEP keys and the like I use a text editor and then cut and paste the password. For me it works.

eric July 3, 2009 2:51 PM

I agree with you, that complete masking should not be done when it inhibits usability (blackberry, iphone) or represents a password that the user shouldn’t be expected to remember (WEP Key). To be consistent, however, I have to object to this practice of planning for the lowest common denominator.

“On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords”

There are two things that drive me up the wall with password systems:

  1. The system doesn’t trust that my password is good, so it expires it after a certain period of time, or requires a second password or PIN to ‘authenticate’ the first password.
  2. The system doesn’t want to go through the trouble of protecting itself from code injection, so it disallows most, if not all, non-alphanumeric characters, making me change my password scheme to something less secure for that particular system.

So even though I agree with your conclusions, I have a really hard time seeing how the user’s potential password strength should factor into the decision of whether or not to mask the passwords. We have very good, easy-to-implement algorithms which give feedback on the strength of a password. Why not just require a certain password strength from the user and decide whether you want to mask the password independently?

Russ July 3, 2009 2:59 PM

There is one issue with password unmasking that I did not see raised when I briefly scanned the comments. In the company where I used to work our laptops were quite often used to make presentations to, sometimes large, groups of people on an overhead projector, in a virtual classroom with screen sharing and on netmeeting. If the password were not masked, everyone would be able to see it and company policy states that revealing your password is a termination offense. If the password is to be unmasked at all then at the very least there should be an option to mask/unmask it to handle the situations where it actually needs to be masked.

Henning Makholm July 3, 2009 3:04 PM

Jere: That’s the truest thing that has been said about the matter. On the web, this decision needs to be taken in the browser — the remote site should simply inform the browser that this is a password field, and it is then up to the browser to supply a user interface that its user considers appropriate for password fields.

There’s still room for disagreement about what should be the browser’s default, though. The “secure by default” choice would probably mean that the non-power users who would benefit the most from seeing their password as they type it would never find the option to turn masking off… (At the minimum the setting should be changeable on a field-by-field basis directly from the input field’s context menu).

But under no circumstances should a website lie to the browser and claim that a password field is an ordinary non-password text input! Abandoning logical markup in order to “improve usability” is like peeing your pants to keep warm…

A possible middle way might be to default to masking iff the form action is a https url.

Tim July 3, 2009 3:06 PM

Sure, people usually type passwords on their own, but how many people never type passwords when people are watching.

None.

So the only possible UI would be a ‘show password’ checkbox, which I think you’ll find no-one has ever really wanted or has asked for.

Kenneth Finnegan July 3, 2009 3:15 PM

I feel like there is a middle ground. Passwords should definitely be masked, for at the very least the sense that it’s a secret (us internet people forget how incompetent the average person is on the computer). A middle ground would be a visual password hash. I don’t remember where I read it, but the example was a ring of keys with different size keys in different positions. A real world example would be the SSH key pictures. Then as the user continually types their password, they would learn the progression of images, and be able to spot mistypes right away.
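The “visual password hash” idea in the comment above, worked through as an added example (not code from the commenter or from OpenSSH): the picture is OpenSSH’s drunken-bishop randomart walk over a digest of the text typed so far, redrawn after every keystroke, with a seeded FNV-1a stand-in for the digest (an assumption made to keep the example dependency-free; a deployment would use a real hash such as SHA-256).

```javascript
const ART_W = 17, ART_H = 9;
const ART_CHARS = ' .o+=*BOX@%&#/^';   // glyph for how often a cell was visited

// Non-cryptographic 16-byte digest: four seeded FNV-1a passes plus a final mix.
// Assumption for this example only; swap in a real hash for production use.
function digest16(str) {
  const out = [];
  for (let seed = 0; seed < 4; seed++) {
    let h = (0x811c9dc5 ^ Math.imul(seed, 0x9e3779b9)) >>> 0;
    for (const ch of str) {
      h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0;
    }
    h = Math.imul(h ^ (h >>> 16), 0x85ebca6b) >>> 0;
    out.push(h & 0xff, (h >>> 8) & 0xff, (h >>> 16) & 0xff, (h >>> 24) & 0xff);
  }
  return out;
}

// Drunken-bishop walk (the algorithm behind ssh-keygen's key pictures): each
// digest byte yields four 2-bit moves, least significant pair first; bit 0 picks
// left/right, bit 1 picks up/down, and the bishop stops at the board edge.
// Returns the picture as an array of ART_H strings, start marked S and end E.
function randomart(str) {
  const grid = Array.from({ length: ART_H }, () => new Array(ART_W).fill(0));
  let x = Math.floor(ART_W / 2), y = Math.floor(ART_H / 2);
  const sx = x, sy = y;
  for (const byte of digest16(str)) {
    for (let i = 0; i < 4; i++) {
      const bits = (byte >> (2 * i)) & 3;
      x += (bits & 1) ? 1 : -1;
      y += (bits & 2) ? 1 : -1;
      x = Math.max(0, Math.min(ART_W - 1, x));
      y = Math.max(0, Math.min(ART_H - 1, y));
      grid[y][x]++;
    }
  }
  const rows = grid.map((row) =>
    row.map((n) => ART_CHARS[Math.min(n, ART_CHARS.length - 1)]).join(''));
  const put = (r, c, ch) => { rows[r] = rows[r].slice(0, c) + ch + rows[r].slice(c + 1); };
  put(sy, sx, 'S');
  put(y, x, 'E');
  return rows;
}

// Feedback for a typist: the picture for everything typed so far. A mistyped
// character changes the whole picture, so a user who knows the progression
// of images for their password spots the error without any character shown.
function feedbackFor(typedSoFar) {
  return randomart(typedSoFar).join('\n');
}
```

The picture is a deterministic function of what has been typed, so it is feedback rather than a secret: when the screen is visible to others, treat it with the same care as an unmasked field.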

Jeff July 3, 2009 3:21 PM

I believe it’s Windows Vista (not XP), but it gives me the option to turn off masking when entering my network key, and I love it, as that password is such random characters (making it a good password) that I always mistype it.

Giving the user the option is, IMHO, a great idea.

Clive Robinson July 3, 2009 3:25 PM

@ Henning Makholm,

“the remote site should simply inform the browser that this is a password field, and it is then up to the browser to supply a user interface that its user considers appropriate for password fields”

I think the word you are looking for is “Policy”.

In essence this is what the issue is about who sets the policy and why.

It is easy to see that there are at least three parties who want to set policy,

1, The Server owner.
2, The Client owner.
3, The user.

From the point of the Server owner, the password is not a usability issue but primarily a resource issue closely followed as an access issue and a long way down from that a security issue.

From the client owner (the one who pays for the user access etc) perspective the password is not generally a resource issue but primarily an access issue closely followed by a security issue.

From the user perspective it is all about usability, they usually do not care about security (unless they are also the client owner) and the resources involved are usually unseen by them.

Therefore any Policy solution has to take into account the sometimes conflicting perspectives of the three players.

And reading the various postings it does become clear which perspective the various posters are coming from.

aikimark July 3, 2009 3:29 PM

I wish I had found an archive of Matt Groening’s Life In Hell comic strip. There was a topical strip (password discussion between Jeff and Akbar) from 5/1/2009.

Petréa Mitchell July 3, 2009 3:43 PM

I don’t think you were wrong! This is the argument I’m seeing:

Nielsen: “Here is a suggestion based on actual data from studies my colleagues and I have been performing on actual users and software.”

Dissenters: “I disagree based on my subjective personal experience.” Or “I disagree based on what feels like common sense.”

There’s a teachable moment in here somewhere…

Erik July 3, 2009 3:44 PM

I think the masking on the iPhone and I understand on blackberrys too, showing the character briefly while you type, is good at least for mobile devices with a non-standard keyboard which is more prone to typing mistakes. In particular on phones with a numeric keyboard – just how many times did I type 4?

It could be a reasonable alternative to completely unmask passwords although I generally side with those in favour of always masking.

I don’t think masking should be a user choice, your bank should be able to impose masking while other sites may use the temporarily unmasked model. Just like sites should decide whether they can accept storing username and password. Why shouldn’t a site decide only to allow storing your username in the password manager?

I think it is up to the provider to determine and deploy the policies they find adequate, users must then opt whether they find the service worth the trouble.

pfogg July 3, 2009 3:49 PM

I consider the ‘usability nightmare’ scenario for the masking checkbox to be overstated. I agree the switch should be clearly labeled, and would argue the default should always be ‘masked’ so that one never has to justify or excuse turning masking on (or accidentally start typing when it’s off). However, to build an argument around the assertion that some people would be frightened by seeing their passwords after accidentally hitting a clearly marked toggle doesn’t seem reasonable to me. It supposes (without anyone actually testing the assertion) that this would be more of a problem overall than people revealing their passwords with the measures they’re forced into by the existing masked system (simple passwords, cut and paste lists, or others). The alternatives can be used securely, if chosen and used carefully based on the context. Are people in general doing that?

Designing an interface around an overriding concern about what people will do the first time they encounter it seems a bit off to me as well. You need to balance that with what an initial ‘interface friendliness’ costs in terms of regular use thereafter. For most people, the latter would be a lion’s share of their interaction with the interface. New Coke had an analogous problem.

As data points, I would add that for any password I type in often I regularly use password lists for cut-and-paste, lean on mozilla/firefox’s password storage, and choose easy-to-type passwords when the above can’t be used. I’ve tried alternatives, but this is the only practical way I can think of to maintain longish passwords. Everyone else I know, save one, uses short, simple passwords to resolve this problem.

John Fouhy July 3, 2009 4:00 PM

@Jeff: “I believe it’s Windows Vista (not XP), but it gives me the option to turn off masking when entering my network key,”

That’s another feature they borrowed from Mac OSX 🙂

Nick July 3, 2009 4:02 PM

@Petréa Mitchell

Apply what you say to the following.
In a world of always fully patched PCs there is no data to suggest that unpatched systems are a bad idea.

NielsenDoe: “Here is a suggestion based on actual data from studies my colleagues and I have been performing on actual users and software.”

DissentersDoe: “I disagree based on my subjective personal experience.” Or “I disagree based on what feels like common sense.”

It is a horrible idea to allow a person with binoculars to catch your password because you like to sit close to a window view.

Mailman July 3, 2009 4:09 PM

I like the Blackberry compromise of displaying the character for a brief moment before changing it to an asterisk. Masking the password completely on Blackberry devices would not be a good idea, especially on models that have two letters per key, like the Blackberry Pearl. When you press 1, you should be able to see if you’re typing an E or an R, or a 1. This is even more true when typing the wrong password too often can have serious consequences, such as wiping the content of the device.

aikimark July 3, 2009 4:14 PM

I wonder if I should offer up an unmask keyboard action on my applications that would allow the user to see the password they just typed.

Tack July 3, 2009 4:26 PM

@Tim: the BlackBerry behavior described applies to SureType devices, like the Pearl. Full qwerty BlackBerrys don’t do that.

Petréa Mitchell July 3, 2009 4:30 PM

Nick:

“Apply what you say to the following.
In a world of always fully patched PCs there is no data to suggest that unpatched systems are a bad idea.”

I assert that in order for a given patch to exist, someone must have documented an issue that required the patch to be created. Ergo, there is data that it is a bad idea. (From someone’s point of view, anyway.)

Anton July 3, 2009 4:32 PM

My “Password Safe” password is rather long and complicated. When I have not used it for a long time my fingers forget and I need to see it on the screen. In this case I just open notepad type it there and then copy paste it into the masked password field.

Anton July 3, 2009 4:42 PM

Bruce, whatever happened to the idea of using an external token. Like with an ATM card, physical security plus a simple password to protect the exposed period between loss of token and cancellation of token should work?

Trevor Stone July 3, 2009 4:43 PM

“Three, it’s hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so.”

I just spent two months in Central America using some very slow Internet cafes. I would often type my gmail or livejournal password and then wait for at least fifteen seconds for the response page. This would be ample time for a shoulder surfer in a crowded room to memorize my login and password.

On the flip side, the Latin American keyboard layout (often on a US-marked keyboard) made the punctuation in my password a little trickier to type, but I could hit random keys in a non-masked field until I found the right one and then type it in the password field. Of course, these are 8 character passwords that I type frequently; a PGP passphrase would be painful.

Another benefit of masking is avoiding embarrassment. I’ve occasionally learned someone’s password (or their mom’s) and instinctively teased them about the silly word they chose.

Anthony Francis July 3, 2009 4:44 PM

Another reason to mask passwords: computers do not work perfectly. They often freeze up at unexpected times, especially if you are a programmer or IT professional who may be running large processes on your workstation.

The last thing you’d want is an unmasked password for your workstation to sit there on the screen while your OS decides to take a five-minute freezebreak. Bonus points if it’s a server you’re not allowed to reboot without warning, with a password which may be shared with other administrators without warning, which contains sensitive data which should not be exposed to random other employees.

Or to have a login screen appear when you’re projecting, and to have to disconnect the laptop in order to log in – possibly disconnecting remote sites listening in to your presentation.

That’s not to say you should want any of these security risk situations to occur, and you can work around them to make them not happen with good policies and procedures. But mistakes happen. More strongly, it’s unmasked passwords that make these minor annoyances turn into actual security risks.

On the note of WEP passwords however – yes, gimme a darn checkbox so I can enter the 2047 case sensitive digits correctly. 🙂

Paul Coddington July 3, 2009 4:44 PM

“I was certainly too glib.”

Or is it more that all too common problem with ‘blogs that failure to explicitly state every assumption in detail and cater for every possible misinterpretation will lead to a great deal of controversy over issues that were simply assumed to be read “between the lines?”

Anton July 3, 2009 4:48 PM

One more question then I shut up. Does anyone know why WEP keys have to be typed twice and why some applications prevent you from copy pasting them?

Andrew Suffield July 3, 2009 5:16 PM

Now that’s all been said, can we stop using password-based security for everything? It’s got more holes than DES. The only time I want to use password authentication is to unlock my private key.

Gabe da Silveira July 3, 2009 5:54 PM

There’s another reason that passwords should be masked, which is quite simply that that is what people expect. Imagine some website decided to follow Nielsen’s advice and just use a regular text field. A user would not be expecting that at all and could enter their password during a conference presentation or something by accident.

Now if this became at least an occasional practice, people would learn to look first before typing, but then you’ve decreased usability again.

Overall I’d say this is small potatoes in usability terms, because people are adaptable–they don’t have a problem with some obtuse interface if it’s universally standard practice. The worst usability issues are A) where the user doesn’t know what to do or (worse) B) the outcome of some action is unexpected.

Larry Olin Horn July 3, 2009 5:59 PM

Isn’t the WEP exception rather like the old joke that ends “… now that we know what you are, we’re just haggling over price.”?

I’d prefer a “show password” checkbox that is off by default, and not sticky (doesn’t remember being checked, to take care of the demo on screen or public area situations).

I strongly believe the user should have full control over password fields — server can only say “this is a password field” and have no ability to override user preferences for mask/display, copy/paste, or browser-remembers. [The developer has no clue what my particular situation is, so leave my fscking settings alone — yes, this is an increasingly hot button of mine.]

Ken July 3, 2009 6:03 PM

“At ATMs, there’s a social convention of standing away from someone using the machine, but that convention doesn’t apply to computers”

Is that new? When I started using computers with passwords, in the early 1990’s, I quickly learned that the convention was to look away (or at least not right at their console) when somebody is typing a password.

kra July 3, 2009 7:21 PM

“I, for one, would like the option. I cannot type complicated WEP keys into Windows — twice! what’s the deal with that? — without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking.”

Perhaps it is so in XP, but in Vista and Win7 the WEP key is shown in plaintext by default, with a checkbox to mask it.

Bill July 3, 2009 9:28 PM

Personally, I think a check box to turn masking off would be a good idea. At work there’s a 40 character password (actually a pass phrase) I sometimes need to use. I probably get it right 50% of the time or less. My password safe (Keyring) on my Palm has an option to mask the password. There is no way I could use the application if I couldn’t see the password as I type it.

I remember I was once setting up ssh for some travelling users. The only way they could remember their passphrase was to store it in a text file. I guess that sort of defeated the whole point of the exercise.

So, I think the best option in terms of usability is to give the user a choice. If there’s no one around, why not allow them to unmask what they type. It might be one less incentive to use bad passwords, and, more importantly, it empowers users.

Nick Coghlan July 3, 2009 9:46 PM

For those cases where masking is a problem for me and I don’t have to worry about anyone else seeing the password, I just type it into a text editor window and then copy and paste it into the masked password field.

For other cases where I want a decent but easy to type password (e.g. ssh keys) I avoid complicated characters, but use a long phrase instead.

(I was also going to mention the issue of having to type in credentials when in a meeting with a projector connected, but that was already brought up in the very first comment)

Nick Coghlan July 3, 2009 10:00 PM

@irritable customer: those “random rearrangement” keypads aren’t designed to protect against shoulder surfing, they’re there to protect against malware on the computer you are using.

Because you’re using the mouse, simple keyloggers can’t pick up your PIN. Because the numbers are randomly arranged, naive malware can’t just track the mouse movement and infer which numbers are being clicked from the pattern of movement. To get the PIN for one of those sites, the malware either has to access the screen data and match the displayed numbers to the mouse clicks, or else use a completely different attack vector (such as attacking the browser directly or using a phishing attack).

Tim July 3, 2009 10:12 PM

I’m concerned that some users might adopt better passwords if they could see or check them but a portion would fail to improve passwords in response and become even more of a security risk as shoulder surfing becomes possible.

I also think this depends a lot on the way you type. Since I touch type I wouldn’t ever consider unmasking when entering a password, except perhaps when creating a new one. I get feedback much faster from my fingers than from the screen, and it’s harder for anybody else to track. We then have people who do look but type very accurately (getting visual feedback as they hit the keys), those who mash the keys and make frequent mistakes, and those who individually hunt down and press each individual key. I would imagine the styles of feedback that would be useful would depend a lot on entry method.

Bob Monsour July 3, 2009 10:49 PM

Anyone that’s using a Mac today that has a wireless home network set up with WPA2 Personal security gets a dialog box when they logon to the network. The dialog asks for the password and just below the password box is a check box called “Show password.” This is handy, useful, and not at all confusing, and in my opinion, totally appropriate.

Josh C July 3, 2009 11:13 PM

I never type a password with someone looking. If I’m in a public setting and someone is sitting next to me, I wait until I know they aren’t looking. If I’m actually showing someone something and I get to a password prompt, I ask them to look away for a moment. When someone starts to type their password I make a point to look away.

I say always mask. There are two things I get pissed off about regarding entering passwords: choosing the wrong one from my memory (no masking wouldn’t help), and typing with caps lock on and not knowing (masking would help, nice applications just tell you if it’s on).

So yeah, I’m all for masking. I freak out if I mistab and accidentally type the first couple letters of my password in the clear.

Pat Cahalan July 3, 2009 11:38 PM

Nitpick re: password stored in applications

(the security of the password becomes the security of the computer).

The security of the password is almost always the security of the computer, anyway, don’t you think? If your computer is compromised by a keylogger, trojan, or any other badness, about the only difference between storing all your passwords in a password-locked encrypted file and typing them in on a per-use basis is… oh, hm. Actually better, or at least arguably equivalent.

Because if you use a decent password safe (or encrypted passwords in Firefox with a master password, for example), the attacker has to grab that storage and crack it open. Certainly, if they have a keylogger installed they’ll get the safe the first time you type in the master password, but if they crack the machine in use after the master password has already been entered, they have to compromise the application to get the password safe contents, or wait for you to open the safe again.

Whereas if you type in passwords on a per-use basis, they nab them as you use them.

So, in the case of a locked password storage mechanism, they have to crack it but they get all the stored passwords. In the case of per-use password use, they get them as the user uses them. I fail to see that this is going to produce substantially different results, although my gut check is that given the average usage pattern of the average user, the second is worse.

In any event, if I wasn’t clear on the earlier thread, the issue is that virtually every “average” user does store passwords. They log into ebay, amazon, etc., with their passwords saved and their cookies enabled, and they never type the thing to begin with.

It’s only us types who don’t store passwords and routinely need to type passwords for things like PGP or ssh agent or whatever where masking is even a usability issue. 99.99% of users just don’t care, they never type the thing except the first time.

@ Tim

We know from multiple studies that users choose crap passwords. Shoulder surfers who are actual shoulder surfing attackers probably don’t read the actual keyboard; the top 20 or so most popular passwords are pretty recognizable just by the typing pattern.

I can spot someone typing the word “password” just by the finger actions, without seeing the individual keystrokes.

I find it something of a stretch to imagine that very many people will pick better passwords if they can unmask them (writing it down is about the only thing I can see making it easier on the user to the point where it is going to make a difference)… but shoulder surfing is just a non-issue.

Anybody who is a motivated attacker might get your password a bit easier if they shoulder-surf… but if they want your password they’re going to get it with something. I don’t see “shoulder surfing” as a credible opportunity attack.

jallen July 3, 2009 11:42 PM

I want a choice about whether passwords are masked.

No one shoulder-surfs me at home, and when my login tells me the password is wrong, and I’m certain I entered it correctly, I suspect that my login program has been compromised. In this case, I modified the pam to not mask.

But most applications just assume that masking is better, without really thinking it through, and I have no choice about it.

foo July 3, 2009 11:52 PM

The only real solution to passwords is to stop using them and replace them with encryption keys.

Bhima July 4, 2009 8:33 AM

Passwords can be a real pain. Password policies can quickly make them an excruciating pain. Where I work we have a fairly complicated password policy and we have restrictions on what apps we can install (so NO password safe). I’ve had my password on a post-it note underneath my keyboard for over 10 years (also specifically against policy).

I would welcome a serious discussion and real alternative to passwords.

JohnW July 4, 2009 8:47 AM

2 comments:
(1) I find the discussion on entering passwords a little disconcerting when quite a few comments include the use of passwords for WEP. Are there still a lot of wireless systems using WEP given how nearly worthless WEP is?

(2) I’m glad Apple changed the password entry method on the iPhone/iPod touch to display the last character in the clear until you enter another one. It was too easy on iPhone OS 1.0 to screw up entering a long, non-sensical WPA2 pass phrase if you couldn’t remember or see anything of what you had already typed in.

Abdul July 4, 2009 9:47 AM

Hi,

Corporate environments need to have password masking as the users are positioned very close to each other hence shoulder surfing would be very easy.

Whereas in the case of online banking sites, many of them today provide virtual keyboards to type passwords, which makes it very easy for shoulder surfing, and if this is the only option then it doesn’t make any difference whether the password is masked or unmasked. Whereas in cases where applications use two factor authentication tokens like RSA, the PIN has to be masked as it is only 4 nos., but the passcode on the token should be left unmasked as it doesn’t remain the same.

Brent Longborough July 4, 2009 1:03 PM

Hmm, how big an issue is this?

The only place I ever type passwords is Password Safe…

Steven Hoober July 4, 2009 1:16 PM

First, does anyone commenting on “bad usability” actually do this for a living? I try to only go so far in my statements about security or storage or network policies, but everyone else should recognize usability and interactive design as a real field with actual data.

The checkbox is not a nightmare. It’s pretty specialized, but for example it’s on the password field for OSX WiFi connections. Anecdotally, seems to work. Masked by default, and anyone who thinks enough to be annoyed by it can notice there is a way around that. For THIS SITUATION, a good solution.

As I said in Bruce’s original post about this, I’ve designed systems that do not mask passwords. Anecdotes about shoulder surfing on mobiles are not scientific. I’ve designed plenty of non-masked signons, and specified folks change their annoying masked signon to visible. No issues reported. Besides being in a security paranoid world, some of these are in required-reporting industries. We’d have heard (from government agents) if this caused an issue pretty much even once.

When IT guys are usually asked about security policy, they blame users; when they are asked about password masking it’s the designer’s fault. MANY things shared are not passwords, but documents, emails and financial data. It can’t be masked as I cannot then see it. I have presented plenty of secret stuff, and have no issue moving to another screen, suspending sharing, unplugging or whatever is needed. Be aware of what you are doing.

Most of all I have to say the usual: There IS NO ONE ANSWER. Hire a designer, and if they have no convincing answer as to why, get users and do useful, scientific (not focus groups) research with your actual end users to find out what will really, really happen.

kl July 4, 2009 3:18 PM

Shoulder surfing is a problem for mobile devices – especially on public transport. When you sit, everyone standing can comfortably and non-suspiciously read what you see.

You can’t hold the device close enough. You get a weird screen angle and it’s hard to type.

Don’t forget about passwords visible during registration. It’s not 2-3 seconds then.

James July 5, 2009 1:58 AM

WEP and PGP keys are the exception, not the rule. Most users’ passwords aren’t nearly as long and complicated.

I’m in college, and there is a high chance of other people being in the same room when I use my machine. The dorms, the computer labs, etc, etc.
I don’t see my privacy level raising significantly in the future, especially if I land a job working in an office cubicle or ever have to demonstrate something that involves logging into a system to someone else.

I’m disappointed that laptops have only been mentioned twice in this epic wall of comments. They’re used in public quite a bit, and not having password masking enabled would be a huge problem.

grayc July 5, 2009 2:38 AM

Reminds me when I was a sysadmin I argued against mandatory monthly password changes, on the grounds that the risks outweighed the benefits. If forced to change monthly, users write down their passwords and regularly forget them, providing more opportunity for social engineering attacks where the helpdesk gets used to the commonplace requests for password resets (I’m Joe, I’ve forgotten my password – ok, it’s been reset to “Monday”). Of course the auditors, with textbook but no practical experience, overruled me. I still think it is another example of theory producing poor security outcomes.

Zith July 5, 2009 7:13 AM

@JohnW
“(1) I find the discussion on entering passwords a little disconcerting when quite a few comments include the use of passwords for WEP. Are there still a lot of wireless systems using WEP given how nearly worthless WEP is?”

I was concerned about that, too, but now I’m guessing people use “WEP key” to mean any secure WiFi key. Things like that tend to stick in people’s minds.

Now I’m just wondering about Bruce saying he types them in, when he’s stated that he doesn’t secure his wireless network.

Brian Ronald July 5, 2009 12:46 PM

In my job as an IT support technician, I’m in the position to remotely view the screens of workstations throughout our organisation. The user does not need to be aware that I am doing this, either. Citrix Metaframe sessions can be shadowed without prompting the user, and VNC servers are installed on workstations without our users having any control over that.

If password fields were not masked, there’s a danger to corporate users from their own IT staff, shoulder-surfing remotely.

teapot July 5, 2009 1:05 PM

all password saving programs are crap and fail when the light of TEMPEST gazes.

Iain July 6, 2009 4:09 AM

Interesting debate. I would say 90% of the time that I type in a password shoulder surfing is not a risk because I am either at home or at work, with no one over my shoulder or in a position to see what I type. With so many passwords to remember, about 10% of the time I become the pissed off user Bruce mentioned at the start.

So while I would like a ‘show password’ checkbox I can see that it might become a usability problem and result in inadvertent revealing of passwords.

On balance for logins (but not ATMs) I’d go for a check box which allows users to unmask the password if they choose but would always default to masked.

Oh and I agree with the comment about too frequent forced changes and too complex password policies being a bad thing in terms of security.

Finally, as has been mentioned and Bruce has pointed out repeatedly, for things that really need to be secure passwords aren’t enough – they should have two factor authentication.

Actually that reminds me of a perfect example, where unmasking should be an option. When I login to work from home I have to type in:

  1. My user name
  2. My work password (which I rarely get wrong as I type it every day)
  3. a 14 digit numeric code which consists of a 6 digit PIN and an 8 digit number generated by a key fob; the input field is masked with no option to unmask – I’d say I get it wrong about 1 in 3.

Why is it masked? Even if someone could shoulder surf it – and generally I’m alone when typing it – it is no use 60 seconds later. Having an unmask option would greatly improve usability at virtually zero security risk.

WTM July 6, 2009 4:53 AM

One thing that really drives me nuts is masking when entering an OTP-code. If we trust the OTP generator to generate a non-probabilistic sequence, then shoulder surfing should not be an issue.

The only reason for masking OTP entry is the “signal” it sends to the user to be sensitive. The PIN code for the OTP generator could/should IMHO be masked.

pass word July 6, 2009 5:56 AM

One aspect overlooked so far: Why only mask passwords? I’ve often noticed people hastily typing their passwords at the end of the user name input field, because they missed the return key, or found the following in server log files: Failed login attempt for user PASSWORD… If you really think masking is the solution, you should also mask user names and not log them either.

BF Skinner July 6, 2009 6:06 AM

“a checkbox to enable / disable password …usability nightmare.”

I dunno. Winzip offers that option for encrypted zip files. It’s masked by default but check the control and it’s unmasked. You don’t even have to reopen the archive.

I don’t see the usability hit on a mouse click.

bob July 6, 2009 8:31 AM

I see this as similar to my favorite pet gripe: when I try to send an encrypted email (which is ~30% of the time) and of course like most office workers, I am saddled with Office/Outlook; about half the time it does not work on first attempt. Usually the certificate does not match the email I am sending to; sometimes it has expired, the rest of the time only MS (and probably NSA) knows.

-BUT- (here’s the actual gripe) WHEN IT FAILS, MS says “UNABLE TO SEND; (shouting) SHALL I SEND IT -U-N-E-N-C-R-Y-P-T-E-D-!!!!!!!!! (/shouting)”

—- AND IT’S THE DEFAULT!!!!! {MUCH LARGER FONT NEEDED}

OMG! WTF! Here is something so important I have to go through a crapload of hassle to do it and the DEFAULT answer to a fail is to send it in the clear?!?!?! It shouldn’t even be one of the choices! WTH are they thinking at MS!!! I am flabbergasted! My blood pressure has gone up 20 pts just typing this and I haven’t even tried it today! A more reasonable default would be “unable to send encrypted; shall I delete the file, close your email account and wipedisk all hard drives (Y/N)?”

I mean, I realize the odds that anyone is copying my emails and reading the content is silly small, but I knew that going in and decided that encryption was necessary. How could sending RED data even be one of the choices?

cynrh July 6, 2009 9:13 AM

Bruce: for a poor-man’s ‘get around the mask’ trick, especially when the bastards want to make you type a long complicated key/password twice, blind!, try this instead: Hit Win-R to get the Run dialog box, type your key/password at the command line, verify it, copy/paste to the application, dismiss the Run box.

clvrmnky July 6, 2009 9:54 AM

At my corp there is a convention of pointedly looking away when someone is presented with a dialog asking for credentials. Just like ATM use, this sort of thing will naturally be passed along to new users.

Pat Cahalan July 6, 2009 11:39 AM

@ kl

Shoulder surfing is a problem for mobile devices – especially on public transport. When you sit, everyone standing can comfortably and non-suspiciously read what you see.

So what?

No, I mean really… so what? On public transport, it’s also much easier to pick your pocket than it is when your wallet is in your pants and you’re at home. That doesn’t mean that you don’t take your wallet with you when you travel, obviously.

You’re talking about an opportunity attack – an attacker who is not motivated to attack a particular target seeking an area of many possible targets in order to leverage an otherwise fairly difficult attack.

Who does this? Why would anyone do this? Sure, there are grifters out there who might choose targets of opportunity like this, but the staggering, overwhelmingly large numbers of authentication frauds happen by compromised hosts, not by shoulder surfing. It’s not even within several orders of magnitude, I’d wager.

Most people can’t even remember a dang phone number if you give it to them face-to-face without several trials. What makes you think that idle shoulder surfing on public transport is an attack vector that has any sort of reasonable number of malignant users? There just aren’t that many malignant skilled shoulder surfers out there, period.

This whole argument is like the argument about whether or not you should put shark repellent on when you go swimming in the ocean. Sure, sharks can attack you in the ocean and they can’t when you swim in a pool, but sharks don’t attack you (with anything resembling “reasonable frequency”) in the ocean anyway.

tb July 6, 2009 12:09 PM

WEP and PGP keys are not passwords. They fall into the same category as a software license key: entered once at setup and basically left alone. Though, there are exceptions, such as finding out your copy of Windows is invalid, or if the PGP/WEP/WPA key is changed at regular intervals.

I think a larger issue is the completely inconsistent treatment of passwords across the internet. For some websites where I pay bills, a “strong” password is 8-14 characters, including at least one special character and digit, case insensitive. Others limit the length to 4-8 characters. Others to 8-32. So my 24-character password with upper case, lower case, special characters and digits is perfectly valid for several websites, but I guess is too strong for others?
(For those that read this and are wondering, I no longer conduct transactions via websites that disallow what I consider to be a strong password)

Ross July 6, 2009 12:38 PM

I could see the argument for an unmask functionality (either right-click or checkbox) but honestly, if I hit a point where I think I may have typed the password wrong, or want to stop and try to read my password to see if I’ve got it right, in most cases it’s faster to either delete and start over or hit send and see if it works than to try to verify and fix a mistype. Exceptions might apply for very long passwords you don’t type often, like the WEP keys. But a standard 8-12 character password I type daily is going to roll off my fingers quickly.

Shane July 6, 2009 12:39 PM

@Bruce

“I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.”

Kudos, for sure!! Well said.

Shane July 6, 2009 1:04 PM

Also, regarding PINs and Blackberry-style inputs… The iPhone is the same. The last character you type is displayed, but masked as soon as the next is typed.

I do like that feature, and it is certainly a necessity on the iPhone, where you don’t even have physical feedback from the ‘key’ you’re pressing.

However, the ATM PIN statement rings so very true, and on a bit of a tangent, I have issues with the iPhone for this very reason.

The ‘security code’ to unlock my 3G iPhone is a four-digit pin, displayed with an enormous static number pad. It honestly takes no more than a well timed glance to decipher the number being entered.

This, to me, is ludicrous for a number of reasons, the first and foremost being the fact that nearly everything ON your iPhone, be it mail, contacts, chats, messages, calls, any ‘apps’ that grant access to various online accounts, et al, generally speaking, saves your passwords for convenience so you don’t have to type in huge strings everywhere on the funny little ethereal keyboard. So in reality, the security of everything on your iPhone (save for the AppStore, oddly enough…) relies on the security of your PIN, which again, is a non-issue to figure out if you are an astute observer.

Two, you have to type it in ALL THE TIME, unless you don’t mind anyone with at least one hand taking a look into the archives of all of your email accounts whenever they get their hands on it.

Three, the keypad is not static, it’s generated by the OS as a touch-screen GUI. It’s absolutely a non-issue to simply pseudo-randomize the position of the keys in this situation, and would exponentially improve protection against shoulder surfing.

This is a four-digit PIN on an everyday tenkey number pad… Almost everyone can mentally recreate one in their head with 100% accuracy. Reminds me a lot of the ‘Information Leakage’ post from last week.

Anyhow, just thought I’d whine about it, haha, at least it’s relevant.

Steve Ragan July 6, 2009 3:16 PM

Bruce,

First, great follow-up on the masking debate. I wanted to drop in to let you know I don’t think you were wrong at all. Even if you said “probably”.

While I disagree with the idea of removing password masking completely, as I mention in my op-ed, there are uses for it. I honestly think that the suggestion of a checkbox, including areas where de-masking has been implemented previously, are great designs.

You mention frustration with PGP; as an IT consultant I have seen this first hand. Training sales and marketing people to use PGP hand-in-hand with the development people was a nightmare, for the exact reasons you mention.

However, the option to uncheck PGP masking would hurt the intended security instead of help it. The trick (and solution for the sales and marketing people) is end-user training on password creation.

Your PGP keys are rarely used and complex you said, but you created the keys that way. So your use for a de-masking option would be different. You have a valid point for wanting one. Whereas the sales and marketing people needed a long key that was complex and easy to remember, their needs for a de-masking were overruled by the need for business security.

I think the best idea should be to go case by case with options, and personal and business security should never be mixed on that level. So your ideas on the masking trade-off are spot on. Again, this is also why I think you were too hard on yourself by saying you were wrong. You’re not.

Steve Ragan
Security Editor
The Tech Herald

Brandt July 6, 2009 4:49 PM

We use a long passphrase for our wpa key on the wireless network at my work. Like you, I find it impossible to type it correctly when the password is obscured. My solution is to type the passphrase into notepad and then cut and paste it into the password field. This works since it’s only an occasional operation.

BF Skinner July 7, 2009 6:22 AM

A bad habit among sysadmins in Windows is to type out the root password in the comments field of the host properties and then copy and paste instead of cut and paste. Sometimes you can enumerate the entire Windows forest and harvest a password or two.

I usually do the notepad thing too until I get it into password safe.

Pier-Olivier July 7, 2009 8:53 AM

Turn it on by default with a checkbox next to it to unmask, how hard is it? You get all the benefit and the usability is there if you need it, one click away. I think it’s a good security trade-off.

Rob July 7, 2009 2:29 PM

Assuming Jakob is right, and some visitors will be lost because they cannot manage a masked form, how many will be lost because they feel there is a lack of security? Many realize/see that masking is an important security step.

Dom July 7, 2009 3:51 PM

Here in Spain, you can buy a train ticket over the net and pick it up from an ATM-style machine at the station. An 8 character alpha-numeric key is sent to you by SMS (text message). When you enter this into the machine, it is part-masked – some of the characters come up as asterisks, others in plain text. Seems to cover both bases and work well.

kevin jordone July 8, 2009 2:04 AM

For TEMPEST protection when loading my passwords from my TrueCrypt containers, I use the free program Zero Pad Emissions for Windows (runs in Wine in Linux); there is no method to test it so I use it with blind faith. It doesn’t help my keyboard emissions, but copper tape on the wires would help if I was motivated beyond watching reality TV.

Chris LoSacco July 9, 2009 7:56 AM

Bruce, have you seen HalfMask? It’s an experiment that tries to strike a balance between masking to discourage shoulder-surfing while still letting the user see what she’s typing, without requiring any “special options” (e.g. checkboxes or settings).

Check it out here — http://lab.arc90.com/2009/07/halfmask.php — and I’d be very interested to hear what you think.

Billy July 9, 2009 4:49 PM

I say give me two text boxes. One for masked entry, and one for clear entry. Give focus to the masked one by default, and let users tab to the clear one if they like.

newgameplus July 10, 2009 6:24 AM

A missed angle is teaching or presentation situations where your computer is set up so that other people can see what you are doing. Password masking is a necessity there.

Chris V July 11, 2009 5:41 AM

Just adding my 0,05$ here. The discussion seems to be “to mask or not to mask”, but there is a third option that I would consider acceptable and that is what we see in most mobile phones when entering passwords. Put in an “a”, and an “a” appears for ½-1 second, and then masks into a “*”. Put in the next character, and it’s visible for a little while as well before being masked. That would somewhat give you the best of two worlds.

John Gordon July 13, 2009 11:19 PM

“personal handheld devices are used very close to the body, making shoulder surfing all that much harder”

Personally, I just love reading other people’s Blackberry screens on commuter trains during rush hour. All kinds of interesting things 😉

Kevin Wall July 15, 2009 11:02 AM

I think Bruce missed one of the benefits of password masking, namely protecting idiots from embarrassment.

Years ago, I remember working with two junior sys admins, one male and one female, both of whom worked with me. The male needed to provide me with the root password for a server he had set up. With his female counterpart standing there, he sheepishly passed me a slip of paper with the new root password for that server written on it. The password? ‘b1gb00bies!’

So password masking protects idiots from public disgrace. 😉

David R Tribble July 15, 2009 4:29 PM

Here’s an idea: Instead of showing an asterisk for each keystroke, briefly display the actual character typed for 0.1 second and then replace it with an asterisk. That way the user can get fleeting visual feedback of what he’s typing, but which doesn’t stay visible for more than a fraction of a second.

The difficulty of someone reading the displayed characters over your shoulder is comparable to someone watching your fingers typing on the keypad.

ak July 28, 2009 1:08 AM

I’m aware of software that solved the password masking problem in a very intelligent way. There is an easily accessible system-wide checkbox “Mask passwords” which you can turn on or off at any time, and it masks/unmasks all password fields at once. This doesn’t complicate the GUI and works very well in practice: you can unmask passwords in a trusted environment, and mask them with a single click when in public. I’m talking about the Winbox software, which is the GUI for managing Mikrotik routers.

dk August 3, 2009 12:06 PM

Screensharing is another scenario that can create a remote shoulder-surfing risk. Screensharing over remote meeting software is very common and password masking allows convenient demos of web sites or accessing secure documents to display. It would be problematic for such users if the password were not masked.

Randolph August 3, 2009 1:50 PM

Late note: a week or two after this controversy went by, I realized that the practice of password masking developed in TTY (interaction on paper) days. So it was originally intended to prevent trashing, much more than shoulder surfing.

Steve107 April 19, 2010 11:04 AM

I agree with the comments complaining about websites which limit what passwords you can type or force you to change your password often; these are not security features, they are lazy features.

I end up having to save all my different passwords to a spreadsheet because otherwise I’d just be locked out of many websites. Does that sound secure to you?

Passwords and security questions are not very secure and ideally we’d all find a better way of providing security. 🙂

Len April 20, 2010 1:35 AM

The webmail login for my ISP starts by drawing the user and password entry fields, then slooowly (when in rural cafes) draws a pretty border around the screen, then moves the cursor to the user field. Of course, by then I’ve already typed the username, tab, and perhaps part of the password, which then shows in cleartext as I look at the keyboard while typing 🙁

Joel April 28, 2010 10:48 AM

OR option 4.
Add an HTML button like this to your login screens. Problem solved:
<input type='button' value="View Passwords" onclick='javascript:(function(){var elms=document.getElementsByTagName("input"); var i; for(i=0; i

Joel April 28, 2010 10:50 AM

OK… I removed the angle brackets:
input type='button' value="View Passwords" onclick='javascript:(function(){var elms=document.getElementsByTagName("input"); var i; for(i=0; i< elms.length; i++){ if(elms[i].type.toLowerCase()=="password") alert(elms[i].value);}}).call()'/

My1 October 14, 2015 5:01 AM

Well, I think rather than a checkbox a hold button, similar to the Windows 8 login interface (and IE on Win8), is a nice idea: there is an eye at the right of the input field and only while you click and hold is the PW shown. If you switch to another field and go back into the PW field to look at it, the button is gone, so as soon as you leave the PW field, nobody can unmask it easily.

That would be a nice approach, especially since in those situations you can hold your hand on the screen where the PW input is, similar to hiding the input keys while typing your ATM PIN.
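The timed reveal that Chris V and David R Tribble describe (each character visible for a fraction of a second, then masked), combined with the hold-to-reveal button from the comment above, as an added example in plain JavaScript with no DOM; this is illustration code, not from the page or from Windows 8, and the class and method names are assumptions. The edge cases worth getting right are that backspace never re-reveals the previous character, and that leaving the field masks everything immediately and disables the hold control.

```javascript
// Added example (not from the page): a password field that shows the most
// recently typed character briefly before masking it, plus a hold-to-reveal
// control that only works while the field has focus. All names are assumptions.
class MaskedField {
  // revealMs: how long the latest character stays visible (the comments suggest
  // anything from 0.1 s to 1 s); maskChar: the glyph shown for masked characters.
  constructor({ revealMs = 500, maskChar = "*" } = {}) {
    this.revealMs = revealMs;
    this.maskChar = maskChar;
    this.value = "";               // what the application actually submits
    this.lastTypedAt = -Infinity;  // timestamp (ms) of the latest keystroke
    this.focused = true;
    this.holding = false;          // the "eye" button is currently held down
  }

  // A printable character was typed at time `now` (milliseconds).
  type(ch, now) {
    this.value += ch;
    this.lastTypedAt = now;
  }

  // Backspace removes the last character and cancels any reveal window:
  // the character that becomes last was not "just typed", so it stays masked.
  backspace() {
    this.value = this.value.slice(0, -1);
    this.lastTypedAt = -Infinity;
  }

  // Leaving the field masks immediately and releases the hold control,
  // so coming back later never exposes what was typed earlier.
  blur() {
    this.focused = false;
    this.holding = false;
  }

  focus() {
    this.focused = true;
  }

  // Press / release of the hold-to-reveal button; ignored when not focused.
  holdStart() {
    if (this.focused) this.holding = true;
  }

  holdEnd() {
    this.holding = false;
  }

  // What the screen shows at time `now`.
  display(now) {
    if (this.holding && this.focused) return this.value;
    const n = this.value.length;
    if (n === 0) return "";
    const revealLast = this.focused && now - this.lastTypedAt < this.revealMs;
    const masked = this.maskChar.repeat(revealLast ? n - 1 : n);
    return revealLast ? masked + this.value[n - 1] : masked;
  }
}

module.exports = { MaskedField };
```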
