Bruce Schneier
Schneier on Security
A blog covering security and security technology.

Recent Comments

July 4, 2009 9:47 AM Abdul on The Pros and Cons of Password Masking:
Hi, corporate environments need to have password masking as the users are positioned very close to each other, hence shoulder surfing would be very easy. Whereas in the case of online banking sites, many of them today provide virtual keyboards to type passwords, which makes it very easy for shoulder surfing, and if this is the only option then it doesn't make any difference whether the password is masked or unmasked. Whereas in cases where applications use two-factor authentication tokens like RSA, the PIN has to be masked as it is only 4 nos., but the passcode on the token should be left unmasked as it doesn't remain the same.
July 4, 2009 9:14 AM Johan Kretz on Joke That'll Get You Arrested:
Reasonable: I really fail to see the contradiction here. To really pull a stunt like the countdown in the aeroplane is of course utterly immoral and irresponsible. But does that mean that the thought of it can't be funny?

July 4, 2009 8:47 AM JohnW on The Pros and Cons of Password Masking:
2 comments: (2) I'm glad Apple changed the password entry method on the iPhone/iPod touch to display the last character in the clear until you enter another one. It was too easy on iPhone OS 1.0 to screw up entering a long, non-sensical WPA2 pass phrase if you couldn't remember or see anything of what you had already typed in.

July 4, 2009 8:33 AM Bhima on The Pros and Cons of Password Masking:
Passwords can be a real pain. Password policies can quickly make them an excruciating pain. Where I work we have a fairly complicated password policy and we have restrictions on what apps we can install (so NO password safe). I've had my password on a post-it note underneath my keyboard for over 10 years (also specifically against policy). I would welcome a serious discussion and real alternative to passwords.

July 4, 2009 8:31 AM Khürt Williams on Friday Squid Blogging: Office Squid:
Some application developers are so security conscious they mask both the username and the password. My employer has an online self-guided training application that uses that security mechanism to verify that the user has completed the module. Not sure what security risk they are concerned with there.

July 4, 2009 7:43 AM Jojo on Friday Squid Blogging: Office Squid:
not a squid but at least similar:

July 4, 2009 7:38 AM Clive Robinson on Friday Squid Blogging: Office Squid:
@ Bruce, I was going to post some clever comment but... I noticed that your server has been in yoyo mode today and the thought occurred to me (after seeing some Moderator comments ;) Bruce's Blog Gives UDI on 4th of July

July 4, 2009 7:31 AM Clive Robinson on Information Leakage from Keypads:
@ partdavid, "I would be surprised if every keyboard didn't more or less reflect the letter frequency of the user's language, right?" Wrong, but your idea is correct. It will reflect the letter frequency of the data entry performed at the keyboard. So if it's word proc (about 80% of keyboard use) then you are likely to be correct. However if they are a sloppy German programmer who does not comment code, for instance, then the keys are more likely to reflect a limited subset of English than German. If however they are a good German programmer who comments their code well then it would be nearer to German... So first you have to "know your target" or have a list of "frequency tables". It has been suggested that the likes of the NSA have many lists of frequency tables, not just of individual letters but bi-grams, tri-grams and connectives for many languages and activities. However I suspect that that is not the primary way they deal with recovering encrypted files these days (but the method would be invaluable for the first steps in automated cataloging etc. of plaintext). I suspect NSA&Co use automated probable plaintext based on the "style" gumf that modern applications put in files and "rainbow tables" (think a more up to date version of the Unix "magic file").

July 3, 2009 11:52 PM foo on The Pros and Cons of Password Masking:
The only real solution to passwords is to stop using them and replace them with encryption keys.

July 3, 2009 11:42 PM jallen on The Pros and Cons of Password Masking:
I want a choice about whether passwords are masked. No one shoulder-surfs me at home, and when my login tells me the password is wrong, and I'm certain I entered it correctly, I suspect that my login program has been compromised. In this case, I modified the pam to not mask. But most applications just assume that masking is better, without really thinking it through, and I have no choice about it.

July 3, 2009 11:38 PM Pat Cahalan on The Pros and Cons of Password Masking:
Nitpick re: password stored in applications
> (the security of the password becomes the
The security of the password is almost always the security of the computer, anyway, don't you think? If your computer is compromised by a keylogger, trojan, or any other badness, about the only difference between storing all your passwords in a password-locked encrypted file and typing them in on a per-use basis is... oh, hm. Actually better, or at least arguably equivalent. Because if you use a decent password safe (or encrypted passwords in Firefox with a master password, for example), the attacker has to grab that storage and crack it open. Certainly, if they have a keylogger installed they'll get the safe the first time you type in the master password, but if they crack the *machine in use after the master password has already been entered*, they have to compromise the application to get the password safe contents, or wait for you to open the safe again. Whereas if you type in passwords on a per-use basis, they nab them as you use them. So, in the case of a locked password storage mechanism, they have to crack it but they get all the stored passwords. In the case of per-use password use, they get them as the user uses them. I fail to see that this is going to produce substantially different results, although my gut check is that given the average usage pattern of the average user, the second is worse. In any event, if I wasn't clear on the earlier thread, the issue is that virtually every "average" user *does* store passwords. They log into ebay, amazon, etc., with their passwords saved and their cookies enabled, and they never type the thing to begin with. It's only us types who don't store passwords and routinely need to type passwords for things like PGP or ssh agent or whatever where masking is even a usability issue. 99.99% of users just don't care, they never type the thing except the first time.
@ Tim We know from multiple studies that users choose crap passwords. Shoulder surfers who are actual shoulder surfing attackers probably don't read the actual keyboard; the top 20 or so most popular passwords are pretty recognizable just by the typing pattern. I can spot someone typing the word "password" just by the finger actions, without seeing the individual keystrokes. I find it something of a stretch to imagine that very many people will pick better passwords if they can unmask them (writing it down is about the only thing I can see making it easier on the user to the point where it is going to make a difference)... but shoulder surfing is just a non-issue. Anybody who is a motivated attacker might get your password a bit easier if they shoulder-surf... but if they want your password they're going to get it with something. I don't see "shoulder surfing" as a credible opportunity attack.

July 3, 2009 11:13 PM Josh C on The Pros and Cons of Password Masking:
I never type a password with someone looking. If I'm in a public setting and someone is sitting next to me, I wait until I know they aren't looking. If I'm actually showing someone something and I get to a password prompt, I ask them to look away for a moment. When someone starts to type their password I make a point to look away. I say always mask. There are two things I get pissed off about regarding entering passwords: choosing the wrong one from my memory (no masking wouldn't help), and typing with caps lock on and not knowing (masking would help; nice applications just tell you if it's on). So yeah, I'm all for masking. I freak out if I mistab and accidentally type the first couple letters of my password in the clear.
July 3, 2009 10:49 PM Bob Monsour on The Pros and Cons of Password Masking:
Anyone that's using a Mac today that has a wireless home network set up with WPA2 Personal security gets a dialog box when they log on to the network. The dialog asks for the password and just below the password box is a check box called "Show password." This is handy, useful, and not at all confusing, and in my opinion, totally appropriate.

July 3, 2009 10:12 PM Tim on The Pros and Cons of Password Masking:
I'm concerned that some users might adopt better passwords if they could see or check them but a portion would fail to improve passwords in response and become even more of a security risk as shoulder surfing becomes possible. I also think this depends a lot on the way you type. Since I touch type I wouldn't ever consider unmasking when entering a password, except perhaps when creating a new one. I get feedback much faster from my fingers than from the screen, and it's harder for anybody else to track. We then have people who do look but type very accurately (getting visual feedback as they hit the keys), those who mash the keys and make frequent mistakes, and those who individually hunt down and press each individual key. I would imagine the styles of feedback that would be useful would depend a lot on entry method.

July 3, 2009 10:02 PM Michael Seese on Friday Squid Blogging: Office Squid:
I work with that guy. His name is Cal. Cal Mari.

July 3, 2009 10:00 PM Nick Coghlan on The Pros and Cons of Password Masking:
@irritable customer: those "random rearrangement" keypads aren't designed to protect against shoulder surfing, they're there to protect against malware on the computer you are using. Because you're using the mouse, simple keyloggers can't pick up your PIN. Because the numbers are randomly arranged, naive malware can't just track the mouse movement and infer which numbers are being clicked from the pattern of movement. To get the PIN for one of those sites, the malware either has to access the screen data and match the displayed numbers to the mouse clicks, or else use a completely different attack vector (such as attacking the browser directly or using a phishing attack).

July 3, 2009 9:46 PM Nick Coghlan on The Pros and Cons of Password Masking:
For those cases where masking is a problem for me and I don't have to worry about anyone else seeing the password, I just type it into a text editor window and then copy and paste it into the masked password field. For other cases where I want a decent but easy to type password (e.g. ssh keys) I avoid complicated characters, but use a long phrase instead. (I was also going to mention the issue of having to type in credentials when in a meeting with a projector connected, but that was already brought up in the very first comment.)

July 3, 2009 9:32 PM Accounting Drone on Friday Squid Blogging: Office Squid:
Oh, that guy from accounting has his tentacles in everything!

July 3, 2009 9:28 PM Bill on The Pros and Cons of Password Masking:
Personally, I think a check box to turn masking off would be a good idea. At work there's a 40 character password (actually a pass phrase) I sometimes need to use. I probably get it right 50% of the time or less. My password safe (Keyring) on my Palm has an option to mask the password. There is no way I could use the application if I couldn't see the password as I type it. I remember I was once setting up ssh for some travelling users. The only way they could remember their passphrase was to store it in a text file. I guess that sort of defeated the whole point of the exercise. So, I think the best option in terms of usability is to give the user a choice. If there's no one around, why not allow them to unmask what they type. It might be one less incentive to use bad passwords, and, more importantly, it empowers users.
July 3, 2009 7:21 PM kra on The Pros and Cons of Password Masking:
"I, for one, would like the option. I cannot type complicated WEP keys into Windows -- twice! what's the deal with that? -- without making mistakes. I cannot type my rarely used and very complicated PGP keys without making a mistake unless I turn off password masking." Perhaps it is so in XP, but in Vista and Win7 the WEP key is shown in plaintext by default, with a checkbox to mask it.

July 3, 2009 6:59 PM coybert on Information Leakage from Keypads:
@partdavid: WASD keys actually - from FPS gaming ;)

July 3, 2009 6:38 PM irritable customer on The Pros and Cons of Password Masking:
Very bad PIN interface: https://webbanker.cua.com.au/webbanker/CUA The random rearrangement of digits means you have no choice but to "hunt" for the digit, slowing you down enough to make shoulder surfing easy ... but at least the digits don't show up!

July 3, 2009 6:37 PM partdavid on Information Leakage from Keypads:
Keyboards can't be subject to the same kind of attack, because surely your password is one of the more unusual things you type on it. I would be surprised if every keyboard didn't more or less reflect the letter frequency of the user's language, right?

July 3, 2009 6:11 PM David Schwartz on New Attack on AES:
Mike: Nothing. That's precisely how people break cryptographic schemes. When you consider how suitable an algorithm is, you have to figure in the resources of your attacker. An algorithm that would keep your little sister from reading your diary won't keep out the CIA. That is why AES-128 is used almost exclusively for applications where it is believed to be billions of times more secure than it needs to be. And that's why an attack that makes AES-256 a billion times easier to break is still impractical to use.
July 3, 2009 6:03 PM Ken on The Pros and Cons of Password Masking:
"At ATMs, there's a social convention of standing away from someone using the machine, but that convention doesn't apply to computers" Is that new? When I started using computers with passwords, in the early 1990's, I quickly learned that the convention was to look away (or at least not right at their console) when somebody is typing a password.

July 3, 2009 6:00 PM Heron on Information Leakage from Keypads:
@hilbertastronaut

July 3, 2009 5:59 PM Larry Olin Horn on The Pros and Cons of Password Masking:
Isn't the WEP exception rather like the old joke that ends "... now that we know what you are, we're just haggling over price."? I'd prefer a "show password" checkbox that is off by default, and not sticky (doesn't remember being checked, to take care of the demo on screen or public area situations). I strongly believe the user should have full control over password fields -- the server can only say "this is a password field" and have no ability to override user preferences for mask/display, copy/paste, or browser-remembers. [The developer has *no clue* what my particular situation is, so leave my fscking settings alone -- yes, this is an increasingly hot button of mine.]

July 3, 2009 5:54 PM Gabe da Silveira on The Pros and Cons of Password Masking:
There's another reason that passwords should be masked, which is quite simply that that is what people expect. Imagine some website decided to follow Nielsen's advice and just use a regular text field. A user would not be expecting that at all and could enter their password during a conference presentation or something by accident. Now if this became at least an occasional practice, people would learn to look first before typing, but then you've decreased usability again. Overall I'd say this is small potatoes in usability terms, because people are adaptable--they don't have a problem with some obtuse interface if it's universally standard practice. The worst usability issues are A) where the user doesn't know what to do or (worse) B) the outcome of some action is unexpected.

July 3, 2009 5:16 PM Andrew Suffield on The Pros and Cons of Password Masking:
Now that that's all been said, can we stop using password-based security for everything? It's got more holes than DES. The only time I want to use password authentication is to unlock my private key.

July 3, 2009 4:48 PM Anton on The Pros and Cons of Password Masking:
One more question, then I shut up. Does anyone know why WEP keys have to be typed twice and why some applications prevent you from copy-pasting them?

July 3, 2009 4:44 PM Paul Coddington on The Pros and Cons of Password Masking:
"I was certainly too glib." Or is it more that all too common problem with 'blogs, that failure to explicitly state every assumption in detail and cater for every possible misinterpretation will lead to a great deal of controversy over issues that were simply assumed to be read "between the lines"?

July 3, 2009 4:44 PM Anthony Francis on The Pros and Cons of Password Masking:
Another reason to mask passwords: computers do not work perfectly. They often freeze up at unexpected times, especially if you are a programmer or IT professional who may be running large processes on your workstation. The last thing you'd want is an unmasked password for your workstation to sit there on the screen while your OS decides to take a five-minute freezebreak. Bonus points if it's a server you're not allowed to reboot without warning, with a password which may be shared with other administrators without warning, which contains sensitive data which should not be exposed to random other employees. Or to have a login screen appear when you're projecting, and to have to disconnect the laptop in order to log in - possibly disconnecting remote sites listening in to your presentation. That's not to say you should want any of these security risk situations to occur, and you can work around them to make them not happen with good policies and procedures. But mistakes happen. More strongly, it's that unmasked passwords make these minor annoyances turn into actual security risks. On the note of WEP passwords however - yes, gimme a darn checkbox so I can enter the 2047 case sensitive digits correctly. :-)

July 3, 2009 4:43 PM Trevor Stone on The Pros and Cons of Password Masking:
"Three, it's hard to quickly and accurately memorize a random non-alphanumeric string that flashes on the screen for a second or so." I just spent two months in Central America using some very slow Internet cafes. I would often type my gmail or livejournal password and then wait for at least fifteen seconds for the response page. This would be ample time for a shoulder surfer in a crowded room to memorize my login and password. On the flip side, the Latin American keyboard layout (often on a US-marked keyboard) made the punctuation in my password a little trickier to type, but I could hit random keys in a non-masked field until I found the right one and then type it in the password field. Of course, these are 8 character passwords that I type frequently; a PGP passphrase would be painful. Another benefit of masking is avoiding embarrassment. I've occasionally learned someone's password (or their mom's) and instinctively teased them about the silly word they chose.

July 3, 2009 4:42 PM Anton on The Pros and Cons of Password Masking:
Bruce, whatever happened to the idea of using an external token? Like with an ATM card, physical security plus a simple password to protect the exposed period between loss of token and cancellation of token should work?

July 3, 2009 4:32 PM Anton on The Pros and Cons of Password Masking:
My "Password Safe" password is rather long and complicated. When I have not used it for a long time my fingers forget and I need to see it on the screen. In this case I just open Notepad, type it there and then copy-paste it into the masked password field.

July 3, 2009 4:30 PM Petréa Mitchell on The Pros and Cons of Password Masking:
Nick: "Apply what you say to the following." I assert that in order for a given patch to exist, someone must have documented an issue that required the patch to be created. Ergo, there is data that it is a bad idea. (From someone's point of view, anyway.)

July 3, 2009 4:26 PM Tack on The Pros and Cons of Password Masking:
@Tim: the BlackBerry behavior described applies to SureType devices, like the Pearl. Full qwerty BlackBerrys don't do that.

July 3, 2009 4:14 PM aikimark on The Pros and Cons of Password Masking:
I wonder if I should offer up an unmask keyboard action on my applications that would allow the user to see the password they just typed.

July 3, 2009 4:09 PM Mailman on The Pros and Cons of Password Masking:
I like the Blackberry compromise of displaying the character for a brief moment before changing it to an asterisk. Masking the password completely on Blackberry devices would not be a good idea, especially on models that have two letters per key, like the Blackberry Pearl. When you press 1, you should be able to see if you're typing an E or an R, or a 1. This is even more true when typing the wrong password too often can have serious consequences, such as wiping the content of the device.

July 3, 2009 4:02 PM Nick on The Pros and Cons of Password Masking:
@Petréa Mitchell Apply what you say to the following. NielsenDoe: "Here is a suggestion based on actual data from studies my colleagues and I have been performing on actual users and software." DissentersDoe: "I disagree based on my subjective personal experience." Or "I disagree based on what feels like common sense." It is a horrible idea to allow a person with binoculars to catch your password because you like to sit close to a window view.
July 3, 2009 4:00 PM John Fouhy on The Pros and Cons of Password Masking:
@Jeff: "I believe it's Windows Vista (not XP), but it gives me the option to turn off masking when entering my network key," That's another feature they borrowed from Mac OSX :-)

July 3, 2009 3:55 PM Clive Robinson on Open Source Laptop Tracking Service:
@ Sharon, "i have heard it can be traced, can it be traced to the person that took it or how does this work" Put simply, a utility on the laptop does an "ET" and "Phones Home". Therefore the first requirement is for the hardware to be able to "phone home", usually via a network connection. The second condition is that the ET utility is installed and functioning on the system before it is stolen. Your apparent primary interest appears to be tracing the person who misappropriated the system. Unfortunately, even if the system had an ET utility on it and it did "phone home" and the police etc. recovered the system, unless there is a provable link between the person the police recovered the system from and an employee etc., then the answer is no, you can't. The way to deal with "insider theft" is generally by audit processes and controls supported by physical security mechanisms. Many people know my dislike for laptops, and aside from ergonomic issues my main objection is they are high value items that are just too easy to steal.

July 3, 2009 3:49 PM pfogg on The Pros and Cons of Password Masking:
I consider the 'usability nightmare' scenario for the masking checkbox to be overstated. I agree the switch should be clearly labeled, and would argue the default should always be 'masked' so that one never has to justify or excuse turning masking on (or accidentally start typing when it's off). However, to build an argument around the assertion that some people would be frightened by seeing their passwords after accidentally hitting a clearly marked toggle doesn't seem reasonable to me. It supposes (without anyone actually testing the assertion) that this would be more of a problem overall than people revealing their passwords with the measures they're forced into by the existing masked system (simple passwords, cut and paste lists, or others). The alternatives *can* be used securely, if chosen and used carefully based on the context. Are people in general doing that? Designing an interface around an overriding concern about what people will do the first time they encounter it seems a bit off to me as well. You need to balance that with what an initial 'interface friendliness' costs in terms of regular use thereafter. For most people, the latter would be the lion's share of their interaction with the interface. New Coke had an analogous problem. As data points, I would add that for any password I type in often I regularly use password lists for cut-and-paste, lean on mozilla/firefox's password storage, and choose easy-to-type passwords when the above can't be used. I've tried alternatives, but this is the only practical way I can think of to maintain longish passwords. Everyone else I know, save one, uses short, simple passwords to resolve this problem.

July 3, 2009 3:44 PM Erik on The Pros and Cons of Password Masking:
I think the masking on the iPhone, and I understand on blackberrys too, showing the character briefly while you type, is good at least for mobile devices with a non-standard keyboard which is more prone to typing mistakes. In particular on phones with a numeric keyboard - just how many times did I type 4? It could be a reasonable alternative to completely unmasked passwords, although I generally side with those in favour of always masking. I don't think masking should be a user choice; your bank should be able to impose masking while other sites may use the temporarily unmasked model. Just like sites should decide whether they can accept storing username and password. Why shouldn't a site decide only to allow storing your username in the password manager? I think it is up to the provider to determine and deploy the policies they find adequate; users must then opt whether they find the service worth the trouble.

July 3, 2009 3:43 PM Petréa Mitchell on The Pros and Cons of Password Masking:
I don't think you were wrong! This is the argument I'm seeing: Nielsen: "Here is a suggestion based on actual data from studies my colleagues and I have been performing on actual users and software." Dissenters: "I disagree based on my subjective personal experience." Or "I disagree based on what feels like common sense." There's a teachable moment in here somewhere...

July 3, 2009 3:33 PM aikimark on The Pros and Cons of Password Masking:
At least there's xkcd

July 3, 2009 3:29 PM aikimark on The Pros and Cons of Password Masking:
I wish I had found an archive of Matt Groening's Life In Hell comic strip. There was a topical strip (password discussion between Jeff and Akbar) from 5/1/2009.

July 3, 2009 3:25 PM Clive Robinson on The Pros and Cons of Password Masking:
@ Henning Makholm, "the remote site should simply inform the browser that this is a password field, and it is then up to the browser to supply a user interface that its user considers appropriate for password fields" I think the word you are looking for is "Policy". In essence this is what the issue is about: who sets the policy and why. It is easy to see that there are at least three parties who want to set policy:
1, The Server owner. From the point of the Server owner, the password is not a usability issue but primarily a resource issue, closely followed as an access issue, and a long way down from that a security issue.
From the client owner (the one who pays for the user access etc.) perspective the password is not generally a resource issue but primarily an access issue, closely followed by a security issue.
From the user perspective it is all about usability; they usually do not care about security (unless they are also the client owner) and the resources involved are usually unseen by them.
Therefore any Policy solution has to take into account the sometimes conflicting perspectives of the three players. And reading the various postings it does become clear which perspective the various posters are coming from.

July 3, 2009 3:21 PM Jeff on The Pros and Cons of Password Masking:
I believe it's Windows Vista (not XP), but it gives me the option to turn off masking when entering my network key, and I love it, as that password is such random characters (making it a good password) that I always mistype it. Giving the user the option is, IMHO, a great idea.

July 3, 2009 3:19 PM Joel F on Information Leakage from Keypads:
@Ramki B Ramakrishnan Actually, 0000, 4567, and 0123 are not indicated by the second picture. The keys for 1, 2, 3, 4, and Enter are the ones that are worn (they're shiny, polished smooth by many finger-presses). In the first picture, the logic behind guessing 1986 and 1968 is that important years (wedding, birthdate or graduation of oneself or a loved one, etc.) are too often used as numeric codes because they are easy to remember.

July 3, 2009 3:15 PM KrazyNomad on Information Leakage from Keypads:
That's amazing. I've got the same combination on my luggage.

July 3, 2009 3:15 PM Kenneth Finnegan on The Pros and Cons of Password Masking:
I feel like there is a middle ground. Passwords should definitely be masked, for at the very least the sense that it's a secret (us internet people forget how incompetent the average person is on the computer). A middle ground would be a visual password hash. I don't remember where I read it, but the example was a ring of keys with different size keys in different positions. A real world example would be the SSH key pictures. Then as the user continually types their password, they would learn the progression of images, and be able to spot mistypes right away.

July 3, 2009 3:13 PM err on Anti-Stab Knife:
I just hope it wasn't patented or anything; I don't think the rounded edge is much of a novel idea, mostly because I already have a couple of knives with rounded edges at home?

July 3, 2009 3:07 PM err on Protecting Against the Snatched Laptop Data Theft:
Hmnn, the only idea I could have is making the laptop cold shutdown automatically if the cap is closed (which at least is possible with ubuntu and should most certainly be in windows) and have an encrypted drive for the precious information.

July 3, 2009 3:06 PM Tim on The Pros and Cons of Password Masking:
Sure, people *usually* type passwords on their own, but how many people *never* type passwords when people are watching? None. So the only possible UI would be a 'show password' checkbox, which I think you'll find no-one has ever really wanted or has asked for.

July 3, 2009 3:04 PM Henning Makholm on The Pros and Cons of Password Masking:
Jere: That's the truest thing that has been said about the matter. On the web, this decision needs to be taken in the *browser* -- the remote site should simply inform the browser that this is a password field, and it is then up to the browser to supply a user interface that its user considers appropriate for password fields. There's still room for disagreement about what should be the browser's default, though. The "secure by default" choice would probably mean that the non-power users who would benefit the most from seeing their password as they type it would never find the option to turn masking off... (At the minimum the setting should be changeable on a field-by-field basis directly from the input field's context menu.) But under no circumstances should a website lie to the browser and claim that a password field is an ordinary non-password text input! Abandoning logical markup in order to "improve usability" is like peeing your pants to keep warm... A possible middle way might be to default to masking iff the form action is a https url.

July 3, 2009 3:02 PM Unix Ronin on The Insecurity of Secrecy:
This isn't secrecy. There's another, better word for this behavior: Furtiveness.

July 3, 2009 3:01 PM Clive Robinson on The Insecurity of Secrecy:
@ Tangerine Blue "And to everyone, may we all live in a land that is free with a people that's brave." Amen to that, speaking of 4th July and people that are brave. Tomorrow evening I shall be meeting a "boyhood hero" of mine, Buzz Aldrin, and hear what he has to say about the 40th anniversary of the Apollo 11 moon landing.

July 3, 2009 2:59 PM Russ on The Pros and Cons of Password Masking:
There is one issue with password unmasking that I did not see raised when I briefly scanned the comments. In the company where I used to work our laptops were quite often used to make presentations to, sometimes large, groups of people on an overhead projector, in a virtual classroom with screen sharing and on netmeeting. If the password were not masked, everyone would be able to see it, and company policy states that revealing your password is a termination offense. If the password is to be unmasked at all then at the very least there should be an option to mask/unmask it to handle the situations where it actually needs to be masked.

July 3, 2009 2:51 PM eric on The Pros and Cons of Password Masking:
I agree with you that complete masking should not be done when it inhibits usability (blackberry, iphone) or represents a password that the user shouldn't be expected to remember (WEP key). To be consistent, however, I have to object to this practice of planning for the lowest common denominator. "On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords" There are two things that drive me up the wall with password systems:
1. The system doesn't trust that my password is good, so it expires it after a certain period of time, or requires a second password or PIN to 'authenticate' the first password.
2. The system doesn't want to go through the trouble of protecting itself from code injection, so it disallows most, if not all, non-alphanumeric characters, making me change my password scheme to something less secure for that particular system.
July 3, 2009 2:41 PM Jan van Prooijen on The Pros and Cons of Password Masking:
For WEP keys and the like I use a text editor and then cut and paste the password. For me it works.

July 3, 2009 2:40 PM Dave Page on The Pros and Cons of Password Masking:
I concur with moo's comments that having a checkbox to enable / disable password masking would be a usability nightmare. I'd still like to be able to right-click on a password field (which would default to masking) and have the option of my browser unmasking what I'm typing. KDE's password entry box for wifi seems to do this, and it may be more widespread than that - it's certainly very handy for typing in ~40 character random passwords!

July 3, 2009 2:40 PM John S on The Pros and Cons of Password Masking:
When typing 128-bit WEP passwords into Windows I usually type them into Notepad then copy/paste them into the password entry box. That way I only have to type them once and if I make a mistake I can fix it without starting from zero. If resorting to this sort of thing isn't proof that something is broken then I don't know what is...

July 3, 2009 2:39 PM lanaer on The Pros and Cons of Password Masking:
I disagree that having a checkbox or option to disable masking is a bad idea. I *do* think that, when the option is present, it should default to “masked” (users should not be surprised by their password appearing in plain text, ever). I do not think it is a usability nightmare so long as it is labelled clearly. “Show me my password as I type” is pretty clear. However, I do think that websites should leave the issue alone, and that browsers should have the ability to configure the behaviour of password fields.

July 3, 2009 2:32 PM tim on The Pros and Cons of Password Masking:
The issue with passwords is not masking but the policies that govern them and how they are implemented. The real problem is that different applications have different password requirements. For instance a password that works on one site won't work on another. Or they force changing passwords every 90 days, which makes the user choose simpler passwords. And on and on. Arguing over password masks seems a bit silly to me. (I have a BlackBerry - the password function doesn't operate like described in the post - however my iPhone does work that way.)

July 3, 2009 2:26 PM Carl "SAI" Mitchell on The Pros and Cons of Password Masking:
KeePass (keepass.info) is a password safe program. By default, it masks passwords, but there's a nice, easy button to unmask. I like that system. Masking/unmasking should be easy, and it should be possible to do it quickly/temporarily. If you have passwords unmasked, & one day need to enter your password while someone is watching, and the mask/unmask choice is in the preferences window, which can't be accessed until you log in, you're out of luck. Thus, if the option is provided, it must be possible to change it before/during entering a password.

July 3, 2009 2:20 PM iamleeg on The Pros and Cons of Password Masking:
I don't agree that mobile devices make shoulder-surfing harder. I base this opinion on experience: http://www.sophos.com/blogs/gc/g/2009/06/09/guest-blog-eyephone/ Cheers!

July 3, 2009 2:14 PM Jere on The Pros and Cons of Password Masking:
When typing a password on my Nokia E70, it displays the most recent character for a second or two, before it changes into an asterisk (or I type the next character). I think this is a very sound compromise. On the Web, this is something that should be left for the browser to implement, while websites continue to use the 'password' input field. The behavior should in fact be a user-configurable preference. There are other important reasons as well: password values should not remain cached in the back/forward history, a password value should not be possible to copy to the clipboard, and password managers wouldn't be able to recognize a login form without a 'password' type field.
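Editor's added example, not code from the page or from any of the commenters: the three display policies the password-masking thread keeps coming back to, modelled as pure functions. `display_masked` is the plain row of asterisks; `display_reveal_last` is the Nokia E70 / iPhone behaviour Jere describes (last character visible for a moment, then masked); `fingerprint` is the "visual feedback without a row of stars" idea of the truncated first comment above and of moo's Lotus Notes remark later on the page. The glyph fingerprint is a hypothetical construction (first 16 bits of SHA-256 of the typed prefix, mapped onto 16 glyphs), not the algorithm of Lotus Notes or any other product, and the 1.5 s reveal window and the sample password are assumptions. The last function shows the caveat a practitioner would want before adopting the fingerprint policy: a shoulder surfer who sees the pattern after every keystroke can brute-force the password one character at a time.

```python
# Added example (editor's illustration, not code from the page or any commenter).
# The glyph fingerprint below is hypothetical, not any product's real algorithm.
import hashlib
from string import ascii_letters, digits

MASK = "*"
REVEAL_MS = 1500                 # assumed window for "show the last character briefly"
GLYPHS = "@#$%&*+=~^<>{}[]"      # 16 feedback glyphs, so each glyph carries 4 bits


def display_masked(typed: str) -> str:
    """Policy (3), always mask: one asterisk per character.  A shoulder surfer
    learns nothing about the characters, but does learn the length."""
    return MASK * len(typed)


def display_reveal_last(typed: str, last_key_ms: int, now_ms: int) -> str:
    """Nokia E70 / iPhone style: the most recent character stays visible for
    REVEAL_MS after it was typed, then is masked.  Typing the next character
    masks it immediately, because only the newest one is ever shown."""
    if not typed:
        return ""
    if now_ms - last_key_ms < REVEAL_MS:
        return MASK * (len(typed) - 1) + typed[-1]
    return MASK * len(typed)


def fingerprint(prefix: str, n_glyphs: int = 4) -> str:
    """Length-hiding feedback: a fixed number of glyphs derived from a hash of
    everything typed so far.  The user learns the progression for their own
    password and notices a mistype as soon as the pattern diverges."""
    digest = hashlib.sha256(prefix.encode("utf-8")).digest()
    nibbles = []
    for i in range(n_glyphs):
        byte = digest[i // 2]
        nibbles.append(byte >> 4 if i % 2 == 0 else byte & 0x0F)
    return "".join(GLYPHS[n] for n in nibbles)


def recover_from_glyphs(observed, alphabet=ascii_letters + digits):
    """What a shoulder surfer can do with the per-keystroke patterns.
    observed[i] is the pattern shown after keystroke i+1.  Each pattern is a
    deterministic function of the prefix typed so far, so the password can be
    extended one character at a time: with 16 bits of feedback and a 62-symbol
    alphabet a wrong guess survives a step with probability about 62/65536,
    so the search stays tiny and the true password is almost always the only
    survivor.  Returns every password consistent with what was observed."""
    candidates = [""]
    for pattern in observed:
        candidates = [p + c for p in candidates for c in alphabet
                      if fingerprint(p + c) == pattern]
        if not candidates:       # observer misread a glyph, or alphabet too small
            return []
    return candidates


if __name__ == "__main__":
    secret = "Tr0ub4dor"         # constructed sample password
    seen = [fingerprint(secret[:i]) for i in range(1, len(secret) + 1)]
    print("patterns an observer sees:", seen)
    print("recovered from them:", recover_from_glyphs(seen))
```

The design consequence: deterministic per-keystroke feedback gives an observer roughly what an unmasked field would, only delayed by a few hashes. Showing the fingerprint only for the whole password (after a pause, or on submit) cuts the leak to n_glyphs × 4 bits, which an offline guesser can still use as a filter; that residual leak is the price of the mistype detection the commenters want, and it should be weighed explicitly rather than assumed away.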
July 3, 2009 2:12 PM sraun on The Pros and Cons of Password Masking:
I agreed with the thought, for one basic reason. As part of my job, I have to help people who are not computerphiles (more like computerphobes) reset their passwords. Multiple times per day, on multiple systems. I wouldn't be surprised to find out I'm doing an average of 50 password resets per week. And maybe 3 of those successfully get their password changed on the first try. I remember one person who was apparently incapable of typing in their new password the same way twice - their manager finally got on the phone to ask me what the problem was after we'd been at it for maybe ten minutes and more than a dozen tries. I explained, the manager said 'I'll take it from here', and I was done with the call. I don't want to think about the things that we've done to get people's passwords successfully reset. It's scary.

July 3, 2009 2:12 PM on The Pros and Cons of Password Masking:
"So the only realistic option, for most uses of passwords, is (3): always mask them." That's a perfectly reasonable analysis and conclusion.

July 3, 2009 2:00 PM moo on The Pros and Cons of Password Masking:
Which is best? I would say that (1) is unworkable for a lot of situations in which passwords have to get typed in. My example before was the person giving a presentation over a projector to a lot of people, who has to log in with their own credentials while the desktop is displayed over the projector. But anyone working a desk job, who doesn't have their own office, has to sometimes type in passwords while co-workers are wandering about near their screen. (2) Is a usability nightmare. I wish Bruce and Nielsen would stop asking for this, because it's a bad, BAD idea. Some users won't know what the checkbox is meant for, and will then click on it and get scared when their password appears in plain text. Other users will not notice that the password is plain text until they start typing it in one of those situations. For 99% of situations where passwords are used, this is a stupid idea and should not be implemented. The only case (the ONLY case) where I'd support having this option is for typing in long things like WEP keys or passphrases. Guess what, web forum accounts or whatever do not count. And your bank should never offer this "feature". I don't want to ever, EVER see my banking password in clear text, anywhere. Not even on my own computer monitor. So the only realistic option, for most uses of passwords, is (3): always mask them. Or even do the Lotus Notes thing where you get visual feedback as you type the password, but you don't get a row of stars telling you (and shoulder surfers) how many characters long it is.

July 3, 2009 1:54 PM Tangerine Blue on The Insecurity of Secrecy:
@Carlo, DNC, Clive, Trichinosis - I agree with you all. Everybody's responsible. Politicians, media, corporations, voters, non-voters. Them and Us. You and Me. In the words of one Howard Ruff, "no individual raindrop ever felt responsible for the flood." And now that I've pontificated, my own conscience is satisfied for today, and I'm going to go barbecue. Happy Independence Day, fellow Americans. And to everyone, may we all live in a land that is free with a people that's brave.

July 3, 2009 1:39 PM Spiny Norman on The Insecurity of Secrecy:
"Anything B. Boxer does is useless boondoggle anyways."
God forbid that you should examine actual policies, instead of reflexively condemning them based on where they originate. There's a word for that mode of operation: reactionary.

July 3, 2009 1:31 PM David Webb on Information Leakage from Keypads:
Fingerprint dust is also very useful for working out which 4/6 numbers make up the combination.

July 3, 2009 1:30 PM Nomen Publicus on The Insecurity of Secrecy:
If you can't specify the threat you are protecting society from, you can spend vast amounts of money protecting the population from a fantasy. The only useful change in security since 9/11 has been lockable, bullet-proof cockpit doors. Nothing else has been worth a dime spent on it. All the money wasted on the TSA, the DHS etc. should have been allocated to police, FBI, customs etc. to further improve their investigations.

July 3, 2009 1:08 PM Clive Robinson on The Insecurity of Secrecy:
@ Roy,
"Perhaps the coal industry has bought a controlling interest in DHS."
Well, since the credit crunch the US people can't afford to buy a share, let alone a controlling interest...

July 3, 2009 1:08 PM Miguel Farah on Information Leakage from Keypads:
@datagram: I took the left-hand picture. I can send you the high-res version if you need it.

July 3, 2009 1:03 PM Clive Robinson on The Insecurity of Secrecy:
@ Carlo Graziani,
"Politicians don't create this race to the bottom. They merely adapt to it."
No, I have to respectfully disagree with you there. One or more politicos sought political mileage in creating big scary bogeymen. One or two TV news and media networks in typical talking-head style added more FUD to fuel the flames. The flames were then ably fanned by other forms of media and other politicos jumping on the bandwagon. So within what was a relatively short time what was just blowing political smoke turned into flames, then to an inferno. When a certain critical mass was achieved money became the object of every beltway bandit wannabe, and they added more fuel and oxygen and turned up the heat. It therefore inevitably and possibly unavoidably became a holocaust in the minds of those who dared not to look but just listen. In reality those first whiffs of smoke, like that of a gambler's cheap cigar, have long gone, leaving behind little but a stale taste and a faint smell of repugnance in the air. However the baize fabric of the table at which the game was played has been almost irreparably damaged, and those who own it are left with the cost of cleaning up the mess.
July 3, 2009 12:30 PM PackagedBlue on The Insecurity of Secrecy:
Good timely article. Some forms of secrecy destroy the working mind and culture of adaptable changes.

July 3, 2009 12:12 PM Roy on The Insecurity of Secrecy:
Perhaps the coal industry has bought a controlling interest in DHS.

July 3, 2009 12:01 PM datagram on Information Leakage from Keypads:
Hi Bruce, Great example of a problem with most keypad-based combination locks. Do you own the rights on these photos? If so, would you let me use them on my site (www.lockpickingforensics.com)? They'd go in the Decoding section as a "visual decoding" type attack. Let me know! Thanks,

July 3, 2009 11:04 AM Clive Robinson on Information Leakage from Keypads:
@ Bruce Clement,
'I think you'll find that the UK government considers NI to be part of the "United Kingdom of Great Britain and Northern Ireland"'
Yes, but what is the overriding operator and why... That is, is it,
(United Kingdom of Great Britain) and Northern Ireland
United Kingdom of (Great Britain and Northern Ireland)
You are saying the latter, whilst I'm saying the former, which is the historical order it happened. Also politically NI is in a very peculiar position as it is (supposedly) jointly governed under a power sharing agreement with what is now another sovereign nation which was once part of the greater whole. Likewise people born in NI are the only people who officially have dual nationality and two passports (this minor little problem was the real nail in the ID card plans' coffin).

July 3, 2009 11:02 AM Stephanie on The Insecurity of Secrecy:
"The same secrecy that defends torturers." Well written, Mr. Schneier.
July 3, 2009 10:02 AM Trichinosis USA on The Insecurity of Secrecy:
When corporations are treated by the legislature and government as individuals with the same rights as any other citizen, but not held to the same or greater level of responsibility based on their ability to affect hundreds or thousands of other individuals by their actions or inactions, this is the kind of insanity and abuse that results. Kudos to Barbara Boxer, we need MORE like her. Meanwhile the Department of Hopeless Insecurity continues to prove that it's less than useless. With "protection" like this, who needs the mafia? I mean, really! Who's protecting us from THEM?

July 3, 2009 9:55 AM Jonadab the Unsightly One on The Problem with Password Masking:
> The capslock key could unmask passwords imo.
IMO, the CAPSLOCK key is about twenty years overdue for being removed from the keyboard layout. It hasn't served a sufficiently useful purpose to justify a dedicated key on the keyboard since case-insensitivity logic was introduced (to software like BASIC interpreters and spreadsheets) in the 8-bit days. While we're at it, can we finally get rid of the Scroll Lock key as well, and maybe make the "Print Screen" keytop read "Screenshot"?

July 3, 2009 9:36 AM withheld on Information Leakage from Keypads:
I encountered this type of lock when I worked as a government auditor. Our copy of the database of all medical records for 'the jurisdiction we were responsible for' (I won't name the jurisdiction but it encompassed millions of individuals) was protected by a lock I could, and did, bypass in minutes. Other controls were installed after my demonstration.

July 3, 2009 9:31 AM Jonadab the Unsightly One on Fake Receipts:
> my anecdotal experience is that the times I've
I can attest to that. The most opulent place I've ever stayed, by at least an order of magnitude, maybe two, was the Holiday Inn my boss booked me in, the time I spent a week in Syracuse on the employer's dime, for sysadmin and database-schema training for the line-of-business software we use. This hotel was like something out of a movie. It was so much more high-end than any place else I've ever been, it spooked me out a little. I would have been MUCH more comfortable in someplace a little more down to earth.

July 3, 2009 9:26 AM DNC on The Insecurity of Secrecy:
If you want to see what happens when a government starts lying and denying, just look at China's Tiananmen Square Massacre. No one outside of Beijing knew about it via any media sources and later on the Chinese government denied it ever happened, yet most westerners know about it. Security is an incredibly slippery slope; we're already there, sliding into fascism (see the UK). @Carlo, stop apologizing for the flatterers and politicians.
July 3, 2009 9:22 AM Miguel Farah on Information Leakage from Keypads:
The first one is actually 9816. You can guess how I know that... :-)

July 3, 2009 9:12 AM Carlo Graziani on The Insecurity of Secrecy:
Laying the blame on politicians still amounts to overlooking the real origin of the problem. What happens to a brave, principled, level-headed politician or civil servant who tries to moderate the panicked, ignorant demands for action of a voting (and campaign-contributing) public that believes it has an absolute right to be absolutely safe from absolutely any danger, no matter how far-fetched? Politicians don't create this race to the bottom. They merely adapt to it.

July 3, 2009 9:07 AM sharon on Open Source Laptop Tracking Service:
I had a computer stolen from work. It is less than a year old. I have heard it can be traced; can it be traced to the person that took it, or how does this work? Thinking it is a fellow employee.

July 3, 2009 8:52 AM sooth sayer on The Insecurity of Secrecy:
Anything B. Boxer does is useless boondoggle anyways ... what's the whole point of all this? Promote BB for another 6 years of do-nothing, or to tell me where all the ash is lying around -- geeze .. at least pick a real issue.

July 3, 2009 8:43 AM Mark on Information Leakage from Keypads:
@Jonadab the Unsightly One
One of the BIG problems with this kind of lock is that the same combination is used by everyone who has access. If you're going to do that, you may as well hand out physical keys. Actually you'd probably be better off handing out physical keys. Whilst it might be harder for someone to forget a short number than lose a physical object, it's also a lot easier for this information to be copied. There is also no easy equivalent to taking a key away from someone. You'd need to change the number and ensure that everyone who needs to know is made aware of the change.
@Jonadab the Unsightly One
The *advantage* to a keypad system, in theory, is that you can give everyone a different password (possibly to be combined with swiping an ID card), and so this provides an audit capability: you can tell who came and went at what time; this protects against the "inside job", which is a significant value.
The latter is a "two factor" system. Effectively the ID card is performing the function of a physical key. In this kind of setup a smart insider would need to both memorise someone's number and get hold of their card to leave a false trail.

July 3, 2009 8:37 AM Nick on More Security Countermeasures from the Natural World:
Daniel Dennett's concept of the "intentional stance"* is an insightful rationale for the widespread use of anthropomorphism in understanding non-human things. We have huge chunks of our brain devoted to understanding other people, since other people have been such a huge part of our environment for millennia. Leveraging that machinery in order to better understand other things is the kind of efficient repurposing of existing resources that Mother Nature loves.
* http://en.wikipedia.org/wiki/Intentional_stance

July 3, 2009 8:28 AM SM on The Insecurity of Secrecy:
Being a monoculture, it actually diminishes the level of overall resistance because once a flaw is found, the attacker can presume it is the same everywhere.

July 3, 2009 7:16 AM Jonadab the Unsightly One on Anti-Stab Knife:
> Knives are about the only implement of defense
I consider using a knife as a weapon to be just as cowardly as using a gun as a weapon. Real courage means facing down machine-gun-wielding burglars with a stern glare, grabbing them by the ear, marching them into the den, and standing there, arms akimbo, while they write out a full confession.

July 3, 2009 7:09 AM Jonadab the Unsightly One on Anti-Stab Knife:
And if 1% of the population thinks like my mom and wants one, it's a profitable business endeavor, particularly if he can get a patent.

July 3, 2009 7:08 AM Jonadab the Unsightly One on Anti-Stab Knife:
> But I need a stabbing knife how else will I cut
With a good pair of scissors. HTH. HAND.
My mom would probably buy some of these, if they were at all cost-competitive with other knives, on the grounds that she could toss them into the dishwater and not worry about poking her fingers when she reaches her hands in. She's afraid of that with regular knives.
Powered by Movable Type. Photo at top by Steve Woit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT. |
July 4, 2009 10:28 AM
jlc3 on Information Leakage from Keypads:
Cipher locks are subject to this as well. A friend, whose job is to manage the cipher locks on safe rooms (SCIFs etc.), pointed out that a light dusting of graphite on the buttons will quickly show use patterns as well.
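Editor's added example, not code from the page or from any of the commenters: how much the wear pattern on a keypad (or the fingerprint-dust and graphite tricks David Webb and jlc3 describe) actually narrows the search for the combination, which is the question the "Information Leakage from Keypads" comments circle around. Knowing which keys are used tells an attacker the set of distinct digits but not their order or which ones repeat, so the candidate codes are the sequences that use every worn key at least once and no other key; `codes_using_exactly` counts those by inclusion-exclusion and `enumerate_codes` lists them. The worn-key set "9816" is the code Miguel Farah gives for the first photo; the code lengths tried are assumptions.

```python
# Added example (editor's illustration, not code from the page or any commenter).
# Worn-key set "9816" comes from Miguel Farah's comment; code lengths are assumed.
from itertools import product
from math import comb, log2


def codes_using_exactly(worn_keys: str, length: int) -> int:
    """Number of codes of the given length whose set of distinct digits is
    exactly the worn keys.  Inclusion-exclusion over the sequences that use
    every worn key at least once (the count of surjections from the code's
    positions onto the key set).  Fewer worn keys than the code length means
    digits repeat; more worn keys than positions is impossible."""
    k = len(set(worn_keys))
    if k == 0 or k > length:
        return 0
    return sum((-1) ** j * comb(k, j) * (k - j) ** length for j in range(k + 1))


def enumerate_codes(worn_keys: str, length: int):
    """The concrete candidate list an attacker would try at the keypad, in a
    deterministic order; its length must agree with codes_using_exactly()."""
    keyset = set(worn_keys)
    for seq in product(sorted(keyset), repeat=length):
        if set(seq) == keyset:
            yield "".join(seq)


def leakage(worn_keys: str, length: int) -> dict:
    """Search-space reduction from the wear leak alone: all codes of that
    length versus those consistent with the worn keys, and the equivalent
    number of bits of the combination the keypad has given away."""
    total = 10 ** length
    left = codes_using_exactly(worn_keys, length)
    return {
        "total": total,
        "candidates": left,
        "bits_leaked": round(log2(total / left), 2) if left else None,
    }


if __name__ == "__main__":
    # Constructed scenarios: four distinct worn keys, then codes with repeated digits.
    for worn in ("9816", "981", "98"):
        for length in (4, 6):
            print(f"worn keys {worn!r}, {length}-digit code:", leakage(worn, length))
```

With four visibly worn keys a 4-digit code drops from 10,000 possibilities to 24 (about 8.7 bits of the combination leaked), which is why the commenters can read the code off a photograph; the remaining 24 can be tried by hand in minutes. Per-user codes, as Mark suggests, blur the pattern because the worn set becomes the union of everybody's digits, and they also give you the revocation and audit trail a shared combination cannot.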