Password Masking

Slashdot asks if password masking -- replacing password characters with asterisks as you type them -- is on the way out. I don't know if that's true, but I would be happy to see it go. Shoulder surfing, the threat it defends against, is largely nonexistent. And it is becoming harder to type in passwords on small screens and annoying interfaces. The IoT will only exacerbate this problem, and when passwords are harder to type in, users choose weaker ones.

Posted on July 19, 2017 at 10:35 AM • 67 Comments

Comments

Bob Dylan's Twitching Eyebrow • July 19, 2017 10:42 AM

"Shoulder surfing, the threat it defends against, is largely nonexistent."

It is nonexistent precisely because of password masking. It is a bizarre claim to make that we no longer need a security strategy precisely because the strategy is working.

david in toronto • July 19, 2017 10:49 AM

Huge difference between no masking and the ability to reveal (or delayed masking of individual characters).

Paul • July 19, 2017 10:58 AM

I remember that you've covered this before and I recollect you changed your mind after a debate. Are you raising it again because of phones and IoT devices?
I do agree that it's harder on smaller devices but I've found that password vault apps do help here ...

Christian Golden • July 19, 2017 11:04 AM

"It is nonexistent precisely because of password masking. It is a bizarre claim to make that we no longer need a security strategy precisely because the strategy is working."

How can you say that definitively? He did not make that claim (that "we no longer need a security strategy precisely because the strategy is working").

Indeed, how easy it is to dismantle an argument when you are the one presenting both sides.

Hacker • July 19, 2017 11:16 AM

This is just embarrassing for you to say Bruce. What about risk? Threat non-existent in all circumstances? Are you saying that ATMs can start showing the PIN codes?

No, you aren't.

All security is relative to risk. Pronouncements like this without any reference to risk create as much difficulty as they try to solve. Is it too much to ask you to say that the control (password masking) is overused and more prudent risk based use would enhance the overall state of security?

Andrew • July 19, 2017 11:22 AM

Usually this is done wrong because the text field contains the password. It should only offer input feedback and the password should be stored in a safe string.
Every time you press a key, a random number of asterisks should be filled into the textbox. The drawback is that it is a bit harder to edit a specific character, but it is far safer.

jojo • July 19, 2017 11:26 AM

I disagree too. Password masking is very important depending on circumstance. Logging into a resource on the big screen during a presentation with a room full of people? I have enough of a problem worrying about people watching the keyboard as I type, let alone worrying about who can see my screen over my shoulder or through the window.

Uthor • July 19, 2017 11:49 AM

I never got masking on smartphones. If you can see the password, you can see the keyboard that is on the same screen.

f • July 19, 2017 11:53 AM

I'm working on my laptop during my train commute to work. I'm already worried enough about people watching what I type on the keyboard while typing in my password; it would be way worse when my password is visible in plaintext on the screen while entering it!

Matthew E • July 19, 2017 12:05 PM

I agree with Bruce, but only if the user has a choice. I think this should be handled at the OS level on devices, leaving the user to decide if and when they want to have masking turned on or off. It would be very easy to make this a user-friendly option.

ab praeceptis • July 19, 2017 12:07 PM

Hacker

Uhm, Bruce Schneier didn't write that; he merely linked to it and made a remark about his view on one aspect of it.

I personally, btw. am somewhere in the middle. I see both arguments as valid; over the shoulder watching *is* a problem (occasionally at least) and at the same time hiding what one types is a problem, too (sometimes). My take is that using asterisks but showing the currently typed letter for half a second or so is probably the best spot between the two diverging camps.

cat • July 19, 2017 12:17 PM

There are times when you want password masking. When I enter my passcode on my cellphone, which happens quite frequently out in public, well it's short and easy to memorize. No password masking, and now anyone who shoulder-surfs for just a moment can swipe my cellphone and have access to all my email. Not so safe... Though just showing each character for a second would suffice to provide security.

Now my WIFI, the password is long and complex. Getting the capitalization, spacing, and punctuation right is non-trivial. Showing that password is a huge help. Really, what's someone shoulder-surfing going to do? Use my internet connection? And judging by past experience, it's going to take more than a few tries for them to get it right...

Ultimately it comes down to how simple/complex the passwords are, and how much they protect. Seems like the best option is to hardcode a password field into HTML et al and allow it to toggle show/show-for-a-moment/hide the password.

Richmond2000 • July 19, 2017 12:31 PM

I would say the environment the IoT device is used in is more of a deciding factor for password masking.
i.e. a "smart" thermostat in a hall only needing the Wi-Fi password is different from a VPN login on a digital projector that might be in a presentation hall.

Bill • July 19, 2017 12:34 PM

I'd be OK with the way Lotus Notes implements password masking when entering the password for your ID file:

you get a random number of masking characters (they use "X" instead of "*") for every password character you type,
AND
a changing hieroglyph is visible (an image of a key ring with various keys and dongles) that changes as you type. When your password is correct the hieroglyph will always be the same image for that password. The password itself cannot be guessed, even if somebody knows the hieroglyph image (at least that's what I was told in train-the-trainer class by IBM/Lotus). For example, the hieroglyph for my password might be the key ring with a blue key, a yellow key, a bottle opener, and a beach ball.

Peter Green • July 19, 2017 12:38 PM

What about screen capture? Surely that's an issue in some cases. It is certainly what stops me from wanting to see the password I am typing, and not seeing it keeps your mind clear and on the task at hand.

Clive Robinson • July 19, 2017 12:45 PM

There are several types of masking. Most simply use an asterisk per character, which leaks the length of the password.

A very few use funny sized characters that also change as new key presses are made, making it harder to count the password length.

The real problem however, is no form of masking works if an attacker can get access to the work environment to place a CCTV camera that can see both the keyboard and screen. Such cameras can be hidden in fake ceiling sensors that look like fire/smoke detectors, or they are hidden at the edges of ceiling tiles or light fittings. But even this need not be done if the organization's CCTV system can be accessed from the Internet.

So yes it's long past time to dump passwords and all the masking and other nonsense that goes with them.

The question thus is how to replace the passwords... But we have been here so many times before and passwords are still here...

Rachel • July 19, 2017 12:54 PM

This morning, in a European country, I stood in a line at a cafe whilst a young woman made a purchase with her card. The POS terminal looked just like an iPad in a vertical position facing outward towards the customers. The woman had no concept of covering her PIN, but even if she did it would have made little difference. Her finger press into the very large keypad display was clearly visible to anyone within virtually 180 degrees. I am sure this is not uncommon.

testicular • July 19, 2017 1:01 PM

I love the lock screen on the BlackBerry 10 devices, called "Picture password". A grid of random numbers superimposed on an image of your choosing. Your "password" is a point on the screen and a number between 0 and 9. Drag your number to the secret spot and the device unlocks.

It's safe to do even if someone is watching your screen...

Prohias • July 19, 2017 1:13 PM

The ubiquity of cameras, only guaranteed to be even more ubiquitous in the future, suggests revealing characters typed by default isn't a good idea. I've personally fielded calls from people who have mentioned they accidentally entered passwords on a website accessed on their mobile phones, and later realized there was a camera. It would be good to A/B test if revealing passwords typed in instead of using masking asterisks causes people to use stronger passwords, to see if there is a valid tradeoff here.

John Levine • July 19, 2017 1:29 PM

You're old enough to remember where this came from: password entries on Model 33 Teletypes and other printing terminals, where the masking characters blotted out the printed password on the paper.
Since we switched to screens, it's become cargo cult security, just like "change your password every N days" which comes from an old password cracker on Unix systems where the hashed passwords were in a file visible to all the users and the change time was slightly less than the time it took to run a crack program on a PDP-11.

Matthias U • July 19, 2017 1:47 PM

Not masking a password strongly suggests to the user that this password is either unprotected server-side, or useless. Personally I'd assume that cleartext passwords end up being *weaker* than masked ones, for that very reason.

Worse, a password agent may not even recognize an unprotected field as something it should insert the password to.

Just Passin' Thru • July 19, 2017 2:08 PM

I'd think a good design would have a button that toggles between displaying password characters and asterisks (or even other chars), giving the user more control over device security depending on the environment (which can change as potential shoulder surfers come by).

Bruce Schneier • July 19, 2017 2:50 PM

"This is just embarrassing for you to say Bruce. What about risk? Threat non-existent in all circumstances? Are you saying that ATMs can start showing the PIN codes?"

Of course not. I'm thinking primarily of smart phones and small IoT devices.

Bruce Schneier • July 19, 2017 2:53 PM

"Password masking is very important depending on circumstance. Logging into a resource on the big screen during a presentation with a room full of people? I have enough of a problem worrying about people watching the keyboard as I type, let alone worrying about who can see my screen over my shoulder or through the window."

I agree with this. And if people -- cameras, really -- can watch your keyboard as you type, masking is irrelevant. I find that mobile devices are much easier to secure from other watchers, and -- because their input devices are sub-optimal -- it has changed the trade-off between password masking and giving people the ability to see their password as they type it.

Peter Boughton • July 19, 2017 3:10 PM

"I'm thinking primarily of smart phones and small IoT devices."

Primarily, or solely?

Either way it would be a lot clearer if the blog title was suffixed with "on Portable Devices".

David • July 19, 2017 3:30 PM

Personally I would like the option to either see what I entered or have it obscured, so that I could make the choice appropriate to the situation. There are some devices that I find it difficult to enter complex passwords on, so unless I have some way of seeing what I have entered and correcting mistakes I use easy to enter passwords.

Waldo • July 19, 2017 3:40 PM

I know Bruce made it (more) clear that this is more of a comment regarding IoT and mobile devices, and there I tend to agree, however for PCs password masking is crucial especially for remote access. Every day I access someone's system remotely and need them to type their password to grant access / allow some action - I do not want to know their password, if password masking was not in effect this would never have worked.

Citizen9879 • July 19, 2017 4:26 PM

Have you seen the film Citizenfour?
How Ed hid under a blanket when he typed his password?

A towel is the most important item a hitchhiker can have!

USBkill • July 19, 2017 5:01 PM

Yeah funny how times change. Now the basic security provision is mousejiggler countermeasures to stop arbitrary government privacy interference. Shoulder surfers were always fake, like terrorists. People realize that the real threat is lawless government internal security staff.

Clive Robinson • July 19, 2017 5:52 PM

@ Citizen9879,

As I've mentioned before I prefer an umbrella, it's almost always acceptable to have one with you.

And if you think about it, being "ham fisted" with an umbrella such that it drops really low over you is quite acceptable when faffing around trying to unlock a phone, because you have to use two hands...

As for the blanket idea, I think you will find it has been discussed on this blog a while before anyone here had heard of Ed Snowden.

As I've mentioned before, a blanket, a three gate drying rack, a tray with a cushion/bean bag under it with a cassette recorder or similar playing noisy music and an oscillating desk fan with metal blades to muck up any RF imaging should enable you to use an old (pre WiFi) laptop reasonably securely against "End point end run attacks" by CCTV and various forms of microphone and other sensors. All of those things you would expect to find in a flat / apartment / house or other domestic dwelling.

David Wilson • July 19, 2017 7:04 PM

As a person with a neurological disorder (and very shaky hands), having the option to see the dots/asterisks is a great benefit. The tiny screens of iPhones are practically unusable now for me. I can only use computers and junk phones.

10 years from now, as my disorder progresses... forget it. No way that I would even think about using an iPhone.

Attila S • July 19, 2017 8:23 PM

"The IoT will only exacerbate this problem, and when passwords are harder to type in, users choose weaker ones."

Unless there is a password complexity check in-place to filter out weaker ones.

B. D. Johnson • July 19, 2017 8:44 PM

While we're at it, can we start ditching the various places that don't let you paste a password? That offers pretty much no enhanced security since, if something's installed that can monitor your clipboard, capturing keystrokes is trivial. Same goes for the people going on about using masking to evade screen captures: if they can install something to capture your screen to get your passwords, they're certainly able to capture your keystrokes.

Thoth • July 20, 2017 1:08 AM

About time to migrate away from passwords to hardware tokens with PIN and biometric, which forms a three factor authentication since the hardware would use a cryptographic Challenge-Response. This will handle the issue of passwords being predictable and with low entropy since cryptographic challenges would use much higher entropy than passwords.

This means that the PIN entry can be a short 8 digit PIN and masking wouldn't be too troublesome. Of course to prevent brute force, hardware backed retry counters have to be used as well. Even if someone were to choose a PIN with low entropy (e.g. 99999999), a retry counter (e.g. 3 retries) would limit the retries and make up for the low entropy of the PIN. A PIN Unlocking Key (typically a 3DES, AES or HMAC MAC key) would be used to reset the PIN, and it has a longer bit length and entropy to be suitable for a crypto key.

Thus, the issue to mask PIN/Password entry will not be an issue if short PINs are paired with tokens for authentication into critical systems. Entering 8 digit PIN on tiny screens will also not be an issue since it is only 8 numbers.
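A software model of the scheme Thoth describes, added here as an illustration; it is not Thoth's code nor any real token's firmware, and the PUK value, the 8-digit PIN format and the retry limits are constructed assumptions of the example. A real token keeps the counters and secrets in tamper-resistant memory; here they are plain object fields.

```javascript
// Added example (not from the post or any commenter): PIN retry counter with a
// PIN Unlocking Key (PUK), as described in Thoth's comment above.

// Constant-time comparison over char codes so a wrong PIN or PUK does not leak
// how many leading characters matched through timing.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

const PIN_FORMAT = /^\d{8}$/; // assumption: 8 decimal digits, as in the comment

class Token {
  constructor(pin, puk, { pinRetries = 3, pukRetries = 10 } = {}) {
    if (!PIN_FORMAT.test(pin)) throw new Error("PIN must be 8 digits");
    this.pin = pin;
    this.puk = puk;                  // long, random unlocking key
    this.maxPinRetries = pinRetries;
    this.pinRetries = pinRetries;    // hardware-backed counter in a real token
    this.pukRetries = pukRetries;    // the PUK has its own, non-resettable counter
  }

  get pinBlocked() { return this.pinRetries === 0; }
  get destroyed()  { return this.pukRetries === 0; }

  // Every attempt costs a retry. The counter is decremented BEFORE the compare
  // so that interrupting the check (e.g. cutting power) cannot buy a free guess.
  verifyPin(candidate) {
    if (this.destroyed || this.pinBlocked) {
      return { ok: false, retriesLeft: this.pinRetries };
    }
    this.pinRetries -= 1;
    if (constantTimeEqual(candidate, this.pin)) {
      this.pinRetries = this.maxPinRetries;   // success restores the counter
      return { ok: true, retriesLeft: this.pinRetries };
    }
    return { ok: false, retriesLeft: this.pinRetries };
  }

  // Reset the PIN with the PUK. A wrong PUK burns a PUK try; at zero the token is
  // unusable for good (a real device would also zeroise its keys).
  unblock(puk, newPin) {
    if (this.destroyed) return false;
    const before = this.pukRetries;
    this.pukRetries -= 1;
    if (!constantTimeEqual(puk, this.puk)) return false;
    if (!PIN_FORMAT.test(newPin)) throw new Error("PIN must be 8 digits");
    this.pukRetries = before;        // a correct PUK does not consume a try
    this.pin = newPin;
    this.pinRetries = this.maxPinRetries;
    return true;
  }
}

// Chance that an attacker with no knowledge of the PIN succeeds before the
// counter blocks the token: retries / 10^digits. For 8 digits and 3 retries
// that is 3e-8, which is why a weak PIN is tolerable behind a counter.
function guessSuccessProbability(digits, retries) {
  return retries / Math.pow(10, digits);
}
```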

Clive Robinson • July 20, 2017 2:08 AM

@ Thoth,

About time to migrate away from passwords...

Yup it's long long overdue. Passwords were known to be a bad idea back in the 1960s, but due to resource issues were the only viable solution back then.

But as you note there are many other options these days, even a TAN printed list is better than passwords.

However as history shows any replacement solution will be for "convenience" not security. Thus it will probably be less secure in most respects.

Thus we need to consider multiple security levels/matrix on the likes of mobile devices to stop the likes of "LEO Snatches". That is a user should have the equivalent of multiple data silos and application containers. Thus if the phone is grabbed when unlocked for a phone call etc., all the snatcher gets is the phone app (and not of necessity even the directory).

Users should have not just the right, but the tools to set up their devices as secure as they wish even if it looks totally paranoid to most.

Lord Buckethead • July 20, 2017 2:49 AM

I understand the frustration with password entry on small devices such as phones and tablets and the increased need to visually verify you got it right. I've seen a trend that many/most mobile apps include a checkbox to "Show password" right on the same screen, so since the option to show or not show one's password is there, it becomes a moot point. The best of both worlds is to have password masking as the default security but offer the option for the user to quickly disable masking. Win-win.

I think it would be a step backwards to outright stop the practice of password masking, since both shoulder surfing as well as malware/hacker screenshotting are very real threats.

Wael • July 20, 2017 3:05 AM

It's a mistake to think something can replace passwords without degenerating the "factors of authentication". To protect methods of password entry and storing is a more rational approach. In my opinion, of course (goes without saying.)

Adam Trickett • July 20, 2017 3:19 AM

A lot of Linux software now has show password as an option on password screens. In many settings, e.g. at home it's pointless and only leads to errors and frustration, and as Bruce says encourages people to select generic easy to type passwords that are also easy to crack.

Masking the password makes sense but only in some circumstances and it is counter productive to enforce it everywhere.

ab praeceptis • July 20, 2017 4:24 AM

Thoth, Clive Robinson

I don't think that pass phrases will go away anytime soon. Pretty much all alternatives are not sth-you-know but sth-you-have or sth-you-are.

And don't you forget the most limiting factor of all: humans. You know, the bio-systems that can't be bothered to use somewhat longer pass phrases than 5 or 6 digits/chars.
Just look at the ATM abscess: 99.x% happily enter 4 digits and do not even listen when you try to tell them how insecure that is. Change PINs to 6 or, god forbid, 12 digits and you'll have their full attention - and lots of gasoline-soaked wood under yourself and them looking for lighters.

I agree with Thoth, however, wrt. to (the many) scenarios where not user comfort but security is the priority. Even there we will often need a sth-you-know element but there should be others, too.

And btw., I'm no fan of sth-you-are systems like scanners of all kinds. Looks cool in movies but: keep in mind that your control of all those scans of your retina are frighteningly limited.
Just imagine, for a terrifying example, that some metropolitan public transportation system switched to retina scanning and you get a glimpse of all the ugly monsters that rear their heads.

The way that Thoth is walking along is much more reasonable but keep in mind that those super-duper-secure chips *can* be - and have been - hacked, sliced and diced and also that we have little reason to believe that the software stack is trustworthy (I personally trust nothing with any kind of java being used).

We will continue to need the sth-you-know element. We should work on implementing it better.

Example: There should be a good and seriously well engineered passphrase system service (a library) that takes into account whether any external screens are connected and that offer *very few* end user configurable settings with sensible default (e.g. milliseconds to show an entered passphrase char/digit where 0 means to not show them at all).
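The entry widget that Andrew, Clive and ab praeceptis sketch between them, as an added example that is not code from the post or any commenter: the secret is kept in its own buffer and only a display string is derived from it, the last typed character stays visible for a configurable number of milliseconds (0 means never shown), a toggle reveals the whole password, and an optional random-width mask keeps the asterisk count from giving away the length. The injectable `rng` and the millisecond timestamps passed to each call are assumptions made so the example runs deterministically offline.

```javascript
// Added example (not from the post or any commenter): a model of a password
// entry widget combining delayed masking, a reveal toggle and random-width masks.

const MASK = "*";

class MaskedInput {
  // rng is injectable so tests are deterministic; a real widget would draw the
  // mask width from crypto.getRandomValues.
  constructor({ revealMs = 500, randomWidth = false, rng = Math.random } = {}) {
    this.secret = "";        // the real password; never handed to the display
    this.widths = [];        // mask characters shown per secret character
    this.reveal = false;     // state of the "show password" toggle
    this.revealMs = revealMs;
    this.randomWidth = randomWidth;
    this.rng = rng;
    this.lastKeyAt = -Infinity;
  }

  keyPress(ch, now) {
    this.secret += ch;
    // 1..3 mask characters per secret character when randomWidth is on,
    // otherwise exactly one, which leaks the length (Clive's point above).
    this.widths.push(this.randomWidth ? 1 + Math.floor(this.rng() * 3) : 1);
    this.lastKeyAt = now;
  }

  backspace() {
    if (this.secret.length === 0) return;
    this.secret = this.secret.slice(0, -1);
    this.widths.pop();
    this.lastKeyAt = -Infinity;   // deleting never re-reveals an older character
  }

  toggleReveal() { this.reveal = !this.reveal; }

  // The string the screen shows at time `now` (milliseconds).
  render(now) {
    if (this.reveal) return this.secret;
    const total = this.widths.reduce((a, b) => a + b, 0);
    const masked = MASK.repeat(total);
    if (this.secret.length > 0 && now - this.lastKeyAt < this.revealMs) {
      // delayed masking: the last mask character is replaced by the last typed one
      return masked.slice(0, total - 1) + this.secret.slice(-1);
    }
    return masked;
  }

  value() { return this.secret; }   // what is actually submitted
}
```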

Dirk Praet • July 20, 2017 5:09 AM

@ Thoth, @ Clive

About time to migrate away from passwords to hardware tokens with PIN and biometric which forms a Three Factor authentication since the hardware would use a cryptographic Challenge-Response.

Haven't we been saying this for quite a while now?

MFA + compartmentalization is the only correct way to go, adoption of which IMO unfortunately remains slow because of the usual security v ease of use dichotomy. Which is not to say that nothing is being done. Most COTS operating systems and services nowadays already allow it - either baked in or through 3rd party utilities - but it is still very much up to the end user or corporate BOFH to implement it.

Blue Devil • July 20, 2017 6:51 AM

Bruce,

I see how it makes typing a password very hard, and even harder on a phone with big thumbs on tiny screens. However, if you choose a very tough password to begin with, the shoulder surfers may not remember it even if they are watching.
Meanwhile, on a big screen computer where everything you type can be seen from farther away, removing the masking might not be a good choice. But if you have 2FA, maybe you don't have to worry about it. Unless a secure 2FA is made compulsory, not the text or call the phone kind, I think passwords are still going to be taboo.

A new and hardworking policeman came to a shady town full of crime. He worked hard to police the town and make it much safer. Now that the town is safer, getting rid of the whole police station might not be the greatest idea of all. Human beings are programmed to try easier shortcuts in life. And they will not disappoint you by creating the easiest "complex" passwords that can be remembered by any shoulder surfer while you're on a big screen. Remember privacy screens usually have about 20 degrees of vulnerable viewable angle. So that's a good solution but not the best one.

Just my 2 cents.

Clive Robinson • July 20, 2017 8:02 AM

@ ab praeceptis, Dirk Praet, Thoth, Wael,

We will continue to need the sth-you-know element. We should work on implementing it better.

This is something I discussed with @Wael a little while ago (can't remember the thread off the top of my head).

The point is that the most dangerous thing that the majority of people will come up against in the West is not a government thug with a rubber hose or soldering iron, but a judge.

It's becoming clear that increasing numbers of a certain type of employers will pursue programmers, marketing bods and others with vengeful and frequently baseless accusations through either the civil or criminal court.

Likewise LEOs are being given increasing powers to grab and keep assets for "crime prevention" where it's the officer who is judge, jury and beneficiary. The most recent example is one where if you have a void in your vehicle, an officer can assume it's there for drug smuggling with absolutely no other evidence... All vehicles have voids built in as standard, and it's not possible to fill many of them up and still have a safe and usable vehicle.

Much of the judiciary are looking not to examine evidence to the level required these days because their case load is far too high.

Thus the only factor you have as protection against a system clearly loaded against the individual is "Something-you-know", as judges can and have repeatedly ruled against individuals on the "Something-you-have" and "Something-you-are".

But as has been pointed out since the 1960's humans and passwords are not a very strong combination. But what are humans better at knowing than passwords?

Amongst others are pictures, places and times. There are picture based authentication schemes and have been since graphics terminals of sufficient resolution became available. However picture systems are generally "not secret" or, if theme based, fairly easily deducible from a couple of shoulder surfs, likewise the swipe your finger in a pattern from dot to dot systems.

Time and place are not a lot of use for normal use as nobody wants to have that constraint on a regular basis.

However they are of use after a security incident. That is if your phone is snatched after a certain time it becomes inaccessible to biometrics / tokens / passwords even if they are correct. They only become valid at a certain time and place. These can also change with time or the number of false tries etc. Thus if say after ten false tries or 48 hours the phone will not unlock no matter what is done "outside of correct time and place", then a judge is in effect stymied, and their only resort is to jail you for contempt, which will achieve precisely nothing in accessing the data. Especially if you put the place outside of the jurisdiction.

The problem however is hardware bypass tricks. That is an LEO or other adversary with sufficient resources takes chips out and copies their contents. This was the problem with Apple's solution that led to the deliberately made public court case the DoJ instigated and hoped to profit by, only to withdraw the case on a technicality when it looked like they were going to lose.

The simple solution is in effect not to do the authentication on the phone itself but outside of the jurisdiction. Likewise I've discussed ways to do this before on this blog with @Nick P amongst others. Put simply the phone has an embedded private key and a public key of an off shore service. It uses these to pass across the authentication data in a secure way, and get in return a 256-bit number which, if the authentication was correct, will produce the encryption key for one or more data silos or application containers.

On i

boomslang • July 20, 2017 10:09 AM

The easiest and best solution is as follows. For each character in the password:

- If the ascii code of the character is even, insert a random number of *'s between 0 and the ascii code mod 7.
- If the ascii code of the character is odd, REMOVE a random number of *'s between 0 and the ascii code mod 12.
- If the ascii code of the character is a prime number, insert a single 'X' or 'K', because a 'K' is just an 'X' that's flat on the left side. (If removing *'s, removal stops at an X, but not at a K).
- If the ascii code in hex ends in an F, insert three Y's.
- Finally, if the character is punctuation, toggle caps lock.

Well, either that, or just leave masking as it currently is. It seems to work well enough.

albert • July 20, 2017 10:20 AM

The logical and rational solution is to allow the user to choose how passwords are handled. It's simple. Many commenters here seem to think that there should be only one solution. Why?

. .. . .. --- ....


Clive Robinson • July 20, 2017 11:38 AM

@ Albert,

Many commenters here seem to think that there should be only one solution. Why?

Long answer short,

1, Lazy users.
2, Support calls.

Whilst I'm pro choice, most users neither know nor appreciate security. They just want to get a job done and would use just hitting the enter key if they could.

For many years various gurus have pushed the principle of "least surprise", not just in the code but especially the User Interface. If things can "work differently", certain situations such as "hot desking" can become fraught and generate lots of support calls for extended hand holding.

If the BOFHs fix everything from the receptionist to the CEO to all work the same way, things will be more secure, support calls will be less and the cost of each support call will be lower...

Dirk Praet • July 20, 2017 1:01 PM

@ albert

The logical and rational solution is to allow the user to choose how passwords are handled.

I would expand that to letting the user, or in a corporate context BOFH, decide on the authentication method or readily available MFA combination thereof, with the OS or application default set to moderately secure. Then it's up to the security conscious and paranoid to raise the bar and up to the careless to shoot themselves in the foot by lowering the same.

albert • July 20, 2017 2:29 PM

@Clive, @Dirk,
Actually my question was kind of rhetorical, but I appreciate your replies nonetheless.

I've fat-fingered my bank's p/w* on a full-sized keyboard, so I can imagine how it would be to try the same thing on my 2.25" x 4.5" iFone. Fortunately, I only use it for talking, or, if forced, texting.

I'm all for MFA, especially in banking. That's the only thing I really -have- to do online. Of course the problem now is that -every- BS website needs a user name and password, so we almost have to use password managers (my PM is a small spiral bound notebook, locked in the safe:).

Individuals are personally responsible for their own security, which is as it should be. I'm not fond of laws that protect people from themselves (things like motorcycle helmets and seat belts being the exception)

Corporations are at least morally responsible for protecting their customer/user data. I would make a terrible corporate security manager. 'Draconian' wouldn't even begin to describe my policies.
...

Clive, you mentioned: "...That is an LEO or other advisary with sufficient resources takes chips out and copies their contents...."

Our company used to use 2-part conformal coatings on both sides of the board. They were clear, but also available in black:)

--------
* My bank's draconian p/w lockout is to be avoided at all costs, but kudos to them for enforcing it.
. .. . .. --- ....

trsm.mckay • July 20, 2017 2:38 PM

To Bruce's specific point, I agree that as cameras become ubiquitous where mobile devices are used, password masking has much less value. Still has value against people, as it avoids giving away too much info to a quick glance; requiring the attacker to pay close attention for the seconds it takes to enter the password and subjecting them to a better chance of being caught. But totally agree that when entering complex passwords on a small multi-mode keyboard, a "reveal" password button is a nice feature.

On the larger topic, I am firmly in the multi-factor camp. I won't go into details on my past rants (why the "3 factors" is conceptually too limiting, that factors are not interchangeable, and how trusted is the "trusted device"). The important part is I believe the future of authentication is having a trusted device attest that it performed multiple biometric and other authentication checks on your behalf (as far as I am aware, the iPhone finger-print reader was the first wide-spread commercial implementation of this paradigm).

There are multiple reasons to rely upon trusted-devices, including privacy (your biometrics, or their hashes, don't travel outside of the device), biometric flexibility (how long would it take Google or Facebook to acquire a new type of biometric reference for their roster of users), better use of biometric fusion (where multiple methods are used to cross-check each other, as opposed to typical multi-factor where each factor is fairly isolated and can be attacked with little concern of being detected by the other factors), and finally the potential to reduce the hassle factor of authentication (my example is something like HoloLenses that does continuous retina scans {needed for mixed-AR anyway} and heart-beat pattern analysis, and occasional samples of others like voice, gait, etc.).

Of course that is placing a whole lot of trust in the device; both by the user, and to a lesser extent the relying parties depending upon its attestations. Further complicated by the amount of off-device processing needed by the next generation or 3 of these devices (the size/power constraints of wearables vs. the considerable amount of algorithm calculations needed for mixed-AR). If these obstacles can be overcome (homomorphic encryption has some real promise for the off-device calculations), than I think we could have low-hassle and high-quality authentication. Until you forget your HoloLenses at home, or they get run over by your new teen driver :-)

Damn, I think they just revoked my utopian society membership card.

rick • July 20, 2017 2:54 PM

Optional and sure for small devices it's ok.
But don't take it out of my conference room projection system!

MikeA • July 20, 2017 3:17 PM

@John Levine : While I remember masking on TTYs, it was done before the password was entered, and only for systems that were half-duplex with no option for echo-suppress. Were there systems that did it even with reliable full-duplex?

@Clive: Carrying an umbrella in Hong Kong may be considered far from "acceptable".
I know, you said "almost".

About ATMs. Only one of the banks I use _allows_ more than four-digit PINs. Sigh.

SnarkSide • July 20, 2017 6:28 PM

Masking helps when you need to share your screen via WebEx and the like. Without the masking your passwords would be typed in plain view.

Google Password Sniffer • July 21, 2017 4:01 AM

"Shoulder surfing, the threat it defends against, is largely nonexistent."

WRONG.

Password masking was designed to GIVE YOU THE ILLUSION that the computer programmer doesn't know what you typed into that password field.

Password masking is a fraud upon users.

vas pup • July 21, 2017 8:55 AM

http://www.bbc.com/future/story/20170720-the-hidden-ways-your-language-betrays-your-character
"Of course, these days we also spend our days sending emails, blogging and posting updates to Twitter. And – you guessed it – it seems we betray our personalities in these digital forums too.
By analyzing the content of nearly 700 blogs comprising hundreds of thousands of words, researchers at the University of Texas at Austin found that the words people used matched up to the way they reported their own personality: for instance, those who viewed themselves as more agreeable used fewer swear words.
But the team went further, even pinning personality traits down to the use of specific words. High scorers on “openness to experience” were more likely to use the word “ink” and – predictably – extroverts are more likely to say the word "drink".

It’s a similar story on Twitter. Other research has found that extroverts tend to refer to positive emotions and social situations more frequently, while high scorers in neuroticism (or emotional instability) tend to use more first-person singular pronouns, like “I” and “me”. The latter fits with the finding that those experiencing emotional turmoil use these words more liberally.
In fact, it seems we can’t help trying to decipher the personalities of the people we meet from the language they use. We’re constantly judging – right down to a person’s digital labels. Those with more numbers in their email address, for example, are seen as less conscientious. Meanwhile we tend to think that humorous addresses are more likely to belong to extroverts (though this isn’t true)."
I guess password selected is mapping your character as well.

Duncan • July 21, 2017 10:06 AM

With complex passwords on a phone, masking is pretty much a denial of service. So I type the password in another app (usually Notes) and then cut and paste it into the password field. All kinds of security problems with doing that. So yeah, password masking weakens security.

In general, any security measure that is so troublesome that it results in users looking for ways to circumvent it is a bad idea.

JonKnowsNothing • July 21, 2017 10:25 AM

Password Masking works and then it doesn't work. Sort of like Crypto works but it doesn't work... right?

There are a whole load of flaws in the design and implementation. Many of which have already been pointed out.

Small Type/Tiny Input Boxes: It may be just perfect for those with youthful eyes and nimble fingers, but a whole pile of folks can't even see the input box chars because the fonts are too small and the input line is too tiny.

One solution is to zoom the size so it's readable/typeable, but those tiny devices are not designed this way. So.. back to bad design specs.

Shoulder Surfing I: It happens all the time. I have to shoulder surf and I ask others to shoulder surf for me too.

# Am I in the right input box? Your password is trash if you type in the wrong lines.

# Did I type the right sequences? ****** doesn't help me figure out if I get a typo in there and as many systems barf completely if you get it wrong 3 times. You end up in a round robin trying to get a decently long password typed correctly. So .... back to Is this the BEST we can do?

If your device is compromised (whose isn't, either legally or illegally) then all those ***** are just window dressing (ahem). The real password was keylogged on the press and the **** are just for show. So.. back to Security by Obscurity.

Password Managers: the BEST method for compromising everything. One Password to Rule Them All, In the Hands of Crooks where the Spooks and Grifters Are. So... back to One Key At A Time

Shoulder Surfing II: You might think no one is watching. You might think no one will see. You might very well think that but... Nearly everywhere you go, nearly every location has a crapton of surveillance: videos, audio, tracking, signal-jacking. Having a cuppa? There's a surveillance video.

Visiting your MD and having a private chat (or so you might think)? There's video and audio of that too. The GlassHoles are back. Your MD is going to be wearing one while recording your entire medical visit. It's faster than typing up medical notes so it saves time and money (really??) and it's just as easily forged in case the Front Falls Off(a).

Think you are safe at home? SIRI and her Cohorts are there just for you. Your home video security IDIOT device is Watching.. mostly watching you.

So while many consider shoulder surfing is something that happens when you stand in line at an ATM machine, it's EVERYWHERE. So back to... What were we TRYING to accomplish?

iirc: There was a story that Snowden covers himself and his devices completely when entering anything sensitive. Because WHY??? Well, I think he shows what he knows.

There's every sort of biometric capture and evaluation now. They don't have to see what you type, they can capture your typing rhythm, they can watch where your eyes move. They can capture the reflections from your glasses.

We are going to need to be wearing burqas... Except in some places it's illegal to wear them because it interferes with shoulder surfing.

It's not about the security... It's about the stupidity.

**** or 11111 or 99999 or 162984adsrafa124312dshakhfds .. it doesn't matter what you display.

The input box design is based on a flawed concept based on other flawed designs which are based on even worse designs.

Security isn't even an issue because it's not there at all.

(a) check out: The Front Fell Off video (Clarke and Dawe)

Wael • July 21, 2017 10:30 AM

@vas pup,

for instance, those who viewed themselves as more agreeable used fewer swear words.

Holy crap, what a discovery. Damn it, vas pup! I fully freakin' agree with that.

I guess password selected is mapping your character as well.

In my case, it maps to my environment. Also some people lack character, which presents a null pointer dereference potential if not handled correctly :)

sandy • July 21, 2017 11:49 AM

To not mask passwords is the most idiotic thing I've read today.
When you have so many mobile & IOT devices that mistyping a password is a problem, then maybe you should rethink your life and the crap you surround yourself with.

Me • July 21, 2017 12:29 PM

These fields should still default to masking.

I don't know how many times I've been on a WebEx meeting and the person signs in to a web page with their LDAP.

I will sometimes retort, "I see you use the same password I do," since the masking makes it all *s. Without masking on by default so many people would be broadcasting their passwords around the world.

Wael • July 21, 2017 1:43 PM

@Bruce Schneier,

Of course not. I'm thinking primarily of smart phones and small IoT devices

In that case, there are at least a couple of solutions: work under the assumption that the password will be snooped. This marginalizes password masking controls. Two example solutions are presented. The first one I mentioned more than once and revolves around the idea of "non-static-looking" passwords. It's called Securematrix -- the name is actually in all caps, but I don't like caps. It does have a couple of weaknesses, but it is still much, much better than plain old password entry systems (I have no vested interest in this product or company.)

The second solution (that assumes the password will be captured) is to anchor or bind the password to specific devices. If the password is captured, it won't aid the "attacker" in any way, shape, or form as it's only valid on the IoT or mobile device. I won't talk about multi-entity authentication (as opposed to multi-factor authentication) as I spoke of that on several occasions somewhere in the not so deep bowels of this establishment.

There are other solutions, too. Go forth and innovate.

As for password masking... it's a good control to have. It, by itself isn't sufficient in some cases.

Wael • July 21, 2017 2:08 PM

@Bruce Schneier, cc: @Rachel

"Shoulder surfing, the threat it defends against, is largely nonexistent."

Hmmm! You typed this on a mobile device. You must have mistyped your password(s) a gazillion times, hence the personal interest in the subject.

@Rachel,

I have good eyes, too. Too bad my eyes detect errors in other people's work and not in my own. But hey! I'm as close to perfection as they get. Ho hum!

Freezing_in_Brazil • July 21, 2017 2:14 PM

I think we have to move to other data types than strings for passwords. Maybe images would do. I can think of something like entering a series of emoji-like images in a field. The server stitches these images together into one and stores it as a blob. Easy to remember, hard to crack.

Or maybe I'm completely wrong.

Tõnis • July 21, 2017 6:43 PM

On my BlackBerry 10 smartphone I have a choice. I can display the password or the asterisks. I prefer to have the choice.

Clive Robinson • July 22, 2017 9:10 AM

@ Freezing_in_Brazil,

I can think of something like entering a series of emoji-like images in a field.

The characters used to make emojis form a very restricted alphabet. The emojis are in effect known two and three letter words which in turn form a very limited dictionary.

Whilst it might look random at a glance it is very far from that.

Worse, humans being bad at memorising random word lists will try to form a sentence with them or a story around them. To make this easier many will rearrange the order of the words, which has the failing of reducing the entropy[1].

It is likely many users will do exactly the same with emojis.

[1] To see the problem, write the numbers from 00 to 99 as two digit numbers. Then order the digits in each number from low to high and remove duplicates; you will find the list of numbers has shrunk a lot, and is somewhat biased. Further, then remove the repeated digit numbers 00, 11... 99, because it's quite rare to have the same word twice in a sentence or story.
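Clive's footnote can be checked by brute force, and the same count extends to word or emoji lists of any length. This is an added example, not part of the thread; the closed-form counts and the 7776-word dictionary size used for illustration are my own assumptions.

```python
from itertools import product
from math import comb, log2


def distinct_after_sorting(alphabet, length, allow_repeats=True):
    """Brute force: generate every sequence of `length` symbols, sort each one
    (a user rearranging words to make a story) and count the distinct results."""
    seen = set()
    for seq in product(alphabet, repeat=length):
        if not allow_repeats and len(set(seq)) != length:
            continue  # drop the 00, 11, ... 99 style repeats
        seen.add(tuple(sorted(seq)))
    return len(seen)


def two_digit_demo():
    """The footnote with digits 0-9: 100 ordered pairs shrink to 55 once
    order is discarded, and to 45 once doubled digits are dropped as well."""
    digits = "0123456789"
    return (10 ** 2,
            distinct_after_sorting(digits, 2),
            distinct_after_sorting(digits, 2, allow_repeats=False))


def candidate_count(dictionary_size, words, allow_repeats=True, ordered=True):
    """Closed form for the same counts, usable for real dictionary sizes
    (assumed formulas, not from the thread): ordered with repeats k^n,
    ordered without repeats k*(k-1)*...*(k-n+1), unordered with repeats
    C(k+n-1, n), unordered without repeats C(k, n)."""
    k, n = dictionary_size, words
    if ordered and allow_repeats:
        return k ** n
    if ordered:
        count = 1
        for i in range(n):
            count *= k - i
        return count
    if allow_repeats:
        return comb(k + n - 1, n)
    return comb(k, n)


def entropy_loss_bits(dictionary_size, words):
    """Bits of entropy lost if an attacker may assume the user has reordered a
    randomly drawn word list into whatever order made the best story."""
    ordered = log2(candidate_count(dictionary_size, words))
    unordered = log2(candidate_count(dictionary_size, words, ordered=False))
    return ordered - unordered


if __name__ == "__main__":
    print(two_digit_demo())                      # (100, 55, 45)
    print(round(entropy_loss_bits(7776, 6), 1))  # about 9.5 bits for six words
```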

Clive Robinson • July 22, 2017 9:31 AM

@ MikeA,

Carrying an umbrella in Hong Kong may be considered far from "acceptable".

Or Riga, Latvia, where the first modern --and successful-- "Umbrella Revolution" happened.

It's funny how quickly we can forget some things, but not others like the briefcase in Tiananmen Square just over 28 years ago.

Gregory • July 24, 2017 5:06 PM

Masking passwords absolutely has to be required when they are auto-filled on a web browser. Even for a toggle allowing a person to turn on/off masking, one would have to be very careful about how it is implemented.
