30-06-09, 08:19
#1 (permalink)
Administrator
Masked Passwords - really that *******?
Masked passwords must go - The Register
Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers.
Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They say the practice inconveniences users with no security benefit at all.
Most websites that require passwords allow a user to see the login name as it is typed in but replace the password with dots or asterisks as it is typed so that the password cannot be viewed either by another person looking at the screen or by the user.
What are your thoughts? As a heavy computer user, I don't get put off with my password being masked. I find it reassuring that I don't have to worry about people watching me as I type it.
Is this article touching on a point, or just a waste of Internet space?
__________________
Stuart Gilbertson
The Scottish Business Blog - The Scottish Business Blog is your portal for business support and advice.

30-06-09, 12:11
#2 (permalink)
SBF Regular
Location: Edinburgh
Thanks for posting this, Stuart.
I totally agree with Nielsen. I have had this view for a long time, but have never said anything publicly for fear of being regarded as being lax on security (which I'm not).
Obviously, there are situations where masked passwords are essential: public computers in Internet cafes and libraries; computers in busy offices or sited near external windows; etc.
But there are also many more cases where there is no risk of anyone seeing the password on the screen, or where users can easily take steps to avoid being overlooked. In those cases, a masked password is a nuisance.
The most ridiculous example I know is on my iPod Touch. This is a tiny device that can be held in one hand. It's the easiest thing in the world to hold it close to your body so that no-one can see the screen. In fact, it's more difficult to show the screen to someone than to hide it. And yet it forces you to type passwords on its minuscule touch keyboard with no way of checking that the password is correct.
Another stupid example is in software for administering databases, servers and the like. In SQL Server, for example, there is a feature to allow an administrator to manage passwords. But at no time is the password actually visible. You can never check that the user has been given the correct password, or whether the password is easily guessable, because nobody can ever see it. This is even more ridiculous given that this feature is normally only used by privileged administrators working in their own offices, away from public gaze.
In my own applications, I have adopted a different approach. For user login screens, I do mask the password. But for password admin functions, I default to showing it in clear. But I include a "hide password" checkbox for the benefit of users working in a public area (or those who can't cope with the idea of a password that's not a string of asterisks).
Be interesting to hear what others think.
Mike
Last edited by Mike Lewis; 30-06-09 at 12:11.

30-06-09, 16:07
#3 (permalink)
Part of the furniture
At home or in my own office I find the masked password a damned pest.... But certainly in an open office or in public I'd like the (default) option to mask it ...
I like your idea Mike...
__________________
Matt Quinn
_________________________________________________
TFGtv.com
Corporate communication for small businesses!

02-07-09, 19:14
#4 (permalink)
Administrator
Location: Lossiemouth, Moray
Quote:
Originally Posted by Mike Lewis
Obviously, there are situations where masked passwords are essential: public computers in Internet cafes and libraries; computers in busy offices or sited near external windows; etc.

Even this isn't secure as Nielsen himself points out; if someone really wants your password and is staring over your shoulder they will be watching your keystrokes, not your screen.
I think that masking provides confidence to some and frustration to others; this will be one of those battles that will run and run. Ultimately until W3C change the specs for the <input type="password"> tag, as far as the web is concerned things are unlikely to change.

02-07-09, 19:34
#5 (permalink)
SBF Regular
Location: Edinburgh
Quote:
Originally Posted by Gordon N
Even this isn't secure as Nielsen himself points out; if someone really wants your password and is staring over your shoulder they will be watching your keystrokes, not your screen.

Good point, Gordon.
Quote:
Originally Posted by Gordon N
Ultimately until W3C change the specs for the <input type="password"> tag, as far as the web is concerned things are unlikely to change.

But web designers aren't obliged to use that tag. There's nothing stopping you using an ordinary input field for a password. I wonder how many of them use it either out of habit or because they assume it's the only thing to do.

02-07-09, 19:41
#6 (permalink)
SBF Regular
Location: Edinburgh
Another thing that irritates me is websites that surround themselves with high security when there's nothing of any value to secure.
An example I have in mind is a property search site which I occasionally use to keep in touch with house prices. If you register with the site, you can save your search criteria, so that you don't have to enter them each time.
But in order to register, you not only have to give yourself a password, you have to answer all those silly questions about your pet's name and your favourite holiday destination. And if you lose your password, there's the usual rigmarole about getting a new one.
But with a site like that, what on earth is the use of that degree of security? If you lose your password, you can just register again. And if someone manages to discover your password, so what? The worst that can happen is that they will know what type of property you are interested in, but since they wouldn't have any personal details to connect that to -- not even your name -- I can't see how that would embarrass anyone.

03-07-09, 07:46
#7 (permalink)
Administrator
Location: Lossiemouth, Moray
Quote:
Originally Posted by Mike Lewis
But web designers aren't obliged to use that tag. There's nothing stopping you using an ordinary input field for a password. I wonder how many of them use it either out of habit or because they assume it's the only thing to do.

You're right, we're not obliged to use it, but we are encouraged by W3C and our peers to create meaningful and semantic code. With there being a type specifically for password entry it is seen as the best option by many. It's a tricky one for sure, a text input named 'password' may be almost as semantic but that's where the habit element kicks in I suppose.
In the interest of being as professional a designer as possible I value very highly the ability to conform to web standards at the strictest levels. It's used as a measure of knowledge, understanding and skill by many inside and outside the industry.
Good point though Mike, and something for me to ponder on again!

09-07-09, 19:22
#8 (permalink)
Administrator
Location: Lossiemouth, Moray
Okay so this thread has been dead a couple of days now, but I just finished reading a tutorial on how to implement iPhone/mobile password masking on websites. You probably know what I mean, but if not it's when you see the character you have entered briefly before it is masked with a dot/star.
Would that kind of deal with both sides of the previous discussion?
Your thoughts....
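
Added example, not written by any poster and not taken from the tutorial mentioned above: a sketch of the two ideas raised in the thread, a reveal option that defaults to masked and the mobile-style brief reveal of the last typed character. The names `createPasswordField`, `MASK` and `PEEK_MS`, and the one-second reveal window, are assumptions made for illustration.

```javascript
// Added example, not from the thread. `input` is any object with a `type`
// property, for instance a real <input> element in a browser.
const MASK = "\u2022";   // bullet drawn in place of each hidden character
const PEEK_MS = 1000;    // assumed length of the brief reveal, in ms

function createPasswordField(input) {
  let chars = [];                 // characters typed so far
  let lastInsertAt = -Infinity;   // time of the most recent insertion
  input.type = "password";        // masked unless the user opts in

  return {
    // Typing or pasting: only the final character is eligible for a peek.
    insert(text, now) {
      chars.push(...Array.from(text));
      lastInsertAt = now;
    },
    // A deletion must not expose the character that is now last.
    backspace() {
      chars.pop();
      lastInsertAt = -Infinity;
    },
    // Opt-in reveal, the inverse of a "hide password" checkbox.
    setReveal(on) {
      input.type = on ? "text" : "password";
    },
    // The string to draw at time `now`.
    display(now) {
      if (input.type === "text") return chars.join("");
      const peek = chars.length > 0 && now - lastInsertAt < PEEK_MS;
      const hidden = MASK.repeat(chars.length - (peek ? 1 : 0));
      return peek ? hidden + chars[chars.length - 1] : hidden;
    },
    // Call from the form's submit handler: restore the password type so the
    // browser handles the value as a password rather than as ordinary text.
    beforeSubmit() {
      input.type = "password";
      lastInsertAt = -Infinity;
      return chars.join("");
    },
  };
}
```

The field stays `type="password"` except while the user has asked to see it, which keeps the semantic markup discussed above and limits the time the value is on screen.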

All times are GMT.