Comments on: Password Masking

By: LonerVamp

LonerVamp — Mon, 29 Jun 2009 13:37:16 +0000

I forgot to add that this is one of those grumpy-sounding posts by Schneier. A “get off my lawn!” sort of moment.

If we really want to get this ornery, then we should see a companion case against regular password changing/expiring because that degrades a customer experience when they forget they changed it yesterday and have to increase support calls to work the issue out.

All in all, a useful discussion, but some things just don’t need to be changed, really. :) The risk savings is low if not actually in the red…and the real risk of elaborate setups like reflections is admittedly exceedingly low for most. :)

By: LonerVamp

LonerVamp — Mon, 29 Jun 2009 13:29:48 +0000

Barnes & Noble AT&T Wifi access pages feature a non-masked password entry. I admit every time I type that in I feel like I’m pulling down my pants, standing up, and waddling around while the login processes. I hate it.

I saw thsi fly through the pauldotcom mailing list last week, and I’d restate one of my points about an unmasked password, depending on the circumstances: We lose the ability to effectively know no one else saw the password.

It’s tough to watch someone type a password and be able to reproduce it. But it is not tough to get the briefest of glimpses of a password and be able to reproduce it. Especially when so many passwords are, at their base, a word or easy phrase with a few char subs and/or numbers/non-alphas behind them.

I also am in regular position to see and be seen typing in my passwords.

By: Wesley McGrew

Wesley McGrew — Mon, 29 Jun 2009 01:51:08 +0000

The iPhone OS that runs on my iPod Touch and my wife’s iPhone does that, and I really think it’s great for a device where you’re likely to make typing errors, and small enough to easily move around and shield from prying eyes.

When implemented on a larger, stationary scree, though, I’m not sure if it’s much more secure than just showing the password unmasked. Anyone watching over-the-shoulder or with some camera rig as described above could catch the password easily, without the user having the recourse of being able to move or shield the display.

By: marc

marc — Sun, 28 Jun 2009 22:43:59 +0000

Don’t be so quick to throw this to the wayside. Perhaps we should employee the G1’s technique, and mask characters after a second of them being visible. Once you begin typing a subsequent character, it is masked. This allows people to see that they may have mistyped a character. It may further aide HCI without dramatically reducing security.

By: Mike

Mike — Fri, 26 Jun 2009 16:08:45 +0000

I agree. Also, if I see a website or application with an unmasked password, then I also assume that the people that created it have a lower level of security awareness. If it’s unmasked to the user, then it’s probably plaintext in a database somewhere too. I would probably end up using a less secure password and use the same one for every website/application. Same goes for websites/apps that email passwords in plaintext.