
Investigating the impact removing password masking has on consumer trust (2014) - ingve
http://passwordmasking.com/
======
wrayjustin
I generally like the idea of providing users the choice to reveal their typed
password; many apps and sites have done so over the years. However, I have no
idea how the original idea of entirely removing the "password masking" passed
the "shower thoughts" phase, let alone made it into an academic research
project.

> How often is someone looking over your shoulder when you type a password?

When I'm in the privacy of my own home? Rarely. When I'm using a mobile device
(arguably where "unmasking" provides the most usability improvement) in
public? All the time. No, random strangers are most likely not paying
attention to your phone, but look around next time you go out there are
cameras _everywhere_.

Even the helpful mobile keyboard feature that shows you the last entered
character is a risk. Not to mention merely watching the interaction with the
onscreen keyboard. However, both of those require a moderate amount of
attention, versus just prominently displaying the full password unobstructed
all at once on the screen.

You may not think those cameras matter, but let's be honest, many people have
access to the data feed through those cameras. From the near-minimum-wage
"security" guard (or loss prevention) employee to the corporate security teams
storing the backed up footage.

Logging into your Hacker News account may present a low risk, but certainly,
this could be catastrophic when logging into your bank account. It's one of
the less acknowledged benefits of fingerprint readers and password managers
(combined). Unmasking that password entered by the password manager would
defeat this entirely.

Let it be an option, but don't do this by default.

~~~
joshvm
We got a laptop at work. It's an Acer gaming thing which we bought because it
was the cheapest thing we could find with a GPU in it. It also has an RGB
keyboard (which is terrible, half the keys stick). The default setting is to
flash a key when you press it, which then fades out over a second or two.

See the problem? Whenever you typed a password, you would see all the letters
you typed lit up on the keyboard conveniently in brightness order...

~~~
bluGill
If someone has an infrared camera they get the same information: the heat of
your fingers leaves traces on the keys you press.

~~~
arthur_pryor
Like... I get that this is technically true, but you see how the addition of
an infrared camera to the mix makes things much more cumbersome? Or rather, do
you see how obviating the need for an infrared camera makes discovering the
password much easier (because you don't have to acquire and place an infrared
camera, you're just handed the info via the visible spectrum)?

Clever trick with the infra cam, but I don't think you've shown the
equivalence of the situations in any practical sense. Maybe that wasn't your
point, and you were just offering a sorta-similar-but-not-really detection
technique?

~~~
bluGill
The infrared camera is not something exotic. Anyone who is interested in
discovering passwords will have one. Most people do not care - if I would post
my bank account password here most people wouldn't attempt to login to see if
it was real, and of those that do most wouldn't do anything bad. I still don't
post my bank info because of the tiny number of people who would abuse it:
they are mostly the same people as who would buy the infrared camera.

------
matt-attack
My biggest pet peeve regarding password masking is when it’s used on one-time
use MFA codes sent in texts. It’s completely preposterous that I need to be
protected against an eavesdropper while typing a one-time use code.

~~~
aitchnyu
My Indian bank even has two versions, one has cleartext, and is readable and
responsive. The other was designed for '90s desktops and is a password field.

------
karrotwaltz
Reminded me of NIST's digital policy guidelines (from 2017, so quite a while
after this page was published):

> In order to assist the claimant in successfully entering a memorized secret,
> the verifier SHOULD offer an option to display the secret — rather than a
> series of dots or asterisks — until it is entered. This allows the claimant
> to verify their entry if they are in a location where their screen is
> unlikely to be observed.

[https://pages.nist.gov/800-63-3/sp800-63b.html](https://pages.nist.gov/800-63-3/sp800-63b.html)
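
The NIST text quoted above says what the verifier should offer but not how. The following is an added example, not code from the linked page, from NIST or from any commenter: a "show password" control that starts masked, re-masks itself after a timeout and on blur/submit (so a revealed secret is not left on screen, which is the objection raised earlier in the thread), plus a helper that configures a one-time-code field as plain text, following the complaint above that masking SMS codes protects nothing. It is written against the HTMLInputElement properties (`type`, `inputMode`, `autocomplete`, `pattern`, `addEventListener`) but only assigns properties, so it also runs in Node against a plain object standing in for the element. The 10 s auto-hide value and the 6-digit code length are assumptions, not from the page.

```javascript
// Added example (not from the linked page or NIST): a "show password" toggle
// that is masked by default, re-masks automatically, and a separate helper for
// one-time-code fields, which should not be masked at all.

// Assumption: 10 s is long enough to check a typed entry; not from the page.
const DEFAULT_AUTO_HIDE_MS = 10000;

function createRevealToggle(input, options = {}) {
  const autoHideMs = options.autoHideMs ?? DEFAULT_AUTO_HIDE_MS;
  // Timer hooks are injectable so the behaviour can be tested without waiting.
  const setTimer = options.setTimer ?? setTimeout;
  const clearTimer = options.clearTimer ?? clearTimeout;
  let timer = null;

  // Start masked regardless of how the markup was authored. The thread above
  // summarises the page's finding as: an optional reveal is accepted, a field
  // that is revealed by default is not.
  input.type = 'password';

  function hide() {
    if (timer !== null) {
      clearTimer(timer);
      timer = null;
    }
    input.type = 'password';
  }

  function reveal() {
    input.type = 'text';
    // Each reveal restarts the countdown so a long check does not re-mask
    // mid-comparison, but the secret never stays visible indefinitely.
    if (timer !== null) clearTimer(timer);
    timer = setTimer(hide, autoHideMs);
  }

  function toggle() {
    if (input.type === 'password') reveal(); else hide();
  }

  function isRevealed() {
    return input.type === 'text';
  }

  // Re-mask whenever focus leaves the field or the form is submitted. In a
  // browser these are real DOM events; on a plain object the guard skips them.
  if (typeof input.addEventListener === 'function') {
    input.addEventListener('blur', hide);
    if (input.form && typeof input.form.addEventListener === 'function') {
      input.form.addEventListener('submit', hide);
    }
  }

  return { reveal, hide, toggle, isRevealed };
}

// A one-time code is not a memorized secret: it is valid once and for minutes,
// so masking it mostly costs entry accuracy. Configure the field as plain text
// with the hints that let mobile keyboards and autofill treat it as a code.
// Assumption: 6-digit numeric codes; adjust `digits` for other formats.
function configureOneTimeCodeInput(input, digits = 6) {
  input.type = 'text';
  input.inputMode = 'numeric';
  input.autocomplete = 'one-time-code';
  input.pattern = `[0-9]{${digits}}`;
  input.maxLength = digits;
  return input;
}
```

In a page this would be wired as `const ctl = createRevealToggle(document.querySelector('#pw'))` with the eye button calling `ctl.toggle()`; the field is still a native `password` input whenever it is masked, so browser and OS treatment of secure fields (autofill, the native show-password control mentioned later in the thread) is unchanged while hidden.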

------
donalhunt
2 comments:

1) This needs a [2014] tag.

2) This encourages password re-use and the 2019 guidance really needs to focus
on generating unique passwords for each site / property and storing it
somewhere secure. The push to move to other forms of security has never been
stronger.

~~~
plibither8
Just wondering, how does this encourage password re-use?

~~~
jlmb
When using a password manager you don't need to "check the input" or "correct
an error" or "see what characters have been typed" (the only "usability
problems" mentioned in the article).

------
crave_
I regularly type in passwords in front of several people who could watch the
input on screen.

This should never be the default.

------
larrik
The most egregious example of this was the old Windows connect-to-WiFi
password box, which not only masked the password, but made you enter it
_twice_. Why you had to enter it twice (when connecting, not creating the
password) is totally beyond me.

------
steve_taylor
Any operating system-level measure to prevent keyloggers logging secure input
fields is bypassed when input masking is disabled in the browser, except where
the browser natively provides a _Show password_ feature.

~~~
explodingcamera
What low level measures? Afaik if you have untrusted software running that can
globally listen to your keyboard you're f'ed.

~~~
im3w1l
Would be pretty neat if we could establish a trusted path from the keyboard to
the server using crypto-magic. Like the keyboard could encrypt using the
server's public key or something.

~~~
ljcn
The keyboard itself could encrypt the keystrokes before sending them to the
OS? That could work. Moves the threat to attacking the keyboard firmware.

------
enriquto
What needs to be removed is the password system entirely. I cannot believe
that in the age of public-key cryptography we are still using passwords for
serious security.

~~~
nottorp
Passwords can be entered from any device, while getting your private keys on
something you need to use in a hurry can even be impossible...

It's the old dilemma of machine-only protocols vs protocols that can be spoken
by a human typing on a keyboard.

~~~
astazangasta
How often are you using a new device you need to enter your password in that
you can't plug a Yubikey into?

~~~
nottorp
I don't know, when I'm borrowing a trusted friend's phone for example?

Say, can you tell me what the recovery process is if your Yubikey croaks while
you're on a trip away from home?

Every option has drawbacks.

~~~
astazangasta
I haven't ever done this, not even with my wife's phone, so I'd consider this
an obscure case.

As for the yubikey croaking, easy: carry a backup.

------
arkades
A web page from 2014 summarizing an article not about the safety consequences
of removing password masking, but the effect of removing masking on _consumer
trust_. Performed and written by a UI guy. No link to the academic article
it's referring to, at least that I found.

Summary: removing masking doesn't erode consumer trust if it's optional, but
they get leery of you if it's off by default.

------
nottorp
Where I'd really like the password masking to be optional is on mobile, where
I'm never sure if I typed a complex password correctly.

On desktop, like other people, I do type passwords while not alone in front of
the screen, and masking is fine.

------
helloguillecl
Interesting. I have seen password masking being used for OTP SMS codes.
Correct me if I'm wrong, but the password field in this case does not make it
more secure.

It is just about giving the impression of being secure?

