
Response to Nielsen’s “Stop Password Masking” - asmosoinio
https://blogs.sans.org/appsecstreetfighter/2009/06/28/response-to-nielsens-stop-password-masking/
======
lacker
Often I am in meetings or talks where someone is giving a presentation with
their computer screen hooked to a projector and wants to log in to some site
to demonstrate something. Without password masking that would be pretty
unsafe. The usability concerns seem pretty silly to me in comparison.

~~~
wglb
But doesn't the checkbox suggestion take care of that situation?

------
staunch
I think not using password masking is actually a new usability problem in
itself. People think your site isn't secure, or their password isn't secret,
without masking.

I suppose if you mask it after they type it in, that would probably mitigate
the problem. The way the iPhone does it, one character at a time, is probably
the best compromise.

~~~
gojomo
I would prefer the iPhone did passwords all-clear, at least as an option.

The small repositionable screen makes shoulder-surfing more difficult, more
obvious, and easier to shield manually. And if someone has video trained on
the screen/keyboard, no masking is enough to help.

------
wglb
Nielsen's article makes good points, as does the sans.org article reviewing
it.

But isn't any security solution a little invasive?

------
TweedHeads
Those who say password unmasking is retarded have never entered a WPA Wifi
password...

Twice.

~~~
bhousel
Doesn't everybody else just copy-paste those?

