
The Pros and Cons of Password Masking (follow-up from Schneier) - gthank
http://www.schneier.com/blog/archives/2009/07/the_pros_and_co.html
======
ErrantX
Where to begin :) Last time I pointed out that Nielsen was out of his comfort
zone with security. This time, well, damn :P I have to pick it apart much more
intelligently.

> I believe that shoulder surfing isn't nearly the problem it's made out to be

I don't agree with points one and three that he makes related to this.
Firstly, yes, people do use machines in private: but define private. I am sitting at
a "private" machine right now at home. But my family could walk in at any
moment (it sucks, tip 101: never move home after university, it's cheap for a
reason :P) and see an important password. Now I trust them implicitly, but a
Facebook password is just too tempting for my brother :D And if my friends
come over I could well need passwords then; that is more of a risk. Plus of
course many, many people don't use computers in this much privacy (i.e. my own
office). I check mail at work, for example. People use cyber cafes all the
time.

Secondly, his third point is wrong, I think. Most people type slowly enough for
easy reading of what's on screen. Another example: many people I know (normal
people, not tech literates) will stop typing, find the mouse and click
"login".

He talks about a non-alphanumeric string: I'm, err, not sure what that means. But
anyway, the human brain is usually quite quick at recalling visual scenes in
the short term, especially if casually noticed. Quite long passwords could be
easily remembered for a few minutes after they are gone.

He also asserts that unmasking passwords will encourage people to choose
something longer and more secure. I'd like to see a study to prove that,
because it is a BIG statement. Besides, Schneier should know that any good
security system should make a person's password choice as immaterial as
possible! I honestly take the opposite view: that people will just use
passwords like they usually do (a memorable word and some numbers [and only
the latter if forced]). Asserting that clear text might encourage them to use
capitals in their password doesn't make much sense to me.

Finally, one huge issue he doesn't really address is expectation. People expect
passwords to be obscured. It's how they know it's a password, and it gives them
silent assurance of the security of the site.

And another important point that got wholly overlooked: if we go with some
passwords hidden, some not, that is a BIG risk. People usually use the same or
similar passwords for all their services. So if "mysupersecretsite" hides the
password but "myotherneatsite" doesn't, then it is a big break in the security
chain.

Now I am not at the core disagreeing with what he has to say about masking.
HOWEVER I do think the suggestion that it is the choice of the site is wrong.

In an ideal world the site should advise the browser, and the browser should
override it if told to by the user. But currently only one or the other is
really possible, and in such a scenario the browser should win. Simply
because on an issue like this it _should_ be user choice, not site admin
choice :)

That said, nice to see Schneier weighing in on the issue: I still think he's
giving far too much value to some minor benefits/points, but... :)

------
pj
I appreciate the thinking outside the box on the security issue, but I'm
really surprised anyone would even think for a second that it's a good idea
not to hide passwords from those looking over your shoulder.

Maybe an option to "show password as you type" would be okay, but leave it
unchecked by default.

~~~
Bjoern
"Show password as you type?"

I think that would be a bad idea. Users normally go the way of least
resistance. If you allow this, in the next iteration of the software the
default would be checked because of too many complaints etc.

------
ryanwaggoner
The real problem I see is that the majority of users would freak out if their
password wasn't masked, as if it's somehow an implication of lax security
overall. Users have been trained for the last twenty years to expect that when
they type in a password, it'll be masked. Even me: I'm a web developer and if
I hit a website where the password was unmasked, I would just assume they had
no idea what they were doing.

------
chollida1
I like the compromise that the iPhone has made in this regard.

The iPhone will show the last letter that you typed while masking out the
previous characters, so only one letter is visible at a time.

This way I get some confirmation that my password is correctly typed without
giving away the farm.

------
mhb
Why _does_ Windows make you type the WEP key twice? That's always annoyed me.

~~~
Bjoern
Please don't use WEP anymore. WEP is totally broken and with 5000-10000
packets you can easily guess the used keys.

Don't do it. Don't use WEP.

------
TweedHeads
A checkbox for mask/unmask will suffice, masked by default.

Fact: there are a lot of people in the world who, in the comfort of privacy, would
like to see what is being typed.

Solution: give them the option to decide.

Everybody else can have their password masked anytime, no compromise.
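An added example (not code from the thread or from any of the commenters) that models the two behaviours discussed above: chollida1's iPhone-style rule that only the most recently typed character is visible, and the opt-in "show password" toggle that pj and TweedHeads want masked by default. The mask character, the reveal timeout, and the function names are my own assumptions; the real value is kept separate from the rendered text so that what the screen shows is always derived from policy, never the other way round.

```javascript
// Assumed parameters: a bullet as the mask glyph and a 1.5 s window during
// which the last typed character stays visible (iPhone-style behaviour).
const MASK_CHAR = "\u2022";
const REVEAL_MS = 1500;

// Pure rendering policy: given the real secret and the display flags, return
// what the visible field should show. Masked is the default in every case.
function displayText(secret, { showAll = false, revealLast = false } = {}) {
  if (showAll) return secret;                 // user explicitly opted in
  if (secret.length === 0) return "";
  if (!revealLast) return MASK_CHAR.repeat(secret.length);
  // iPhone compromise: everything hidden except the character just typed.
  return MASK_CHAR.repeat(secret.length - 1) + secret[secret.length - 1];
}

// A small field model. The caller draws render() into the visible input and
// submits value(); timestamps are injectable so behaviour is testable offline.
function createPasswordField() {
  const state = { secret: "", showAll: false, lastTyped: -Infinity };
  return {
    type(ch, now = Date.now()) {
      state.secret += ch;
      state.lastTyped = now;                  // start the reveal window
      return this.render(now);
    },
    backspace(now = Date.now()) {
      state.secret = state.secret.slice(0, -1);
      state.lastTyped = -Infinity;            // deleting reveals nothing
      return this.render(now);
    },
    toggleShow(now = Date.now()) {            // the "show password" checkbox
      state.showAll = !state.showAll;
      return this.render(now);
    },
    render(now = Date.now()) {
      const revealLast = now - state.lastTyped < REVEAL_MS;
      return displayText(state.secret, { showAll: state.showAll, revealLast });
    },
    value() { return state.secret; },         // what actually gets submitted
  };
}
```

In a browser you would wire `type`/`backspace` to key events on a plain text input, write `render()` back into it, and send `value()` on submit; the checkbox simply calls `toggleShow()`.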

