

Terrible Password Security Advice From Jakob Nielsen - lucumo
http://www.chriskite.com/2009/06/23/terrible-password-security-advice-from-jakob-nielsen/

======
bonaldi
From Nielsen's article: _But password masking and Reset buttons are not
something users actively seek out._

Reset buttons might not be, but password masking sure is. There's nothing
quite as startling as seeing your password in plaintext. Not having the
bullets is just going to make you _look_ insecure, and appearances matter in
the psychology of security. You don't want your users feeling insecure.

Even if this wasn't a daft idea, he's beginning to contradict himself, anyway:

_It's therefore worth offering them a checkbox to have their passwords
masked_

contradicts his claim on his "Reset buttons must die" piece:

_The extra choice requires extra thinking, and the time saved by using an
optimal interaction technique is often smaller than the time wasted on having
to think instead of just moving ahead with a single interaction technique that
is always used._

So for all the time you save by seeing your password in the clear, you lose by
having to deal with the extra checkbox.

Also worth noting: browsers have autofill these days. Just loading a page on
one of these browsers would be enough to disclose your passwords. Forget
shoulder surfing, just create a diversion, browse to a few sites on the
victim's computer, and you've got the lot.

~~~
whatusername
Someone pointed out... in FF 3.0.11 at least:

Edit > Preferences > Security > Saved Passwords > Show Passwords > Yes

Lists all my saved passwords in cleartext.

------
sanj
I'd like it both ways: I want a checkbox to show me my password if I chose.
Feel free to leave it off by default.

~~~
prodigal_erik
I'd like a typical GUI browser to let me right-click a password field and use
a "show secret text" option. But it should _never_ be the default, at least
not for people like me who present on laptops too infrequently to form
defensive habits around what my colleagues are about to see.

Why oh why can't we just carry around certs on USB fobs? Isn't it the future
yet?

~~~
jackowayed
I have that. Firefox web developer toolbar. It lets you do pretty much
anything, including "Forms->Show Passwords".

I'm pretty sure there's no easy way to make it the default behavior, but
you're just 2 clicks away from having it on the page you're viewing.

~~~
stcredzero
This is not appropriate for general consumers. They need a right-click "Show"
option.

------
Sam_Odio
I've found that novice users often associate hidden passwords with encryption.
They think that because they can't see the password nobody else can.

These users are often more likely to use a less secure password in visible
prompts out of fear of compromising their more secure ones.

~~~
psadauskas
Then maybe that's the solution. A browser in SSL mode hides the password by
default, while unencrypted connections get the visibly "unencrypted" password.
Would then also keep most people from using their best passwords on insecure
sites.

------
pkulak
The biggest problem is that if passwords are put in text boxes, I can just
hammer the back button after another user has been using the browser until I
get to a login form and see the password.

------
jsz0
It's a shame we don't have more sophisticated authentication systems for the
web yet. I don't believe any tweaking of password authentication is going to
make it safer or easier. The weak link is always the human choosing,
remembering, and entering the password. If we ever want to make the web more
secure we'll need something that is a mixture of smarter software complemented
by hardware (RFID, public keys stored on USB sticks, RSA key generators,
SmartCards, etc.)

------
tlrobinson
Surprisingly Schneier agrees with Nielsen:
<http://www.schneier.com/blog/archives/2009/06/the_problem_wit_2.html>

------
nwjsmith
There has been a lot of hubbub about Nielsen's comments lately, but it isn't
the first time I've seen this.
<http://letsfreckle.com/blog/2008/12/calamity-howlers/> describes why the
freckle team decided to show the password. I think that it depends on the web
app; if your customers are the type that would look at this as a security
risk, then mask the password. Just realize that password masking really isn't
protecting passwords.

------
dreish
Just out of curiosity, why aren't we using certificates for authentication
instead of passwords by now? They can't possibly be worse overall, can they?

~~~
randallsquared
Several reasons. First, that's only useful for a single browser (or if the OS
can manage the cert, a single computer or maybe domain account). Using certs,
there's no easy way to log in from your friend's house, or from the internet
cafe.

Second, it would have to be supported at the browser level well enough to be
at least as easy as password usage, which is hard, since password usage is
super-easy, as long as you choose a weak one (and people avoid sites that
enforce good passwords, if they can). I'm using Safari, and I can't find
anything about client-side certificates in the prefs. I know IE and Firefox
support them fairly well, as I've used them for intranet sites in the past,
but I don't think it's easy. Basically, the first time a site demanded a cert,
the browser would have to walk someone through generating one, and it's hard
to see how that could be made easy enough for people to sit through it.

Third, any cert that has a password to unlock is going to be at least as
difficult for the user as just using a password, and any cert which _doesn't_
require a password will be vulnerable to being stolen by trojans, etc.

You can get all the good things about using a cert by just making your site
SSL-only and using a cookie, and this also avoids some of the bad things
(inconvenience), but not all (vulnerability to trojans).

------
rriepe
I tend to agree with the article here. There might be some immediate, apparent
benefits to just showing the password, but in the long run a hidden password
is helping the user more.

It's frustrating to mistype a password and not realize it, sure, but it's
much, much worse to have your password fall into the wrong hands just because
someone happened to look at your screen at the right moment.

------
dylanz
What about a feature for HTML that would allow a configurable amount of
plaintext "follow" when typing into a password field... for example:

<input type="password" follow="1"/>

Then, when I type in my password, it will show your password as stars, but
with the last 'follow' number of characters in plain-text... like:

Follow of 1: * * * * * * * a

Follow of 3: * * * * * tra
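
An emulation of the `follow` idea above, added here as an example and not code from the thread: the `follow` attribute is hypothetical and no browser implements it, so this keeps the real secret in a hidden input (the `data-follow` and `data-target` attributes are assumptions of this example) and lets the visible text box hold only the masked rendering.

```javascript
// Pure masking rule: every character except the trailing `follow` ones
// becomes '*'. A follow of 0 is ordinary full masking; a follow larger than
// the value shows the whole value.
function maskWithFollow(value, follow) {
  const keep = Math.max(0, Math.min(Number(follow) || 0, value.length));
  const hidden = value.length - keep;
  return '*'.repeat(hidden) + value.slice(hidden);
}

// Apply one edit to the real (unmasked) value. Only end-of-string edits are
// accepted, which is how passwords are typed anyway; anything else (paste in
// the middle, drag and drop, ...) is ignored so that the secret and its mask
// can never drift apart.
function applyEdit(real, inputType, data) {
  if (inputType === 'insertText' && data) return real + data;
  if (inputType === 'deleteContentBackward') return real.slice(0, -1);
  return real;
}

// Wire a visible <input type="text" data-follow="N" data-target="id"> to the
// hidden <input id="id"> that actually carries the secret.
function attachFollowMask(visible, hidden) {
  const follow = visible.getAttribute('data-follow');
  visible.value = maskWithFollow(hidden.value, follow);
  visible.addEventListener('beforeinput', (ev) => {
    ev.preventDefault(); // the browser must never edit the masked text itself
    hidden.value = applyEdit(hidden.value, ev.inputType, ev.data);
    visible.value = maskWithFollow(hidden.value, follow);
  });
}

// Browser-only wiring; skipped when this file is run outside a page.
if (typeof document !== 'undefined') {
  document.querySelectorAll('input[data-follow]').forEach((visible) => {
    const hidden = document.getElementById(visible.dataset.target);
    if (hidden) attachFollowMask(visible, hidden);
  });
}
```

Because the visible element is a plain text input, it should carry `autocomplete="off"` so the browser does not offer to save the masked rendering as if it were the password.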

------
mdemare
Pfff. Show password technology is here today: type password, select all, cut,
type username, tab, paste, enter. But I want the _option_ to mask the
password.

I prefer the OSX wifi password dialog, with a checkbox to show the password
that's off by default.

------
known
Try this on Firefox. Go to <http://news.ycombinator.com>

    1. Right click
    2. View Page Info
    3. Click on Security Tab
    4. Click on View Saved Passwords

------
calcnerd256
The semantics of a password input say nothing of its presentation. It is up to
the browser to render the password field with clear text, stars, or whatever
style it is configured to use.

