
HalfMask - an Experiment in Password Masking - nirmal
http://lab.arc90.com/2009/07/halfmask.php
======
tptacek
Let me just say, as retarded as I think this whole masking kerfuffle is, play
with it or don't play with it, but if you don't mask passwords in your login
box, expect to spend $10,000-$20,000 extra on your PCI auditors (and then
restore password masking) when you decide to accept credit cards.

~~~
gojomo
I don't think anyone has suggested individual sites should override the
browser behavior.

The interesting question is whether client software (browsers/add-ons) should
offer another option. And if it did, would the Payment Card Industry auditors
demand a site override the user's choices, for example by simulating a masking
password field outside the default HTML widgets?

~~~
baxter
I agree, this should be a user choice rather than site-specific.

The HTML 4.01 spec doesn't dictate how passwords should be obscured, although
it does suggest asterisks. I think it would be reasonable for browser vendors
to provide an alternative means of obscuring passwords.

If the PCI auditors aren't happy with this, and given the leniency of the HTML
4.01 spec (I haven't checked any other specs), should they take this up with
the W3C?

------
umbrae
Hey guys, I'm the author of HalfMask - please let me know if you have any
feedback, or you can check out the source on google code:
<http://code.google.com/p/halfmask/>

Forking to try new things is heartily encouraged - I'd like to see new
approaches to password masking.

~~~
bcl
The masking characters need to be more similar to the characters being typed,
e.g. "ll" is easily readable with letters like "nrs" in the background.

~~~
umbrae
This is a good thought - I had implemented character set matching (uppers to
uppers, numbers, etc.) before, but I worried that it made it almost too hard to
read for the user.

You'll notice that I'm only using lowercase letters currently - that was an
intentional choice as it seemed too obscured when using a fuller character
set.

I'll give this another look though and see if there may be a good middle
ground.

------
jwecker
There is an argument in the whole masking debate that doesn't really have
anything to do with security: it is that filling out a box and having the
characters masked is a well-known usability metaphor for users, implying the
content should be kept hidden and implying (though it's not always true) that
in the backend it is also kept secure. The metaphor comes from ATMs etc. All
security aside, when the vast, vast majority of casual computer users finally
have a computer metaphor nailed down, it's usually very counterproductive to
try to change it. Like trying to move the "File" menu to the far right of the
menu bar for your next desktop app...

------
nirmal
I modified his code to do the iPhone style masking. It masks everything except
the last character. Demo page is unmodified. You can see it here:
<http://nirmalpatel.com/hacks/halfmask/demo.html> and a diff of the code:
[http://nirmalpatel.com/hacks/halfmask/jquery.halfmask.js.dif...](http://nirmalpatel.com/hacks/halfmask/jquery.halfmask.js.diff)

~~~
baxter
I like that, but it would make more sense if backspacing through a password
didn't reveal each letter.

------
jokull
My idea is the best: reveal on mouseover

~~~
Nwallins
How about having to select the (masked) text, to take it a step further?

~~~
blhack
If you highlight this, it pretty much reveals what the password is.

I know that isn't what you're talking about, but it is close. I know that I
couldn't read this even when I knew what I was typing until I highlighted it.

------
drcode
The demo actually works better than you would think: easy to read for the
writer, hard to read for a shoulder surfer.

------
JBiserkov
I like the idea. But how about LCD screens where the angle changes everything?
Right now it's difficult to read from the side, but "a piece of cake" from
above.

------
chaosmachine
Nice try, but I think this is the worst of both worlds. Still insecure in many
situations (screencasts, presentations, or any time you might be recorded),
and it's harder to character count than normal asterisks.

------
vaksel
The whole point of masking is so that you don't give away your password when
you are using a projector (giving presentations etc.)... this is no different
than not masking the thing at all.

~~~
modoc
Well, that's certainly part of the point, but it's also to prevent casual
shoulder surfing/people walking by/etc...

I guess I'd prefer to see something like how the iPhone handles it, where each
char is shown for a split second before being masked. It lets you see that you
haven't typo'ed, and yet ensures that your whole password is never sitting on
the screen.
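The iPhone-style behaviour nirmal and modoc describe (mask everything except the last typed character, then hide it again after a moment), with baxter's point that backspacing must not reveal letters, as an added example in plain JavaScript; it is not HalfMask's own code, and the mask character, the 800 ms reveal window and the hidden-input wiring are assumptions:

```javascript
// Added example: "iPhone-style" masking logic kept separate from the DOM so it
// can be tested; MASK and the 800 ms reveal window are assumed values.
const MASK = "*";

// What the visible field should show after the real value changes from
// `prev` to `next`. Only a character appended at the end is ever revealed;
// a backspace or an edit in the middle re-masks the whole string, so
// deleting through a password never exposes it one letter at a time.
function maskDisplay(prev, next) {
  const appended = next.length === prev.length + 1 && next.startsWith(prev);
  if (!appended) return MASK.repeat(next.length);
  return MASK.repeat(next.length - 1) + next[next.length - 1];
}

function maskAll(value) {
  return MASK.repeat(value.length);
}

// Holds the real secret and the current display string, and hides the
// revealed character again after `revealMs`. Timer functions are injectable
// so the behaviour can be driven deterministically in tests.
class HalfMaskController {
  constructor(revealMs = 800, setTimer = setTimeout, clearTimer = clearTimeout) {
    this.value = "";
    this.display = "";
    this.revealMs = revealMs;
    this.setTimer = setTimer;
    this.clearTimer = clearTimer;
    this.timer = null;
  }

  // Call with the full new value on every input event; returns the text to
  // render in the visible field. The real value stays in this.value, which
  // is what the form would submit (e.g. from a hidden input).
  update(next) {
    this.display = maskDisplay(this.value, next);
    this.value = next;
    if (this.timer !== null) this.clearTimer(this.timer);
    this.timer = null;
    if (this.display !== maskAll(next)) {
      this.timer = this.setTimer(() => {
        this.display = maskAll(this.value);
        this.timer = null;
      }, this.revealMs);
    }
    return this.display;
  }
}
```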

------
TravisLS
My main issue with this solution is that it takes the decision out of the
user's hands. Granted, in some cases it is potentially beneficial to unmask
the password, but I would not want a site to assume that I'm okay with this
approach. Imagine if you have to type in a password while presenting in front
of a crowd of 100 people. Do you feel secure with this solution?

Whatever solution you implement, it's important to give the user explicit
control to override the mask.

------
_giu
Nice idea and nice realization, too! It works pretty well! If you can't read
the password after you've typed it in, try to mark it with _SHIFT +
LEFT-/RIGHT-ARROW_ or _SHIFT + HOME/END_ :)

By the way: the guys from arc90.com cook up pretty cool things in their labs,
like the greatly useful _Readability_ bookmarklet
<http://lab.arc90.com/experiments/readability/>

------
dylanz
I still like my idea: * * * * els

Where you mask every character up to the last N specified characters. I
started writing this up in jQuery, but... then I stopped ;)

~~~
kolya3
Same as the iPhone.

------
jcapote
I like what the Wii and the Android browser do: they show the last input
character for a second or so.

------
ideamonk
Well, the password can be copy-pasted.

------
ahoyhere
Very clever, and I love Readability, but I don't think this one's necessary.
:)

On our signup for our time tracking app, Freckle (<http://letsfreckle.com>),
we just left the password fields clear.

Number of signups: >4000. Number of people who complained: 4. Number of
people who wrote nice things: 15.

Translation: people like it, but it's not really remarkable. (And we did it 6
mos before the Man Who Would Be King wrote about this idea.)

------
TweedHeads
In the comfort of my privacy I want to see what I am typing.

There is nobody shoulder surfing, no cameras recording me.

A check box for unmasking will suffice.

Cool hack nonetheless.

