
We need to stop masking passwords - koudi
http://www.zdnet.com/we-need-to-stop-masking-passwords-7000020894/
======
jtheory
Oh, please no one do this!

Two main points -- masked passwords are a very standardized UI convention, so
everyone has a strong assumption that passwords will be masked, even in
situations that the author hasn't considered (when yes, in fact lots of people
will unavoidably see your password), and second, there are common situations
the author hasn't considered.

Most of the meetings I'm in nowadays use screen sharing in some way; that
means my screen is intentionally large & visible enough that plenty of other
people can see exactly what I type. I do need to occasionally sign into
something, which gives away my password lengths but that's it (and that's not
too serious; I use a password manager so they're long & random).

Pair programming? A manager authorizing some action for an employee? Any kind
of demo, or giving technical support? Training?

There are lots of reasons why someone else would be legitimately closely
watching what I type. Masked passwords are not an archaic holdover from
mainframe days.

That said, the _option_ to show password text is useful, for all the reasons
mentioned -- this should not be site-specific (ugh, I can imagine the "show
password text" being just to the right of the password field, so username-tab-
password-tab-enter will show the password...), but a button in the toolbar
would be nice.

~~~
BWStearns
I personally would prefer the option to mask password vice option to show. In
all of my office environments I've had to log onto things in front of people.
Universally they look away as a courtesy, and this is with passwords masked.
If I was presenting on the overhead I would click the mask button. The pros
probably outweigh the cons on this one as long as the option to mask was
presented.

Also, below: gweinberg had a good point: the people who you should fear
shoulder surfing from are not the ones who you would want to type a password
in front of even if it was masked.

~~~
plorkyeran
If you present things on a projector on a daily basis, you would probably do a
good job of remembering to click the mask button (but having to click the mask
button would probably outweigh the occasional convenience of not having to
click the reveal button), but people who present things on a projector only
occasionally and log in entirely by reflex will frequently not.

~~~
BWStearns
Computers like most other things in life offer opportunities to screw up and
engineering things requires a tradeoff between babysitting and general
utility. I think the potential damage in the case above (the occasional
presenter has to change a password afterwards) is less damaging than enabling
most people to choose better passwords. Your coworker is unlikely to misuse
that information. More likely: you have a shitty password and someone breaks a
stolen hash because 'Pa$$word' isn't really that creative. I view accidentally
showing your password briefly to coworkers as on par with accidentally having
an embarrassing email up when you flip on the projector: unlikely to cause
long term harm, slightly blush-inducing.

Edit: not implying that we should set up security procedures based on implicit
trust of those we work with, but if you're talking about a global internet
wide convention then likelihoods are more informative than exceptions.

~~~
tedunangst
Replace "change a password" with "change all your passwords" and it's a lot
less fun.

------
deckiedan
If passwords were not masked, I would now know most of the passwords of
everyone in the office, and all of my family.

I always look away when someone else is typing in a password, as my eyes are
drawn to the keyboard and I can pretty well read what they type just from the
keys. So out of respect, I turn my head. If the password were actually on
screen, it would be many times harder not to see it.

I don't think I'm unusual. I'm at computers with other people usually once or
twice a day when they enter a password. I don't _want_ to know their
passwords!

And as the system admin, I don't want them seeing the password when I have to
type it in to fix stuff for them.

It's not malicious people who might be installing keyloggers and all that that
masked passwords help against, it's simply day to day privacy and permissions.

I don't have a problem popping round to a team-mate's office to enter a
password to let them install some basic software package, or a hardware driver
update, or whatever. But if they saw the password, then soon they would know
it, and _for sure_ would use it once or twice, and more and more random crap
would get installed, and soon malware, and so on.

On the other hand, being able to turn on visibility occasionally is useful.
(Ah! No wonder it's not working... your keyboard is still in Korean mode...
Oh, right, British mode, the double-quote doesn't live there...)

~~~
gweinberg
Conversely, people who want to pick up passwords by shoulder-surfing can
probably do it whether the passwords are masked or not.

~~~
MLR
I don't know about you but I find it exceptionally hard to read passwords from
people typing, even slow typers; reading an experienced typist would be nigh
on impossible for me.

------
crystaln
While I see the point, I don't agree.

Entering passwords with people standing behind me would be slightly nerve-
racking without password masking, and during a presentation would be
essentially impossible.

Password masking is a good default and greatly limits password exposure.

~~~
unethical_ban
At work, I make sure anyone around me isn't watching my hands, much less my
screen. I get what the guy is saying in the article, but I don't agree,
either.

~~~
jtheory
I suppose I type fast enough (and use a password manager widely enough) that I
haven't ever worried about keyboard passwords, but I do worry about bank card
PINs... I've gotten a habit of obscuring my pin by pressing with several
fingers on the keypad for each keypress -- so to someone looking, I'm
basically mashing several keys, but at each mash a different finger is
actually pushing a bit harder than the others.

~~~
bcbrown
I cover the keypad with my wallet.

~~~
kbenson
Especially useful against skimmers[1]! Oh, wait...

[1]: https://krebsonsecurity.com/all-about-skimmers/

~~~
bcbrown
I had always thought that was enough security against skimmers, thanks for
pointing that link out.

------
danellis
The author has an extreme imagination deficiency if he can't picture the
common scenarios where someone might see you entering your password. There are
many, many times when I'm working with another person sitting at my desk. It's
amazing that his whole article is predicated on his inability to look beyond
his own circumstance.

~~~
markdown
> There are many, many times when I'm working with another person sitting at
> my desk

And you can't check a 'mask password' checkbox before entering your password?

~~~
crystaln
And you can't check an unmask password checkbox if you get lost?

Seems the more secure default would certainly be preferable.

------
Raphmedia
I strongly disagree. Perhaps if you use your computer all alone in your
private office, that makes sense.

That's not how I use the computer, that's not how all my friends use their
computers, and that's seriously not how the next generation is using their
computer.

When I am on youtube, I have up to 5 friends behind me. I don't want them to
see my youtube password. When I log into steam, I most likely have someone
behind me. When I log into my Evernote account, it's most likely to show a
quote or some information to a friend. I don't want them to see the password.

To make it short, I believe that most young people use the computer as a
social activity. Showing the password by default makes NO SENSE.

I wouldn't want a client to see my password when I screenshare during a
presentation. Nor my coworker to see it on the big screen in the conference
room.

I very, very strongly disagree with that article.

------
niuzeta
> As humans we're very good at looking at something and taking a visual
> snapshot. If I actually see the Facebook login screen with my username and a
> long, passphrase like "correct horse battery staple", that's more likely to
> sink into my brain.

It is exactly because that we as humans can take the visual snapshots easily
that we still need the most basic masking. _Because we can take snapshots_. If
one of my coworkers has a long phrase password (high entropy, but very
memorable, and therefore the coworker has employed it) and I happen to take a
glance at his screen, then notice his password as a tangible sentence, _I will
remember it_. Even if I don't _memorize it_ on spot, if it happens frequently
enough you'd be damn sure that I will.

> Masked passwords come from the age of mainframes. And when we're talking
> about mainframes, that makes sense -- they were secure, private systems,
> used by specialists.

Again, it still makes sense to have masked password, just as it made sense in
the mainframe age; we can take snapshots.

Having said that, I do see the merits of his point; an option to unmask would
be a vast improvement on UX, for which I laud Microsoft.

It's especially difficult for me to type a 30-character-long masked password,
from my native language layout, on top of English keyboard visuals. I can do
it with my eyes closed on keyboard, but it's not very easy to do it on
smartphone and much easier to screw it up.

------
snorkel
Most wifi password entry fields on various platforms now offer the sensible
approach: mask the password by default while offering the option to toggle the
masking in that field.

~~~
korg250
IE 10 offers that for any masked field.

------
susi22
We aren't even safe from this:

http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_Emanations_Revisited/preprint.pdf

but then we should just show the passwords on the screen we enter? That's just
insane. Linux command line doesn't even show a * when entering a password.
That's how it should be.

We should be paranoid about passwords and not display them.

~~~
omonra
Did you read the part about 'mask my password' checkbox option?

~~~
korg250
Why not the other way around?

------
hrkristian
Something bugged me about this, I don't know about iOS, but Android has the
"show password" feature already. Although I get his point that no-one really
gets passwords by sight, it does happen, but the most important part of
masking to me and the only reason I approve of it is because there will be
times when you stop in the process of logging in somewhere and leave.

------
snarfy
> Secondly, if people could see their own passwords rather than just dot-dot-
> dot, etc they would choose better passwords, and be less likely to reuse the
> same passwords.

This has nothing to do with being able to see the password and is entirely to
do with stupid password restrictions. It's ironic he uses 'correct horse
battery staple'.

~~~
crystaln
You're suggesting that users use better passwords on sites with no password
restrictions. I'm going to doubt that's true and presuming you have no data
say that it's likely far from true.

~~~
snarfy
Nope, I said stupid password restrictions. A good password restriction would
be one that only measures the entropy. The idea that we should use no more
than 8 letters, alphanumeric with symbols is stupid and demonstrates ignorance
with how hashing works.

http://security.stackexchange.com/questions/33470/what-technical-reasons-are-there-to-have-low-maximum-password-lengths

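snarfy's point that a sane restriction measures entropy rather than capping length, worked through as an added example (not code from the thread or the article): the legacy "at most 8 characters, letters plus a digit or symbol" rule beside an entropy-only check, plus a demonstration that the stored PBKDF2 digest has the same length whatever the password length. The 2048-word list size, the 40-bit threshold and the fixed salt are assumptions made for the illustration.

```python
import hashlib
import math
import string

# Constructed examples for this demonstration (not data from the thread).
PASSPHRASE = "correct horse battery staple"   # quoted in the article and thread
LEET_PASSWORD = "Pa$$word"                    # quoted in the thread as a weak choice
SALT = b"constructed-salt"                    # assumption: use a random per-user salt in practice

def legacy_policy(pw: str) -> bool:
    """The 'no more than 8 characters, letters plus a digit or symbol' style
    of rule criticised above: it rejects long passphrases outright."""
    has_letter = any(c.isalpha() for c in pw)
    has_other = any(c.isdigit() or c in string.punctuation for c in pw)
    return 6 <= len(pw) <= 8 and has_letter and has_other

def estimate_entropy_bits(pw: str) -> float:
    """Rough entropy estimate. Multi-word alphabetic passphrases are scored
    per word (assumes a ~2048-word list, i.e. 11 bits/word); everything else
    is scored as length * log2(size of the character classes used).
    Note: this naive estimate overrates leetspeak like 'Pa$$word'; a real
    checker would also penalise dictionary words and substitutions."""
    words = pw.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return 11.0 * len(words)
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += 33
    return len(pw) * math.log2(pool) if pool else 0.0

def entropy_policy(pw: str, min_bits: float = 40.0) -> bool:
    """Entropy-only policy: no length cap, just a minimum estimated strength."""
    return estimate_entropy_bits(pw) >= min_bits

def stored_length(pw: str) -> int:
    """Length in bytes of the stored PBKDF2-SHA256 digest: fixed at 32 no
    matter how long the password is, so a maximum length buys nothing."""
    return len(hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 10_000))

if __name__ == "__main__":
    for pw in (PASSPHRASE, LEET_PASSWORD, "abc"):
        print(f"{pw!r:32} legacy={legacy_policy(pw)!s:5} "
              f"entropy={entropy_policy(pw)!s:5} "
              f"bits={estimate_entropy_bits(pw):5.1f} stored={stored_length(pw)}")
```
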
------
Ryoku
This idea makes my shoulder surfing senses wet. Seriously, it might sound
like a good UX idea in theory, but let's go to practice: People are not going
to use that button in the safety of their homes. Why? Because they don't care.
It is not a secret that the average user doesn't give priority over commodity
to security; that's the basic principle behind no-tech hacking.

The best UX experience collides with the best security experience, we need to
find the middle point. This is not the middle point. Passwords are now broken
from concept, that's why we are evolving into two factor authentication.
Making a broken security method easier to crack (even if it may only happen
when certain circumstances are met, like doing it in an airport or coffee
shop) is not the way to go.

------
josephers
I really appreciated when I was trying to log into a website on my phone and
kept getting the password wrong. After a few tries, it said "we know typing on
a phone sucks, would you like to unmask the password field?".

Nowadays, just looking at the last character briefly before it gets masked is
enough for me to correctly type in my more complicated passwords.

I'd like arbitrary password restrictions to disappear before things like
default masked password fields. I can never remember whether this unfrequented
site required 6-8 characters, or a special character, or no more than three
alphanumeric characters, etc. in the password. I just usually reset the
password each time I need to log in, in such cases.

------
_Adam
The point to take away from this article is that remote attacks are a greater
threat than local attacks, so password entry should be optimized for
protecting against the former rather than the latter.

For many of us, the point is invalid because we know how to choose good
passwords, and we don't need to see them in order to do so.

So instead, think about this from the perspective of the average consumer. An
unobfuscated password field makes it a lot easier to use a long and complex
password. If the field is hidden, users are more likely to choose something
short and easy to remember, making their password vulnerable to dictionary
attacks.

~~~
vacri
Unmasked password fields would only make social engineering an easier way to
get at passwords. A toggle, sure, but not as default behaviour.

------
vacri
_Firstly, no one is going to see your password. I'll come onto that, but they
just won't. Ever._

I feel sorry that the author is so socially isolated that he never shows
anyone else anything on his computers. Instead he invokes paparazzo and cold-
war imagery with telephoto snoopers hiding to get snapshots of small tablets
(ipad mini - not even a full ipad) and yet never thinks of "hey, check this
out"

~~~
Widdershin
Did you really have to phrase this in such an impolite way? Couldn't you have
simply stated your point instead of calling the author socially isolated. The
author might simply have a different workflow than what you are accustomed to.

~~~
vacri
The author had zero qualms in stacking the deck himself, and I was merely
responding in kind. Someone wants to see your password? Then they must be
hiding in the bushes in the parking lot with a telephoto lens. No-one will see
you enter a password? Then you must be socially isolated.

This isn't about having a different workflow, it's about the author having a
pain point and engaging on a rant instead of bothering to think it through
properly.

------
cynwoody
I absolutely agree that there should be a "show typing" override. Ideally, it
should be built into the entry widget as a clickable or touchable area. There
should also be a key chord to toggle masking. There are lots of times when
there is absolutely no danger of shoulder surfing, and showing the typing
would have the advantages the author describes.

I note that PGP Desktop has a checkbox to disable masking. I always tick it.
It helps me to get the pass phrase right and to burn it into memory.

But the default should be mask!! (OK, maybe the default should be
configurable. But the default default should still be to mask.) In public
situations, it would be too much to have to remember to turn on masking.

------
dromidas
I think the author just wants a kiddy version of Windows :P Maybe we can name
it Windows Portal (after the M:TG Portal expansion for new players). One that
is not meant to be used in a professional environment and does not have any
security things. It's actually not a bad idea. Just keep it very far away from
me.

------
gweinberg
I would very much like to have an option to always display passwords. I would
turn it on for this machine, because I only use it at home, and I'm pretty
much always alone here.

But of course it would be no good for a machine I use in a public place.

------
swinglock
This is garbage. If I disabled password masking on my workstation the only
thing it would accomplish would be me eventually getting fired.

------
nfoz
Stop masking passwords for nonsense usages like WiFi networks. Keep them for
things that actually matter.

------
Millennium
hunter2

~~~
MichaelGG
Please, keep the jokes to Reddit.

~~~
Millennium
I was using humor to make a point, yes, but it was not intended to be only a
joke.

Password-masking has its flaws, but one major UI benefit is that it
unambiguously distinguishes password fields from other text inputs. Breaking
that convention invites people typing passwords into the wrong field by
mistake, which creates a greater security problem than unmasking passwords
would solve.

------
nnnnni
That guy is a complete idiot.

~~~
nnnnni
Yay, downvotes.

Now let's wait a couple of months for someone to post the same thing and then
have everyone agree that not masking passwords is indeed a horrible idea!

