GUI Software Security Technology

Nielsen Recommends Not Masking Passwords 849

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"
  • by IANAAC ( 692242 ) on Thursday June 25, 2009 @03:57PM (#28471023)
    Around long before the iPhone, but it was a nice try to attribute that to the iPhone.
  • by Estanislao Martínez ( 203477 ) on Thursday June 25, 2009 @04:03PM (#28471113) Homepage

    And, surprise, that's exactly what TFA recommends! Quote:

    Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

  • by gcnaddict ( 841664 ) on Thursday June 25, 2009 @04:03PM (#28471129)
    *****-****-**-********
    Don't_mask_my_password

    (I used my stealthy password exposer to find that out.)
  • by clone53421 ( 1310749 ) on Thursday June 25, 2009 @04:03PM (#28471131) Journal

    javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

    Bookmark it if you want.

    For bonus points, set a timeout that restores all the fields you changed to their original password types after a few seconds.

  • by NorthDude ( 560769 ) on Thursday June 25, 2009 @04:14PM (#28471337)
    In many places in OS X, there is a "display password" checkbox under password entry fields. So, by default the password is hidden, but if needed, you can click the checkbox and it will be displayed. Best of both worlds, I think.
  • by AndrewNeo ( 979708 ) on Thursday June 25, 2009 @04:23PM (#28471519) Homepage

    And now that you bring that up, it made me curious. I just checked, and the iPhone OS 3.0 does support pasting into password fields, including the WPA passphrase field! You could now type it up in the Notes program (or any other text field, but whatever), copy and paste it, then delete the note. (Well, now you can, anyway)

  • Re:Another two words (Score:4, Informative)

    by clone53421 ( 1310749 ) on Thursday June 25, 2009 @04:25PM (#28471561) Journal

    Oh really? Even if your browser won't just show them to me [howtogeek.com] I can still get them easily if I have physical access to your browser and I am able to successfully guess which sites you frequent:

    javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

    I'm not flaming Firefox for showing the passwords. What I am saying is simple... if your browser does save passwords, secure either the browser (Firefox has a master password) or the computer (via an account password, and don't leave the desktop logged in). The asterisks are a secure enough method of obscuring your password from someone looking over your shoulder, but they are not a secure method of obscuring your password from someone who's actually sitting at the computer keyboard.

  • by grumbel ( 592662 ) <grumbel+slashdot@gmail.com> on Thursday June 25, 2009 @04:30PM (#28471631) Homepage

    than they can see your fingers type the characters of your password on the keyboard

    Have you ever tried that? Unless you practice it a good bit you are quite unlikely to succeed; you also have to have a good stare at the keyboard, which could be easily noticed by the user. Having the password clearly readable on the screen is a whole different matter. People are trained to recognize words quite literally in the blink of an eye. So any non-trivial password is very easy to spot when it's written to the screen; even from a distance, when you are not actually trying to read it, you could spot it just by accident, as you can't stop your brain from recognizing words.

    The argument with the keyboard logger really isn't a good one. Sure, obscuring the password won't stop all attacks, but it will stop a lot of attacks and raise the bar for attack much higher, as you have to actually plan the attack and not just look at the screen at the right moment by accident.

    That said, an option on the entry-box to de-obscure the password would be welcome, since some are just a chore to type without visual confirmation (long WLAN keys and such).

  • by Nixoloco ( 675549 ) on Thursday June 25, 2009 @04:35PM (#28471727)

    On the other hand, we only post passwords over HTTPS which browsers don't cache anyways.

    Most all browsers will save form data entered on a page served over SSL just as they do over non-SSL.. ?

  • by moj0e ( 812361 ) on Thursday June 25, 2009 @04:49PM (#28472045) Journal
    I believe a good compromise would be to do what the iPod does. It shows the last typed character for a short period of time and then switches over to an asterisk. That way, no one can "easily" look over my shoulder and I can see which letter I typed. It might be more fun just to do away with passwords in general and use some other security scheme, like a tongue print. :) -- This post is in need of a good sig. Suggestions welcome!
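    The two compromises described in this thread (the OS X "display password" checkbox above, and the iPod-style reveal of only the last typed character) can be modelled without a DOM, which makes the masking logic testable. The following is an added example written for this page; it is not code from the thread, from Apple, or from any commenter, and the timings, option names and function names are assumptions made for the example. It also gives the opt-in "show" state a bounded lifetime so a field left visible re-masks itself.

```javascript
// Added example (not from the thread): a DOM-free model of a password field
// that keeps the value unreadable to bystanders while still giving the
// typist feedback. It combines a "show password" toggle that is off by
// default and reverts to masked after a timeout, and a brief reveal of only
// the most recently typed character. All timings are assumptions.

const MASK = '\u2022'; // bullet character used for masked positions

function createPasswordField(options = {}) {
  const revealLastMs = options.revealLastMs ?? 1000; // last-typed char visible this long
  const showForMs = options.showForMs ?? 10000;      // "show password" auto-reverts after this
  // Times are supplied by the caller (e.g. Date.now()) so the logic is testable.
  const state = { value: '', lastKeyAt: -Infinity, showUntil: -Infinity };

  return {
    // Append one typed character and start the reveal window for it.
    type(ch, now) {
      state.value += ch;
      state.lastKeyAt = now;
    },
    // Delete the last character; nothing is revealed after a deletion.
    backspace() {
      state.value = state.value.slice(0, -1);
      state.lastKeyAt = -Infinity;
    },
    // The opt-in checkbox: plain text for a bounded time, then masked again.
    setShow(on, now) {
      state.showUntil = on ? now + showForMs : -Infinity;
    },
    // The real value, for submission; never derived from what is rendered.
    value() {
      return state.value;
    },
    // What the screen shows at time `now`.
    render(now) {
      const v = state.value;
      if (v.length === 0) return '';
      if (now < state.showUntil) return v; // user asked to see it and the window has not lapsed
      const revealLast = now - state.lastKeyAt < revealLastMs;
      if (!revealLast) return MASK.repeat(v.length);
      return MASK.repeat(v.length - 1) + v[v.length - 1];
    },
  };
}
```

The point of separating `value()` from `render()` is that the submitted secret is never reconstructed from the on-screen string, and the point of the bounded `showUntil` window is that a forgotten checkbox does not leave a password on screen indefinitely.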
  • by Gordonjcp ( 186804 ) on Thursday June 25, 2009 @04:58PM (#28472201) Homepage

    Lotus Notes had (has?) a login dialog that addressed this by showing a random number of X's for each character rather than a 1-to-1 mapping.
    ... and bloody awful it was too. What the hell was the point of showing the dots at all? At least with one dot per character you've got visual feedback of how many characters you've typed. Seeing six dots in the password field when you've only typed three characters is confusing and jarring.

  • by fooslacker ( 961470 ) on Thursday June 25, 2009 @04:59PM (#28472215)
    Because a developer can't be sure you're in a secure environment when coding the app and he doesn't want to be held responsible for problems caused by your inattention or laziness especially when he expects you to be a danger to yourself. Assuming the royal "you" as in a user.
  • Re:Lotus Notes (Score:2, Informative)

    by fluffernutter ( 1411889 ) on Thursday June 25, 2009 @05:01PM (#28472249)
    There are a very limited number of symbols. Something in the order of 24 or 32 I think. So sure, out of the millions of possible passwords it divides the possibilities by 32 I guess, but in the grand scheme of things it doesn't really help anyone guess your password. In fact, the last two passwords I've had generated the same symbols. Lotus Notes still does this and I use it every day. I've often wondered why no one else does it because it seems brilliant.
  • by xlotlu ( 1395639 ) on Thursday June 25, 2009 @05:21PM (#28472613)

    I first saw it on Nokia's S60 3rd edition, some 4 years ago; never had the occasion to try it on earlier S60s. It really is an extraordinary usability improvement, especially for keypads.

    Note however, the Nokias don't enable the feature when you enter a numeric password (e.g. the PIN), so I don't think they meant it as a usability feature in the sense Nielsen wants, but simply to overcome the frustration of entering masked letters on a numeric keypad.

    And it's quite obvious Apple didn't come up with the idea: they didn't patent it. Call it cynicism or my minute of Apple hate, but I prefer to call it pragmatism.

  • by speculatrix ( 678524 ) on Thursday June 25, 2009 @05:34PM (#28472805)
    S60 has been doing this since before the iPhone/iPod Touch was even a rumour within Apple.
  • Re:Another two words (Score:2, Informative)

    by Gnom3 ( 1323451 ) on Thursday June 25, 2009 @06:12PM (#28473347)
    You still need to beware of the saved password features in some browsers (Firefox & Chrome at least). There are ways that your saved password could potentially be viewed in plain text by anyone that has a few seconds of access to your browser.

    You can read more about it HERE [blogspot.com] and HERE [blogspot.com]
  • Re:Microsoft wep key (Score:5, Informative)

    by iPhr0stByt3 ( 1278060 ) on Thursday June 25, 2009 @06:13PM (#28473365)
    If you mis-type the password to a wireless network, the AP won't even tell you it's wrong. That is because the AP will hopefully act as if it was correct in order to significantly slow down brute force password attempts. Windows will try to get a DHCP address and eventually come up with "limited or no connectivity". Therefore, using a double-check might save a few minutes if you can correct your typo immediately. I'm not saying that I prefer this. I'd personally rather have just one box and type it carefully, but that is a valid and good reason for this behavior.
  • by PReDiToR ( 687141 ) on Thursday June 25, 2009 @06:16PM (#28473391) Homepage Journal
    Password Hasher [mozilla.org] has that facility.

    With this extension built into every web browser security would improve in leaps and bounds.
    For lazy people you can mix it with Secure Login [mozilla.org] or the Opera Wand.

    After all, once an attacker has local access to your machine all bets are off right? Password Hasher makes guesses/brute forcing passwords as close to impossible as it needs to be. 26 characters should be enough for anyone, surely?
  • by jc42 ( 318812 ) on Thursday June 25, 2009 @11:27PM (#28476933) Homepage Journal

    According to the current (25th June 2009) draft of the HTML 5 spec:

    "The user agent should obscure the value so that people other than the user cannot see it."

    But if you read that carefully, you'll note that it does not say that the user can see it. It allows for implementations that totally obscure the password, and implementations that let the user see the password (as long as others can't). And it doesn't suggest how the latter might be done.

    I think it was very carefully worded. Or maybe it was just an accident.
