
Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"
  • hunter2 (Score:4, Interesting)

    by eldavojohn ( 898314 ) * <eldavojohn@noSpAM.gmail.com> on Thursday June 25, 2009 @03:48PM (#28470839) Journal

    Usability expert and columnist Jakob Nielsen

    Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability. And for a second there I was afraid he was just doing this for attention.

    Mr. Nielsen, could you send us screen shots of a working example? Perhaps show us what it looks like when you log into the administrative console now with your password entered in and then a screenshot of the way you think it would be more usable. I'll review them and let you know in a most interesting way [bash.org] what I think.

    Perhaps you should read up on our friend Kevin Mitnick [wikipedia.org] and NASA "Hacker" Gary McKinnon [slashdot.org], both of whom are no strangers to the over-the-shoulder attack. Really, I'm no security expert or pen tester, but I'm going to speculate that these 'soft hacks' are some of the most dangerous vulnerabilities left. Your suggestion just makes them all the easier. I personally would like to see the standard bumped up to the level of the input box not even being masked ... no input is recorded in any way on the screen. Now that's a usability nightmare when you can't even backspace to correct your errors. I don't think I've seen this since my days in a computer lab at college, but I think sacrificing a few login attempts' worth of time is worth the security.

    Typically, masking passwords doesn't even increase security ...

    [citation desperately needed]

    I think back to the few times when I've entered my password accidentally into the username box because the tab key I hit didn't register or the site didn't support it and I just felt nervous and dirty and needed to change my password. Just knowing that there were photons and radiation [slashdot.org] everywhere in my cube belying my password to anyone who cared to capture them ... I mean it's bad enough that the sound waves of my keystrokes are floating around telling people my password [slashdot.org]. Sorry to go all tinfoil hat on you there.

  • by greenguy ( 162630 ) <`estebandido' `at' `gmail.com'> on Thursday June 25, 2009 @03:49PM (#28470875) Homepage Journal

    Howzabout we make it optional, so people can decide for themselves?

  • It's time! (Score:3, Interesting)

    by kurtmckee ( 870398 ) * on Thursday June 25, 2009 @03:51PM (#28470897) Homepage

    I agree, it's time to switch to the Unix password entry scheme. No feedback is good feedback!

    by Bemopolis ( 698691 ) on Thursday June 25, 2009 @03:52PM (#28470909)

    ...but the iPhone has a good compromise: as you type in your iTunes password, the letter you just typed in gets bulleted. This is especially important for those of us who have trouble with typos on a regular keyboard, never mind the phone's.
  • by Anonymous Coward on Thursday June 25, 2009 @04:01PM (#28471075)

    37signals on Avoiding Preferences [37signals.com]

    Preferences are a way to avoid making tough decisions... It may seem like you're doing [your customers] a favor but you're just making busy work for them (and it's likely they're busy enough).

    I hate preferences. Just let me sign in and move on.

  • Re:hunter2 (Score:4, Interesting)

    by digitalgiblet ( 530309 ) on Thursday June 25, 2009 @04:02PM (#28471103) Homepage Journal

    Seriously, if you only evaluate software based on usability, then it is BAD to even require a password.

    Requiring a password INSTANTLY makes software harder to use. Not requiring a password makes the user's life much easier and simpler.

    Now if you care about more than just usability, then you may want to reconsider dropping or masking passwords.

  • Re:Two words (Score:5, Interesting)

    by rtfa-troll ( 1340807 ) on Thursday June 25, 2009 @04:10PM (#28471265)

    Sure, being the RTFA troll, I read the article. But that still doesn't convince me. The keyboard press is a brief instant on a device which is easy to place more or less out of line of sight. A visible password on a screen is present for a long time and there are a number [schneier.com] of interesting [newscientist.com] ways to capture this. Whilst keyboards are not perfect [itworld.com] I think that some protection is worthwhile. One thing is for sure. Nobody is going to remember to turn this on when they are in public and your password only needs to be captured once.

    One thing that might be a possible compromise is the system the mail client on my Nokia phone uses. The most recent character entered in the password is displayed for a short time. I can see each individual character, but the entire password is not exposed. I worry on the subway, but since it's a personal device it's easier to make this difficult to see.
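The "show only the character just typed, then bullet it" scheme that Bemopolis and rtfa-troll describe above, together with the explicit "mask my password" checkbox that the thread later quotes from Nielsen, as an added example that is not code from the thread, from Apple or Nokia, or from any product; the one-second reveal window, the field state model and the rule that a high-risk form re-masks when focus leaves are all assumptions made here.

```javascript
// Added example (not from the thread or any vendor): a pure in-memory model of a
// password field that shows only the character just typed, for a short window,
// and otherwise renders bullets; plus an explicit unmask toggle that is off by
// default. No DOM is touched, so the display logic runs and tests under Node.
const MASK = '\u2022';            // the bullet glyph the thread calls "dots"
const REVEAL_MS = 1000;           // assumed reveal window for the last typed character

class MaskedField {
  constructor({ highRisk = false, revealMs = REVEAL_MS } = {}) {
    this.value = '';              // the real secret; only display() output is ever rendered
    this.unmasked = false;        // the user's explicit checkbox, masked by default
    this.highRisk = highRisk;     // bank-style form: never stay unmasked once focus leaves
    this.revealMs = revealMs;
    this.lastTypedAt = null;      // timestamp of the last *inserted* character, or null
  }

  // Only a character the user just inserted may be shown briefly.
  type(ch, now) {
    this.value += ch;
    this.lastTypedAt = now;
  }

  // Backspace removes a character and cancels any reveal: the character now at the
  // end was typed earlier, and showing it would expose more than the user just did.
  backspace() {
    this.value = this.value.slice(0, -1);
    this.lastTypedAt = null;
  }

  setUnmasked(flag) { this.unmasked = Boolean(flag); }

  // Leaving the field re-masks a high-risk form so a stored secret is not left
  // readable on screen for whoever walks up to the machine next (assumed rule).
  blur() { if (this.highRisk) this.unmasked = false; }

  // The string the screen should show at time `now` (milliseconds).
  display(now) {
    if (this.unmasked) return this.value;
    const n = this.value.length;
    if (n === 0) return '';
    const revealLast = this.lastTypedAt !== null && now - this.lastTypedAt < this.revealMs;
    return revealLast ? MASK.repeat(n - 1) + this.value[n - 1] : MASK.repeat(n);
  }
}
```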

  • Re:hunter2 (Score:2, Interesting)

    by mcgrew ( 92797 ) on Thursday June 25, 2009 @04:11PM (#28471283) Homepage Journal

    Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability

    He's not a security expert, but he IS a usability expert (even though I, a non-expert, often disagree with some of the things he writes). On the whole, though, web developers would do well to read his columns.

    Perhaps you should read up on our friend Kevin Mitnick and NASA "Hacker" Gary McKinnon both of whom are no strangers to the over-the-shoulder-attack.

    That will work even WITH masked passwords, which I found out when a woman watched me use my debit card. Lot of good it did me for the numbers to not be displayed when she simply had to look at what keys I was pressing. In the case of ATMs, masking is "security theater". Lesson 1: don't use a debit card to get money for more booze. Lesson 2: just don't use debit cards!

    However, Nielsen adds

    Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

    Sounds like a good idea to me. Why do I need password masking alone in my own living room? Logging on to my work computer, yes, especially in a cube setting. But not on most internet sites.

    I have to applaud what he says about reset buttons on forms, especially long ones. They have no use whatever except to make you retype everything if you hit the stupid thing by mistake.

    I think sacrificing a few login attempts worth of time is worth the security.

    Good security involves locking out the user after a certain number of attempts in order to stop a "dictionary attack". I just had to reset a user's PW twice this afternoon because she locked herself out of her account. Sure, it's extra hassle but the security is worth it.

    [citation desperately needed]

    If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

  • People are a problem (Score:4, Interesting)

    by bky1701 ( 979071 ) on Thursday June 25, 2009 @04:14PM (#28471351) Homepage

    On my old website, I had for a while password fields with no bullets. I had assumed that, given the low-importance nature of the site and all, no one would really care, and it did make it easier.

    A few weeks after opening, I had found out that a few people had not created accounts, because they had the strange idea that not having bullets somehow made the site less secure. That somehow, *I* would be able to see their password, more than if there were bullets.

    Needless to say, I changed over my password fields to bulleted, because I didn't want to lose any possible members to such a stupid problem. I still think that plain text is better, but it has become mandatory security theater. Much like an SSL cert makes even the most questionable site legitimate, lacking bulleted passwords makes people think you're being sneaky somehow. It is sad, but it's reality.
  • Re:hunter2 (Score:3, Interesting)

    by NeverVotedBush ( 1041088 ) on Thursday June 25, 2009 @04:23PM (#28471517)

    Not entirely. A telescope and photomultiplier or phototube aimed at someone's office window will get you everything on their screen if they are using an older CRT monitor - regardless of whether it is visible from the window or not. If they have their monitor visible through a window then just a telescope will do it for you.

    I agree with eldavojohn and everyone else who has the various examples/anecdotes/satirical comments. Showing passwords to anyone nearby or with binoculars, telescopes, or cameras is not very bright.

    What is the value of the data you are trying to protect? Is it worth the few seconds required to re-type a password?
    by bhagwad ( 1426855 ) on Thursday June 25, 2009 @04:29PM (#28471613) Homepage

    He's crazy.

    I've never even seen my password in plain text. I don't want to either. Ever.

    Also, what if your kid sees the password you use at home and decides to play around? I know I would have when I was a kid and my instructor used to log in to his DOS account with a password (where the cursor never moved, let alone displayed the number of characters with dots).

    Irreparable damage
  • Re:Lotus Notes (Score:3, Interesting)

    by lgw ( 121541 ) on Thursday June 25, 2009 @04:31PM (#28471651) Journal

    As long as your glyph matched what you remembered, you knew that you'd typed the password correctly.

    So anyone could just remember your hieroglyphs and then try passwords until they got a match? Nice. I don't think it actually worked that way.

  • Re:Four words (Score:3, Interesting)

    by __aagmrb7289 ( 652113 ) on Thursday June 25, 2009 @04:42PM (#28471845) Journal

    Good for you. Have you ever considered that you aren't in the majority? If not, I'd suggest that you start considering that question EVERY SINGLE TIME you start thinking to yourself something that starts with "But I..."
  • Re:Two words (Score:5, Interesting)

    by hey! ( 33014 ) on Thursday June 25, 2009 @04:50PM (#28472069) Homepage Journal

    Well, that's the crux isn't it?

    To a usability expert, expectations are your friends. You trust them. You believe in them.

    To a security expert, expectations are your enemies. You distrust them. You try to figure out what they're hiding from you.

    Of course, everyone agrees that what is expected and what happens *should* be the same, but I think here the security guys have the more legitimate concern. Mr. Nielsen doesn't even consider the possibility that his expectations might be violated. He assumes they are benign as long as they are "usually" right.

    What does "usually" mean? *You the user* may "usually" type the password where you can't be watched (although how Nielsen knows this applies to me I have no idea). But the usual case for the *criminal* is the situation where *some* user is being vulnerable. He doesn't care about the legions of users who are not exposed to a problem. He cares about the sufficient number of users to his purpose that are. He *seeks* what we consider negligible and makes his home there.

    Suppose I design a web site with ten thousand users a day. Suppose a certain situation comes up only 1/10 of one percent of the time for any given user on any given day. To a usability expert that's negligible. To a security expert, that means I'll be guaranteeing ten exposures to vulnerabilities per day. That's great for attackers. They don't care that *most* users aren't exposed to this problem *most* of the time. They only care that *some* users will be exposed to this problem nearly *all* of the time.

    All engineering is about balancing costs and benefits. But you've got to know the probabilities, and to do that right you've got to determine the right population to calculate them with. Once we've established that the "unusual" user case is the "usual" attacker case, we have to recalculate our cost estimates. Where an attack is extremely unlikely, Mr. Nielsen is correct in saying that the increment of security that masking gives is small. We're talking about very, very small probabilities, so the only increment we might rationally care about is dropping the probability to zero. Since some criminals can read keystrokes from a keyboard (although by no means many), we don't achieve that. Therefore masking is useless.

    However, from the perspective of the attacker and site owner, a situation where some users are exposed to this kind of attack is quite common. It literally happens all the time for a large site. Therefore if masking repulsed, say, 50% of attacks (being very, very conservative), it's still worth doing if you want to keep your site secure, or care about possible violations of user privacy.

  • Re:hunter2 (Score:1, Interesting)

    by Anonymous Coward on Thursday June 25, 2009 @04:50PM (#28472085)

    There are many situations where "over the shoulder" attacks are simply not possible

    A whole host of screen-grabbing malware says hi.

  • Re:Two words (Score:3, Interesting)

    by Americano ( 920576 ) on Thursday June 25, 2009 @05:12PM (#28472465)

    From Dictionary.com [reference.com]:

    genius (noun) - an exceptional natural capacity of intellect, especially as shown in creative and original work in science, art, music, etc.

    expert (noun) - a person who has special skill or knowledge in some particular field; specialist; authority.

    Now here's a list of Mr. Nielsen's publications in the field of usability. [interaction-design.org] Also a short biography [wikipedia.org] of the man on wikipedia, listing some of his educational background & contributions.

    Given all this, two points:

    • Nobody referred to Mr. Nielsen as a "genius" except you. They did refer to him as an "expert" in the field of usability, which it's quite clear that he is, if you read his biography, list of publications, and other credentials. You may not agree with his opinions on usability, but he certainly qualifies as "someone with special skill and knowledge" in that field.
    • If your definition of genius requires some level of renown, then the word you should be using is "celebrity," not "genius." Ability, intellect, and creative capacity need not be well-known to the public to be exceptional.
  • by SloppyElvis ( 450156 ) on Thursday June 25, 2009 @05:30PM (#28472745)

    4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

    hmm...

    SetWindowsHookEx()

    ...I don't believe this requires admin rights. Windows is designed for usability! I could write an Internet Explorer browser add-on that superimposes over password editboxes and displays your password so you (and I) can see it!

  • by Rei ( 128717 ) on Thursday June 25, 2009 @05:33PM (#28472783) Homepage

    For what it's worth, I've had a password compromised before by someone looking over my shoulder at what *keys* I typed. I'd rather not make it even easier for people by letting them just look at the screen, thanks. As you note, you never know whether your environment is secure. In my case, back in TAMS, I had a "friend" who was chatting with me as an excuse to stand close enough / above me to see the keyboard; he then set up a porn site on my university account as a prank.

    Strangely enough, the last I heard from him, he was becoming a Mormon missionary...

  • by gdshaw ( 1015745 ) on Thursday June 25, 2009 @05:56PM (#28473159) Homepage

    Actually, the comment is (perhaps unintentionally) insightful. According to the current (25th June 2009) draft of the HTML 5 spec:

    "The user agent should obscure the value so that people other than the user cannot see it."

  • Re:hunter2 (Score:5, Interesting)

    by macslut ( 724441 ) on Thursday June 25, 2009 @06:06PM (#28473289)

    I'm so disappointed as I was hoping to find an answer here. I've been wondering about the whole entering the password twice for Microsoft on a wireless network for years now. I have a Mac, and every time a Windows user asks me to repeat the password, I ask them why...they tell me they need to enter it twice, so I ask *why*. Nobody has ever offered me an answer. That would drive me friggin nuts as a Windows user...not just doing it, but knowing there was no valid reason as to why. Now email addresses on online forms are a different story, they're just trying to make sure you did it correctly by making sure the addresses match. For the wireless network login this makes no sense because if you did get it wrong, then no loss, just that's when you'd have to enter it the second time. I think someone really screwed up at Microsoft on this, but why was it left this way after numerous patches? Apple does allow you to hide or reveal your password for the wireless network, which is funny because this option is a bit more of a risk than just letting you see your password while entering it. By allowing you to reveal the password after it's been entered, they're allowing anyone to walk up to a Mac that's connected and see the wireless password when the user is away.
  • by jaden ( 22302 ) on Thursday June 25, 2009 @07:10PM (#28474173)

    How about just having the mouse over the password field causing plain text to be shown (maybe with a delay) ... mouse outside = dots.

    It's only annoying when X login failures result in your account being locked & you're stuck wondering if you had a typo in your dots. Wouldn't mind a countdown on that too ( you have # more chances before you're locked out for 24hrs ).

    -J

    by Andr0id_flaH ( 889555 ) on Friday June 26, 2009 @11:24AM (#28483265) Homepage Journal

    The problem with that is you might not "see" someone looking over your shoulder; however, TEMPEST, although old, is still used and people can see anything echoed to your screen from a distance or even through windows and walls. Also, by seeing your password, a user is more inclined to make it easier because they can visually see it with their eyes and not in their Mind's eye.
