
Nielsen Recommends Not Masking Passwords

Posted by timothy
from the *****-****-**-******** dept.
Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

  • by suso (153703) * on Thursday June 25, 2009 @03:47PM (#28470817) Homepage Journal

    Usability? What the hell is he talking about? The user doesn't see the dots, only other people see those. The user should see their own password when they type it. Maybe he should check his glasses because those characters must be so blurry to him that they look like dots.

    • That comment is 99.99999% funny. It's 0.00001% true in the case of an all-asterisk passwd.
      • by gdshaw (1015745) on Thursday June 25, 2009 @05:56PM (#28473159) Homepage

        Actually, the comment is (perhaps unintentionally) insightful. According to the current (25th June 2009) draft of the HTML 5 spec:

        "The user agent should obscure the value so that people other than the user cannot see it."

        • Re: (Score:3, Informative)

          by jc42 (318812)

          According to the current (25th June 2009) draft of the HTML 5 spec:

          "The user agent should obscure the value so that people other than the user cannot see it."

          But if you read that carefully, you'll note that it does not say that the user can see it. It allows for implementations that totally obscure the password, and implementations that let the user see the password (as long as others can't). And it doesn't suggest how the latter might be done.

          I think it was very carefully worded. Or maybe it was just an

    • by religious freak (1005821) on Thursday June 25, 2009 @04:12PM (#28471295)
      Dots? Who the hell has dots? My unix login prompt cursor doesn't even move when I type the password in; I'd love to have some dots!
      • by doti (966971) on Thursday June 25, 2009 @04:22PM (#28471491) Homepage

        That's because knowing the number of characters in a password greatly eases the password guessing.

        The masking is indeed a bad idea. Your unix login prompt does the right thing.
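The effect of a length leak can be put in numbers. The functions below are an added worked example written for this page, not code from the thread: they compare the candidate count for a password of exactly `actualLen` characters against the count for every length from 1 up to `maxLen` over an alphabet of `c` symbols, which is the space a guesser who does not know the length has to cover. The function names and the sample policies in `leakTable` are my own.

```javascript
// Added worked example (not from the thread): how much work does knowing a
// password's exact length save an exhaustive guesser? BigInt keeps large
// alphabets and lengths exact instead of overflowing a double.

// Candidates of exactly n characters over an alphabet of c symbols.
function candidatesExactLength(c, n) {
  return BigInt(c) ** BigInt(n);
}

// Candidates of every length from 1 to n, the space a guesser who does
// not know the length has to cover.
function candidatesUpToLength(c, n) {
  let total = 0n;
  for (let k = 1; k <= n; k++) total += BigInt(c) ** BigInt(k);
  return total;
}

// Ratio of "lengths 1..maxLen" to "exactly actualLen": the factor by which
// a length leak shrinks the search. Truncated to four decimals as a Number.
// For actualLen === maxLen the limit as maxLen grows is c / (c - 1).
function lengthLeakFactor(c, maxLen, actualLen) {
  const exact = candidatesExactLength(c, actualLen);
  const upTo = candidatesUpToLength(c, maxLen);
  return Number((upTo * 10000n) / exact) / 10000;
}

// A few constructed policies: [alphabet size, policy maximum, actual length].
function leakTable() {
  return [
    [95, 8, 8],   // printable ASCII, password uses the full maximum
    [95, 64, 8],  // long maximum allowed, short password chosen
    [10, 4, 4],   // 4-digit PIN, maximum 4
    [10, 12, 4],  // 4-digit PIN where 12 digits were allowed
  ].map(([c, maxLen, actualLen]) => ({
    c, maxLen, actualLen, factor: lengthLeakFactor(c, maxLen, actualLen),
  }));
}
```

When the password already uses the policy maximum, the factor is close to 1 (about 1.01 for a 95-symbol alphabet); the leak only becomes significant when the revealed length is short relative to what the guesser would otherwise have had to assume, as the PIN rows in `leakTable` show.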

        • by marcus (1916) on Thursday June 25, 2009 @04:42PM (#28471849) Journal

          In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

          Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.

          • Re: (Score:3, Informative)

            by fooslacker (961470)
            Because a developer can't be sure you're in a secure environment when coding the app and he doesn't want to be held responsible for problems caused by your inattention or laziness especially when he expects you to be a danger to yourself. Assuming the royal "you" as in a user.
            • The developer can usually rely on the users being in an environment that's not secure enough for a password to be displayed in the clear, though secure enough to assume nobody is video recording keypresses.

              With unmasked passwords, you'd have to change important passwords whenever someone walks past you just as you're typing them in. This scenario can be so common - office, starbucks, etc.

              Nielsen talks about usability, so how usable is that?

              In contrast if someone was _standing_ close by and you suspect him of
          • Re: (Score:3, Insightful)

            by Hurricane78 (562437)

            Do you really expect users to know if their environment is secure?

            On the other hand, it's a great idea. More cracked accounts, more retards hurt, less retards being successful, less retards reproducing, and the global IQ rises.

            Seriously, I miss the intelligence boost that harsh times give humanity. :/

            • by Rei (128717) on Thursday June 25, 2009 @05:33PM (#28472783) Homepage

              For what it's worth, I've had a password compromised before by someone looking over my shoulder at what *keys* I typed. I'd rather not make it even easier for people by letting them just look at the screen, thanks. As you note, you never know whether your environment is secure. In my case, back in TAMS, I had a "friend" who was chatting with me as an excuse to stand close enough / above me to see the keyboard; he then set up a porn site on my university account as a prank.

              Strangely enough, the last I heard from him, he was becoming a Mormon missionary...

          • Re: (Score:3, Informative)

            by PReDiToR (687141)
            Password Hasher [mozilla.org] has that facility.

            With this extension built into every web browser security would improve in leaps and bounds.
            For lazy people you can mix it with Secure Login [mozilla.org] or the Opera Wand.

            After all, once an attacker has local access to your machine all bets are off right? Password Hasher makes guesses/brute forcing passwords as close to impossible as it needs to be. 26 characters should be enough for anyone, surely?
          • Re: (Score:3, Funny)

            by MichaelSmith (789609)
            Let's say my boss is hanging around, waiting for something important to him to get done. My password is a very rude word...
          • by noidentity (188756) on Friday June 26, 2009 @12:05AM (#28477261)
            Instead of bullets, the password could appear in one of those CAPTCHA fonts; anybody shoulder-surfing would have to stare at it for 10 minutes to decipher it.
        • by transporter_ii (986545) on Thursday June 25, 2009 @05:05PM (#28472335) Homepage

          I think passwords should spin, and any right characters you try should make that digit stop spinning, to let you know that character was right. That would put things more in line with the movies and make hacking a lot more fun.

    • Re: (Score:3, Interesting)

      by bhagwad (1426855)
      He's crazy.

      I've never even seen my password in plain text. I don't want to either. Ever.

      Also, what if your kid sees the password you use at home and decides to play around? I know I would have when I was a kid and my instructor used to login to his DOS account with a password (where the cursor never moved let alone display the number of characters with dots).

      Irreparable damage
    • by mellon (7048) on Thursday June 25, 2009 @05:26PM (#28472701) Homepage

      Dude, I want *your* computer. Or your glasses. Or something.

      You have illustrated the point nicely. However, the fact is that there is a problem here. The average naive user thinks that when they type a password in, and it's hidden, that means that it's secure. They equate the dots with end-to-end security. And of course there is no end-to-end security. So actually the dots are a usability problem - just not the one Mr. Nielsen suggests.

      Fundamentally, the problem is that there is no security in the way passwords are done on the net. By this I mean that even though we do have security protocols like SSL, and we do have mechanisms for signing certs, the current security model assumes that the user will discriminate between situations where there is security, and situations where there is not. And nearly every single user of web services is incapable of discriminating in that way. There are maybe one or two thousand people in the world who really understand the security model well enough and are anal enough to actually validate the security of what they are doing when they enter passwords into web forms.

      So essentially Mr. Nielsen is right - you might as well not bother with the dots. Because they just give you a false sense of security.

  • hunter2 (Score:5, Funny)

    by beaviz (314065) * on Thursday June 25, 2009 @03:47PM (#28470827) Homepage Journal

    Nielsen is finally getting even for that old prank we pulled on him back in the day ;)

    http://bash.org/?244321 [bash.org]

  • hunter2 (Score:4, Interesting)

    by eldavojohn (898314) * <.moc.liamg. .ta. .nhojovadle.> on Thursday June 25, 2009 @03:48PM (#28470839) Journal

    Usability expert and columnist Jakob Nielsen

    Well, I'm glad they found such an unbiased and informed person to make such a statement about security versus usability. And for a second there I was afraid he was just doing this for attention.

    Mr. Nielsen, could you send us screenshots of a working example? Perhaps show us what it looks like when you log into the administrative console now with your password entered in, and then a screenshot of the way you think it would be more usable. I'll review them and let you know in a most interesting way [bash.org] what I think.

    Perhaps you should read up on our friend Kevin Mitnick [wikipedia.org] and NASA "Hacker" Gary McKinnon [slashdot.org], both of whom are no strangers to the over-the-shoulder attack. Really, I'm no security expert or pen tester, but I'm going to speculate that these 'soft hacks' are some of the most dangerous vulnerabilities left. Your suggestion just makes them all the easier. I personally would like to see the standard bumped up to the level of the input box not even being masked ... no input is recorded in any way on the screen. Now that's a usability nightmare when you can't even backspace to correct your errors. I don't think I've seen this since my days in a computer lab at college, but I think sacrificing a few login attempts' worth of time is worth the security.

    Typically, masking passwords doesn't even increase security ...

    [citation desperately needed]

    I think back to the few times when I've entered my password accidentally into the username box because the tab key I hit didn't register or the site didn't support it and I just felt nervous and dirty and needed to change my password. Just knowing that there were photons and radiation [slashdot.org] everywhere in my cube belying my password to anyone who cared to capture them ... I mean it's bad enough that the sound waves of my keystrokes are floating around telling people my password [slashdot.org]. Sorry to go all tinfoil hat on you there.

    • Re:hunter2 (Score:4, Interesting)

      by digitalgiblet (530309) on Thursday June 25, 2009 @04:02PM (#28471103) Homepage Journal

      Seriously, if you only evaluate software based on usability, then it is BAD to even require a password.

      Requiring a password INSTANTLY makes software harder to use. Not requiring a password makes the user's life much easier and simpler.

      Now if you care about more than just usability, then you may want to reconsider dropping or masking passwords.

    • Re: (Score:3, Insightful)

      You might want to RTFA before typing out such a long post. If you did, you'd notice a few things.

      1) He's specifically advocating this for login forms on the web
      2) He specifically says that security trumps usability in some instances
      3) He gives a very clear example of a way to enable/disable this feature

      With the proliferation of mobile devices with tiny, sometimes virtual, keyboards, typos are very common. When you can't even see that you've made a typo because it is obscured by dots, then you have no chan

  • Two words (Score:5, Insightful)

    by RollingThunder (88952) on Thursday June 25, 2009 @03:49PM (#28470865)

    Shoulder surfing.

    Seriously, is this guy supposed to be an expert?

    This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

    • Re:Two words (Score:5, Insightful)

      by tomhudson (43916) <barbara DOT huds ... a-hudson DOT com> on Thursday June 25, 2009 @03:57PM (#28471013) Journal

      I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

      Think about your bank card, your PIN, etc.

      FTFA:

      It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

      Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

      • Re:Two words (Score:5, Insightful)

        by radtea (464814) on Thursday June 25, 2009 @04:24PM (#28471541)

        Retarded doesn't begin to cover this.

        The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

        Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

      • Re: (Score:3, Insightful)

        by Znork (31774)

        Offering a default to turn OFF password masking for bank accounts?

        As many banks use one time passwords, that might actually be one of the few places where unmasked passwords are acceptable.

        Otherwise, no way. For those with very bad keyboard skills there are workarounds like using keyboard patterns and with cellphones you can use longer passwords but without multiple-click use of buttons.

        Slightly easier input simply isn't worth it; not only don't I want to reveal my passwords to any furtive glance, I don't w

    • Re: (Score:3, Insightful)

      by dkleinsc (563838)

      expert(n): Someone who will charge you a large amount of money to state the obvious (possibly to someone else who needs to be convinced of something).

      The real geniuses of the world don't go around calling themselves "experts", they just do nifty things and solve interesting and difficult problems.

    • Another two words (Score:4, Insightful)

      by El Gigante de Justic (994299) on Thursday June 25, 2009 @04:05PM (#28471167)

      Saved Passwords.

      I typically have my web browser save my passwords for things I consider lower risk, but if masking is removed and the browser automatically loads the password into the form, then it's available to anyone. Considering that many users use the same or similar passwords for almost every application, having it unmasked on one site could give up your info on any number of other sites.

      • Re:Another two words (Score:4, Informative)

        by clone53421 (1310749) on Thursday June 25, 2009 @04:25PM (#28471561) Journal

        Oh really? Even if your browser won't just show them to me [howtogeek.com] I can still get them easily if I have physical access to your browser and I am able to successfully guess which sites you frequent:

        javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

        I'm not flaming Firefox for showing the passwords. What I am saying is simple... if your browser does save passwords, secure either the browser (Firefox has a master password) or the computer (via an account password, and don't leave the desktop logged in). The asterisks are a secure enough method of obscuring your password from someone looking over your shoulder, but they are not a secure method of obscuring your password from someone who's actually sitting at the computer keyboard.

  • by greenguy (162630) <estebandido.gmail@com> on Thursday June 25, 2009 @03:49PM (#28470875) Homepage Journal

    Howzabout we make it optional, so people can decide for themselves?

    • by Yetihehe (971185) on Thursday June 25, 2009 @03:54PM (#28470975)
      It's possible; the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on the page, just press the down arrow and voila!
      • [browsers] remember what you put in normal text fields.

        Well, here's an easy fix: browsers add a checkbox-ish context menu item to password fields saying "don't hide text behind dots". Pages don't have to do anything, and browsers don't need to change caching behavior.

        On the other hand, we only post passwords over HTTPS which browsers don't cache anyways. Right, slashdot? Right? Harumph :(

        • Re: (Score:3, Informative)

          by Nixoloco (675549)

          On the other hand, we only post passwords over HTTPS which browsers don't cache anyways.

          Most browsers will save form data entered on a page served over SSL just as they do over non-SSL.

    • Re: (Score:3, Informative)

      by clone53421 (1310749)

      javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

      Bookmark it if you want.

      For bonus points, set a timeout that restores all the fields you changed to their original password types after a few seconds.
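Several behaviours proposed across this thread fit together in one small controller: masked by default, as the HTML 5 draft wording quoted above requires; an explicit "show password" control of the kind marcus and NorthDude describe; the brief display of the last typed character Verteiron mentions; and the timed re-masking clone53421 suggests for the bookmarklet. The code below is an added example written for this page, not code from the thread or from any browser. It works on any object with `type` and `value` properties so it runs without a DOM (in a browser you would pass the `<input>` element itself); the names `createMaskingController`, `peekAllPasswordFields` and `renderMasked`, the clock and scheduler injection, and the sample input are all my own.

```javascript
// Added example (not from the thread or any browser): a password-field
// masking controller. Masked by default; the user may reveal the value
// explicitly; the last typed character is shown briefly; any reveal
// re-masks itself after a timeout. `input` is any object with `type`
// and `value` (a constructed fake below, a real <input> in a browser).

const BULLET = "\u2022";

// What the screen should show for `value`. revealLast shows the most
// recently typed character in the clear and the rest as bullets.
function renderMasked(value, revealLast) {
  if (value.length === 0) return "";
  const hidden = BULLET.repeat(value.length - 1);
  return hidden + (revealLast ? value[value.length - 1] : BULLET);
}

function createMaskingController(input, options = {}) {
  const peekMs = options.peekMs ?? 1000;         // last char visible this long
  const revealMs = options.revealMs ?? 10000;    // "show password" auto-expires
  const now = options.now ?? (() => Date.now()); // injectable clock for tests
  let revealedUntil = 0;     // clock value until which the full value shows
  let lastKeyAt = -Infinity; // clock value of the last keystroke

  input.type = "password";   // start masked; never default to "text"

  return {
    // One keystroke appended to the secret.
    type(ch) {
      input.value += ch;
      lastKeyAt = now();
    },
    // Explicit user action, e.g. a "show password" checkbox.
    setRevealed(on) {
      revealedUntil = on ? now() + revealMs : 0;
      input.type = on ? "text" : "password";
    },
    // The string to paint right now; also enforces reveal expiry.
    display() {
      const t = now();
      if (t < revealedUntil) return input.value;
      if (revealedUntil !== 0) { // reveal has expired: re-mask
        revealedUntil = 0;
        input.type = "password";
      }
      return renderMasked(input.value, t - lastKeyAt < peekMs);
    },
    isMasked() {
      return input.type === "password";
    },
  };
}

// The thread's bookmarklet plus the suggested timeout: flip every password
// field to text and flip the same fields back after `ms`. `inputs` is any
// iterable of elements (in a browser, document.getElementsByTagName("input"));
// `schedule` defaults to setTimeout and is injectable so it can be tested.
function peekAllPasswordFields(inputs, ms, schedule = setTimeout) {
  const flipped = [];
  for (const el of inputs) {
    if (el.type === "password") {
      el.type = "text";
      flipped.push(el);
    }
  }
  schedule(() => {
    for (const el of flipped) el.type = "password";
  }, ms);
  return flipped.length;
}

// Stand-alone demo with a constructed element and a manual clock; returns
// the sequence of strings the screen would show.
function demo() {
  let clock = 0;
  const el = { type: "text", value: "" }; // constructed fake <input>
  const ctl = createMaskingController(el, { peekMs: 1000, revealMs: 5000, now: () => clock });
  const frames = [];
  for (const ch of "hunter2") { ctl.type(ch); frames.push(ctl.display()); clock += 200; }
  clock += 2000; frames.push(ctl.display());          // peek window over: all bullets
  ctl.setRevealed(true); frames.push(ctl.display());  // user asked to see it
  clock += 6000; frames.push(ctl.display());          // reveal expired: masked again
  return frames;
}
```

Two design points matter more than the rendering: the field is only ever unmasked by an explicit user action, and every unmasking has an expiry, so a page left open on a projector or a shared desk does not stay readable.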

  • by Verteiron (224042) on Thursday June 25, 2009 @03:51PM (#28470893) Homepage

    Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

    • by Anonymous Coward on Thursday June 25, 2009 @04:04PM (#28471137)

      The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.

      Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

      • Re: (Score:3, Informative)

        by AndrewNeo (979708)

        And now that you bring that up, it made me curious. I just checked, and the iPhone OS 3.0 does support pasting into password fields, including the WPA passphrase field! You could now type it up in the Notes program (or any other text field, but whatever), copy and paste it, then delete the note. (Well, now you can, anyway)

  • It's time! (Score:3, Interesting)

    by kurtmckee (870398) * <contactme@kurtmckee.org> on Thursday June 25, 2009 @03:51PM (#28470897) Homepage

    I agree, it's time to switch to the Unix password entry scheme. No feedback is good feedback!

  • Easy solution (Score:5, Insightful)

    by wjousts (1529427) on Thursday June 25, 2009 @03:54PM (#28470979)
    Change your password to **********
  • by tcsh(1) (683224) on Thursday June 25, 2009 @03:55PM (#28470993)
    Ever logged in to a computer connected to an LCD projector?
    • Re: (Score:3, Funny)

      by Archimonde (668883)

      I've seen it.

      There was this guy wanting to do a presentation in front of around 50 people on an Ubuntu laptop, and he typed his password in the "User" text edit of the login window. Everyone erupted with laughter because his password was "jebenica_l01" (something like "fuckery lol" in English). I don't blame him too much; that login window has a serious flaw in showing only one text edit at a time, and both of them in the same place, which can lead to a situation like this when people are under pressure. Needless to sa

  • Security (Score:3, Insightful)

    by ucblockhead (63650) on Thursday June 25, 2009 @04:02PM (#28471093) Homepage Journal

    One of the most irritating things is the way many websites, especially financial websites, are designed with no thought to the difference between use in a public setting and use in a private setting. For instance, I only ever use my banking website from one place, my den, which is physically secure, yet I have to suffer through all sorts of crap designed to make sure my account doesn't get compromised in a public setting. (The most annoying being automatic log outs for non-use.)

    Masking passwords, logging off the user on non-use after ten minutes, and other such security methods do not actually decrease the chance of compromise significantly when the user has physical security. Websites should allow for this.

    • Re: (Score:3, Insightful)

      by PitaBred (632671)
      See, now you're asking people to make critical decisions affecting their own security, with the vast majority of them having no way to realistically evaluate the actual security. You're intentionally calling forth the demons of being Unskilled and Unaware of It [damninteresting.com]. People will overestimate their security on their shitware ridden Windows machines, or check their bank accounts from home and work and the library... if the preferences are per-user, that's horribly insecure. If it's per user+IP, it will confuse nor
  • by guruevi (827432) <evi@smo k i n g c ube.be> on Thursday June 25, 2009 @04:02PM (#28471099) Homepage

    1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

    2) How many times have you typed in your password while somebody was looking at your screen eg. to show somebody something on a protected website. This happens a lot to tech people as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.

    3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (eg. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.

    4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

    • Re: (Score:3, Insightful)

      by BitZtream (692029)

      I can do it for linux and Windows pretty quickly, not sure about OS X, but I can do it on FreeBSD or any X server really.

      All I need is to get you running a process that does my dirty work in Windows, certainly not difficult. With an X server involved all I need to do is get an app that can connect to your X server and sniffing becomes easy. Failing that, in both Windows and most unix flavors I can always just futz with your user profile and use LD_PRELOAD to make sure I see all your stdio. Don't think it

    • Re: (Score:3, Interesting)

      by SloppyElvis (450156)

      4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

      hmm...

      SetWindowsHookEx()

      ...I don't believe this requires admin rights. Windows is designed for usability! I could write an Internet Explorer browser add-on that superimposes over password editboxes and displays your password so you (and I) can see it!

  • by gcnaddict (841664) on Thursday June 25, 2009 @04:03PM (#28471129)
    *****-****-**-********
    Don't_mask_my_password

    (I used my stealthy password exposer to find that out.)
  • by hoosbane (643500) on Thursday June 25, 2009 @04:05PM (#28471173)
    Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.
  • by NorthDude (560769) on Thursday June 25, 2009 @04:14PM (#28471337)
    In many places in OS X, there is a "display password" checkbox under password entry fields. So, by default the password is hidden, but if needed, you can click the checkbox and it will be displayed. Best of both worlds, I think.
  • i can type my password without even looking

    watch, i'll enter my bank account password without looking

    fluffybunnies

    see? i didn't even need to...

    oh crap...

    unsubmit

    where's the damn unsubmit!

  • People are a problem (Score:4, Interesting)

    by bky1701 (979071) on Thursday June 25, 2009 @04:14PM (#28471351) Homepage
    On my old website, I had for a while password fields with no bullets. I had assumed that, given the low-importance nature of the site and all, no one would really care, and it did make it easier.

    A few weeks after opening, I found out that a few people had not created accounts, because they had the strange idea that not having bullets somehow made the site less secure. That somehow, *I* would be able to see their password, more than if there were bullets.

    Needless to say, I changed over my password fields to bulleted, because I didn't want to lose any possible members to such a stupid problem. I still think that plain text is better, but it has become mandatory security theater. Much like an SSL cert makes even the most questionable site legitimate, lacking bulleted passwords makes people think you're being sneaky somehow. It is sad, but it's reality.
