Password Masking: The Debate Goes On

Article by George Norman (Cybersecurity Editor)

on 08 Jul 2009

You might remember that about a week ago Jakob Nielsen, one of the world’s leading experts on web usability, announced that the practice of password masking hurts the overall user experience and hurts security as well. As Nielsen put it, turning characters into bullets in the password field discourages the user from logging in, encourages the user to pick overly simple passwords, and is incredibly annoying when you make a mistake and have to retype the whole thing because you can’t see where the error is.

Jakob Nielsen also proposed that offering a checkbox would be a good idea for those situations when you really need to conceal your password, like when you are in an internet café or working in an open-plan office. Just tick the checkbox and your password is concealed. When there’s no one around and you feel safe about revealing your password, un-check the box.

As you would imagine, Jakob Nielsen’s words spurred much controversy amongst security experts, for example Sophos’ Senior Technology Consultant Graham Cluley and Trend Micro’s Advanced Threat Researcher Ben April. They argued against Nielsen’s proposal, saying that dropping the practice of password masking would not be a good idea security-wise, would put you in socially awkward situations at times, and would send a bad message to the regular user. Graham Cluley also pointed out an essential flaw in Jakob Nielsen’s thinking: it is not the web page that masks passwords, it is the browser that does so.
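The checkbox Nielsen proposed and Cluley’s point that the browser does the masking can both be seen in a few lines of front-end code, since the bullets appear only because the field has type "password". The following is an added example, not code from the article or from anyone quoted in it: it wires a checkbox to a field the way most sites later settled on, masked by default with reveal as the opt-in (the reverse of Nielsen’s default-revealed checkbox), and re-masks on blur and on submit so a reveal never outlives the user’s attention. The element stand-ins, the `installToggle` and `demo` names and the re-mask rule are this example’s own assumptions.

```javascript
// Added example: a "show password" toggle modelled as a small state machine.
// The field object stands in for an HTML <input>; in a browser you would pass
// document.querySelector('input[type=password]') and the checkbox element.
// Function names and the re-mask-on-blur/submit rule are assumptions of this
// example, not something the article prescribes.

const MASKED = "password"; // the browser renders bullets for this input type
const REVEALED = "text";   // same value, rendered in the clear

// Wire a checkbox to a password field. Masked by default regardless of what
// the markup said; revealing is opt-in, and the field is re-masked whenever
// it loses focus or its form is submitted.
function installToggle(field, checkbox) {
  checkbox.checked = false;
  field.type = MASKED;

  const apply = () => { field.type = checkbox.checked ? REVEALED : MASKED; };
  const remask = () => { checkbox.checked = false; apply(); };

  checkbox.addEventListener("change", apply);
  field.addEventListener("blur", remask);
  if (field.form) field.form.addEventListener("submit", remask);
  return { apply, remask };
}

// Minimal stand-in for DOM elements so the example runs outside a browser.
function makeElement(extra) {
  const listeners = {};
  const el = Object.assign({}, extra || {});
  el.addEventListener = (name, fn) => {
    if (!listeners[name]) listeners[name] = [];
    listeners[name].push(fn);
  };
  el.dispatch = (name) => { (listeners[name] || []).forEach((fn) => fn()); };
  return el;
}

// Constructed walk-through: install, reveal, type a value, submit, and record
// the field type at each step. Browsers keep the typed value across a
// password/text switch, so only the rendering changes, never the data.
function demo() {
  const form = makeElement();
  const field = makeElement({ form: form, value: "" });
  const box = makeElement({ checked: true }); // markup left it checked...
  installToggle(field, box);
  const states = [field.type];                 // ...but the default is enforced
  box.checked = true; box.dispatch("change"); states.push(field.type);
  field.value = "correct horse";               // constructed sample password
  form.dispatch("submit"); states.push(field.type);
  return { states: states, value: field.value, checked: box.checked };
}
```

Because the toggle only flips the `type` attribute, it adds no storage or transmission of the password beyond what the form already does; the trade-off the experts argue about is entirely about who can see the screen while the box is ticked.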

At the time, the only one to support Jakob Nielsen was internationally renowned security technologist and author Bruce Schneier. He agreed that, since most of the time you use a computer you are alone, masking passwords is really nothing more than a nuisance, and revealing them would keep the user from making mistakes. There are times when someone close to you will try to sneak a peek at your password, but shoulder surfing is not very common, Schneier added.

Now it seems that Bruce Schneier is taking back his words of support for dropping password masking: “So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords. I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.”

Previous articles on the subject:
Time to Drop Password Masking Expert Says
Security Experts Argue over Dropping Password Masking Proposal
