Security Experts Argue over Dropping Password Masking Proposal

Article by George Norman (Cybersecurity Editor)

on 01 Jul 2009

We recently reported that the practice of replacing characters with bullets as the user types in his password has a negative impact on the overall user experience and provides little in terms of security. The one arguing this point of view is Jakob Nielsen, one of the world’s leading experts on web usability, who said that masking passwords has two direct effects: it makes the user more prone to make a mistake while typing the password, and it makes the user pick an overly simple password.

According to Jakob Nielsen, the practice of masking passwords by default should be dropped and replaced with something else – like a checkbox. “It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply. Users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet café. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default,” said Nielsen.

At the time Nielsen said this, the only one to agree with him was internationally renowned security technologist and author Bruce Schneier (and me, for the simple reason that typing in stuff that you do not see is terribly annoying and I have to keep my eyes on the keyboard to make sure I do not make a mistake). According to Schneier, passwords should be made visible on your personal computer, since almost every time you use it you are alone. There is of course the chance that someone might look over your shoulder when you type in your password, but in that case password masking is compromised anyway (as Nielsen argues), and besides, it is something that rarely happens (as Schneier argues).

Senior Technology Consultant with Sophos, Graham Cluley does not agree with dropping password masking, nor does he agree with Schneier’s claim that “shoulder surfing” (the practice of looking over someone’s shoulder to see what he’s typing) is very rare. Graham Cluley argues that in an open plan work environment, anyone could snoop on your password. On top of that, when you want to quickly access your email account from a friend’s house, ticking a mask password checkbox would create social friction.

“What happens when I am at a friend's house and I want to quickly log in to my web email account to forward him something I have been discussing with him? Sure, he's my friend and I trust that he's not going to misbehave - but I really don't think I should be sharing my password with him. Equally I don't want to be put in the awkward social position of going to the extra effort of ticking a box to obscure my password from him. Much better that I had no option to see the password at all,” says Graham Cluley.

Cluley goes on to say that Nielsen and Schneier are both wrong about one thing: it is not “most websites” that hide passwords, it is the browser that does so. It is the browser that interprets the HTML of the site and obscures the password field. “If there were an option to display password input fields as cleartext rather than asterisks, then that should be set in the user's browser not decided by individual websites,” added Cluley. “Even then, I can't imagine many situations when it wouldn't actually be more of an inconvenience (asking friends and colleagues to turn around or wear a bucket over their head for the next ten seconds) than the masking of passwords we have at the moment.”
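As an added illustration of the mechanism both sides are arguing about (not code from the article or from any of the people quoted in it): Nielsen's proposal is a "mask my password" checkbox, ticked by default only on high-risk forms such as a bank login, and Cluley's point is that it is the browser, not the site, that renders an `<input type="password">` as bullets. The example below implements the checkbox on the client side by switching the input's `type` between "password" and "text". The function names and the `highRisk` option are this example's own assumptions; the `fakeElement` helper stands in for DOM elements so the code also runs outside a browser, where you would pass the real `<input>` elements instead.

```javascript
// Decide the rendered input type for a given checkbox state.
// A browser masks a field whose type is "password"; switching the type
// to "text" shows the characters the user typed.
function inputTypeFor(maskChecked) {
  return maskChecked ? "password" : "text";
}

// Wire a password input to a "mask my password" checkbox.
// `field` and `checkbox` are DOM elements in a browser; any object with
// `type` / `checked` properties and `addEventListener` works for testing.
// `highRisk` (an assumed option, not from the article) selects Nielsen's
// proposed default: masked for bank-style forms, visible otherwise.
function initPasswordMaskToggle(field, checkbox, { highRisk = false } = {}) {
  checkbox.checked = highRisk;             // default state per risk level
  field.type = inputTypeFor(checkbox.checked);
  checkbox.addEventListener("change", () => {
    field.type = inputTypeFor(checkbox.checked);
  });
  return field.type;
}

// Minimal stand-in for DOM elements so the example runs outside a browser
// (constructed for this example). In a real page use
// document.getElementById(...) for both elements.
function fakeElement(initial = {}) {
  const listeners = {};
  return Object.assign({}, initial, {
    addEventListener(name, fn) {
      (listeners[name] = listeners[name] || []).push(fn);
    },
    dispatch(name) {
      (listeners[name] || []).forEach((fn) => fn());
    },
  });
}

// Demonstration: a high-risk (bank) form starts masked; unticking the box
// reveals the password, ticking it again masks it. Returns the sequence of
// input types observed.
function demo() {
  const field = fakeElement({ type: "password" });
  const box = fakeElement({ checked: false });
  const states = [];
  states.push(initPasswordMaskToggle(field, box, { highRisk: true }));
  box.checked = false;
  box.dispatch("change");
  states.push(field.type);
  box.checked = true;
  box.dispatch("change");
  states.push(field.type);
  return states;
}

console.log(demo());
```

In a page the markup would be `<input type="password" id="pw">` next to `<label><input type="checkbox" id="mask"> Mask my password</label>`, and the call `initPasswordMaskToggle(document.getElementById("pw"), document.getElementById("mask"), { highRisk: true })` runs once the elements exist. Nothing here changes what is sent to the server; masking is purely a display decision made in the browser, which is exactly Cluley's argument for putting the setting in the browser rather than in each site.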

Trend Micro’s Advanced Threat Researcher Ben April, while agreeing that shoulder surfing compromises password security and that password masking has a negative impact on usability, says that dropping the practice would not benefit the user security-wise. According to Ben April, password masking has “zero value” if you are dealing with a seasoned attacker, but when you are dealing with a newbie wrongdoer he “will be looking at the screen when you start entering your password” and “by the time they realize their mistake, they will only see *** and have already missed a good portion of your password.” There is one other advantage that password masking brings to the table, April says: it helps you remember passwords. When you type in the same password day in and day out, you get so proficient that your fingers type it in incredibly fast.

“My main objection to the demise of password masking is the message that it sends to casual users. We enter a case of do-as-I-say-not-as-I-do. How can we ask our users to secure their password reminders if the entire password appears clear as day on the screen every time they enter it? Masking a password sends the message to the user that it is important that they not share their passwords, that they should not even show these to you, reinforcing the never-give-out-your-password tenet. In many cases, masking discourages copying and pasting passwords though only through naïveté,” says Ben April.
