Masking Passwords: Good or Bad Debate

Computer experts argue over the pros and cons of the practice

By Lucian Constantin, Web News Editor

1st of July 2009, 08:56 GMT

[Image caption: The necessity of password field masking placed under doubt]
Various experts in areas such as usability, cryptography and security entered a debate over the necessity of masking passwords, a standard practice dating back to the beginning of the Internet. People on both sides of the barricade bring compelling arguments to the table.

The practice of masking passwords is so common and dates so far back that many users might not even realize what it means or that there is an alternative to it. It consists of replacing the typed password (or, more generally, access code) with a string of asterisks or bullets as it is entered.

The issue of whether passwords should continue to be hidden in web forms or not was brought up by world-renowned web usability expert Jakob Nielsen, who considers it an unnecessary legacy design. "Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days," he claims.

Mr. Nielsen argues that, "There's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue." According to him, this outdated convention raises several problems.

First of all, he explains that, by not being able to see what is being typed in a form field, the chance of errors occurring increases, which ultimately leaves users frustrated. Furthermore, this decrease in confidence causes users to choose overly simple passwords or resort to copy-pasting them from a file, both actions reflecting "a true loss of security."

Cryptography guru Bruce Schneier agrees with Nielsen and maintains that, "Shoulder surfing isn't very common, and cleartext passwords greatly reduces [sic] errors. It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on." To clarify the scope of his remark, he stresses that, "I'm not talking about PIN masking on public terminals like ATMs. I'm talking about password masking on personal computers."

Jakob Nielsen has also considered scenarios where users are exposed to the prying eyes of bystanders, such as in Internet cafes. His solution to this is "offering them a checkbox to have their passwords masked." He goes on to note that, "For high-risk applications, such as bank accounts, you might even check this box by default."
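The checkbox Nielsen proposes is simple to build on top of the browser's own masking, because a password field renders in cleartext as soon as its `type` attribute is switched from `password` to `text`. The following is an added example (not code from the article or from any of the experts quoted) of such a "Mask my password" toggle: unmasked by default for ordinary sites, masked by default when the site flags the form as high-risk, and with two defensive choices of this example's own, the preference is never stored, and the field is re-masked when focus leaves it and before submit, so a cleartext password is not left sitting on screen. The `highRisk` and `remaskOnBlur` options are assumptions of this example; the functions work on a real `<input>` element or on any plain object with a `type` property, which is how they can be exercised offline.

```javascript
// Added example, not from the article: a website-side "Mask my password" checkbox.
// `highRisk` and `remaskOnBlur` are assumptions of this example, not part of the page.

const MASKED = 'password'; // browser masks the value
const CLEAR = 'text';      // browser shows the value in cleartext

// Build the toggle state for one field. High-risk forms (the site decides which,
// e.g. online banking) start masked; everything else starts in cleartext, as
// Nielsen suggests. Nothing is persisted, so every page load starts from the default.
function createMaskToggle(field, { highRisk = false, remaskOnBlur = true } = {}) {
  const state = { field, highRisk, remaskOnBlur, masked: highRisk };
  applyMask(state);
  return state;
}

// Write the current choice to the field. Only the rendering changes; the value
// the user typed is untouched.
function applyMask(state) {
  state.field.type = state.masked ? MASKED : CLEAR;
  return state.field.type;
}

// Checkbox handler: checked means "mask my password".
function onMaskCheckboxChange(state, checked) {
  state.masked = Boolean(checked);
  return applyMask(state);
}

// Focus leaves the field: re-mask so a cleartext password does not stay on screen
// (shorter window for bystanders and for screenshot-taking malware), unless the
// site opted out of that behaviour.
function onFieldBlur(state) {
  if (state.remaskOnBlur) state.masked = true;
  return applyMask(state);
}

// Submit: always re-mask so the value is hidden while the page navigates away.
function onFormSubmit(state) {
  state.masked = true;
  return applyMask(state);
}

// Wire the handlers to real DOM nodes in a browser. Offline, the functions above
// are exercised directly with a plain object standing in for the field.
function attachMaskToggle(form, field, checkbox, options) {
  const state = createMaskToggle(field, options);
  checkbox.checked = state.masked;
  checkbox.addEventListener('change', () => onMaskCheckboxChange(state, checkbox.checked));
  field.addEventListener('blur', () => {
    onFieldBlur(state);
    checkbox.checked = state.masked; // keep the checkbox honest after re-masking
  });
  form.addEventListener('submit', () => {
    onFormSubmit(state);
    checkbox.checked = state.masked;
  });
  return state;
}
```

In a page, `attachMaskToggle(document.forms.login, passwordInput, maskCheckbox, { highRisk: true })` is all that is needed; the checkbox reflects the real masking state even after a blur re-masks the field, so the user is never shown an unchecked "mask" box while the field is actually masked.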

Graham Cluley, senior technology consultant at Sophos, joins the discussion, saying that, "I'm afraid that wise as these two gents are, I have to disagree with them." The security expert notes that the additional checkbox might lead to "awkward social positions," like when logging in from a friend's computer, without wanting them to see your password.

Mr. Cluley also brings up other scenarios where password masking should be a must, such as when an IT staffer needs to log in to your work computer with an admin password to fix something while you are present. "I bet I'm not the only one to be sitting in a completely open plan building – anyone could be passing by and looking over my shoulder," he also points out.

Additionally, the security researcher notes that the masking of password fields is actually performed by browsers and not websites. "If there were an option to display password input fields as cleartext rather than asterisks, then that should be set in the user's browser not decided by individual websites," he concludes.

Trend Micro's Solutions Architect, Rik Ferguson, feels the same as Mr. Cluley about this. "The vast majority of the global office population are definitely not fortunate enough to be sitting secure in their own private office," he writes. "Even if it were true that shoulder-surfing is not common, isn’t that partly because it serves little purpose when passwords are masked? Chicken or egg Mr. Schneier, Mr. Nielsen?" the researcher rhetorically asks.

Mr. Ferguson goes on to point out that, "Password masking is also an effective method of defeating malware, which is designed to take snapshots of the users screen, which has long been a way that banking Trojans have overcome virtual or on-screen keyboards."

Both sides make good points; so far, one thing is clear: this is a sensitive issue that should be carefully analyzed. Even Mr. Nielsen acknowledges that security sometimes has to outweigh comfort. "In cases where there's a tension between security and usability, sometimes security should win," he writes.

As usual, we encourage you to comment on subjects of significant public interest, such as this one.

TAGS: password masking | password protection | web usability | form field | authentication

© Copyright 2001-2009 Softpedia

User opinions:

Comment #1 by: anonymous on 01 Jul 2009, 12:47 GMT

Having pros and cons too, the easiest thing to do would be to implement password fields in browsers with a key assigned for masking passwords... for example, with Scroll Lock on, the passwords in password fields would be masked, while with Scroll Lock off, they would be unmasked. This way both sides would be happy. (Until they discovered that somebody has to press one more key than somebody from the other camp.)


Comment #2 by: Eric on 01 Jul 2009, 20:13 GMT

Yes, password masking is around because it is so old and has become a standard. That's exactly why it should stay around. Sure, it can be frustrating when you make errors, but most users would make errors regardless, since they tend to type usernames and passwords very quickly.

It isn't common to have people watching your computer? That's simply not true; businesses or schools are constantly using projectors to show their computer screens, or IT professionals using remote access to view a desktop.

No one is complaining about password masking. It really doesn't make things that difficult, and there's no doubt unmasking passwords would result in an amount of compromised credentials for users that forget to check the masking box when they should.

Let's remember that people are trying to log in very quickly most of the time, specifically because logging in is such a repetitive action. Because of this, at least some users aren't going to take the time to check the appropriate masking box, compromising passwords. Also, would showing passwords in clear text really reduce the amount of mistakes? How many of the typos are a result of not being able to see the password field, and how many are a result of typing way too fast to log in quickly?

Unmasking passwords would result in a lot more pain and trouble than it's worth!
