Says he was probably wrong to dismiss its benefits

Jul 8, 2009 13:31 GMT  ·  By

Cryptography guru Bruce Schneier admits that he was probably wrong when he agreed that password masking should be abolished. He acknowledges shoulder surfing as a threat, but insists that its risks are being overstated.

Last month, Jakob Nielsen, a renowned Web usability expert, expressed his views on the old practice of masking passwords when being entered into login forms, by replacing their characters with dots or asterisks. He encouraged website owners to abandon this convention, claiming that it raised unnecessary usability problems.

Mr. Nielsen also argued that password masking might actually reduce security instead of increasing it, as it indirectly encouraged users to choose weaker passwords that were easier to type. Bruce Schneier subsequently posted on his blog that he agreed with Nielsen and that, "Cleartext passwords would greatly reduce errors."

His opinion was not received very well by fellow security experts, who brought forth arguments on why password masking was actually beneficial. After weighing all of the aspects, Schneier changed his mind and concluded that, "Password masking definitely improves security."

"I was certainly too glib. Like any security countermeasure, password masking has value," the father of the Blowfish encryption algorithm wrote. "I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed," he added.

The security specialist remains faithful to his original assessment that "shoulder surfing" (a stranger peeking at your monitor) is not such a major issue. To back up this claim, he provides three arguments: much of the time, people are alone when using computers; it is very hard to do for handheld devices; it's hard for someone to remember long strings of random, non-alphanumeric characters, even if they do see them.

"So was I wrong? Maybe. Okay, probably," wrote Schneier, who considers the password masking implementation on the BlackBerry to be an excellent compromise. These popular devices display each character briefly before masking it, as the password is being entered.
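The BlackBerry-style compromise described above, as an added model written for this article (it is not code from the article, from BlackBerry, or from Schneier): the real password is stored separately and never rendered as a whole; the display string reveals only the most recently typed character, and only for a short window, and losing focus hides it immediately. The class name, the 1000 ms window and the backspace behaviour are assumptions.

```javascript
// Model of "show each character briefly, then mask it" for a login field.
// The entry is decoupled from the DOM so the same logic can drive any widget.
class MaskedEntry {
  constructor(revealMs = 1000, mask = '\u2022') {
    this.secret = '';        // the real password; never rendered in full
    this.revealUntil = -1;   // timestamp (ms) until which the last char shows
    this.revealMs = revealMs;
    this.mask = mask;
  }

  // A character was typed at time `now` (ms): show it until now + revealMs.
  type(ch, now) {
    this.secret += ch;
    this.revealUntil = now + this.revealMs;
  }

  // Backspace removes the last character; nothing new is revealed (assumption).
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.revealUntil = -1;
  }

  // Losing focus or submitting must hide the exposed character at once,
  // so it is not left on screen while the user's attention is elsewhere.
  blur() {
    this.revealUntil = -1;
  }

  // The string the field should display at time `now`.
  display(now) {
    const n = this.secret.length;
    if (n === 0) return '';
    if (now < this.revealUntil) {
      return this.mask.repeat(n - 1) + this.secret[n - 1];
    }
    return this.mask.repeat(n);
  }

  // The cleartext value, for submission only.
  value() {
    return this.secret;
  }
}
```

A real form would pair this with a text input whose contents are overwritten by `display()` on each keystroke and on a timer, while `value()` is what gets submitted.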