Comments on: Comic Update: The Dangers of Intentional Vulnerability (AKA Password Unmasking)

By: Graham

Graham — Fri, 07 Aug 2009 19:45:36 +0000

I’m actually going to (partially) disagree. I don’t think passwords should be unmasked by default, but I think having a “mask password” checkbox that’s checked by default (as Nielsen suggests for high-security applications) is a good idea. I’ve certainly fat-fingered a password enough times to be frustrated with having no other option.

I think having it unprotected by default is a lousy idea, though, mostly because people are so used to seeing it masked that they’ll probably have heart attacks if they start keying in a password and it comes out unmasked. And it’s also iffy security-wise, of course.

By: Scott savage

Scott savage — Tue, 30 Jun 2009 14:03:35 +0000

I’d just like to see Mr.Nielsen substantiate the claims that he made on this particular post. I’m usually a pretty big fan of what he advocates but in this particular instance I think he needs to back it up with hard numbers.

By: Kyle Weems

Kyle Weems — Mon, 29 Jun 2009 23:31:50 +0000

To those that mentioned the iPhone last-character method, that does seem like the “safest feeling” of an alternative to full masking. Granted, that would almost certainly require user-agent support unless you had a clever coder carefully program in that (which is doable, but probably time-consuming and thus costly).

@Tkincher – I think the problems at hand are (1) People feel less safe with no masking, contrary to Jakob’s assertions. So regardless of the actual effectiveness, making people feel safe enough to use a site or application is an important consideration for a developer’s commercial success. And (2) Even if it’s not the best layer of security, masking provides enough to help protect against casual password-theft; and as Elaine mentioned, as rare as some may think it is, shoulder-surfing does occur. Yes, people can watch the keyboard, but it requires a bit more effort and is easier to physically block.

Ultimately I object to Jakob claiming that unmasking increases security and improves user trust when in fact it accomplishes the reverse.

By: {scottAsavage} » Blog Archive » Just because Jakob says it doesn’t make it right (or smart)

Mon, 29 Jun 2009 19:04:48 +0000

[...] at one of the best responses to Mr. Nielsen’s Alertbox post, which came from Kyle Weems at CSSquirrel. He also posted a hilarious comic to go with his response. Both are totally worth reading. [...]

By: tkincher

tkincher — Mon, 29 Jun 2009 17:40:07 +0000

How long are you going to sit at a password prompt with the password fully typed out where others can view it? Do you just hang out at login screens? Sure, if you stay logged in to something, someone can take advantage of cached credentials, but this isn’t new. And if someone can shoulder-surf a pin pad, they can surely do the same with the keyboard, hunchbacks notwithstanding.

If it’s a given that displaying this information is bad, should more extreme measures be taken, such as not showing even a bullet for the characters typed (like a Unix prompt)? After all, if someone knows the number of characters in a password, a brute force attack suddenly becomes much easier. So if we’re advocating obfuscation, why not take it all the way?

Part of the problem is that people associate bulleted characters with a secure password, even if the thing is passed plaintext via HTTP and stored unencrypted in a database. At least displaying the password (or even having an option to) causes people to (hopefully) think more critically about the security involved.

No, I don’t work alone in an office, I work in a cubicle “pod” with my monitors all exposed to whomever can sneak up behind me. Personally, I like the iPhone compromise of just displaying the last character typed, because then you get your interface feedback as well as your warm fuzzies.

By: Scott savage

Scott savage — Mon, 29 Jun 2009 17:16:18 +0000

You know, I’m relieved that I wasn’t the only one who disagreed with Mr.Nielsen when I read his latest article on useit.com. As I finished the article I was squinting a bit as I tried to go through all of the possible positives and negatives of unmasking password. Still, in the end, I came out feeling like unmasking isn’t the answer.

For me my main concern about unmasking passwords was this: Even if I’m in a “secure” location such as my home or have the door shut in my office, what happens when I walk away from my desk and, say, either forget to log out of my account or forget to lock the screen? If someone walks by and I’ve left gmail open and it has my username and password saved, all they have to do is look at the monitor and see all the information they need to access my private data.

And let’s not forget the unfortunate people who use only one password for everything and never change it. Once they’ve left their workstations unsecure, that’s it, they’re a hair away from being hacked.

Anyhow, great post, great comic!

By: Tobias

Tobias — Mon, 29 Jun 2009 17:10:31 +0000

In the comic: I’m not sure a shield would have saved them from the lions.
Personally I love the option to have my password shown to me whenever I “feel safe” (some OSX dialogs already have this option—just bring it to the web as well)

By: Elaine

Elaine — Mon, 29 Jun 2009 17:03:35 +0000

You said almost exactly what I was trying to get my brain together to say. I just have three additions, two of which come from experience as a web person at a financial institution:

1) Customers of my org would FREAK OUT if we did something like this. For a while, we had our online banking login on a non-SSL page, and even though it went through SSL to the actual online banking, a number of people were quite upset. (This was before my time.)

2) I imagine our security folks, and probably our auditors, would just nix the idea out of hand w/out another word. None of this “opt-in/out” checkbox stuff, just “no.” I think the phrase “head would asplode” was the first thing that came to mind.

3) I have some personal experience with someone I’m close to stealing an ATM PIN by the looking-over-the-shoulder method. Just because big baddies can’t look over your shoulder, doesn’t mean there aren’t people with bad intentions who can.

(BTW, you’re missing a #3 in there.)

By: Gaia

Gaia — Mon, 29 Jun 2009 16:58:55 +0000

I couldn’t agree more with your views. Whenever I access the web through my phone I give furtive looks around to check that no-one is looking at the very tiny screen to pick up on my almost invisible passwords.. ^_~
A thought on the discussion topic, though: if the unmasking was to come to web-life, I would suggest that the box is to be ticked by those who want the password unmasked, whereas everyone else just blind types as they have been doing since the internet has reached the world wide population and no-one is hurt :)

By: Dave S.

Dave S. — Mon, 29 Jun 2009 16:28:07 +0000

Aside from the fact I’m in the comic (and purple is really my colour, who knew?) I really like the arguments you fleshed out above. They seem immediately obvious to me, as someone who fairly frequently has to login in public places. I can’t shake the feeling that anyone taking the counter argument usually uses a computer in a room by themselves.

Schneier’s response was particularly baffling, as he’s usually so good at thinking through unintended consequences.