I think having it unprotected by default is a lousy idea, though, mostly because people are so used to seeing it masked that they’ll probably have heart attacks if they start keying in a password and it comes out unmasked. And it’s also iffy security-wise, of course.

@Tkincher – I think the problems at hand are (1) People feel less safe with no masking, contrary to Jakob’s assertions. So regardless of the actual effectiveness, making people feel safe enough to use a site or application is an important consideration for a developer’s commercial success. And (2) Even if it’s not the best layer of security, masking provides enough to help protect against casual password-theft; and as Elaine mentioned, as rare as some may think it is, shoulder-surfing does occur. Yes, people can watch the keyboard, but it requires a bit more effort and is easier to physically block.

Ultimately I object to Jakob claiming that unmasking increases security and improves user trust when in fact it accomplishes the reverse.

If it’s a given that displaying this information is bad, should more extreme measures be taken, such as not showing even a bullet for the characters typed (like a Unix prompt)? After all, if someone knows the number of characters in a password, a brute force attack suddenly becomes much easier. So if we’re advocating obfuscation, why not take it all the way?

Part of the problem is that people associate bulleted characters with a secure password, even if the thing is passed plaintext via HTTP and stored unencrypted in a database. At least displaying the password (or even having an option to) causes people to (hopefully) think more critically about the security involved.

No, I don’t work alone in an office, I work in a cubicle “pod” with my monitors all exposed to whomever can sneak up behind me. Personally, I like the iPhone compromise of just displaying the last character typed, because then you get your interface feedback as well as your warm fuzzies.

For me my main concern about unmasking passwords was this: Even if I’m in a “secure” location such as my home or have the door shut in my office, what happens when I walk away from my desk and, say, either forget to log out of my account or forget to lock the screen? If someone walks by and I’ve left gmail open and it has my username and password saved, all they have to do is look at the monitor and see all the information they need to access my private data.

And let’s not forget the unfortunate people who use only one password for everything and never change it. Once they’ve left their workstations unsecure, that’s it, they’re a hair away from being hacked.

Anyhow, great post, great comic!

1) Customers of my org would FREAK OUT if we did something like this. For a while, we had our online banking login on a non-SSL page, and even though it went through SSL to the actual online banking, a number of people were quite upset. (This was before my time.)

2) I imagine our security folks, and probably our auditors, would just nix the idea out of hand w/out another word. None of this “opt-in/out” checkbox stuff, just “no.” I think the phrase “head would asplode” was the first thing that came to mind.

3) I have some personal experience with someone I’m close to stealing an ATM PIN by the looking-over-the-shoulder method. Just because big baddies can’t look over your shoulder, doesn’t mean there aren’t people with bad intentions who can.

(BTW, you’re missing a #3 in there.)

Schneier’s response was particularly baffling, as he’s usually so good at thinking through unintended consequences.