Security Active Blog

Apparently we should no longer blank passwords when entered on websites. Thoughts?

by Dale on Jul.01, 2009, under InfoSec

I was reading today a page on Out-Law about how Jakob Nielsen and Bruce Schneier say that the masking of passwords is actually leading to weaker security.

“It’s time to show most passwords in clear text as users type them,” said Nielsen in a post on his website. “Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

“Password masking has annoyed me for years,” Schneier told OUT-LAW.COM. “Shoulder surfing is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time.”

“The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security,” he said.

Nielsen said that sites usually blank out type-in passwords out of force of habit rather than reason. “Password masking has become common for no reasons other than (a) it’s easy to do, and (b) it was the default in the web’s early days,” he said.

I can kind of see the reasoning used to come to this conclusion, but personally I think it's not a good idea. I believe shoulder surfing is a reality, and there are masking technology options that allow the masking of a password but still show the last character typed, in an effort to show a user when they have gone wrong. I also find this interesting as Schneier spoke about users being encouraged to write down passwords on a piece of paper. I believe that we could make better use of biometrics in the future, but the password is still a key defence in security. With that in mind we really should take care to store these passwords securely, and I really don't think it makes sense to start showing passwords in clear text. We live in an age of technology, these things are not new, and if people really can't handle typing in a password without seeing it, perhaps we have other problems. Finally, they believe shoulder surfing is largely a phantom problem, which I don't agree is true, but I imagine if we moved to a standard where we don't mask passwords there would be a steep rise.
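
The "mask but show the last character typed" compromise mentioned above, together with the plain "show password" toggle that gives users the feedback Nielsen asks for without leaving the field in clear text, as an added example. This is not code from the original post; the keystroke handling lives in a small class so it can be exercised outside a browser, and the DOM wiring at the end assumes hypothetical markup (inputs with ids `pw`, `pw-real`, `pw2` and a button `pw2-toggle`) and a reveal window of 1000 ms, both of which are assumptions rather than anything the post specifies.

```javascript
// Added example, not from the original post. A password field that shows bullets
// for every character except the one just typed, which stays readable for
// `revealMs` and then turns into a bullet too (the mobile-keyboard behaviour).
// The real secret is kept in this object, never in the visible input, so the
// visible field only ever contains bullets plus at most one clear character.

const BULLET = '\u2022';

class LastCharMasker {
  // revealMs = 1000 is an assumed value; sites would tune it.
  constructor(revealMs = 1000) {
    this.revealMs = revealMs;
    this.secret = '';
    this.lastTypedAt = -Infinity; // timestamp of the most recent keystroke
  }

  type(ch, now = Date.now()) {
    if (ch.length !== 1) throw new Error('type() takes a single character');
    this.secret += ch;
    this.lastTypedAt = now;
  }

  backspace() {
    // After a delete there is no newly typed character to confirm, so hide all.
    this.secret = this.secret.slice(0, -1);
    this.lastTypedAt = -Infinity;
  }

  clear() {
    this.secret = '';
    this.lastTypedAt = -Infinity;
  }

  // The string the visible input should show at time `now`.
  display(now = Date.now()) {
    if (this.secret === '') return '';
    const revealed = now - this.lastTypedAt < this.revealMs;
    const hidden = BULLET.repeat(this.secret.length - (revealed ? 1 : 0));
    return revealed ? hidden + this.secret.slice(-1) : hidden;
  }
}

// The "show password" toggle: a normal masked field that the user can switch to
// clear text on demand and back again when someone is standing behind them.
// Returns the new input type so the caller can update a button label.
function toggleVisibility(input) {
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// Browser wiring for the last-character masker (assumed markup: a visible
// <input id="pw" type="text" autocomplete="off"> and a <input id="pw-real"
// type="hidden"> that carries the real value when the form is submitted).
function attachLastCharMasker(visible, hidden, masker) {
  let timer = null;
  const render = () => {
    visible.value = masker.display();
    hidden.value = masker.secret;
    clearTimeout(timer);
    // If a character is currently revealed, re-render once the window expires.
    if (masker.display() !== BULLET.repeat(masker.secret.length)) {
      timer = setTimeout(render, masker.revealMs);
    }
  };
  visible.addEventListener('keydown', (ev) => {
    if (ev.key === 'Backspace') masker.backspace();
    else if (ev.key.length === 1 && !ev.ctrlKey && !ev.metaKey) masker.type(ev.key);
    else return;           // Tab, Enter, arrow keys etc. pass through untouched
    ev.preventDefault();   // the real character never lands in the visible field
    render();
  });
  visible.addEventListener('paste', (ev) => {
    // Pasting still works (Schneier's copy-from-a-file case); only the last
    // pasted character is revealed.
    ev.preventDefault();
    for (const ch of ev.clipboardData.getData('text')) masker.type(ch);
    render();
  });
}

if (typeof document !== 'undefined') {
  const visible = document.getElementById('pw');
  const hidden = document.getElementById('pw-real');
  if (visible && hidden) attachLastCharMasker(visible, hidden, new LastCharMasker());
  const pw2 = document.getElementById('pw2');       // ordinary type="password" field
  const btn = document.getElementById('pw2-toggle');
  if (pw2 && btn) btn.addEventListener('click', () => { toggleVisibility(pw2); });
}
```

Two caveats worth knowing before using the masker pattern: because the visible field is `type="text"`, browsers and password managers will not treat it as a password field (so set `autocomplete="off"` and expect no autofill), and IME composition is not handled. The toggle pattern has neither problem, which is why it is the more common way to give typing feedback while keeping masking as the default.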

I know we need people to think out of the box, and yes, we need to strike a balance of usability with security, but I really don't think this is the brightest thought of late. Still, we are all entitled to our own opinions.
