PaulDotCom mailing list archives
Stop Password Masking
From: lonervamp at gmail.com (Michael Dickey)
Date: Fri, 26 Jun 2009 10:00:58 -0500
Why to unmask? I can only think of two reasons:

a. Visual cue that capslock is on
b. Visual cue that our typing is f*[]cked

A warning on capslock solves a, and taking your time after the third try should solve b.

Why not unmask?

1. shoulder-surfing

I don't know many people who use truly random-like passwords, even amongst security paranoids. Who wants an admin account like jeND592)(sd..e[RTGf? No, even we make passwords like LAClipp3rsS*ckAg4inThisY4ar! Sure, complex password. Sure, lots of combinations of letters and number substitution. But you reveal a lot in even the quickest glimpse and nearly immediate recognition of the phrase.

It's already common courtesy to look away as someone types a password just in case I see them type qwerty123!@#. An unmasked password is worse for a computer screen. Mobile phones are typically far more discreet.

As a final note, one of the important pieces of a masked password is the assurance that no one else knows it, effectively. If someone startles you from behind as you typed your password, do we still have the ability to irrefutably say it was you that deleted that file server share? Or do we have doubt that maybe that gaggle of gossipers behind you saw your password and did it?
On Fri, Jun 26, 2009 at 8:40 AM, Aaron <subdriven at gmail.com> wrote:

I read an interesting article about removing the mask from passwords. For mobile devices I think it would be a great idea. For some desktops, I know it would cut down on support calls. In other instances I think they must stay masked. I was just wondering what the rest of the PDC list thought. I have links to the articles below.

Summary: Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

Main article here: (http://www.useit.com/alertbox/passwords.html) which was also posted to slashdot here ( http://it.slashdot.org/story/09/06/25/1856214/Nielsen-Recommends-Not-Masking-Passwords )

Regards,
Aaron

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

--
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com