PaulDotCom mailing list archives

Stop Password Masking

From: d4ncingd4n at gmail.com (d4ncingd4n at gmail.com)
Date: Fri, 26 Jun 2009 15:52:08 +0000

My approach to solving the shoulder surfer problem is to intentionally make typing mistakes, back space over the errors 
and screw up a few more times. Usually people will get bored watching a bad typist and look elsewhere. The ones that 
continue to watch are asked politely to turn their head. My $.02 

Bart 
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Mike Patterson <mike.patterson at unb.ca>

Date: Fri, 26 Jun 2009 10:51:47 
To: PaulDotCom Security Weekly Mailing List<pauldotcom at pdc-mail.pauldotcom.com>
Subject: Re: [Pauldotcom] Stop Password Masking


That's addressed in TFA.

You may disagree with his reasoning, but he didn't forget about it either.

I'm not sure I agree with him either.  That said, I won't type if
somebody's watching me, masked or not.  I wonder if it might almost be
safer - I work with sysadmins who will happily type passwords in with
users right there, but if their password showed up on the screen, they
might send the user out, or at least make them turn around.  Of course,
that's probably also the same kind of thinking that says people would be
safer drivers if we put a HUGE FREAKING SPIKE in the steering column and
banned seatbelts.

If I happen to be around when somebody's typing a password in, I make a
point of turning around.

Mike

Joel Esler wrote on 6/26/09 9:20 AM:

What about Shoulder surfing?  Haven't you ever watched "Hackers"?

J

On Fri, Jun 26, 2009 at 8:40 AM, Aaron<subdriven at gmail.com> wrote:

I read an interesting article about removing the mask from passwords.
For mobile devices I think it would be a great idea. For some
desktops, I know it would cut down on support calls. In other
instances I think they must stay masked. I was just wondering what the
rest of the PDC list thought. I have links to the articles below.

Summary:
Usability suffers when users type in passwords and the only feedback
they get is a row of bullets. Typically, masking passwords doesn't
even increase security, but it does cost you business due to login
failures.


Main article here: (http://www.useit.com/alertbox/passwords.html)

which was also posted to slashdot here
(http://it.slashdot.org/story/09/06/25/1856214/Nielsen-Recommends-Not-Masking-Passwords)

Regards,

Aaron
_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Current thread:

Stop Password Masking Aaron (Jun 26)
- Stop Password Masking Tim Krabec (Jun 26)
  - Stop Password Masking Michael Dickey (Jun 26)
  - Stop Password Masking Dan Stadelman (Jun 26)
- Stop Password Masking Joel Esler (Jun 26)
  - Stop Password Masking Mike Patterson (Jun 26)
    - Stop Password Masking d4ncingd4n at gmail.com (Jun 26)
- Stop Password Masking Adrian Crenshaw (Jun 26)
- Stop Password Masking Matt Hillman (Jun 26)