by letsdothisagain 1026 days ago
I'm honestly seeing little value in asterisks with WFH and the move to passphrases. Feedback is important when you're typing a long phrase with complete precision. Plus shoulder surfing is simply not a thing when my physical security profile now involves a locked front door and a call to the police.
5 comments

WFH also means Working From my backyard, the coffee shop around the corner, the library, a friend's house, a hotel room, etc.

Even for people who only work at home while working remotely, private homes can see a lot of traffic. I wouldn't assume all screens are kept and used in totally secure environments so we should probably still stick with masked passwords and telling users not to keep passwords written on a post-it note stuck to their monitor.

And now employees simply leave their laptop open with the SSH window up while getting their coffee because it's now so annoying to close the lid and correctly type the password.

>USB Rubber Ducky has entered the chat

If they can see the screen wouldn’t they be better off just looking at the keyboard to directly observe what’s being typed?
> the coffee shop around the corner

I would hope people in high leverage job roles would just avoid such behavior.

> I would hope people in high leverage job roles would just avoid such behavior.

I used to hope that as well. Then I met people and lost that hope. It's truly impressive how much stupid shit gets pulled by people that "should know better."

Plenty of value in confirming that you are hitting each key exactly once.
Why not just mutate a specific fixed-length line with every keypress?
You've never typed a password in while screen sharing?
I don't type passwords. My password manager fills them for me, or I paste them.
Unlocking the password manager means I need to type a master password in while in a public place. Feels higher risk when it is an unimportant website but potentially gives access to all websites. Still better than the passwords being accessible on disk but having individual passwords would reduce the impact of any password leak.
I have this InputStick USB [1] doohickey that I keep with my keys; it shows up as a generic USB keyboard when plugged in but is also an encrypted Bluetooth dongle (part of pairing allows you to configure a shared encryption key so that only devices that know the key can use the stick, and only sticks with the key are recognized by the client apps). There's a plugin to Keepass2Android [2] that I use to type passwords from my phone. I use that to unlock my password manager (using a giant untypable passphrase). So entering monstrous passphrases is very easy... but only if you can unlock my phone and use biometrics to open Keepass2Android.

It really is dumb that phones can just generically play USB HID (without running custom kernels)

[1] http://inputstick.com/

[2] http://inputstick.com/kp2a-plugin/

1password uses biometrics on my 7 year old MacBook Pro, so even if I'm out and about I still don't need to type it.
1p works great on my mac but still asks for a password from time to time, I'm not sure of the exact mechanic.

OTOH even Chrome's password manager now integrates with the Mac fingerprint auth.

It's every two weeks. If your threat model involves being spied on over the shoulder for your master password while in a cafe you "just" need to ensure you enter your password in a safe location every two weeks.
Oh god no, absolutely not. Always stop sharing for the duration of the password entry.
What if you're demonstrating a problem with a login screen? And yes, I've had to do exactly that more than once. I wouldn't do it with a particularly sensitive password (online banking etc) but there are enough passwords I use regularly for work purposes where it wouldn't be a significant risk for others to watch me type it in, certainly if the characters aren't revealed at all while typing. Though having password fields be able to detect your screen is being shared automatically and obscure what pixels are relayed would be nice.
Why use a good password while testing your login screen? I use "iamroot" and "password".
They're typically passwords that are only for testing accounts anyway, and that are known to the team members I'm sharing with. But...it's easy to slip up now and then and forget you're actually putting in a password while screen sharing that it's probably best not to have your co-workers know! Obviously the worst is your actual O/S password, as knowing that could potentially allow a co-worker access to other passwords that are quite sensitive, but I'm not sure it's even possible to screen share your O/S login screen - probably shouldn't be! It is a good argument for not re-using that password for any browser-based logins, but SSO policies tend to make that impossible unfortunately. Mind you I use a pin for my O/S login screen, whereas for browser-based logins you can't.
Sadly I think security systems will have to accommodate the possibility that someone else can see your screen. And hope that they can't see your keyboard.
I'm going to suggest that is correct and also unusual behavior.
Are you describing your experience or implying that the industry should change this because you can WFH?
The latter. They seemingly meant "I can WFH, so asterisks are meaningless to everyone. F@&# asterisks!"
> I'm honestly seeing little value in asterisks

They're essential! How else would we encourage the average user to use as short and as simple a password as they can get away with?