Two main points -- masked passwords are a very standardized UI convention, so everyone has a strong assumption that passwords will be masked, even in situations that the author hasn't considered (when yes, in fact lots of people will unavoidably see your password), and second, there are common situations the author hasn't considered.
Most of the meetings I'm in nowadays use screen sharing in some way; that means my screen is intentionally large & visible enough that plenty of other people can see exactly what I type. I do need to occasionally sign into something, which gives away my password lengths but that's it (and that's not too serious; I use a password manager so they're long & random).
Pair programming? A manager authorizing some action for an employee? Any kind of demo, or giving technical support? Training?
There are lots of reasons why someone else would be legitimately closely watching what I type. Masked passwords are not an archaic holdover from mainframe days.
That said, the option to show password text is useful, for all the reasons mentioned -- this should not be site-specific (ugh, I can imagine the "show password text" being just to the right of the password field, so username-tab-password-tab-enter will show the password...), but a button in the toolbar would be nice.
I personally would prefer the option to mask password vice option to show. In all of my office environments I've had to log onto things in front of people. Universally they look away as a courtesy, and this is with passwords masked. If I was presenting on the overhead I would click the mask button. The pros probably outweigh the cons on this one as long as the option to mask was presented.
Also, below: gweinberg had a good point: the people who you should fear shoulder surfing from are not the ones who you would want to type a password in front of even if it was masked.
If you present things on a projector on a daily basis, you would probably do a good job of remembering to click the mask button (but having to click the mask button would probably outweigh the occasional convenience of not having to click the reveal button), but people who present things on a projector only occasionally and log in entirely by reflex will frequently not.
Computers like most other things in life offer opportunities to screw up and engineering things requires a tradeoff between babysitting and general utility. I think the potential damage in the case above (the occasional presenter has to change a password afterwards) is less damaging than enabling most people to choose better passwords. Your coworker is unlikely to misuse that information. More likely: you have a shitty password and someone breaks a stolen hash because 'Pa$$word' isn't really that creative. I view accidentally showing your password briefly to coworkers as on par with accidentally having an embarrassing email up when you flip on the projector: unlikely to cause long term harm, slightly blush-inducing.
Edit: not implying that we should set up security procedures based on implicit trust of those we work with, but if you're talking about a global internet wide convention then likelihoods are more informative than exceptions.
I am willing to live with this case (some random person who is not used to presenting on a projector forgetting to mask his password) for MY personal utility.
This doesn't make sense -- why should the random person suffer at all? Your personal utility would be equally well-served by a browser plugin that made your password fields visible.
It's not technically difficult, so if it doesn't exist, it wouldn't take much to create.
My personal utility would not be equally well-served - because it would involve finding & installing said plugin.
Meanwhile that random person who can't be bothered to click on the 'mask password' checkbox is just someone I don't really care about. His 'suffering' is entirely avoidable.
On a more serious note - I believe the number of individuals who benefit from this change (everybody typing in a password) would receive sufficient benefit to outweigh the cost incurred by the few who would bear the burden (someone giving a demonstration and forgetting to click the 'mask pw' button).
As an aside, do most people do the "stare away from the screen and keyboard" shuffle when sitting with someone who is logging onto their computer?
I do it (make a point of not facing the keyboard & screen of someone typing in their password) as a point of politeness, however in retrospect I find it a little odd. I've noticed other people doing it too (and yet when there is a presenter logging into a machine, nobody cares as much).
Yep, definitely. In my opinion it confirms a very basic expectation of trust between you and whoever's at the keyboard, assuming they're astute enough to notice (and concerned enough to care). If nothing else, it's a simple expression of courtesy.
I agree that this is a horrible idea in certain contexts. But for choosing a password the first time this is an excellent idea and would have the same intended effect.
If passwords were not masked, I would now know most of the passwords of everyone in the office, and all of my family.
I always look away when someone else is typing in a password, as my eyes are drawn to the keyboard and I can pretty well read what they type just from the keys. So out of respect, I turn my head. If the password were actually on screen, it would be many times harder not to see it.
I don't think I'm unusual. I'm at computers with other people usually once or twice a day when they enter a password. I don't want to know their passwords!
And as the system admin, I don't want them seeing the password when I have to type it in to fix stuff for them.
It's not malicious people who might be installing keyloggers and all that that masked passwords help against, it's simply day to day privacy and permissions.
I don't have a problem popping round to a team-mate's office to enter a password to let them install some basic software package, or a hardware driver update, or whatever. But if they saw the password, then soon they would know it, and for sure would use it once or twice, and more and more random crap would get installed, and soon malware, and so on.
On the other hand, being able to turn on visibility occasionally is useful. (Ah! No wonder it's not working... your keyboard is still in Korean mode... Oh, right, British mode, the double-quote doesn't live there...)
I don't know about you but I find it exceptionally hard to read passwords from people typing, even slow typers; reading an experienced typist's would be nigh on impossible for me.
That still leaves a large number of people with absolutely no intention of shoulder-surfing who can't help realizing the screen they've been asked to watch is displaying something that might come in handy in future.
Entering passwords with people standing behind me would be slightly nerve-racking without password masking, and during a presentation would be essentially impossible.
Password masking is a good default and greatly limits password exposure.
At work, I make sure anyone around me isn't watching my hands, much less my screen. I get what the guy is saying in the article, but I don't agree, either.
I suppose I type fast enough (and use a password manager widely enough) that I haven't ever worried about keyboard passwords, but I do worry about bank card PINs... I've gotten a habit of obscuring my pin by pressing with several fingers on the keypad for each keypress -- so to someone looking, I'm basically mashing several keys, but at each mash a different finger is actually pushing a bit harder than the others.
The author has an extreme imagination deficiency if he can't picture the common scenarios where someone might see you entering your password. There are many, many times when I'm working with another person sitting at my desk. It's amazing that his whole article is predicated on his inability to look beyond his own circumstance.
I strongly disagree. Perhaps if you use your computer all alone in your private office, that makes sense.
That's not how I use the computer, that's not how all my friends use their computers and that's seriously not how the next generation is using their computers.
When I am on youtube, I have up to 5 friends behind me. I don't want them to see my youtube password. When I log into steam, I most likely have someone behind me. When I log into my Evernote account, it's most likely to show a quote or some information to a friend. I don't want them to see the password.
To make it short, I believe that most young people use the computer as a social activity. Showing the password by default makes NO SENSE.
I wouldn't want a client to see my password when I screenshare during a presentation. Nor my coworker to see it on the big screen in the conference room.
> As humans we're very good at looking at something and taking a visual snapshot. If I actually see the Facebook login screen with my username and a long, passphrase like "correct horse battery staple", that's more likely to sink into my brain.
It is exactly because we as humans can take visual snapshots easily that we still need the most basic masking. Because we can take snapshots. If one of my coworkers has a long phrase password (high entropy, but very memorable, and therefore the coworker has employed it) and I happen to take a glance at his screen, then notice his password as a tangible sentence, I will remember it. Even if I don't memorize it on the spot, if it happens frequently enough you'd be damn sure that I will.
> Masked passwords come from the age of mainframes. And when we're talking about mainframes, that makes sense -- they were secure, private systems, used by specialists.
Again, it still makes sense to have masked password, just as it made sense in the mainframe age; we can take snapshots.
Having said that, I do see the merits of his point; an option to unmask would be a vast improvement on UX, for which I laud Microsoft.
It's especially difficult for me to type a 30-character-long masked password, from my native language layout, on top of English keyboard visuals. I can do it with my eyes closed on a keyboard, but it's not very easy to do it on a smartphone and much easier to screw it up.
Most wifi password entry fields on various platforms now offer the sensible approach: mask the password by default while offering the option to toggle the masking in that field.
But then we should just show the passwords on the screen as we enter them? That's just insane. The Linux command line doesn't even show a * when entering a password. That's how it should be.
We should be paranoid about passwords and not display them.
As much as I enjoy Linux and its command line, that is one thing that really annoys me. The number of characters is not that useful a piece of information. For example, in the time it takes to brute force a password known to be N characters, you could have brute forced every password with fewer than N characters; so hiding the length of the password is no better than adding one more character.
Furthermore, providing an indication that a key-press was registered prevents the two most common reasons for mis-entering a password: not pushing a key hard enough and pushing a second key while pushing one from your password.
Having said that, when I write a script that needs to be provided with a password, I just make it hide what I am typing. "read -s" is so much easier than whatever I would have to do to make it show *s.
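The "no better than adding one more character" claim in the comment above can be checked exactly. This derivation is added here and is not part of the comment; it assumes an alphabet of $A \ge 2$ symbols and a password of exact length $N$.

$$
\underbrace{\sum_{k=1}^{N-1} A^k}_{\text{all shorter lengths}} \;=\; \frac{A^N - A}{A-1} \;<\; A^N
\qquad (A \ge 2)
$$

So an attacker who does not know the length and must try every length up to $N$ does

$$
\sum_{k=1}^{N} A^k \;=\; \frac{A^{N+1}-A}{A-1} \;<\; 2A^N \;\le\; A^{N+1}
$$

guesses in the worst case, i.e. strictly less than the $A^{N+1}$ needed for a password that is one character longer. Relative to an attacker who knows the exact length, hiding it costs only a factor

$$
\frac{\sum_{k=1}^{N} A^k}{A^N} \;\approx\; \frac{A}{A-1} \;=\; 1 + \frac{1}{A-1},
$$

which for the 95 printable ASCII characters is about $1.01$, roughly a one percent increase in work versus the factor of $95$ that one extra character buys.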
Something bugged me about this, I don't know about iOS, but Android has the "show password" feature already.
Although I get his point that no-one really gets passwords by sight, it does happen, but the most important part of masking to me and the only reason I approve of it is because there will be times when you stop in the process of logging in somewhere and leave.
>Secondly, if people could see their own passwords rather than just dot-dot-dot, etc they would choose better passwords, and be less likely to reuse the same passwords.
This has nothing to do with being able to see the password and is entirely to do with stupid password restrictions. It's ironic he uses 'correct horse battery staple'.
You're suggesting that users use better passwords on sites with no password restrictions. I'm going to doubt that's true and, presuming you have no data, say that it's likely far from true.
Nope, I said stupid password restrictions. A good password restriction would be one that only measures the entropy. The idea that we should use no more than 8 letters, alphanumeric with symbols is stupid and demonstrates ignorance with how hashing works.
On the other hand, everybody knows they have to make up bullshit passwords to pass arbitrary restrictions, so they may never try an easy to remember but good password on the few sites that don't.
This idea makes my shoulder surfing senses wet.
Seriously, it might sound like a good UX idea in theory, but let's go to practice:
People are not going to use that button in the safety of their homes. Why? Because they don't care. It is not a secret that the average user doesn't give priority over commodity to security; that's the basic principle behind no-tech hacking.
The best UX experience collides with the best security experience, we need to find the middle point. This is not the middle point.
Passwords are now broken from concept; that's why we are evolving into two factor authentication. Making a broken security method easier to crack (even if it may only happen when certain circumstances are met, like doing it in an airport or coffee shop) is not the way to go.
I really appreciated when I was trying to log into a website on my phone and kept getting the password wrong. After a few tries, it said "we know typing on a phone sucks, would you like to unmask the password field?".
Nowadays, just looking at the last character briefly before it gets masked is enough for me to correctly type in my more complicated passwords.
I'd like arbitrary password restrictions to disappear before things like default masked password fields. I can never remember whether this unfrequented site required 6-8 characters, or a special character, or no more than three alphanumeric characters, etc. in the password. I just usually reset the password each time I need to log in, in such cases.
The point to take away from this article is that remote attacks are a greater threat than local attacks, so password entry should be optimized for protecting against the former rather than the latter.
For many of us, the point is invalid because we know how to choose good passwords, and we don't need to see them in order to do so.
So instead, think about this from the perspective of the average consumer. An unobfuscated password field makes it a lot easier to use a long and complex password. If the field is hidden, users are more likely to choose something short and easy to remember, making their password vulnerable to dictionary attacks.
But the default should be to mask (or not echo at all). The option to unmask should be easily available in the UI, but it would be foolhardy to make it the default.
Firstly, no one is going to see your password. I'll come onto that, but they just won't. Ever.
I feel sorry that the author is so socially isolated that he never shows anyone else anything on his computers. Instead he invokes paparazzo and cold-war imagery with telephoto snoopers hiding to get snapshots of small tablets (iPad mini - not even a full iPad) and yet never thinks of "hey, check this out".
Did you really have to phrase this in such an impolite way? Couldn't you have simply stated your point instead of calling the author socially isolated? The author might simply have a different workflow than what you are accustomed to.
The author had zero qualms in stacking the deck himself, and I was merely responding in kind. Someone wants to see your password? Then they must be hiding in the bushes in the parking lot with a telephoto lens. No-one will see you enter a password? Then you must be socially isolated.
This isn't about having a different workflow, it's about the author having a pain point and engaging on a rant instead of bothering to think it through properly.
I absolutely agree that there should be a "show typing" override. Ideally, it should be built into the entry widget as a clickable or touchable area. There should also be a key chord to toggle masking. There are lots of times when there is absolutely no danger of shoulder surfing, and showing the typing would have the advantages the author describes.
I note that PGP Desktop has a checkbox to disable masking. I always tick it. It helps me to get the pass phrase right and to burn it into memory.
But the default should be mask!! (OK, maybe the default should be configurable. But the default default should still be to mask.) In public situations, it would be too much to have to remember to turn on masking.
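The policy this comment describes (masked by default, a reveal control built into the widget plus a key chord, and never relying on the user to remember to re-mask) can be expressed as a small piece of client-side state. The following is an added example, not code from the thread or from any product mentioned in it; the key chord (Ctrl+Shift+P), the 10-second reveal timeout and the event names are assumptions chosen for illustration. It keeps the policy separate from the DOM so it can be tested, and re-masks automatically on blur, on submit and when the reveal times out.

```javascript
// Added example: a mask/reveal controller for a password input.
// Policy encoded here: masked by default; reveal only by explicit user
// action; automatic return to masked on blur, on submit, and after a
// timeout, so a reveal forgotten before a demo or screen share cannot persist.

const REVEAL_TIMEOUT_MS = 10000; // assumption: a reveal lasts at most 10 s

function createMaskController(opts) {
  const timeoutMs =
    opts && opts.timeoutMs !== undefined ? opts.timeoutMs : REVEAL_TIMEOUT_MS;
  let masked = true;      // secure default
  let revealedAt = null;  // time of the current reveal, for the timeout

  function remask() {
    masked = true;
    revealedAt = null;
    return controller.inputType();
  }

  const controller = {
    // The value to assign to input.type: "password" hides, "text" shows.
    inputType() {
      return masked ? 'password' : 'text';
    },
    isMasked() {
      return masked;
    },

    // Explicit user action: eye icon click or key chord.
    toggle(now) {
      const t = now === undefined ? Date.now() : now;
      masked = !masked;
      revealedAt = masked ? null : t;
      return controller.inputType();
    },

    // Events that must always return to the masked state.
    blur: remask,
    submit: remask,

    // Call on each keystroke or from a timer so a forgotten reveal expires.
    tick(now) {
      const t = now === undefined ? Date.now() : now;
      if (!masked && revealedAt !== null && t - revealedAt >= timeoutMs) {
        remask();
      }
      return controller.inputType();
    },

    // Assumed key chord Ctrl+Shift+P; returns true when the event was consumed.
    handleKey(evt, now) {
      if (evt && evt.ctrlKey && evt.shiftKey && evt.key === 'P') {
        controller.toggle(now);
        return true;
      }
      return false;
    },
  };

  return controller;
}
```

Wiring it to a real field is a few listeners: assign `input.type = ctrl.toggle()` from the reveal button's click handler, `input.type = ctrl.blur()` on the input's `blur` event, `input.type = ctrl.submit()` on the form's `submit` event, and `input.type = ctrl.tick()` from `keyup` or a short interval. Because every path other than `toggle` leads back to `'password'`, a user who reveals a password and then walks to the projector gets the masked field back without having to remember anything.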
I think the author just wants a kiddy version of Windows :P
Maybe we can name it Windows Portal (after the M:TG Portal expansion for new players). One that is not meant to be used in a professional environment and does not have any security things. It's actually not a bad idea. Just keep it very far away from me.
I would very much like to have an option to always display passwords. I would turn it on for this machine, because I only use it at home, and I'm pretty much always alone here.
But of course it would be no good for a machine I use in a public place.
I was using humor to make a point, yes, but it was not intended to be only a joke.
Password-masking has its flaws, but one major UI benefit is that it unambiguously distinguishes password fields from other text inputs. Breaking that convention invites people typing passwords into the wrong field by mistake, which creates a greater security problem than unmasking passwords would solve.
Now let's wait a couple of months for someone to post the same thing and then have everyone agree that not masking passwords is indeed a horrible idea!