The masking of passwords is one of those things we don’t really think about: it’s safe to say that 99.99% of the time you enter a password on a website the letters and numbers are blanked out with nice stars or circles, and surely that promotes Internet safety and is one way to Get Safe Online?
But isn’t this just common sense? Surely having it as a failsafe in case someone is looking over your shoulder isn’t such a bad idea? Well, according to a couple of experts in the field, not only is it pointless, it can also be counterproductive for security, and they are calling for an end to it.
The ‘experts’ in question are Jakob Nielsen, whose specialty is usability, and Bruce Schneier, a security expert, and they both concur that the practice of blanking out passwords offers no security benefit and merely inconveniences users.
That it is inconvenient is obvious: unless you have typed the wrong number of characters, you often cannot tell whether you have entered the password correctly. Nielsen himself said:
“Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.”
This problem is becoming increasingly apparent as people use phones and other mobile devices more and more, with smaller and smaller keyboards. Mistyping is therefore becoming more widespread and is inconveniencing more people more often. So it’s inconvenient, but so is having a password in the first place, and one would have thought that the security benefits outweigh the problem of having to retype it every so often. Well, Bruce Schneier disagrees:
“Shoulder surfing [i.e. when you look over someone’s shoulder to see what is on their screen — especially for passwords] is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time.”
Whilst you could argue that Bruce is confusing cause and effect here (shoulder surfing may be rare precisely because masking means there is nothing on screen worth looking at), the other points put forward are much more convincing.
They both argue that masking sets off a chain of cause and effect which ends up compromising security more than simply showing the password would: because people cannot see what they are typing, they mistype more often, and as a result they “feel less confident”.
This means that people either don’t bother logging on at all (which ends up costing businesses), or they make life easy for themselves by choosing really simple passwords (like ‘qwertyuiop’) or by copying and pasting the password from another document, which means a plaintext copy of it is sitting somewhere on the machine. Both of these could have even more worrying implications than shoulder surfing.
So could this be something else on the list of security-conscious campaigners’ agendas? I doubt it. For a start, the ‘experts’ themselves do not suggest abolishing masking altogether; rather, you should have an option to blank the password out if you are feeling particularly vulnerable (such as in an internet café), and that option would be automatically checked for high-security sites (like banks).
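As an added illustration of the proposal above (example code written for this page, not taken from the article or from Nielsen or Schneier), here is a small password-field toggle that follows it: the field starts masked, the user can reveal it with a checkbox, and anything revealed is automatically re-masked when the field loses focus or after a short timeout, so a password is never left visible on screen by accident. The `highSecurity` option and the `remaskAfterMs` value are assumptions made for this example; the stub element is constructed so the code runs under Node as well as against real `<input>` elements in a browser.

```javascript
'use strict';

// Added example (not from the original article). Attaches "show password"
// behaviour to a password input and a checkbox: masked by default, revealable
// on demand, and re-masked on blur or after a timeout. Written against a
// minimal element interface (type, checked, addEventListener) so it works with
// real DOM elements in a browser and with the stub below under Node.
function attachPasswordToggle(input, checkbox, options = {}) {
  const {
    highSecurity = false,   // assumed flag: bank-style page, always start masked
    remaskAfterMs = 10000,  // assumed default: hide a revealed password after 10 s
    setTimeoutFn = setTimeout,   // injectable so tests can drive the timer
    clearTimeoutFn = clearTimeout,
  } = options;

  let timer = null;

  function mask() {
    input.type = 'password';
    checkbox.checked = false;           // setting .checked does not fire 'change'
    if (timer !== null) { clearTimeoutFn(timer); timer = null; }
  }

  function reveal() {
    input.type = 'text';
    checkbox.checked = true;
    if (timer !== null) clearTimeoutFn(timer);
    timer = setTimeoutFn(mask, remaskAfterMs);
  }

  // Default state: masked. On a high-security page ignore whatever state the
  // markup (or a remembered preference) started the checkbox in.
  if (highSecurity) checkbox.checked = false;
  if (checkbox.checked) reveal(); else mask();

  checkbox.addEventListener('change', () => (checkbox.checked ? reveal() : mask()));
  // Leaving the field (tab away, click elsewhere) re-masks it: the user has
  // had their chance to check what they typed.
  input.addEventListener('blur', mask);

  return { mask, reveal, isMasked: () => input.type === 'password' };
}

// Constructed stand-in for an <input> element so the example runs outside a
// browser; in a page you would pass document.querySelector(...) results instead.
function makeStubElement(type) {
  const listeners = {};
  return {
    type,
    checked: false,
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    fire(name) { (listeners[name] || []).forEach((fn) => fn()); },
  };
}

// Walks through one session and returns the masked/unmasked state after each
// step: initial state, after the user reveals, after the field loses focus,
// and after the re-mask timer fires on a second reveal.
function demo(highSecurity) {
  const input = makeStubElement('password');
  const box = makeStubElement('checkbox');
  box.checked = true;                       // pretend the markup started it checked
  const pending = [];                       // captured timer callbacks
  const toggle = attachPasswordToggle(input, box, {
    highSecurity,
    setTimeoutFn: (fn) => { pending.push(fn); return pending.length; },
    clearTimeoutFn: () => {},
  });
  const trace = [toggle.isMasked()];
  box.checked = true; box.fire('change'); trace.push(toggle.isMasked()); // user reveals
  input.fire('blur');                     trace.push(toggle.isMasked()); // focus leaves
  box.checked = true; box.fire('change');                                // reveal again
  pending[pending.length - 1]();                                         // timer fires
  trace.push(toggle.isMasked());
  return trace;
}

module.exports = { attachPasswordToggle, makeStubElement, demo };
```

On an ordinary page `demo(false)` starts unmasked because the checkbox came pre-checked; with `highSecurity` set the same markup starts masked. In both cases blur and the timer put the field back to `type="password"`, which is the behaviour the proposal asks for: visibility is the user’s choice, but the safe state is the one the page returns to on its own.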
I also think that, if anything, people would feel less confident if they felt others could easily see what they were typing, even if it meant they resorted to passwords that weren’t easy to read off the screen (like random letters). So I don’t think we will see this change any time soon, but it does give a useful insight into how the minds behind the internet work, and how safe your information really is.
Via – The Register