Masked passwords must go

Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in …


  1. Richard Austin 1
    Thumb Down

    Absolute Garbage

    I for one would much prefer my password to be masked out, having friends, colleagues and children around definitely makes this important. Although I work in IT support and know people are a nightmare with their passwords, they universally accept that passwords are masked and it increases their feeling of security.

    These people are talking rubbish.

  2. Anonymous Coward
    Thumb Down

    Don't agree

    Shoulder surfing is not a largely phantom problem at all, masking passwords I believe is essential, just think of the potential fallout from a compromised system as opposed to locking yourself out because you're so hungover you have the DT's

  3. Richard 31
    Paris Hilton


    On my G1 (and presumably all android based phones) there is an option in the settings for password masking. The default is to show the last character typed onscreen and then change it to dots when you enter the next character.

    Would this not be a better solution for those who are still paranoid about shoulder surfing? It should still allow all the other things mentioned in the article.

  4. Anonymous Coward

    No No No and again No!

    Bearing in mind most people reuse the same password for pretty much everything, the chances are, if someone sees them typing in their, say, work password, it could well be the same as their banking one, their email one etc etc etc.

    The real problem is inconstancy. Where


    may be ok on one site, it may have to be


    on another

    another it may need to be


    on another and


    on another.

    And another may say No to & \ / @ _ or -'s

    We need constancy more than clear type.

  5. hikaricore


    Well I wanted to post a comment about this but The Register masked my password and I couldn't login.

  6. Andrew Moore


    This has to be the most stupid suggestion I've ever seen. Password masking is so prevalent that any user that cannot handle it should be banned from using a computer altogether- Simply making sure that Windows prompts for a password at switch-on would be enough to weed out these sheep.

  7. BS


    "The more uncertain users feel about typing passwords, the more likely they are to (a) ... and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security," he said.

    Copy-and-pasting from a file on your computer leads to greater security! Clearly Nielsen has not heard of MyPasswordSafe.

  8. Hornswoggler

    Is this April 1st?

    Amazing. For once in my life I am speechless.

  9. eJ2095


    Them annoying sodding image verification things drive me nuts.

  10. Anonymous Coward


    I thought that Bruce is some kind of security 'guru', but I guess all that time consulting for BT took its toll.

    I'm baffled by this assertion. Just consider how easy it would be to steal passwords if they were not masked!

  11. Jon Brunson

    Sounds to me like

    "waa waa waa waa, I can't type my password on my mobile phone properly, change your website to make life easier for me"

    This man should be fired for suggesting such stupid advice.

  12. Chris Harden


    *banging head against desk* stupid stupid stupid stupid.

    Great idea there....if shoulder surfing is such a non-issue why don't we just make password boxes automatically wrap themselves in a <marquee>, <blink> and <font color="#FF0000">???

    "bank accounts, you might even check this box by default"


  13. Mike Dolan


    Sometimes common sense seems to desert researchers.

    Would they also be happy if chip and PIN terminals put your numbers on display for all to see? Why not? After all, shielding your PIN is obviously a hassle and nobody would shoulder-surf?

    Have they ever heard of "public kiosks"? Schools? I assume they are also in favour of people writing down their passwords and sticking them to the monitor.

    Beggars belief.

  14. James Hughes 1


    Are these security 'gurus' completely bonkers?

    I am stunned that anyone could think that reducing security to make something more usable could EVER be a good idea.

    What the hell have they been smoking?

  15. Mike Peachey

    Security Fail

    I always thought Nielsen was a bit of a moron. Now it has been made clear.

    I am an office Sys Admin. I have the admin passwords. I need to keep those admin passwords from those that would abuse them.

    When I have people in my office demanding that I fix the file server, I do not want the moron standing behind me to know how to get in to the file server with root privileges. It is as simple as that.

    If we are to make any change it should be to drop stars and blobs for no echo. But that would just make it harder for users and therefore harder on me.

  16. Anonymous Coward
    Thumb Down

    For phones yes... not for desktops/laptops

    A phone is easy to cover up if you're with someone. If you're surfing a shopping account with your other half or kids, your boss asks you to get his email working, then you're not going to want to see the password, and covering up the screen or walking away is too much.

  17. Ben 10

    No thanks Jakob

    A better option is to display only the last character typed, but then to obscure previous characters as soon as a new one is entered. This way, somebody glancing briefly at your screen would not see your full password, but you would still get some visual feedback of the characters you type.

    Password entry boxes on some smartphones do this, because some visual feedback is essential for the typo-prone on-screen keyboard.
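
The show-only-the-last-character behaviour described in this comment and in comment 3, modelled as an added example that is not part of the thread or of any phone's actual code. The reveal timeout, the class and function names, and the choice to reveal nothing on paste, deletion or blur are assumptions.

```javascript
// Added example: pure display model for a password field that shows only
// the most recently typed character. No DOM is needed to run it.

const MASK = "\u2022"; // bullet drawn in place of hidden characters

class LastCharRevealField {
  // revealMs is an assumed timeout; 0 means "visible until the next keystroke".
  constructor(revealMs = 1500) {
    this.revealMs = revealMs;
    this.chars = [];        // current value, split into code points
    this.revealIndex = -1;  // index of the one visible character, or -1
    this.revealUntil = 0;   // time (ms) at which that character is hidden again
  }

  // Feed the field's full new value after each input event.
  update(newValue, nowMs) {
    const next = Array.from(newValue);
    const prev = this.chars;
    // Reveal only when exactly one character was appended to the old value.
    const appendedOne =
      next.length === prev.length + 1 && prev.every((c, i) => c === next[i]);
    this.chars = next;
    if (appendedOne) {
      this.revealIndex = next.length - 1;
      this.revealUntil = this.revealMs > 0 ? nowMs + this.revealMs : Infinity;
    } else {
      // Deletion, paste, autofill or mid-string edit: show nothing in clear,
      // so a backspace never re-exposes an earlier character.
      this.hide();
    }
  }

  // Call on blur or form submit so nothing stays readable on screen.
  hide() {
    this.revealIndex = -1;
    this.revealUntil = 0;
  }

  // What the user (and anyone behind them) sees at time nowMs.
  render(nowMs) {
    return this.chars
      .map((c, i) => (i === this.revealIndex && nowMs < this.revealUntil ? c : MASK))
      .join("");
  }
}

// Replay a list of events and return the on-screen text after each one.
function replay(events, revealMs) {
  const field = new LastCharRevealField(revealMs);
  return events.map((e) => {
    if (e.type === "input") field.update(e.value, e.at);
    if (e.type === "blur") field.hide();
    return field.render(e.at); // "tick" events only advance the clock
  });
}

// Largest number of cleartext characters visible in any single frame.
function maxExposed(frames) {
  return Math.max(
    0,
    ...frames.map((f) => Array.from(f).filter((c) => c !== MASK).length)
  );
}

// Constructed sample session (not real data).
const SAMPLE_EVENTS = [
  { type: "input", value: "c", at: 0 },
  { type: "input", value: "co", at: 200 },
  { type: "input", value: "cor", at: 400 },
  { type: "tick", at: 2500 },                           // timeout has elapsed
  { type: "input", value: "co", at: 2600 },             // backspace
  { type: "input", value: "correct horse", at: 3000 },  // paste
  { type: "input", value: "correct horse!", at: 3100 }, // one more keystroke
  { type: "blur", at: 3200 },
];

const SAMPLE_FRAMES = replay(SAMPLE_EVENTS, 1500);
console.log(SAMPLE_FRAMES, "max cleartext chars:", maxExposed(SAMPLE_FRAMES));
```

The model only decides what is drawn; the full value is still held by the field, so it changes what an onlooker can read from the screen and nothing else.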

  18. ChrisInBelgium

    Utter rubbish

    What? Is there any point in having a password for anything if world+dog can simply look over your shoulder, read it while you type it and use it behind your back.

    The whole problem is different. At work, for instance, I have well over 40 passwords I have to remember, they all regularly change and they all use different rules for creating a password. You miss 3 times and your user account is locked out, what lobotomised piece of sh*t thought thàt was a good idea. I'd sure like to meet him/her once (although he/she wouldn't like it very much!).

    And yes, I DO keep all my passwords in a file on the shared fileserver here. But it is encrypted with a piece of self-written encryption software. Some of these passwords protect very sensitive information, I cannot take the risk of storing them in any other way. And NO, I do not want them written all over my screen in plain text. God! What a kakamimi idea!!

    I much prefer what Gmail does, show me the IP-numbers my account has been accessed from and when. That IS a good idea.

  19. The Commenter formally known as Matt


    Is this referring to having a password input on a form? In this case the masking is done by the browser, not the site.

    Either way the arguments presented are purely retarded

  20. Hmm

    Not websites, browsers

    Password masking is, and should be, a choice made by the browser makers, not the website authors. The browser defines how input boxes of type password are rendered.

    This article seems to be encouraging people to write their own password handling input boxes, a much worse idea.

  21. Anonymous Coward

    One thing I find more dangerous than masked passwords

    Username/Password pages with an onload method to set the focus to the username.

    Nothing more annoying than typing your username, getting to the password field and then realising that the focus has been shifted back to the username box because you didn't wait for the 15mb+ login page to load completely and you're typing your password into the username box in cleartext for anyone around you to see.

    Virgin Media's webmail used to/probably still does this along with quite a few other sites.

  22. Anonymous Coward

    I think Bruce's consultant status is going to his head

    I work in an office like most people (other than Bruce). I have a constant stream of people coming over to chat and/or discuss problems. I often need to log on to service with someone staring over my shoulder at my screen. Masking by default please.

  23. Jamie Kitson


    a) surely it's not websites that obfuscate passwords, but the browser?

    b) there have been plenty of times that I've had to login to sites while colleagues are watching. On the other hand it might make people choose non-dictionary passwords as these would be harder to remember.

  24. GettinSadda

    Websites do NOT mask passwords

    Websites do not mask passwords, browsers do!

    Websites simply use <input type="password" ...> and the browser decides how to handle this. If you want the passwords visible, that is a browser issue, not a website issue.

    Bruce, please report to HTML 101 for a very basic introduction to the way websites work!

  25. Anonymous Coward


    Just no. I'd sooner see people have to pass a stupidity test to get their PC licence. I work in an open-plan office, and I can see what's on four people's screens just glancing around. Admittedly my own monitors face into a corner (mwuhahaha), but there are only so many corners in an office.

  26. Daniel 1

    Better to take this up with the browser makers

    Websites do not actively do anything to mask passwords: they just use the 'password' input type (including this website, on the form I'm now using). The web browser does the blanking, because the input type in question is a password, and that's how the browser handles that data type. They don't have to do this, and this behaviour could be customisable at a global level within the browser, rather than obliging websites to use a less descriptive input type, and providing some sort of 'roll-your-own' functionality to switch password masking on and off against it.

    Surely the user is likely to have the same opinions about password display, wherever they are on the Web. Why make users wrestle with setting this on every single password-protected website that they use? And why ask all websites to store yet more metadata about user preferences?

    The fact that a user does or does not want to see their password is a matter between the user and their browser. Websites should continue to use the password input type, in my view, because it describes the fact that the value held there is a password. The data should describe itself, not how the user thinks the data should look. The principle is sound enough, but by saying "Most websites ... mask passwords", Nielsen is identifying the wrong culprit. We just need better web browsers than the broken grey rectangles we're being fobbed off with, at the moment.

  27. Jamie Kitson

    Re: Rubbish

    c) most browsers will remember passwords for you anyway, so it's a bit of a non-issue

  28. Anonymous Coward
    Anonymous Coward


    I suppose ATMs should display our PIN numbers too...

  29. Tim O'Tay

    Security Fail

    Type your comment here — plain text only, no HTML

  30. Tony S

    Security theatre

    Looks like I'm an odd one out.

    I agree with the point that Schneier and Nielsen are making - which way will be the least secure? Masking a password which then encourages the user to use a simpler phrase in order to reduce the chance of typing it wrong or show the text and risk someone looking over their shoulder.

    Bear in mind that if someone is watching, that person could just as easily watch what keys they press, so the screen could be irrelevant.

    We use a system that fills the logon box with asterisks - you don't even know how many letters you have typed. There is no question that this has resulted in people making mistakes and we have to reset their passwords about 3 times more frequently than was the case previously.

    We've also seen them start to write the password on post-it notes - I go around the offices and have removed some 25-30 of these at various times, so people now hide the post-it somewhere - I've found a couple in drawers.

  31. Gilbert George
    Thumb Up

    What's the fuss?

    I am amazed at all the negative comments, just because you think (or have been told) that it makes it more secure doesn't mean it really does make it more secure.

    Masking passwords is about as secure as changing your passwords every 30 days, don't tell me you still do that?

    For those that want to live on the edge there is a FF plugin "Show my Password" that unmasks passwords

  32. Anonymous Coward

    Didn't the BOFH do this already?

    Something about replacing someone's password with ILikeToSuckDonkeys and hacking the system to display their password as they typed.

  33. Tim Hale 1

    I agree entirely

    That is all.

  34. Frostbite
    Paris Hilton


    Who is this Nielsen noob? Must have the brain power of Paris Hilton. Obviously I don't agree.

  35. Anonymous Coward

    for the sake of usability...

    ...why bother with a password at all? Hell, while we are at it, let's show PIN numbers on ATMs and Chip and Pin terminals.

    Surely the whole point of a password is to make something secure? I agree that there are a lot of places where password blanking is not so important but as stated in other posts, most people use the same passwords or variations of passwords. Therefore the minor inconvenience of the blanking is much less of an issue than the security risk if it were to be removed.

  36. Jon 52

    at least have a tick box option to mask password

    There are times when I definitely don't want my password to appear on screen.

    1. When at college a common cyber bullying technique was to log in to a "friends" email account and send dodgy emails. A school pc lab is easy to glance over someone's shoulder and learn their password (probably for everything).

    2. When I have my mates over to show them something on youtube say I would rather they did not know my password. Come on admit who hasn't tried to watch their mates fingers to get their password to have shifty at their email or know at least one person of the 'oh so funny' practical joke type who probably use those phone jokes in the back of lad mags would love to get their hands on your email account.

    3. As mentioned above who wants their child (or perhaps PC illiterate mother) to know the unblock password for the antivirus or admin account?

    4. I suppose it will make cheating harder for some rogues. It is a lot easier to quickly type your password and log in to your personal email than to tell the girlfriend to turn around while you log in (knowing some emails go straight to a low level folder)

    Also copying and pasting a random string from a password safe program is the preferred method I thought, then you have a different unguessable password for each site?

    However I do think on mobile phones there is no need for ****** especially as you are entering the password.

    Lay out the welcome mat

  37. Anonymous Coward
    Anonymous Coward

    Show a single letter then mask

    The iPhone OS method is a good compromise.

  38. Periquet dels Palots
    Paris Hilton

    Shoulder surfing?

    Oh, please, the risk is not only unknown passersby peering over your shoulders. There are many, many, many occasions when you're sitting at a table with your boss, a coworker, a friend or your boyfriend and you just do not want them to see what your password is.

    It is true that password obscuring is often overdone -- like when being forced to type in blind a 50 character long Wifi password, TWICE, when most likely you're alone and not only there is no need to get the password right two times, but getting it wrong once invalidates it.

    What should be standard is a button (or key combination) to switch to clear password mode. Obscured should be the default, of course, because it would be rude and/or embarrassing to switch to obscured when you are sitting with your boss or coworker... or boyfriend!

    (Paris because she surely has in her email many things to hide)

  39. matt 49

    The icon in Lotus Notes

    Pretty much the only thing I like about lotus notes is the icon that changes as you enter your password. Makes it instantly obvious if you've entered an incorrect password before hitting OK

  40. Ben 10


    Yes, unmasked password boxes should be an _optional_ accessibility feature on browsers. Website authors should not be encouraged to replace their <input type="password"> with <input type="text">!!!

  41. Anonymous Coward
    Thumb Down


    "Websites should stop masking passwords as users type because it does not improve security"

    Are these guys for real?

  42. Anonymous Coward

    Lets see...

    How long it takes the Spelling and Grammar Nazi's to spew!

  43. Lex 2

    What a load of tripe

    I cannot disagree with these idiots strongly enough. On top of 'shoulder surfing' all you would need was some virus or something with screen grabbing capability now, whenever it sees a password box and the enter key is pressed.

    Perhaps these guys were once 'security gurus' but it would appear a little time at the top and the thin air has got to their heads. I seriously hope no one out there listens to them and thinks "Yeah...well, they must know what they are talking about"!

    I'm glad to see so many people having the same obvious and sensible reaction against this junk. I hope the register follows these people up with calls and mention how many people think they are idiots.

    I think the anonymous poster of "No no no and again no", commenting on inconsistency of websites that require a capital letter and a number and a symbol character in the password (or any variable combination [inc none] of those rules), cause the most problems. This commenter has a good point in that mark, and consistency should be considered for this area.

  44. Greg 10

    Doesn't the truth lie in the middle?

    From what is said, the real problem is on the phones and small handheld devices where typing is not very easy.

    Why then remove the blanking out from the computers?

    And for the devices where it's a problem, it means the keyboard is very small; this usually means the screen is also very small, and that in turn means no one can look over your shoulder unless they're so close to you you can't help notice they're watching.

    As a consequence, it is probably indeed useless to blank out the passwords on hand-held devices.

    Conclusion should be clear: the blanking out should be browser-based and not site-based. The site should just indicate with a tag that this or that field is meant to receive sensitive information, and it is not the site's problem what YOU want to do with it.

    Then, everyone could choose his own settings as they see fit: the dumbasses who can't type a password would un-blank it, and the security paranoids would blank it.

    Of course, since most people wouldn't even understand what it's all about, a sensible default would be provided: on PC browsers, default would be to blank the sensitive info out, and on handheld devices' browsers, the default would be to display.

    And that way, there's no need for a debate on whether one or the other is good: what's good is what people want, specifically adapted to each person and each usage.

  45. Psymon


    My ghast is well and truly flabbered!

    Surely this can't be real? Go on, then. I'll bite.

    If there was any website that displayed passwords in plain text, they'd be automatically added to the blocklist on my network.

  46. Anonymous Coward

    Can't believe this!

    "Shoulder surfing is largely a phantom problem"

    Really! I used to work in a large college where "Shoulder surfing" was the main method of gaining passwords by looking at the keys the person typed, if this is displayed on the screen as well then it will just make it easier for them!

    Also, if you tell a web browser to remember your password, then authentication may pop up at an inappropriate time when someone else is looking at the page with you, then you lose your password.

    Got to love these so called experts.

  47. Hmm
    Thumb Down


    Umm, also, perhaps shoulder surfing is a non-problem due to the decades old practice of masking passwords?

  48. Michael Baldry 1


    This idea is about as good as when Hitler's parents decided to keep it

  49. Roger Stenning

    What HAVE these blokes been smoking?

    Messrs Nielsen and Schneier need to wake up and smell the coffee writ massive.

    Picture this... You're in a crowded internet café, you're logging into your email account, where there's all manner of personal information, and, because it's a crowded shop, you haven't a blasted clue who's looking over your shoulder.

    The password you enter is shown in-clear on the screen where anyone with half a brain and a pair of glasses can see it.

    A few days later, you find all your bank accounts have been emptied, and your personally identifiable data has been used to draw loans of impossibly silly amounts, forge a passport application, and so on. All because someone was able to see your unmasked username/password combination.

    Never happen, you say? Wrong. This has, and will continue to happen too, whether we have masked or unmasked passwords.

    However, continuing to mask passwords on a computer monitor WILL help to keep it a challenging task to access such data.

    So, Messrs Nielsen and Schneier, wakey bloody wakey *slap* *slap*

  50. Amonynous

    Shoulder surfing is for wimps...

    Worth bearing in mind that password masking has been the norm since long before the web came along.

    Back in the day the true test was being able to pick up someone's password by watching their hands as they touch typed it at 70WPM** (the two finger hunt and peck brigade were no challenge at all).

    ** Ahem, purely in the interests of not having to spend half an hour of every helpdesk call chasing them around the building despite having said "This will take 30 seconds to fix, so please don't wander off as I'll need you to log back in and test it".

  51. Simon Neill


    Unmask passwords! That way when I use the screen tracking software here I can see their logins for the game sites and steal all their game money! This idea has no drawbacks whatsoever!

  52. Anonymous Coward
    Anonymous Coward

    Splendid idea

    If only all sites would enable "remember my password" as well so as to increase their usability.

  53. Code Monkey


    That shoulder surfing isn't an issue may be true but a big feature of usability is familiarity. I used to read Nielsen's column before he ran out of ideas and started coming out with daftness like this.

    There are several usability areas that Nielsen himself would say aren't ideal but are familiar enough to be classed as a standard (e.g. using HTML select boxes for navigation and having a window's scrollbar on the right, away from most websites' main navigation menu).

    Even if I believed that plain text was easier, there's no way I'd waste time arguing that my company's websites should use it. Our credibility would take a nosedive and we'd be fielding far too many support calls on it.

    It may or may not be a good idea but it'll never float!

  54. This post has been deleted by its author

  55. Peter Kay

    Utter crap

    Shoulder surfing is highly prevalent when doing IT support. I don't want users to see the admin password, and neither do I want to see their passwords.

    Additionally, due to the joys of less safety critical passwords and browser password caching they definitely shouldn't be displayed. Of course, there is a difference between what's displayed when initially entered, and when it's recalled.

  56. Ben 10

    3rd comment, as I'm so enraged by this stupidity

    What about people who work in pairs at computers? Pair programming is a very common methodology among software developers. I don't want to have to cover my eyes every time the other guy types his password for source control, SSH, FTP...

  57. Craig 12

    The guy above me beat me to it

    It's just a <input type="password"> in the HTML, so any changes to how it looks should really come from the browser end.

    My phone does something pretty cool, where it shows you the character as you type it, and it disappears as soon as you move on.

    Overall, it is a bad idea. We're in an open plan office, and I'm typing my password in front of people quite a bit.

  58. Kevin Reader
    Paris Hilton

    Gaaaa - He does sound mad.

    So he says don't mask it except in certain sensitive cases -

    internet cafes - aka any public computer

    banking applications

    people with children

    I'd have thought office environments - salary file anyone?

    schools and universities.

    So basically if you are at home on your own you might be safe!

    Commenters: I quite like the idea of the show one character although that's no defense from someone right behind you - or a cafe ghosting your login screen.

    I remember at University in the early 1980s the great Russell Winder used to be able to type the root password while holding the keyboard upside down so students couldn't see it at all. Yeah echo the password - hacked in microseconds.

    Paris - cos even she has learned when to reveal and when to keep things private! Something this guru clearly has not.

  59. Seanmon

    Sorry, but

    I didn't read the whole article. When I saw the words "Nielsen" and "Jakob" in close proximity, I knew it was a waste of my time. The guy has not been relevant since about 2001.

  60. Martin 71 Silver badge

    Yeah I know it's an <AOL> but....

    ME TOO... what the HELL have these people been smoking and/or drinking to come up with such a pile of excrement?

    The prevalence of mobile devices with cameras means that even a couple of seconds of having your password displayed in public areas (think libraries, internet cafés, etc.) could be fatal.

    Ditto what Mike Peachey said, administrators with *extremely* sensitive passwords do not need those passwords displayed to the users who are almost guaranteed to be shoulder surfing.

    Plus it would ruin all the "I know daddy's password, it's ********* " jokes.


  61. Anonymous Coward

    OMG wow.

    Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in. They say the practice inconveniences users and delivers no security benefits.

    Inconveniences users? What happens when the account is compromised?

    Also what if you have a strange password like "Ilovehorsesinaweirdsexualway"

    You wouldn't want Tom, Dick and Harry who walked past your computer seeing it. For multiple reasons.

    What about when you're in the library. The person next to you can glance over and see your password.

    The password hiding is by the browser when a type="password" field is written.

    Sometimes websites use JavaScript to do it. But not usually.

    Also like people have said. Just show the last answer entered for phones. I'm sure the PSP used this.

    Why don't we just publish our passwords online?

  62. Anonymous Coward
    Thumb Down

    This has to be....

    ...about the most stupid thing I've heard in ages!

    But, while we’re at it, as it can be terribly confusing all those password policies, why not standardize on 4 digit numeric passwords? After all it’s fine for securing our banking transactions!

  63. Rosco

    Jakob Nielsen is a joke

    Among UI designers and usability professionals (at least, the ones I know) Jakob Nielsen is something of a joke. Once a pioneer of much needed usability on the web, he is now long past his sell-by-date. Take a look at his website ( and you'll see what I mean. Large blocks of hideous, clashing primary colours laid out in a not very readable style, circa 1992. Ughh.

  64. Anonymous Coward

    Shoulder surfing not common because of masked passwords

    Maybe shoulder surfing has become a 'phantom problem' *because of* masked passwords?

    Not a big fan of Mr. Nielsen here.

  65. Jonas Taylor

    Common sense

    They're missing the obvious. Surely it would make more sense for most websites to simply not use passwords? Exposing passwords for everyone to see completely defeats the point in having them. Unmasking passwords is one of THE most ridiculous ideas I've ever heard. I frequently have to type in passwords when there are other people in the room and find it bad enough that they can overlook my keyboard, let alone if they were able to see my password on screen.

    Anyway, if websites supported secure biometrics it would save time, reduce user confusion (you know, the "which password or username did I use?") and improve security. Screw all this typing nonsense. I shouldn't have to remember which username, password or email address I used, which is especially problematic when restrictions are imposed ("username is too long", "password must contain a capital letter and a non-alphanumeric character", etc). I've had to resort to a passworded Excel document to keep track of website details even though I use the same details for most sites.

  66. SynnerCal
    Thumb Down

    What's the big deal

    @Configurable - the iPod Touch does something similar, although I'm pretty sure that it just leaves that character unbulleted for a period of time - certainly long enough to double check that you'd typed it right.

    Personally I think these guys are just so wrong - heck even El Reg password blanks! I can't comment on whether blanking makes a site incompatible with screen readers and hence not usable for the partially sighted (but aren't there tactile feedback keyboards).

    If they're that worried about it, why not either (a) allow the user to set a preference via the browser to blank or not; or (b) scrap passwords and move to challenge-answer type security.

    While I'm bitching about passwords, how about ditching websites and especially apps that _force_ you to type the darned things in. If, as many posting here do, you've got an encrypted password store then it means you can use longer passwords (more secure?) and it's not a total pain in the ass. I dread changing my WPA password on my iPod because I'm using max length phrases (63 characters) and typing those in a character at a time (and I've got numbers, case switches, and special characters - so that's lots of keyboard type switches needed) on the iPods in the house is a major hassle. On the other hand the laptops, and my Nokia N95 I can use a file with the new passphrase and just paste it into the appropriate field - easy, (and I think it's masked even then in most cases).

    I realise that the last paragraph kinda implies that I'm anti-password - quite the opposite - I'm just against the 'we know better than you do' attitude in some quarters.

  67. Dean_


    So why do banks keep telling us to cover up the keypad when we use ATM machines?

  68. Rolf Howarth

    On phones no masking please!

    The iPhone (and Android also I believe) displays the last character you type before turning it into a bullet but even that isn't very easy to use. Why not display the full password until I submit the form? On my computer keyboard it's much less of an issue because I touch type my password and don't need to see it.

    In the same article the authors also make a point about Reset buttons on web forms having no place in a modern web interface. Just because web browsers have a particular feature doesn't mean it's a good idea to use it.

    Reminds me of the story about the guy who reported a strange problem to IT support - he could only log on to the system when he was standing up! Sure enough, if he was sitting down the system wouldn't let him on, if he stood up it worked! Much scratching of heads and checking whether there was a cable caught under his chair or something. Turns out they'd recently changed his keyboard for one with a slightly different layout, so if he was sitting he'd touch type his password using the old layout, but when standing up he had to carefully choose each letter and got it right!

  69. Anonymous Coward

    Is there no humility any more?

    Perhaps I'm getting old, but when two seriously top notch experts (and not just talking heads, but people who really make a difference) dare to suggest that the default method for entering passwords is not all it's cracked up to be, I'd have to give the matter considerable thought before calling them "retards".

    Most of the comments are unnecessarily abusive - and most of the others appear to be written without having read Nielsen's article.

    I'd list what I see as the positive points in the suggestion - but I doubt anyone would read it. After all, we've always masked passwords. So it must be a great idea.

  70. John Angelico

    mea contra mundo et canus

    To all you ravers saying "no way!" and "what are these guys smoking?" may I ask how often you mask your personal signature?


  71. Anonymous Coward

    Security theatre II

    What an incredibly sensible suggestion. For a readership that normally likes to challenge the status quo and preconceived opinions, I am amazed by the number of vitriolic, conservative "me too" comments.

    I agree that masking passwords (usually) only provides a bogus sense of security. How often is someone looking over your shoulder as you type? How often are they malicious? How easy is it for them to even read the screen at that distance? (OK, maybe I need new glasses) And will they be able to remember the arcane string of symbols that is your securely chosen password? And what is to stop them just watching what you type?

    For that last reason, when helping a colleague at work and you get to the bit where you say "and now type your password" it is normally considered polite to turn your head away from the keyboard.

    There are far easier ways for bad guys to harvest large numbers of passwords rather than wandering round offices looking over people's shoulders and taking notes.

    And for all those morons who say "Websites do not mask passwords, browsers do". This is about as intelligent as saying "people don't kill people, guns do"[*]. The ONLY reason the website uses the password input type is because it will be masked. It doesn't provide any other functionality beyond a text box.

    Yes, it should be optional. And the default should be partly under the control of the application (e.g. for banking) but ultimately decided by the user.

    [*] obviously, it is the bullets that are the villains in this scenario but never mind.

  72. Xavier Serret

    Of course

    I fully agree!

    And not only on web sites, but also for all these security management applications (typically wi-fi) where it is often the case the user is copying a hard password from a piece of paper! How many of us felt stupid missing it again and again!

    Moreover, this may have a secondary benefit as users will interiorize better the fact that passwords are not secret to the computer where they are typing it, and they may pay higher attention to the need to protect themselves from key-loggers et al.

    To THE REGISTER: Please start by unmasking the password for posting comments!!!!

  73. teacake


    How can they say that password masking does nothing for security, and then in the next breath recommend keeping it on by default for high-risk applications, because "sometimes security should win"?

    It either helps or it doesn't, and if it does help then it's a matter of weighing up the advantages against the disadvantages of password masking.

    Advantages: if every password box is always masked, it provides consistency for the user. It reminds them that the password is something they should be keeping to themselves. It largely deals with shoulder-surfing which, judging by the comments here, is still regarded as a problem by a lot of people. It's a lot harder to read keypresses on the keyboard than characters on the screen.

    Disadvantages: easier to mistype the password.

    I don't think unmasking the password makes it any more likely that the user will write it down or store it in a file. The sort of people who do this are the sort who have difficulty in remembering the password anyway. They'll still write it down.

  74. Anonymous Coward


    But I don't type in a PIN number if anybody is hovering too close, are you telling me that you depend on the masked characters for your security?

    While I accept that masked characters have their place on devices in public view but if you are relying upon it for security

    However in an office environment if you are relying on those masked characters then you are paying very little attention to your password security.

    I do not have (& never had) any problems telling people to bugger off when typing in a password (masked or not).

    I work in a secure environment and you simply DO NOT look in the direction of the screen or keyboard when somebody is logging in, if you think somebody is watching then you don't type anything and you tell the offender (customer, co-worker, boss or director it doesn't matter) to look/go away. Funny thing is customers are usually happy as it shows you are paying attention to your security (therefore they believe you are concerned about their security.) In the case of users it's just nice to tell them to piss off.

    As for AC who said that he didn't want to see his boss's password, ever heard of looking away. If nothing else it's common politeness. Or are you the person who reads newspapers over other people's shoulders?

    The comments here smell of "we have always done it this way and I don't care if it works or not."

    Think about your behaviour in the first place before criticizing because it sounds wrong.

  75. Anonymous Coward
    Anonymous Coward

    hardware tokens

    Give them all hardware tokens that generate nice simple 6 digit codes, integrate them with a smart card that does your access control / windows login too.

    The banks can give us all credit cards with OTP generators on them too, so there will be no more online or mail order fraud.

    Oh but they cost a few quid don't they - never mind, we'll just un-star the password for you to make life easier.

    Security isn't difficult, getting it past the bean counters is.

  76. Tom 9

    This still has me laughing.

    "And yes, I DO keep all my passwords in a file on the shared fileserver here. But it is encrypted with a piece of self-written encryption software."

  77. Real Ale is Best

    It's the browser, stupid!

    If you want to not mask your passwords, use Firefox and the "Show Password" extension.

    How do idiots like this become consultants?

  78. Steve Martins

    autocomplete becomes a hacker tool...

    yes! do it!, then i can go to anyone's computer put the cursor in the password field (assuming it's been changed to a text input), then starting with 'a' enter every letter of the alphabet until the browser decides to autocomplete! yay, all your base belong etc...

    on a more sensible note, i have had the misfortune of not having the tab key register and to my horror revealed a password to someone as my hands speedily run through a habitual keystroke combo. I then immediately go and change the pass - not because i don't trust the person, but because the responsibility lies with me, and therefore I must be the only person who knows it. However i was so glad to find that the t9 input on my phone had a cleartext option, else that would have been very annoying!

  79. Toastan Buttar

    @Tim O'Tay

    "Type your comment here — plain text only, no HTML"

    Surely that should read..."Type your password here - plain text only" ?

  80. Admiral Grace Hopper
    Paris Hilton

    Shoulder surfing?

    Why bother? Lift keyboard, read password from Post-It note. Job jobbed.

    Paris, as she displays the same level of concern about security as most of my user population.

  81. Mostor Astrakan

    And another thing...

    There's websites where you have to type in your email address *twice*, and it complains if they're not identical, just like the standard way of changing passwords. For obscured passwords, it makes perfect sense, because you can't see what you're typing. By typing it in twice, you have some degree of certainty that the password you just put in is the one you think you typed. But for *email addresses*?

  82. iamapizza


    The real world called. That is all.

  83. Bernie 2

    @ AC 08:23

    "bearing in mind, most people reuse the same password for pretty much everything"

    Are people really that dumb?

    At least choose different log in details for different groups of sites (e.g. financial, social networking, forums etc) jeez

  84. Tim Bergel

    I was going to say

    what a completely stupid idea this was, but everyone else has got there first.

  85. Daniel Bennett



    That is all.

  86. Not That Andrew

    All aboard the failboat!

    This is a remarkably stupid idea. But everyone is acting like the idiots in question want it to apply to all password inputs everywhere, not just websites. Either that or they use the same password as their admin password, online banking password and at the russian donkey pron website.

  87. Anonymous Coward

    The other reason for input type=password...

    If a form field is set as type=password, the web browser won't remember the contents of that field if you navigate back to the page via the browser history/back button. You also can't copy text out of these fields (you get a string of **** characters).

    If websites started using input type=text in place of password then it'd introduce more issues than shoulder-surfing...

  88. Anonymous Coward
    Anonymous Coward

    Not mutually exclusive...

    For the home user at least, this is a non-issue.

    I have several medical problems, including slight aphasia, after a small stroke some years ago. I find the typing of passwords a real problem. In Firefox I run an add-on called Unhide Passwords, which allows me to edit passwords as I go - a real bonus for me. There's no-one to look over my shoulder, so security in that respect isn't an issue. If I was sitting in a crowded office, then it might be another matter.

    So - horses for courses.

    Though I do take issue with those people who think that anyone who can't type in a password is too stupid to use a computer. Thanks for the sympathy bozos!! I can hardly wait for life to teach you a hard lesson, as it did me!

  89. Anonymous Coward
    Jobs Horns


    People here should RTFA.

  90. Steve Evans


    Honestly, if they're trying to get a reaction out of a large body of people they should just make a Michael Jackson joke in public. Not pretend to be some kind of techie expert.

    Only a couple of months ago a UK MP had to resign when a photographer managed to photograph and read a top secret document he decided to carry under his arm in the open as he walked the 5 paces from his car into #10 Downing street.

    Given the quality of photographic equipment available even to amateurs, you just don't know who is looking over your shoulder, they could be doing it from 50 feet away easily.

    The reason shoulder surfing is not a problem is precisely *because* passwords are replaced with stars.

  91. Colin Barfoot

    One Man and His Blog

    Before you can say "publicity" two experts are making the same suggestion. Now that's magic. Do they share the same agent?

    I've got the blog. I've got the media contacts. Now all I need is a job title. Expert, yes. But what? x86 assembler. hmm...too specific and I'd have to know details. Got it! World Expert. The World's Greatest World Expert. Catchy. And I need know bugger all; just spout a few platitudes now and then. Sorted. Hello Gravy Train.

    Rather than argue for fewer asterisks I'd argue for more. By replacing every blog writer's postings with asterisks the user's experience will be improved immeasurably. A more lenient me would suggest a checkbox to allow the user to mask the blogger's tedious warblings. hmm...I feel a Firefox add-on in the making.

    Personally I don't type my passwords visually. I just let my fingers do the work. We're not on speaking terms so I'm not even sure what my passwords are. As such there's no advantage in being able to see the characters. I hardly think I'm unique.

  92. tony


    Can't say i agree with the password masking, what i disagree with is the undue complexity some site owners go to restrict access

    username, johnsmith nice and easy start

    password, 10 characters mixture of cases with at least 2 numbers & 2 symbols

    kaptcha, refresh, refresh, is that lik kats?


    username, johnsmith is now taken, johnsmith2



    wait for email verification

    finally i've got in to harry potter fans forums, now i can write the 'meto' post

    could understand it for online banking etc but for a trashy web forum, get realistic

  93. Stephen Channell

    Kerberos and/or smartcards are better

    There is something rather bizarre about having to enter a password for a plethora of sites where the only real benefit is that it remembers your home address.. but will send your password in plain-text to your email account if you can’t remember it. The password protection is illusory because the site then goes and “protects” your credit-card number with the password in their database.. the net-risk is higher.

    Within an organisation Kerberos can eliminate the need for signon (using IKE & PC signon credentials), but for the wider world we are well overdue for a move to the token (e.g. smartcard) based identity/security that could make SET viable.

  94. DJ 2

    Another so called expert

    Passwords have to be masked, you never know when someone can see your screen. Would you go to an ATM and speak out your pin number to the machine?

  95. Anonymous Coward

    A somewhat less than brilliant idea

    OK, so we all know that obscurity is not security but it does at least help a touch. Unmasking passwords would, in general, make my life a hell of a lot harder as it's much easier to unlock an account or reset a password than it is to repair the damage that can be done by unauthorised access.

    I think that these alleged experts must be taking something that reduces their IQs to something more in line with their shoe sizes.

  96. Pie

    what stops people looking at the keyboard

    having a tick box that allowed the password to be masked or not, or to have as others have suggested just the last letter showing could help usability, and stop people having to write passwords down, or keep them in files to copy and paste...

    When I am putting password in front of my children I make them turn away as I know their curiosity would enable them to 'work it out' after a while and I cba to keep changing my passwords.

    But thinking that having a password masked out is the world's best security when you are typing the password in front of someone is plainly mistaken.

  97. Neil 4
    Thumb Up

    Simple solution

    Just change your password to 8 asterisks.

  98. somerandomguy
    Thumb Down

    Jakob drops another clanger

    I hate Jakob Nielsen - all the statements he ever seems to make are either blatantly obvious or just wrong. The annoying thing is that he doesn't seem to have any competition so whenever a news agency needs a usability 'expert' they roll this clown out!

    Yes, it's hard to type in passwords on mobile phones but frankly, it's hard to type ANYTHING on mobile phones! Personally I find the iPhone easy to type on (especially compared to a normal handset) and their system of handling masked passwords is very elegant (you can briefly see the last character you entered). I know some people find the iPhone hard to type on however so maybe that's just me. The problem there then is the usability of the phones - not the masked passwords.

    Personally I wouldn't want my password on show if I was entering it in a public place. It's true that in our current society it's not entirely necessary because nobody is waiting around to spy on your password; but why is that? Is it possibly because they wouldn't be able to see it anyway? If all passwords were 'unmasked' suddenly it might be worth hanging around internet cafes with a video camera if you were criminally inclined.

  99. jeffrey 1

    Epic Fail


  100. Peter Kay

    @'is there no humility'

    No, there isn't when people are spouting mostly unhelpful crap.

    Yes, they have some good points. Obscured password entry is awkward and will lead to errors or more insecure passwords.

    Pointing out the flaws with no readily available solution is pointless posturing, though. It's not even presented in a suitable forum for discussion - instead it's on two different blog posts aka 'look how wonderful I am. I write and you get to comment with no response from me'.

  101. iBeech

    I actually signed up to say what a bad idea this is

    What a rubbish idea? Letting your password be in plain text!

    If anything, it would discourage people from using online services!!

  102. mmiied


    Maybe it is unnecessary as 99% of the time there is nobody looking over your shoulder BUT for the 1% of times where there is I would like to see it kept; even having your account hacked 1% of the time is still more annoying than a masked password box

  103. Rob Fisher

    Masked passwords on IRC

    Look, IRC automatically masks passwords!

  104. chris 27


    I can maybe see where they were coming from with this ... it would make users think a little more. You could argue that password masking is security through obscurity.

    A few years ago, I amazed someone at a client's IT dept by sniffing their password off the wire (html form based authentication) - they thought the masked password was encrypted. This is the part of the puzzle that the users probably don't understand. “I can't read it on the screen, it must be secure.”

    That said, I still think removing it would be a really *bad* idea. It would create a few really large problems, rather than the comparably small problems we currently have.

    I can imagine people using high powered telescopes through windows etc. Never a good thing.

    I wonder how many people use html forms to authenticate over their unencrypted home wireless network? *Most* sites now seem to use SSL/TLS for the authentication process at least, but some probably still exist. For example your password for your register comments doesn't appear to be submitted over a secure connection: action=""


    A couple of replies to comments (I've given up reading all of them!)


    @Anonymous Coward Posted Tuesday 30th June 2009 08:23 GMT

    You have described another security issue, using the same password on two accounts. This has nothing to do with password masking. If I sniff your password off the wire, how is masking it on screen going to help?


    * 40 passwords? More a symptom of your infrastructure than an issue with passwords. Maybe centralising some of the user accounts would help.

    * password lock out - stops password brute forcing. 3 is maybe too few attempts, it depends on what you are protecting. Brute forcing is the security threat that this control is trying to protect you from.

    * Coding your own encryption algorithms is not a recommended practice.

    @Mike Peachey

    @By Anonymous Coward Posted Tuesday 30th June 2009 08:48 GMT

    @Peter Kay

    Good examples guys!

    @Gilbert George

    I used to have a tool, forget its name (maybe winspy) that would work on any input box. Really useful! I may check that tool out.

  105. EnricoSuarve

    Chicken or Egg?

    Is shoulder surfing a phantom problem because no one ever did it or (more likely) is it a phantom problem as everyone knows passwords are masked so there's no point? If you removed this valuable default rule shoulder surfing would once again rise as there would be a point to it again

    I manage IT support for a large corporation, in our office environment we make extensive use of remote desktop takeover. Frequently users need to input passwords into apps and internet dialogs while my agents are connected to their screens; at present they can do so without fear of giving away their passwords (which as others have pointed out many people recycle endlessly). I'd rather they stayed masked out thanks - I'd rather not have the liability of my agents knowing users' passwords

    OK that's not a huge concern to most but it is an example of where the present setup really helps us

    I agree that password masking can sometimes be annoying, especially when you're using someone else’s IT and you're not 100% sure the keyboard is set up correctly and sometimes I do copy and paste my password from a notepad session just to be sure I am getting it right, so perhaps an OPTION to one time disable masking on some sites might be nice (with a warning to check over your shoulder); but seriously? remove it altogether? except for sites where "security needs to win" as teacake above quite rightly points out the discrepancy in the authors' statement

    Utter balls - I can only assume Bruce was having an off day

    On another note other security experts have advocated leaving your keys in the ignition when you leave your car, as otherwise it can be very inconvenient if you forget where you put them and very few car thieves currently use the 'ooh look keys in the ignition' method

  106. Philip Harvey

    Cause and effect

    "Shoulder surfing is not a largely phantom problem at all"

    Ahh, that would be because passwords are masked.

  107. Paul H

    I can see their point

    I guess if users are willing to part with their passwords for a bar of chocolate, or if they put them on sticky notes next to the PC, you might as well unmask the password. It's not even like most passwords are any good. The most recent offspring's name usually. Then there's the password recovery question that usually has fairly easy to gain information. What's the point of the password then? In fact perhaps we should do away with passwords entirely. You just put in your login and the system just accepts that in all likelihood you're probably really that person. Law of averages and all that.

    - not sure if I've remembered my el Reg password now. Perhaps I should simplify it...

  108. Doogs

    @John Angelico

    I don't exactly mask my signature - just change it every time I use it - no one's noticed yet.

    Could be a form of mutating encryption, maybe...

  109. Tim Williams 2

    Wrong target

    He should be addressing his comments to the browser makers not website designers. The password form type exists for a reason, browsers don't automatically remember its content without asking you. If I change my password fields to text and then use a website on somebody else's computer, my password is going to get flashed up to every subsequent user who manages to type in the first letter of my password. Not good.... If he really wants the option to turn off masking, it should be a browser config option to change the behaviour of the password field type. But then I might be showing my banking login details which are critical.......

  110. Giddy Kipper

    Excuse me but ......

    What I find interesting is that the majority of posters at the Reg are involved in technology to a greater or lesser degree, everyone from users to sysadmins, programmers to software architects (that's analysts to us old geezers) et al. So how is it that "according to two of the technology world's leading thinkers", 99% of the posts in response to this article are wrong?

    I have a feeling we are being fed consultant-bollocks by these 'thinkers'.

    For what it's worth I think they are wrong too. But I've only been in IT for 30 years, so what would I know?

  111. Chris Dupont

    Master Troll!

    10/10 Nielsen and Brucey! Bonus points to all the apologists condemning the 'knee-jerk' responses. Consider this - if someone has worked in IT with security or support for even a few years then do they not get to make a swift call on whether or not an idea that fundamentally alters security is good or bad?

    If the Lesser Spotted NielBruce suggested, "Tell yer best mate yer passwords for usability so you don't have to get double-penetration-degradation for forgetting it," I would hope an equal amount of experienced IT staff would respond with a similar cramming.

  112. Anonymous Coward
    Paris Hilton

    Rubbish - however...

    What rubbish, I don't want colleagues reading the admin password when I log on to their boxes to sort stuff out for them.

    However - on a related note - can web designers please note that the need to retype the password is because it is not in clear text and can't be checked visually - therefore it is checked by comparison between 2 typings of it.

    There is NO such need to make me enter my email address twice in CLEAR TEXT, when all it does is make the process more irritating, and I don't know about anyone else, but I just cut and paste it from the first anyway - no value gained, some loss of convenience.

    Paris, because she understands about entering twice and comparing. (allegedly)

  113. Steven Jones

    Legal Angle?

    It seems rather strange that this little story came out of OUT-LAW.COM. Is there some legal angle to this which escapes me?

    Anyway, the idea is truly daft. By all means introduce a browser option to display passwords, but the default most assuredly needs to be off, not on. Shoulder surfing is not a non-issue. The producers of a web site cannot possibly know all the locations where it might be used, so this most assuredly needs to be a user option defaulting to the "safe" mode. I also don't understand why exposing them would make users come up with more secure passwords. The real problem is remembering all the damn things, and this doesn't help a jot.

    In the case of sites, like banks, these all require rather more than a basic password system.

    However, the real need here is for a one-time password generation system on a credit-card sized device you keep in your wallet. It should not be beyond the combined resources of major commercial operators on the Internet to come up with a single device which can be used for strong authentication (not just for web sites of course - anywhere where electronic transactions may be required). Of course you still need a personal password so that somebody who steals the device can't use that alone. Plain passwords are just too prone to replay attacks.

  114. Fragula

    excrement for brains

    Are these guys totally full of it, or wot????

  115. Adam Williamson 1
    Thumb Down


    "How often is someone looking over your shoulder as you type?"

    As several people have pointed out, the lack of prevalence of this practice is highly likely to have something to do with the fact that password blanking has been used for over thirty years. By your logic, we may as well not bother with highly sophisticated measures against bank thefts, because no-one robs banks any more anyway (...because of the highly sophisticated measures against bank thefts...)

    "How often are they malicious?"

    According to good security practice; always, potentially. If we magically knew who was 'malicious' and who wasn't, security would get a hell of a lot easier in a hurry.

    "How easy is it for them to even read the screen at that distance?"

    I can read a normal sized screen pretty well from across the room.

    "And will they be able to remember the arcane string of symbols that is your securely chosen password?"

    Oh, right, because we all know everyone chooses terribly secure passwords. And besides, every character they remember is an order of magnitude of possibilities they don't have to bother with when brute-forcing.

    "And what is to stop them just watching what you type?"

    it's much harder (especially with fast typists) and can't be photographed. And for me, the answer is 'the fact that I cut-and-paste my password in from a secure password storage application, of course'.

    "There are far easier ways for bad guys to harvest large numbers of passwords rather than wandering round offices looking over peoples shoulders and taking notes."

    Right, because all bad guys can be conveniently lumped into a single group who act in the exact same way from the same motives. Presumably they wear black masks with cut-out eye holes and carry bags with SWAG written on them, too.

    Above comments have given numerous plausible scenarios for shoulder-surfing 'attacks', many from personal experience.

  116. Icey

    No thanks...

    I'll keep the mask on my password thanks! I'm not lucky enough to have a desk that faces a wall!

    Besides just because a user can see what password they are typing does not mean they will remember what it is in the first place!!

    I thought Schneier was supposed to be an expert?

  117. steogede

    Everyone else has said it...

    but I'm going to anyway. It's the browser that should have the option to not obfuscate passwords - they should probably have the option of 3 stars, no stars or a random amount of stars, like it did in KDM (perhaps still does) - it has nothing to do with the website. I can see that there are situations where obfuscating the password offers no extra security (someone at home on their own) and it could detract from usability a little.

    I have a better idea, and this is something that websites (rather than browsers) could do - they could do away with all that confusing SSL certificate malarky. It just confuses people, having to look for that little padlock symbol. I better patent that idea, before Nielsen steals it (though chances are he's already published it).

  118. Jach
    Big Brother

    Not a fan

    Like hell I'm going to write the simple JS for offering a choice. (Okay, maybe if this catches on...)

    But jeeze, if you fail with your password, write it down or use your browser's remember password feature, or memorize it already.

    What would be a more welcome change would be an end to retarded password policies. If you want me to have upper and lower case and digits and funky chars, let me use my 34 character password, don't force me in the 6-8 character range where I have to do something like &i1eLmH& (if I ever Lose my Hands, song-generated style). In my own code I don't care; if they want to 'protect' themselves with a 1-char password, go for it. Same with a 100 char one.
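
The "simple JS for offering a choice" mentioned in comment 118, written so that the field stays `type=password` by default and is re-masked before submit, which is the concern comments 87 and 109 raise about plain text inputs. This is an added example, not code from The Register or from the article; the element ids and the `StubElement` class are made up for illustration.

```javascript
// Opt-in "show password" control. The field is a password input unless the
// user explicitly ticks the box, and it is switched back before submission.
function attachRevealToggle(field, toggle, form) {
  // Start masked and mark the field as a credential for the browser.
  field.type = 'password';
  field.setAttribute('autocomplete', 'current-password');
  toggle.checked = false;

  function mask() {
    field.type = 'password';
    toggle.checked = false;
  }

  // Ticking the box reveals the characters; unticking masks them again.
  toggle.addEventListener('change', function () {
    field.type = toggle.checked ? 'text' : 'password';
  });

  // Re-mask as the form is submitted, so the value is never sent from an
  // ordinary text input. Assumption: what a browser offers to remember
  // depends on the field type at that moment; this varies between browsers.
  form.addEventListener('submit', mask);

  return mask;
}

// Minimal stand-ins for DOM elements (constructed for this example) so the
// logic can be exercised outside a browser.
class StubElement extends EventTarget {
  constructor() {
    super();
    this.type = '';
    this.checked = false;
    this.attributes = {};
  }
  setAttribute(name, value) {
    this.attributes[name] = String(value);
  }
}

// Walks through: initial state, reveal, hide, reveal again, submit.
function demoWithStubElements() {
  const field = new StubElement();
  const toggle = new StubElement();
  const form = new StubElement();
  attachRevealToggle(field, toggle, form);

  const seen = [field.type];
  for (const ticked of [true, false, true]) {
    toggle.checked = ticked;
    toggle.dispatchEvent(new Event('change'));
    seen.push(field.type);
  }
  form.dispatchEvent(new Event('submit'));
  seen.push(field.type);

  return {
    seen: seen,
    autocomplete: field.attributes.autocomplete,
    checkedAfterSubmit: toggle.checked,
  };
}

// Browser wiring, using hypothetical element ids.
if (typeof document !== 'undefined') {
  const form = document.querySelector('#login-form');
  const field = document.querySelector('#login-password');
  const toggle = document.querySelector('#login-show-password');
  if (form && field && toggle) {
    attachRevealToggle(field, toggle, form);
  }
}
```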

  119. Bob Hoskins


    "Schneier, a renowned IT security expert, echoed Nielsen's concerns, and supported Nielsen's assertion that password masking does nothing to improve security."

    Schneier, a renowned media whore saw an opportunity to vent yet more bulls**t to disingenuous media, desperate to fill copy space.

  120. The Fuzzy Wotnot
    Thumb Up

    Fantastic idea!

    You don't need all that keylogging cack, just screen grab when the user presses RETURN, instantly capture both username and password, instead of trying to find it in a stream of characters.

  121. Hywel Thomas

    I can see where they're coming from…

    But it's still idiotic.

    The iPod Touch (and iPhone) do the same as described for the

    AC gets it right. The problem is that there are many varieties of invalid passwords. People want to use the same password or use an easy to remember password system that they can apply to all systems. Too many sites can break this - forcing mixed case, forcing the use of numbers, not allowing numbers etc.

    By all means warn people that their password is shit, but let 'em use whatever they can remember rather than engineering a more secure password that makes them write it down somewhere, which then becomes less secure.

  122. Simon B

    What utter bollox!

    What utter bollox!

    How is showing your password clearly as you type it more secure ?!!!

    Grenade so they can hold it without the pin and explain why it is more secure without the pin!

  123. Jimmy 1

    Bruce is having an off day.

    Just can't get my head round the idea that someone with the reputation that Bruce Schneier has established for himself would endorse this laughable concept of stripping out a layer of security for the sake of convenience. Schneier has been advocating a multi-layer approach to security for years, so why is he suddenly giving his approval to an idea whose only justification, according to Jakob Nielsen, is that "it does cost you business due to login failures"

    What next Bruce - leave your house keys under the doormat when you go on vacation?

  124. Anonymous Coward


    They want to read all the passwords from PCs that are not TEMPEST - compliant. It even made an appearance on a NUMB3RS episode for chrissakes.

    The spy-guy could read and reproduce the output of a CRT monitor due to the electromagnetic field emitted by it.

    You don't even need to go that far, remote desktop applications (your Windows XP has it too) running WITHOUT user authorization can output the monitor screen to the network. Reading a password from it would be too easy without masking.

    Think defensively, in depth, all the time.


    PS I don't want to let my boss see my typing "BossisaTosser2009" as password.

  125. Stephen 5

    Re: RTFA

    I did RTFA.

    Didn't see anything concrete except for "Let's give hashing as a check box option".

    End users are naturally lazy; giving them an extra click option will NOT help them, they will just be more open to being attacked.

    Epic fail.

  126. Will 28

    Ummm... Security Cameras?

    While people looking over your shoulder to get a password may be a phantom thing, there are probably security cameras looking at a lot of screens 24/7. While admittedly they can possibly see what you're typing, that is harder as your key presses are usually obscured at least in part by the movement of your hands to press the other keys, or by low framerate of cameras. I don't like the idea of someone being able to just track back through security tapes to acquire my password.

    Then again I admit I don't know how clearly a camera recording of a monitor can actually be read. Really it's just a quick comment for people to flame.

  127. Jon McAtominey
    Paris Hilton

    Lack of masking perhaps?

    There ought to be more sensitive details masked, especially on ecommerce websites where it should mask the card number as well as the CSC.

    In all, it's the smallest of inconveniences for those truly lazy!

    Paris, because even she knows which 'bits' need masking.

  128. Winkypop Silver badge
    Thumb Up

    Agree 100%

    ********** (password)

  129. GloomyTrousers
    Big Brother

    Stop watching my fingers!

    The asterisks stop shoulder-surfing from people reading your screen... but not watching your fingers on your keyboard. If passwords were displayed as typed, it wouldn't take long before people started looking around a little more carefully at who's watching before typing their password, instead of being lulled into a false sense of security by the fact that their password can't be seen on screen, and ignoring the fact that watching fingers is pretty easy (see AC's 70WPM comment).

    However, as in many things, there is no 'one size fits all' answer. In some cases, I can see this improving security (and, as seems to have been somewhat forgotten as one of the original points of the article, usability), although in many cases it will of course not do so.

  130. Anonymous Coward



    "The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security,"


    The uncertainty comes from the complexity of the password and the user's ability to memorise it, not whether they can see the characters as they type them.

    Removal of the obscuring mechanism will simply tell your average web punter that actually passwords aren't that sensitive after all. BAD.

  131. Anonymous Coward


    "Shoulder surfing is largely a phantom problem..."

    Largely because of password masking.

  132. lahla

    What about the security concept defense in depth?

    I can't believe what I'm reading, especially coming from Bruce S. I can somewhat see their point, but what about defense in depth? They need to go work in a cube environment for a few days then rethink the idea of not masking passwords.

  133. lahla


    Perhaps shoulder surfing isn't as prevalent as it once was because of password masking.

  134. James Micallef Silver badge

    Fail! Yes, sometimes I mistype my password. So what? I retype it more carefully.

    Yes, sometimes I'm not sure if a key got pressed properly. So What? I delete all and start over, or count the characters and see how far it registered.

    Users need better understanding of security and best practice. They certainly don't need to be looking over their shoulders every time they're typing in a password. If you really want to be a usability freak, at most have a button that can toggle the visibility, but leave the default as bullets / stars.

    Mind you, most of the users who would use this will have the password post-it-ed to their monitors anyway because I feel like

  135. Anonymous Coward

    complete nonsense

    These guys must live in another world.

    How about defining a default password for everyone, so no one would ever again forget his password, because there is only one?

    Or even better: drop the password altogether. Users would just have to enter their username. Well, security would go down the drain, but usability would be TOP.


  136. dasdfdd


    Wow, for experts, these guys sure don't seem to know anything about computers.

    First, websites don't mask the passwords, BROWSERS do. Yeah the web developer chooses the 'password' type of input, but hey, that's what the HTML spec says you should use for passwords. Any other way of developing it would arguably be a hack.

    Second, there have been so many cases where I haven't been sure if I was typing a password correctly, so I typed the password in a DIFFERENT place, read it, and then copy/pasted it to the actual password location. In other words, masked passwords "must" do nothing. They might be annoying when you need to see what you've typed, but there are VERY easy ways around their pitfalls. And, as has already been mentioned, mobile devices handle masking differently BECAUSE you can't copy/paste cleartext passwords into the masked input fields.

    This is hardly a problem at all.

  137. gjduk

    clear text passwords?

    I think having a clear text field would cause additional problems, as setting the password type field for both desktop apps and websites has additional things going on behind the scenes so the password can not be read in memory by snooping programs running on the local machine and browser cross site scripting attacks etc, so this would not only need a system change but also browser software updates etc so you could have a clear text password field, but I think this would allow a lot of old style of site attacks to become active again. That is before you get into the realms of what would happen with saved passwords and cookies; this is all a very bad idea. I do not think they have thought this one through very clearly; would it not be better to promote maybe using other forms of authentication to help his problem of remembering passwords, maybe single sign on such as openid and liveid?

  138. Mike 61


    Sorry guys, but the security pros have it right. To be compliant with HIPAA monitors can not be placed in a position that will allow unauthorized 3rd parties to view your screen. In that case password blanking is not necessary. And in the case of the moron above who "can't tell who is looking at their screen"....well, let's just say you would never be able to work in my department with that level of ignorance.

    Passwords themselves should be retired as a means of authentication. I have a hardware token for TFA & OTP, go ahead and shoulder surf for all the good it will do. That's where we all should be headed, not whining about passwords.

  139. Anonymous Coward
    Black Helicopters

    Jeez there's some clueless individuals

    I'm happy to keep my obscured passwords, but only because I can actually type the buggers in the 1st place

    It sounds like there are too many Visual programmers, web developers, DBAs, solution architects and windows support people around here (should cause a fight in itself)

    To make it obvious, they are making a point that obscured passwords cause problems and are a bit shit and is used as a security blanket (pardon the pun) because the majority of people cannot be trusted to take proper care of their passwords in the 1st place.

    Question : You would really use a public terminal or internet cafe machine for internet banking (or any other important system) !

    If so then you deserve to be robbed, you are stupid and should have no involvement in the IT industry. If you are not in control of a machine you do not use it for anything that involves the concept of privacy.

    Question: What is this install a trojan and capture the screen?

    CRAP ! Why would you do that? If you have written a trojan that you can trigger remotely (at the right time), then you can log the fucking key presses too, rendering the screen capture pretty pointless.

    Why obscure the screen output when you can watch them type on the keyboard (as several more sensible commenters have said)? Blanking the password only stops the most inept shoulder surfer.

    TEMPEST screen reading, where shall I start ?

    I attended a demo by some spooks (real ones) who specced all the equipment to make it work, it was pretty shit (unless you were reading a 40 column display).

    If a working TEMPEST has been rolled out against you by the big boys then it's already too late for obscured passwords

    Anyway similar techniques can be used for reading keyboards remotely so obscuring the field is once again pointless.

    But then it was on Numb3rs so it must be true (the Scott brothers renowned science fact documentary makers)

    Somebody standing too close while you are typing, tell them to Fuck Off !

    As was said the passwords are all too often carried in plaintext, (BTW you do realise that clustered firewalls often end up with user entered data echoing around switched networks) looking for the virtual MAC.

    To Adam Williamson, you can read password text fields from across the room this leads me to the following thoughts:

    1: Tiny room

    2: Giant fonts

    3: New eyes (donated by a bird of prey?)

    4: 52 inch display

    5: You can't really but thought you would say you could

    Hmmm which would I choose

    Think of us poor unix & cisco people who don't use web front ends and don't even get those nice bullet points on screen.

  140. mmiied

    @mike 61

    hardware tokens can be lost or stolen

    passwords can not be dropped; if you have remembered it you can not lose it, and it is just as easy to steal a hardware token as screen spy a password

  141. Tom 13

    The obvious solution

    is to make this user configurable. Most of the time when I'm at work, there is no way for someone to shoulder surf my screen, so I could use non-obfuscated passwords. I'd probably stick with obfuscated ones because it is what I am accustomed to. When using a laptop in a public space or a kiosk I obviously prefer the password be obscured. On the other hand, on my last phone I couldn't set the password because the *&^%*#!@!@!!! touchpad kept putting in the wrong character or too many characters or something. And I couldn't tell because I couldn't see the password to confirm what I thought I put in was what the computer thought I put in. I might find the I-phone solution acceptable. But on phones obfuscation should ALWAYS be optional.

    And personally, I still worry more about those thrice damned sticky notes with passwords. Doesn't even have the short duration of entering a clear text password.

  142. Anonymous Coward
    Thumb Up

    Not sure I agree

    "And in the case of the moron above who "can't tell who is looking at their screen"....well, let's just say you would never be able to work in my department with that level of ignorance."

    In an ideal world that may be true.

    However, in the real world, which is where most of us live, with our monitors easily visible by others and cameras (think "leaving" a mobile phone on the desk, recording video), if you are concentrating on what you are doing, you may not notice a person having sidled up behind you.

    Masking passwords is not of itself the be all and end all, however, it does cover off a casual unnoticed observer, which does happen (except in Mike's office clearly!) :-)

  143. Roger Heathcote 1

    Stupid idea.

    I shiver every time I have to use an unmasked password entry field. Maybe users feel less competent because they ARE ACTUALLY not very competent - the solution should be to MAKE THEM more competent not REDUCE SECURITY to make them 'feel' better.

    Shoulder snooping isn't the problem anyway, the problem is when I have to enter my root password at a user's terminal at their desk while they are sat there: firstly that's not safe and secondly, many of my passwords contain unutterable obscenity or phrases that I might also use in other, personal, passwords.

    Bruce is very often right about security, this however is one of the times where he's dead wrong.

  144. musoben

    i want to add..

    how effing crazy that is.

    crazy crazy


  145. Andrew Bell


    What a load of utter drivel! There is absolutely no situation where it is acceptable to display a password on-screen. Passwords should be masked, transmitted encrypted and stored as a hash. Plaintext passwords should never be shown or stored.

  146. Mike 61


    yes, hardware tokens can be lost or stolen, but they are useless to anyone but me, that's where the T in TFA comes from. Something you have, the token, and something you know, my personal pin code. Each of these things alone is useless, only together do they function. Geez, why am I explaining this, isn't this supposed to be a group of IT people?

    Also, if you have my token, you also have my car keys, I think I may notice that. First I call the police to report the stolen vehicle, then I call the access guys to have them burn me a new token to pick up. Old token dies as soon as I make the call.

    Granted it is a PITA to login every time with a 32 digit numeric string, 16 from the token and 16 from my mind, but I no longer worry about passwords.

  147. Anonymous Coward


    "How long it takes the Spelling and Grammar Nazi's to spew!"

    you mean "...Spelling and Grammar Nazis". The term "Nazi's" would apply to a singular Nazi owning something. "Nazis" on the other hand is the plural of the word "Nazi".

    Or was that a double in-joke referencing Goodwin's Law (by planting both the grammatical error and a Nazi reference)?

  148. Owen Williams

    I think we could go further

    Have the server accept badly spelt passwords. If they're close enough let the user log in.

    That'll save loads of money. Might even generate some :)

  149. Anonymous Coward

    Umm no

    Sorry Bruce I respect you and most of the time agree but you're off the mark on this one. Shoulder surfing today is largely a non issue due to the fact that most passwords are masked by default and have been for a long time and it should stay this way. This assumption that users will somehow know to protect their passwords in certain environments is complete B.S. and shows how little either of these researchers are dealing with the general computing populace on a daily basis. People won't know to protect their passwords and the slight inconvenience that comes with masked passwords is a fair trade off to give that user more security. Masked passwords plus minimum password standards are and will continue to be a fair usability/security trade off.

    The mobile phone argument I can buy as I've had phones which either display the individual characters in a password and mask that character when the next one is typed or totally mask the password. I have to admit in that circumstance a masked password is a pain since typing the password on a phone is a considerably different operation than it is on my normal keyboard. I will also agree to making it optional to users to have their passwords masked or not. Making sure they are informed of the potential risks by not having the password masked. My view is that so long as the users are informed of what might happen if they choose a less secure option, then if something happens they are SOL as they knew the risks and chose to accept them.

  150. Richard Hodgson

    Wait, what?

    Usability expert, maybe, but certainly no security expert. Shoulder surfing is absolutely a problem, but is far less common than it would be if say, passwords were left unmasked and easily readable.

    Security is always a compromise between usability and effectiveness, regardless of its application. You could keep your door wide open, making the accessibility to your home far better, but killing a layer of security in the process. By adding security, a lack of accessibility is inevitable, but the entire system is wide open for exploitation without it.

    What's needed is a new compromise, or an alternative, more accessible security solution, but making passwords viewable to casual viewers is not it.

  151. b166er

    The point

    seems to be, that masking passwords discourages password complexity because if you mistype one letter, often you can't be sure that you didn't fudge 2 or 3 and have to go right back to the beginning so I can kind of see their point. We've all done it.

    If you could be sure that people would use long passphrases were the entry boxen unmasked, then there would be no problem unmasking them, as someone trying to shoulder surf a long passphrase would be quite obvious in their intent. Problem is, most people still wouldn't use a long passphrase unless it was mandatory. So unless there is a concerted effort to require mandatory long passphrases, then this won't work.

    Basically, it's time for the password to die, along with the VHS, FDD, Optical ROM/RAM, MiniDisc etc. It's old hat and too unreliable.

  152. Watashi

    Behind the mask

    I have a better idea - make all your passwords blank!

  153. Kanhef

    Idiots, for different reasons

    "Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business."

    Masking does slightly increase the rate of rejected passwords, since users can't see and correct any errors they make. However, after a failed login, most users will retype their password more carefully. The inconvenience is negligible; the security benefit is not. The rest of that quote makes me suspect that they've never actually asked anyone about their 'user experience' with masked passwords. As for lost business, if someone is entering a password, they're either creating an account or already have one, so the site has to be seriously broken to drive them away.

    "Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers. More importantly, there's usually nobody looking over your shoulder when you log in to a website."

    A skilled locksmith can pick the lock on your house or car, and there usually isn't anyone trying to break into it. Is that a good argument for not having any locks at all? No.

    Nielsen has another article/rant about following conventions, but doesn't seem to realize that because password masking is so universally used, people expect it and would be surprised by websites that *don't* do it.

    As AC 8:23 and Lex 2 have mentioned, the inconsistent requirements/restrictions of websites are a nuisance. I use a 16-character alphasymbolic password, uniquely modified by the name of the site. I also keep a list of sites for which I have to weaken it because they don't allow symbols, have a maximum length of 8 characters, and so on.

    @AC 17:14-

    My inner S&G Nazi has been invoked and must point out that it is Godwin's Law, not Goodwin's.

  154. Mark Wooldridge


    I just ask people for their password and they usually just tell me. Easy eh?

  155. Richard Scratcher
    Black Helicopters

    'Shoulder surfing is largely a phantom problem'

    Oh yeah? What about Google Earth?

  156. Fraggle

    Someone should forward this article...

    to the Cardspace folks or the Higgins folks. Maybe both. Then stick a cattle prod in them and tell them to hurry up because the lunatics are about to take over the asylum!

  157. This post has been deleted by its author

  158. Anonymous Coward

    Thank goodness for the new icons!

    I count almost fifty FAILs so far, and probably half that many WTFs again. Glad to know I wasn't the only one double-taking through the whole article...

  159. Jacob Reid

    Any site that stops hiding my password...

    Will be a site I stop using.

  160. Sarev

    I agree with Nielsen and Schneier

    I hate having my password pointlessly masked when I'm working at home, in a trusted environment (i.e. I don't care if my wife knows my passwords - or I can wait until she's not looking).

    On an unrelated note, most of the objectors here are from the "OMG!!1!", "n00b" and "definately" brigade. Anyone who can't spell definitely isn't worth listening to, IMHO.

    Oh, and shoulder surfing proliferation, or the lack thereof, isn't a function of password masking usage; it's a function of most people not being so fucking dumb as to type some private data when they know an undesirable character is standing behind them! I guess those who want to buy into the snake oil of masked passwords never learned that life lesson... so just for you Nielsen and Schneier propose making it optional.

  161. God
    Paris Hilton

    Fractards at large

    Both of these aclueistic twits need a little more real world experience.

    There's a reason I have a 12 digit pin for my ATM card (I know, I sacrifice my security by letting people know there's only 2^32 possibilities). and my passwords are always longer..

    They should try being IT for a school district sometime with that philosophy; my students would have worked them like pimps.

    Paris, because this is so detached from reality ,,, and I should be her pimp.

  162. Mark Roberjot

    No, really really No!

    Just how stupid is this suggestion, whilst web browsers by default cache form data, it is just a free for all as soon as anyone's back is turned.

    Really really stupid. I really cannot believe that this idea ever saw the light of day.

    Having thought some more, I still cannot believe how muppet like this idea is - has this guy never seen a real office?

    Logon to computer, go for coffee, whilst your co-workers browse through your history, and have a quick look at your history (& passwords), then when they go home, have a quick look at your bank accounts, and try the same passwords on your hotmail and yahoo accounts (probably successfully).

    It just doesn't even bear thinking about!

    The beer, because whoever thought this up had had far too many.....

  163. Anonymous Coward

    Bruce doesn't care...

    ...he already knows your password :)

    Now, coming from a person who will (albeit anonymously) admit to having shoulder hovered a password or two, from friends through to college lecturers I would say, shoulder hovering is a real issue, especially in public places.

  164. Tim Bates

    I assume this has been mentioned....

    I work for a school doing random tech work. When it comes to password resets, I often see kids trying to peek at the keyboard when their friend types a new password.

    Now imagine the fun and games if kids could read their friends email passwords off the screen next to them... Or worse... Read the teachers passwords on the big screen!

  165. b166er

    Tim Bates, that reminds me

    I managed to get the network password for our school (1986) by watching what the teacher pressed as she entered it. It was 'clowne' by the way ;-p reason being, that the modules she was teaching used a fictitious company called Clowne Industries. Ah what fun I had doing call!-4 across the network (BBC-B). I got suspended from school for it too. The disk-based storage unit they had at the school became corrupted and I got the blame because some second-year twerp told 'teach' that I had the admin password! All I had done was shutdown a few workstations remotely and broadcast a message saying "Miss Low is a top heavy fraction" (our Computer Studies teacher had frankly enormous baps). That's why I said before, it's high time to get rid of passwords altogether. If she'd had a token round her neck (and presumably between said humongous hooters), I'd have never got access. If we insist on having passwords, combine them with tokens.

  166. Cullen Newsom

    Someone got paid for this?

    Look, it isn't THAT hard. And it does offer a little security, especially if you store some passwords in your browser (only for things that don't matter, calm yourselves).

    The thing that really frustrates me is all of these sites with differing password rules, that somehow think I have read their programmer's mind, and that somehow I know that I must make it more than 8 characters in length, but not more than 16! must include a number, but the number mustn't come first!, and must also include a special character, but some characters aren't allowed! only one of our six favorites, oh, and at least one of the letters must be capitalized, but not all of them! Must I also stand on one foot and pat my head while typing it in?

    I guess it's good money when you can get it.

  167. steve hayes

    The Obvious

    Mask the password but allow the user by a check box to see what they are typing via a simple click. Not so hard!!!!
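
The opt-in reveal control that comments 134 and 167 describe, as an added example that is not part of any post in this thread. The function name `attachRevealToggle` and the element ids are hypothetical; re-masking on submit is included on the assumption that a field submitted as `type="text"` may be kept in the browser's form autofill history, the caching concern raised in comment 162.

```javascript
// Added example (not from the thread): masked by default, revealed only on request.
// attachRevealToggle and the element ids below are hypothetical names.
// Accepts real DOM elements, or any EventTarget exposing the same properties.
function attachRevealToggle({ input, checkbox, form, doc }) {
  // Refuse to wire up a field that is not masked to begin with.
  if (input.type !== 'password') {
    throw new Error('field must start masked (type="password")');
  }

  function setRevealed(revealed) {
    input.type = revealed ? 'text' : 'password';
    checkbox.checked = revealed; // keep the control in sync with the field
  }

  // The user explicitly asks to see (or hide) what they typed.
  checkbox.addEventListener('change', () => setRevealed(checkbox.checked));

  // Re-mask before the form is submitted, so the browser still treats the
  // value as a password rather than as ordinary text-field history.
  if (form) {
    form.addEventListener('submit', () => setRevealed(false));
  }

  // Re-mask when the page is hidden (tab switch, minimise), so a revealed
  // password is not left on screen for the next person who walks past.
  if (doc) {
    doc.addEventListener('visibilitychange', () => {
      if (doc.hidden) setRevealed(false);
    });
  }

  setRevealed(false); // the default is always masked
  return {
    isRevealed: () => input.type === 'text',
    mask: () => setRevealed(false),
  };
}

// Browser wiring; skipped when no DOM is present.
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');         // hypothetical id
  const checkbox = document.getElementById('show-password'); // hypothetical id
  if (input && checkbox) {
    attachRevealToggle({ input, checkbox, form: input.form, doc: document });
  }
}
```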

  168. Inachu


    I say keep them masked!


    Ok let's see you log in during a busy day at the library and you just want to quickly read your email but many people are behind you.

    So yes Shoulder surfers are everywhere!

    Unmasking passwords will just invite more crime.

  169. Anonymous Coward
    Anonymous Coward


    It'd be great for when you need to log onto something at a meeting, wouldn't it?!


  170. Alan Donaly
    Thumb Up

    As if

    Bruce knows what he's talking about and anyway any shoulder surfer worth their salt watches the fingers not the screen. It doesn't stop a thing.

  171. Wortel


    Malware taking covert screenshots of input areas on windows that have focus and are receiving keyboard attention and then send off the results. Can already be done with AutoHotkey by the way, it's not rocket science you know, to cook up something ridiculously simple to pwn such idiotic 'guru' ideas.

  172. Anonymous Coward
    Thumb Down


    Ok so mobile users can't see what they are typing on the terrible iphone keyboards......

    Have these "researchers" never heard of an internet cafe?

    Do they cover their hand when typing their debit card's PIN number into an ATM?

    The hashes are there for very good reason, it allows you to type a password without an observer getting an easy to remember snapshot via their eyes.

    Yes there are issues but they are greatly outweighed by on-screen privacy.

    Hashes = good = must for security in open environments.

    These guys have an agenda.

  173. Ransico
    Thumb Up

    Per-browser setting as compromise

    It should perhaps be a browser specific setting more than a per-site decision, since there are plenty of valid use cases where masking of passwords is desirable.

    For example, what about lecturers and people giving presentations? It is common that a room full of people observe said presenter either logging in to the computer, or browsing the web.

  174. Phillip Bicknell
    Big Brother

    What about the new style PIN

    Uh, I've just remembered about that new style ATM PIN whereby one remembers a sequence of locations on a 5 x 5 grid. That's more secure than any masked password, so why don't websites use that? (Probably because of some expensive patent.)

  175. Jeff 11

    Usability vs. security

    I'm glad the consensus here is comfortingly negative towards this idea. The dubious usability benefits of what Nielsen proposes are vastly outweighed by the damage someone casually observing the screen could do. Even when used as a passphrase in tandem with another means of authentication (such as a hardware key) makes things much easier for a would-be hacker.

  176. Anonymous Coward
    Paris Hilton


    Possibly because that sounds a lot harder than a DECENT (8+digit that isn't something obvious like 12345678, birthday or a phone number) PIN, with no identifiable benefit.

  177. corvus2606


    OK, I'm gonna stick with everyone else and say this is a bad idea.


    anyone entering a password in any major organisation will have plenty of people to read off their screen, and office politics can mean that even friends can get malicious. then there is the fact that most IT security departments are more than capable of ghosting someone's screen and reading their passwords.

    on top of that, just using something like dameware you can remotely view someone's screen over the internet(potentially) and there are plenty of viruses around that incorporate a screencap into their bag of tricks.

    so yes, due to masked passwords, shoulder surfing may be *something* of a non issue, but you can't always tell when someone is watching your screen in any other way.
