Blackberries and iPhones
yadda yadda, Nokia phones have had this for how long now?
Security expert Bruce Schneier has said that he probably made a mistake when he backed a usability expert's plea to website operators to stop masking passwords as users type because it does not improve security and makes sites harder to use. Usability guru Jakob Nielsen said last month that sites should show most passwords in …
Can't browsers just have a button that toggles between clear text in password boxes and masked passwords?
If you're at home on your own then turn it off, if you're demoing to a crowded room of thieving pikeys then turn it on...
Could be turned on by default in porn/privacy modes...
There's no need to be all-or-nothing with password masking. I like Apple's choices in a recent iPhone update to show the last character while typing your password, and masking it after 2 seconds.
Also, nice idea in Mac OS X to have a check box to "show password" during or after you've typed a password to double-check (when you're using fat fingers). ;)
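The two behaviours described in this comment, a brief reveal of the last typed character and a "show password" tick box, come down to a small piece of display logic. The following is an added example written for this page, not code from Apple, any browser, or the thread; it models the field state as a plain object and takes the current time as a parameter so the logic can be tested without a browser. The two-second reveal window is taken from the comment; the bullet character and the function names are assumptions.

```javascript
// Added example: display logic for a masked password field that reveals the
// last typed character for a short window and supports a "show password" toggle.
// The function is pure: it renders from (state, now) and never touches the DOM.

const REVEAL_MS = 2000;        // how long the last typed character stays visible
const MASK_CHAR = '\u2022';    // bullet used for masked characters (assumed)

// Fresh field state: nothing typed, no recent keystroke, masking on.
function newField() {
  return { value: '', lastKeyAt: -Infinity, showPassword: false };
}

// Model a keystroke arriving at time t (milliseconds).
function typeChar(state, ch, t) {
  return { ...state, value: state.value + ch, lastKeyAt: t };
}

// What the user sees. Rules, in priority order:
//  1. "show password" ticked          -> full cleartext
//  2. last keystroke within REVEAL_MS -> bullets plus the last character
//  3. otherwise                       -> bullets only
function renderPassword(state, nowMs) {
  const { value, lastKeyAt, showPassword } = state;
  if (showPassword) return value;
  if (value.length === 0) return '';
  const masked = MASK_CHAR.repeat(value.length - 1);
  const revealLast = nowMs - lastKeyAt < REVEAL_MS;
  return masked + (revealLast ? value[value.length - 1] : MASK_CHAR);
}

// Browser wiring for the tick box: the native control already masks for us,
// so toggling is just switching the input's type. Guarded so the module also
// loads outside a browser.
function wireShowPasswordCheckbox(input, checkbox) {
  checkbox.addEventListener('change', () => {
    input.type = checkbox.checked ? 'text' : 'password';
  });
}

if (typeof document !== 'undefined') {
  const input = document.querySelector('input[type="password"]');
  const box = document.querySelector('#show-password');
  if (input && box) wireShowPasswordCheckbox(input, box);
}
```

Keeping the native `<input type="password">` and only flipping its `type` for the tick box preserves the semantic markup that later comments in this thread point out screen-reader users depend on; the transient-reveal rendering above is what a device would do on top of that, with a timer calling `renderPassword` again once the window expires.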
What happens if your keyboard is unreliable?
For instance, some of the chip-and-pin terminals are pretty cruddy.
Showing the character temporarily is a risk, yes, but I'd be a lot more confident the keyboard was working if I were seeing more than the ****. It feels almost hostile, sometimes.
I don't want my banking password viewable by anyone looking over my shoulder.
My ElReg password, on the other hand, I really don't care. Likewise the password I use to connect to Usenet. Or facebook, hotmail, twitter, myspace, youtube and the rest of the Web2.0 space (if I actually had any accounts that I used more than once or twice in those spaces). I'm not going to give 'em away on purpose, mind, but if anyone managed to get 'em I wouldn't exactly cry about it.
Bruce Schneier's biggest problem will probably be that he has now lost the respect of anyone with a brain, and he will likely not get it back. To make such purely anti-security statements while claiming to be a security expert is unbelievably stupid, and anyone who truly believes what he said is no security expert at all.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. 'That seems like an excellent compromise,' he said."
And with his latest quote, he once again proves that he is no security expert, and that he still believes shoulder surfing is not a problem (despite his quote to the contrary). The only thing this approach will prevent is someone from seeing your password as they are walking by. Anyone standing over your shoulder will STILL see your complete password (unless they have an attention span of only two seconds). And since most passwords are made from words (as they should be*), it would be relatively easy for them to remember. This BlackBerry/iPhone approach is only reasonable for handheld devices where you can ensure that nobody else can see the screen.
* Yes, that's right, I said it. Passwords SHOULD be made from words, though not ONLY from words. My password-generation advice is to take two words, a punctuation character or symbol, and a four-digit number (such as "second-nightmare-3617" or "Dwight$Fry$1971"). That makes it much easier to remember while still making it very difficult to guess or brute-force. The only problem with this approach is retarded password systems which limit you to an unreasonably low character limit (such as a max of 12 characters).
Nope, still wrong.
Point of note - what if you're making a presentation using an iPhone on a big screen, showing lesser types how to access their email accounts? By doing so, you will have inadvertently revealed your own password to all and sundry, possibly without realising it.
Sure shoulder-surfing for pwds on iphones isn't likely to be prevalent, but putting that same method on a full desktop is likely to be just as bad as totally unmasked pwds.
You can't win, plain and simple. I would argue that the situ as it stands right now isn't good enough - even revealing your pwd by typing it on a keyboard is sufficient for some people to snatch your pwd. Especially if it's done professionally as part of a police/private investigation, using cameras.
You're not even close to a perfect solution even if you have computers with a direct-to-brain interface!
Now get the beers in and forgedaboudid.
Like the rule for not writing down your password.
I am logging in from home, on my own in a locked house - which is better, to have a different "juvbqr7yc^$" password for each site, change them regularly and have them written down, or just use "martin" and remember it.
I said it there, so I'll say it here. The debate so far has gone roughly like this:
Nielsen: "Here is a suggestion based on actual data from studies my colleagues and I have been performing on actual users and software."
Dissenters: "I disagree based on my subjective personal experience." Or "I disagree based on what feels like common sense."
Ironically, Nielsen's column this week is on how to explain to people that usability is a real subject on which trained professionals can have expertise.
"Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "That seems like an excellent compromise," he said."
And a fairly obvious compromise given that they are the devices on which the keystrokes are hardest to judge. They've always been the most likely to have thought about this issue before.
I can normally tell on a "proper" keyboard when I've made a tpyo <sic>. So I need some other way on a "non-proper" keyboard...
What they should be saying is that you should never have to enter visible text twice - i.e. email addresses should only be entered once - the reason for entering passwords twice is that you can't read them back.
Dare I suggest that there is a huge difference between logging on to your online banking account and signing onto facebook or your local newspaper's flame-wall?
My local paper sends me a password by SMS... Yes... As if I care if some five-year old gets hold of my password there and starts posting nazi-propaganda or links to pictures of naked women. (I do the latter already -- 'cause I've always been a weak one for the naked women...)
Some sites simply take themselves way too seriously. Besides... Typing blind forces many to type slower. Thus their passwords are almost easier to shoulder-peek.
Showing each character for a second before converting it to a star is not a compromise, it's just a sensible way to implement obscured passwords on a mobile device with multiple letters on each key.
It's been the de facto standard for years, certainly pre-dating the iPhone, and possibly the Blackberry!
"Schneier now backs an approach taken by BlackBerry devices and iPhones" Please stop referring to specific brands unless you are actually talking about them. Doing this makes you sound like a marketing shill. Just use 'smartphone' since there are numerous devices out there that do this that aren't crack berries or Jesus phones.
... and in fact, a false sense of security. I wonder how many net-newbies think the asterisks or blobs are protecting the password transmission too? Sure, it doesn't take much technical knowledge to understand they don't, but the days of the geeks inheriting the networked earth are over.
Browsers could potentially implement a checkbox as part of the password form control (or have a global / site-specific config option), and allow the choice. 99% of use is perfectly safe unmasked, but the "internet cafe" option could be there for the 1% (though the risks of packet interception would be higher than that of shoulder-surfing there anyway)
Summary: you weren't wrong, just speaking uncomfortable truth.
To Bruce for admitting his initial reaction was way off base, I'll give him credit for that. Bear in mind that unlike some of the mouth breathers in the comments above me I don't harbor some baseless hatred to Bruce or think that it's somehow cool or hip to hate someone simply because others like that person or because he's popular. However I've read Bruce's blog and he proves that even with the retraction of his initial statement, he still doesn't get it. He is still not grasping the realities of day to day computing or how password masking really does help enhance security.
For whatever reason he still doesn't get it. A fact which is driven home by the whole "password masking is not a panacea" line. Well no shit Sherlock, you're supposed to be a computer security expert. So you of all people should know there is no such thing as a panacea for computer or internet security, it simply doesn't exist aside from going from birth to death without ever using a computer to do anything that could potentially be tied back to you individually. /facepalm. Wake up Bruce and stop pushing Password Safe long enough to think beyond the limited world you live in now.
another *vote* for option to show password text ..
to mask passwords for me, as nearly 100% of the time there is no one around to shoulder surf anyway .. is just ... LESS FUNCTIONALITY
most of the reason for typing in a password twice, say when you are changing a password, is BECAUSE it's masked and the likelihood of mistakes is high .. so again ..
twice the time + higher mistake potential = less functionality
now .. when will some sites stop asking for my email address twice when the entry is not masked ? .. doesn't everyone just highlight > copy > paste the first entry anyway ?
I'd venture that the point on Blackberries and iPhone having it "right" is partly the case. Lots of handsets have worked that way on passwords (triple-tap entering passwords is rather harder than discrete keys - and predictive text is of course really hazardous - made worse if you then decide to "learn" your password - security, schmekurity!).
BUT I think that misses the point. Shoulder surfing a large piece of glass is one thing, but shoulder surfing a hand held device is another. I'd venture that Blackberry and iPhone have got it WRONG - and have said so at developers' gatherings for mobile in the past. The phone is a very personal device and while you are doing data entry hiding the screen is not tricky. Remember these devices are not "wide-angle" visible typically so a user is going to need to have their personal space pretty badly invaded for that to be a problem.
Glass screens - I certainly sympathise with Nielsen, but that's not my expertise.
Honestly folks what are we all going on about?
Ignore the emotional terms we've associated with the authentication process - username & password. Now just think of them as two pieces of information.
It would be logical to either hide them both or neither. It is of little benefit to hide one and not the other. In fact having the user name in cleartext allows others to 'grab' half your credentials in any case - so whether it's the username or password really makes no difference at all.
The problem here is that it is a study on USABILITY not SECURITY. Of course it's more usable to display the password back to the user as they type. So whilst the data is accurate with regards to usability Nielsen is actually himself using subjective opinion as to whether this solution is equally secure as having passwords masked. There would need to be another study comparing the security of masked passwords to that of unmasked passwords.
"..but if anyone managed to get 'em I wouldn't exactly cry about it."
I can understand your thinking here but I have the opposite situation.... Many years of important e-mails, documents, photos and lots of work is stored in Googledocs and Hotmail accounts so I NEED a secure password. Fortunately I have a good memory and have made up a strong password, because I need to care about my security, especially when I'm away from home and using an internet cafe.
Oh FFS, everyone knows that if you want someone's password, you merely phone them and tell them you're from IT and need to reset their password. Then you phone IT, pretend to be them and reset their password. Simple. Shoulder surfing doesn't come into it.
Another commenter wrote that shoulder surfing still takes place even with blanked out passwords. It's rare though. There are other means that are far more common (looking at the post-it notes stuck to their monitor for example...)
People ARE stupid. We all know that. Asterisks or not, people's passwords will be discovered from time to time.
A retraction is a sign of an open mind. Schneier appears to be saying he's listened, he's reconsidered and he's learned. A person only becomes an expert by learning, and once they stop learning, they become yesterday's expert.
I said in the original comment torrent, that websites don't hide the password: they use the password type input. The browser hides the input. The place to tackle this, is with the browser, not the website. The website is simply describing what is being asked for, and we do not need a plethora of home-grown approaches to password management, implemented on a site-by-site basis, across the web to handle an input type that is clearly defined within the HTML spec (HTML 5 actually defines more of these specialist input types, not less of them, but browsers continue to apply the same approach to input fields first implemented in Netscape Navigator 2.0; there's been zero progress or development on the usability in just about any browser, since).
The use of <input type="password"> is important to people like my mate Bob, who is now nearly completely blind, as a result of an inherited illness. He uses the <input type="password"> all the time, when browsing the web, to help him locate the login form on a page. The usability experts appear to argue that password masquerading is a bad thing because the user cannot see what they are typing. Well, guess what? Bob can't see what he's typing, either. I'd like to suggest that removing semantic markup from a page, and thereby making the web even less accessible to people like Bob, is not justifiable if the basis of the argument for doing so, is that you're all sloppier typists than Bob.
One of the few people I agree with,
People here are using examples that do not tally with common sense and are being deliberately awkward (actually the phrase deliberately thick comes to mind)
What is wrong in discussing such things, possibly Bruce isn't thick enough to recommend using unmasked on-line banking passwords in a cybercafe somewhere in Russia. But then somehow I don't think that was his original intent.
I also do not think he was referring to typing in real passwords during a public demo (but then he is probably smart enough to use a demo account).
It is something worth discussing, and if your security relies on blobbed passwords then as far as I am concerned you are already well on your way to making a mistake.
There are situations such as cash machines et al where you are forced into that situation, but surely you do not continue if somebody is a little too inquisitive?
I can understand the dilemma. There are 3 kinds of typists in the world. The hunt and peck types, who never look away from the keyboard to see what they're typing, and touch typists who can look anywhere they like and KNOW they're typing correctly.
However, there is a middle ground on the ascent to touch-typing. Typing, not looking at the keyboard, but having to look at the screen to know what you're typing. This is the crowd that suffers from password entry. I know, I was there. I could type with a blindfold these days though so don't really care...
>> "So was I wrong?" wrote Schneier. "Maybe. Okay, probably."
That sounds more like weaseling out of fault. He has not really accepted being wrong; in fact, he continued arguing that shoulder surfing was "overrated", even though in the same sentence he seems to agree with his commenters that shoulder surfing is not a large problem anymore because of such masking.
If saying something like "Well, I'm still right, even though you have a point, and my new argument is orthogonal to my previous one. Oh, and by the way, I *may* be wrong. Probably." is accepting fault, then I guess Schneier is a "Big Man" indeed!
Password masking is incredibly useful in concealing passwords from remote monitoring sessions. i.e. IT department with remote access to view company desktops. A corrupt and nosey tech could easily simply remotely watch someone log into their bank for example. The person would not be aware anyone was watching.
Passwords are a pain in the nether regions and frequently made too much of. I have a 4 digit PIN on my ATM card, but a more complex password for this site!
All a long complex password does is makes sure the user writes it down as they won't remember it. Changing passwords once a month as on many corporate sites doesn't help, it always prompts when the user is busy and they will think of something easy just to get the thing to work again.
I think Handle's idea of the tick box will help, at least we can see if we typed the thing properly, but what is really needed is to replace the whole idea. Maybe a standardised fingerprint interface so we carry our biometric ID with us is an answer, one that checks blood is flowing to avoid amateur amputations!
Whatever the solution eventually adopted there should be a better way than having to try and remember complex alphanumeric strings that often seem in inverse size to the importance of what they protect.
I feel a Killer app coming on here
I can't be bothered to scroll back to see who it was that said that Schneier's credibility has now gone because he made a mistake and admitted to it. Anyone with half a brain knows that admitting you're wrong is a step forward and admitting you're wrong in public takes a fair amount of courage.
One has to ask though, why is shoulder surfing not considered a risk? Well, take the bank account. Do you deal with your bank account in a public place where everyone can not only see your password as you type it but read the details of your finances? I don't think so, so shoulder surfing isn't likely to be a problem there. What about typing this comment? Well, I don't want people claiming to be me (even anonymously) so I'm not likely to type with an audience. And my various I-don't-care accounts? Well, chances are the potential shoulder surfer knows the password anyway. There, damn, I've just given it away again.
So if someone standing behind you is a problem, how much of a problem? If they're close enough to read the screen what else can they see? Well, actually, password masking doesn't help at all if you can see the keyboard and watch my fingers. Hell, with a phone you can film the keyboard and read the password in slow motion as it's played back. Password masking doesn't really add any security there either.
I know, I know, there are problems with that line of reasoning. But if one starts from the premise that passwords are visible does that make security better or worse? Don't jump and say "worse". Think about the implications -- what design changes does it mandate that make it better?
In the old, old days, when you used to log into a CRT and there was a 30s delay between hitting the return key and getting a shell prompt you'd be dead embarrassed if your password was there for all to see. That became the de facto password masking standard until, basically, web forms where you needed some feedback to make sure that keyboard focus was where you thought it was. Now the problem with iPhones, Blackberries, whatever, is that lack of typing precision is an issue and, especially if your password is reasonably complex, getting it right without feedback is difficult.
So think; don't jump to emotive conclusions.
I would prefer a Mask/Unmask tickbox
then if I'm in private I can unmask and if im in public I can Mask.. (mask should always be the default)
I do not want a character preview, shoulder surfers have memories/video cameras also. This is not a solution except in the mobile market where a key is for multiple characters, and the screen is so small shoulder surfing is not feasible.
On most keyboards every key makes a slightly different sound - so it's not too difficult if you have a good ear, to simply listen to the password and then sit down at the keyboard later and work it out.
I've always liked the fingerprint readers - easy to use and reasonably difficult to compromise - let's face it - nothing is impossible to compromise if you're willing to make the effort.
And yes - password marking is a pain in the butt about 90% of the time.
"Shoulder surfers read the fingers, not the screen. Phone card PINs are stolen every day by this technique, and payphones don't have screens."
That may work for payphone pins, but you tend to type them with one finger.
I can touch type. My current decryption password is 25 characters long and consists of letters, numbers and symbols.
I don't fancy your chances of reading my fingers as I type it on the keyboard.
But you'd have a decent chance if you can read it off a screen.
Well, not for nuthin' but here your average stolen phone card PIN has been read from several yards away in a very busy New York station during rush hour.
Not apocryphal, not even new. Documented cases spotted and filmed by clandestine News cameramen over ten years ago.
Password masking comes from the same place password aging does: the "inconvenience the legitimate user but slow down the hacker not one jot" school of thought.
You can't be secure when you base your security model on the assumption that a string of digits identifies a person, and your defense is to lock the stable door after the horse has bolted.
If you *must* use a password-based security system, you should be tracking the usage pattern and reacting to *that* in real time rather than figuring out what happened after the fact. Works for credit cards. My bank tracked me down in a different country to inform me that the spending on my Access Card looked "odd" less than three days after it happened, and by Jove it was too. If I'd been where they thought I was I'd have known that day. They shut down the card the moment they got worried anyway, knowing I'd get in touch if I was the one spending my money. Amex used to be particularly good at spotting possible fraud too.
If someone can crack your password once, changing it out, either manually or by aging, is a minor inconvenience to the cracker (after all, the reality is that you're going to use the same method to construct any new password that you used to build the old one) while at the same time being a major pain in the arse for the person authorised to use the bloody thing.
And don't get me started on the dumber-than-dogshirt MS "Your password will need changing in two weeks. Shall we do it now (and by doing so use up one extra password per year than if I just assumed the effing system administrator knew what he or she was doing)?"
I agree that I have far more respect for someone who admits to a mistake than someone who tries to blag their way out of it.
But let me be the first to say even Microsoft have used the 'tick here to unmask' password on Vista (when entering a WPA key, since you didn't ask).
And possibly the most secure option is that used by my bank: it asks for three random digits from within the password. It doesn't matter how many shoulder-surfers watch me, all they'd get is, say, the third, seventh and twelfth digits. Maybe, just maybe, if someone watched me log on twenty times, then perhaps they'd collect all the digits... But I reckon I could get most people's passwords watching them type them three times, asterisks or not. Most people pointedly look away when a colleague is entering a password to show that they're not doing this.
Steve (or RIM) didn't invent the 'mask after a brief period'. Every mobile that I've ever had does this (from WAP days onwards), and with good reason - they had phone keypads and it was handy to know which letter you'd typed before starring it out.
On a device with a qwerty keyboard it really shouldn't be necessary... perhaps says more about the quality of screen keyboards.
"Many years of important e-mails, documents, photos and lots of work is stored in Googledocs and Hotmail accounts so I NEED a secure password."
If they are THAT important, surely you store them on automatically synchronized encrypted file systems accessible via ssh (or similar) at home in Istanbul, and at your Mum's in Duluth, and at your Great Aunt Bessie's in Argentina?
"Fortunately I have a good memory and have made up a strong password,"
A strong password? Only one? The key to the kingdom, as it were?
"because I need to care about my security, especially when I'm away from home and using an internet cafe."
You do "important work" out of internet cafes that requires security, utilizing googledocs & hotmail? Your definition of "important" and "security" appears to differ from mine.
Where I work we recently took a product called BioPassword for a test drive. This works by analysing the speed and 'pattern' that you type your password. For example, there may be a tenth of a second delay between you pressing the keys Q and W, because they're next to each other and you use the same finger, but a half second delay between Q and 5, due to changing fingers.
Despite being very sceptical about its effectiveness we were all surprised at how well it worked. While the application learned how you type your password, which took about 10 entries, it became more and more restrictive about how close to the pattern you had to be. We ended up putting the username and password on a Post It note and inviting people to successfully sign on to the machine... nobody was able to defeat it.
A/C because otherwise I'll get harassed by their sales department yet again.
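The keystroke-timing idea described in this comment, as an added example that is not BioPassword's algorithm or any code from the thread: enrolment samples of key-down timestamps are reduced to inter-key intervals, a template of per-interval mean and spread is built from them, and a later attempt is accepted only if every interval lies within a tolerance band around the template. The enrolment samples are constructed for the example, and the tolerance multiplier, the minimum spread floor and the function names are assumptions; a browser would collect the timestamps from `keydown` events' `timeStamp` values.

```javascript
// Added example: a minimal keystroke-dynamics template (mean and spread of
// inter-key intervals) and a matcher that accepts or rejects a new attempt.

const MIN_SPREAD_MS = 10;   // floor so a very consistent typist still has a band
const Z_MAX = 3;            // accept if every interval is within Z_MAX spreads

// Key-down timestamps (ms) -> inter-key intervals (ms).
function intervals(timestamps) {
  const out = [];
  for (let i = 1; i < timestamps.length; i++) out.push(timestamps[i] - timestamps[i - 1]);
  return out;
}

// Build a template from several enrolment samples of the same password.
// Returns per-interval mean and (population) standard deviation, floored.
function enroll(samples) {
  const rows = samples.map(intervals);
  const n = rows[0].length;
  if (rows.some((r) => r.length !== n)) throw new Error('samples differ in length');
  const mean = [];
  const spread = [];
  for (let i = 0; i < n; i++) {
    const col = rows.map((r) => r[i]);
    const m = col.reduce((a, b) => a + b, 0) / col.length;
    const v = col.reduce((a, b) => a + (b - m) ** 2, 0) / col.length;
    mean.push(m);
    spread.push(Math.max(Math.sqrt(v), MIN_SPREAD_MS));
  }
  return { mean, spread, samples: samples.length };
}

// Decide whether a new attempt's rhythm matches the template.
// Every interval must fall inside mean +/- Z_MAX * spread.
function matches(template, timestamps, zMax = Z_MAX) {
  const iv = intervals(timestamps);
  if (iv.length !== template.mean.length) return false;
  return iv.every((x, i) => Math.abs(x - template.mean[i]) <= zMax * template.spread[i]);
}

// Constructed enrolment data: five typings of a five-key password by the
// legitimate user, with a long pause before the last key (e.g. a finger change).
const ENROLLMENT_SAMPLES = [
  [0, 100, 210, 315, 615],
  [0, 104, 212, 322, 612],
  [0, 98, 210, 310, 620],
  [0, 102, 208, 315, 610],
  [0, 96, 210, 313, 618],
];

function demo() {
  const template = enroll(ENROLLMENT_SAMPLES);
  return {
    genuine: matches(template, [0, 103, 211, 317, 612]),   // same rhythm
    imposter: matches(template, [0, 250, 490, 750, 870]),  // right keys, wrong rhythm
  };
}
```

The comment's observation that the product "became more and more restrictive" as it learned corresponds here to the spread shrinking as more consistent samples are enrolled; in practice a deployment would cap how tight the band can get (the `MIN_SPREAD_MS` floor) so that a legitimate user on a different keyboard is not locked out.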