Really?
I can maybe see where they were coming from with this ... it would make users think a little more. You could argue that password masking is security through obscurity.
A few years ago, I amazed someone at a client's IT dept by sniffing their password off the wire (HTML form-based authentication) - they thought the masked password was encrypted. This is the part of the puzzle that the users probably don't understand. “I can't read it on the screen, it must be secure.”
That said, I still think removing it would be a really *bad* idea. It would create a few really large problems, rather than the comparably small problems we currently have.
I can imagine people using high powered telescopes through windows etc. Never a good thing.
I wonder how many people use HTML forms to authenticate over their unencrypted home wireless network? *Most* sites now seem to use SSL/TLS for the authentication process at least, but some probably still exist. For example, your password for your Register comments doesn't appear to be submitted over a secure connection: action="http://comments.theregister.co.uk/2009/06/30/masked_passwords_usability/"
------
A couple of replies to comments (I've given up reading all of them!)
------
@Anonymous Coward Posted Tuesday 30th June 2009 08:23 GMT
You have described another security issue, using the same password on two accounts. This has nothing to do with password masking. If I sniff your password off the wire, how is masking it on screen going to help?
@ChrisInBelgium
* 40 passwords? More a symptom of your infrastructure than an issue with passwords. Maybe centralising some of the user accounts would help.
* password lock out - stops password brute forcing. 3 is maybe too few attempts, it depends on what you are protecting. Brute forcing is the security threat that this control is trying to protect you from.
* Coding your own encryption algorithms is not a recommended practice.
@Mike Peachey
@Anonymous Coward Posted Tuesday 30th June 2009 08:48 GMT
@Peter Kay
Good examples guys!
@Gilbert George
I used to have a tool, forget its name (maybe winspy) that would work on any input box. Really useful! I may check that tool out.
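The two points the comment above makes (a login form whose action is a plain http:// URL, and a password that is readable in the POST body once it is on the wire) can both be checked mechanically. The following is an added example, not code from the commenter or from The Register; the HTML snippet, the page URL and the captured request are constructed for illustration, and the field names and the password value are made up.

```python
"""Added example: (1) find password forms that would submit over plain HTTP,
(2) recover the credentials from a captured plain-HTTP POST.

The HTML, page URL and captured request below are constructed test data,
not anything taken from the real site."""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin, parse_qs


class PasswordFormFinder(HTMLParser):
    """Collect every <form> together with whether it holds a type=password input."""

    def __init__(self):
        super().__init__()
        self._current = None
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                      # values may be None for bare attributes
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_password_forms(html, page_url):
    """Return the resolved action URLs of password forms that are not https.

    A relative or empty action is resolved against page_url, which is what
    the browser does before submitting."""
    p = PasswordFormFinder()
    p.feed(html)
    flagged = []
    for f in p.forms:
        if not f["has_password"]:
            continue
        action = urljoin(page_url, f["action"])
        if urlsplit(action).scheme.lower() != "https":
            flagged.append(action)
    return flagged


def credentials_from_post(raw):
    """Decode the form fields of one captured HTTP request (bytes as on the wire).

    Returns a dict of field -> value, or None if the request is not a
    form-encoded POST. Percent-encoding is undone, so the value is exactly
    what the user typed into the masked box."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or parts[0] != b"POST":
        return None
    headers = {}
    for line in lines[1:]:
        k, _, v = line.partition(b":")
        headers[k.strip().lower().decode("latin-1")] = v.strip().decode("latin-1")
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    length = int(headers.get("content-length", len(body)))
    fields = parse_qs(body[:length].decode("latin-1"), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}


# --- constructed sample data (hypothetical page, real action URL from the comment) ---
PAGE_URL = "http://www.theregister.co.uk/2009/06/30/masked_passwords_usability/"
SAMPLE_HTML = """
<html><body>
<form method="post" action="http://comments.theregister.co.uk/2009/06/30/masked_passwords_usability/">
  <input type="text" name="username"><input type="password" name="password">
  <input type="submit" value="Post">
</form>
<form method="post" action="/search"><input type="text" name="q"></form>
<form method="post" action="https://account.example.test/login">
  <input type="password" name="pw">
</form>
</body></html>
"""
_BODY = b"username=alice&password=Tr0ub4dor%263&go=Post"   # made-up credentials
CAPTURED_POST = (
    b"POST /2009/06/30/masked_passwords_usability/ HTTP/1.1\r\n"
    b"Host: comments.theregister.co.uk\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n"
    b"\r\n" + _BODY
)

if __name__ == "__main__":
    print("password forms posting in the clear:", insecure_password_forms(SAMPLE_HTML, PAGE_URL))
    print("fields on the wire:", credentials_from_post(CAPTURED_POST))
```

The form check only looks at the action's scheme; if the page itself arrives over plain HTTP, anyone on the path can rewrite that action before the user sees it, so an https action on an http page is not a safe configuration either. The second function is the whole of what the "sniffing" in the comment amounts to: the on-screen asterisks never reach the network, and the only thing standing between the POST body and a sniffer is TLS.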