Should Password Masking be eliminated?

  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22454
  • Loc: Pittsburgh PA
  • Status: Offline

Post June 30th, 2009, 11:35 am

From Jack Nielson's Alertbox: Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

Quote:
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.


Do you agree?

The article

Personally I don't agree. Contrary to what the article states, I do have people looking over my shoulder on a semi-regular basis.
"The web is a dominatrix. Every where I turn, I see little buttons ordering me to Submit."
Play sports pools and discuss sports topics at Boasting Rights Sports Forum
Get paid to write articles - www.associatedcontent.com
  • SpooF
  • Ice Cream
  • Bronze Member
  • Joined: May 22, 2004
  • Posts: 2825
  • Loc: Richland, WA
  • Status: Offline

Post June 30th, 2009, 12:52 pm

I would have to disagree with the article. For one, keystrokes occur in a split second, while text on a screen can be visible for as long as the user hasn't hit the enter key. Also, I've heard of picture perfect memory, but never video perfect memory :lol:
College Taught Me - And we're not talking about the classes!
@travisperson
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3187
  • Loc: South Africa
  • Status: Offline

Post June 30th, 2009, 1:09 pm

I disagree

1) Text is visible therefore memorable
2) Try to memorize keystrokes when the user is using both hands
3) People generally don't have people glancing over their shoulder unless it is the IT technician asking someone to login to a business system so they can view any errors
4) If people stop using a system because they can't type their password incorrectly they shouldn't be using a computer :)

I think we should implement ssh/terminal type logins with no echo on any characters, see how long before people ask for the mask back LOL
My Software Development Company
Music I have recorded (fixed now :))
  • UPSGuy
  • Lurker ಠ_ಠ
  • Mastermind
  • Joined: Jul 25, 2005
  • Posts: 2491
  • Loc: Nashville, TN
  • Status: Offline

Post June 30th, 2009, 1:42 pm

Quote:
I think we should implement ssh/terminal type logins with no echo on any characters, see how long before people ask for the mask back LOL


I second this one! Maybe then I'd stop getting hassled for having a password more complex than 4 characters when someone happens to notice I have 10+ stars. It's difficult to explain that yes, while harder to remember than your cute dog's name, my financial info just might be a bit more secure.

Laziness - the driving force of web development, both positive and negative.
I'd love to change the world, but they won't give me the source code.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22454
  • Loc: Pittsburgh PA
  • Status: Offline

Post June 30th, 2009, 1:51 pm

Most of my passwords average 13 or so random characters and numbers, caps and small case, and none of them include "words". I don't know what's so difficult about memorizing a few complex passwords. It's to a user's benefit.
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3187
  • Loc: South Africa
  • Status: Offline

Post June 30th, 2009, 1:51 pm

The funny part is that the guys with the 4 character fluffy passwords are the guys more likely to have key loggers and trojans on their machines.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Mastermind
  • Joined: Jul 25, 2005
  • Posts: 2491
  • Loc: Nashville, TN
  • Status: Offline

Post June 30th, 2009, 2:02 pm

Quote:
most of my passwords average 13 or so


My rule of thumb is (all are minimums) 2 caps, 2 upper, 2 special, 2 numbers, 14+ characters. I like to memorize a few and then work out a simple algorithm that leads me to its successor (for situations such as 30-day expirations). That way I can memorize the basic combinations and then use several alterations.

Quote:
I don't know what's so difficult about memorizing a few complex passwords


Me either! I really don't understand how people can be so paranoid about other sensitive information in their lives, but think that their first name in lower case or pet's name is a sufficient deterrent.
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3187
  • Loc: South Africa
  • Status: Offline

Post June 30th, 2009, 2:07 pm

I generally find keystroke patterns and implement a few shifts :)
  • joebert
  • Weathered
  • Genius
  • Joined: Feb 10, 2004
  • Posts: 11817
  • Loc: Clearwater, FL
  • Status: Offline

Post June 30th, 2009, 2:17 pm

I'd venture to say most people are more at risk of having a keylogger steal their passwords than they are to have someone looking over their shoulder do it.

I'd like to see sites people are most likely to be using at home or around trusted people lose the masking. Maybe place a button between the username and password boxes that can be clicked/tab-spaced real quick to activate masking when needed.

Code:
<fieldset>
    <legend>Login</legend>
    <input type="text" name="username" id="username" value=""/>
    <input type="button" name="masker" id="masker" value="Mask Password" onclick="to_password('password');this.disabled=true;"/>
    <input type="text" name="password" id="password" value=""/>
    <input type="submit" name="submit" id="submit" value="Submit"/>
</fieldset>
Attachment: password-mask.html.zip (666 Bytes)


Why yes, yes I am.
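
The markup in the post above calls a to_password() function whose body is only in the attachment. The following is an added example, not joebert's code: an assumed body for to_password() plus a variant, attachMaskToggle() (a hypothetical name), that inverts the default so the field starts masked and is re-masked on submit, because a field that is type="text" at submit time can be saved by the browser as ordinary form history. The form element passed in is also an assumption; the post's markup only shows the fieldset.

```javascript
// Added example, not the attachment from the post. Functions take their
// elements as arguments, so they run in a browser or under Node with stubs.

// Assumed body for the to_password(id) call in the post's onclick handler:
// switch the named field to a masked password input.
function to_password(id, doc) {
  const field = (doc || document).getElementById(id);
  if (!field) return false;          // nothing to mask
  field.type = 'password';
  return true;
}

// Hypothetical variant: masked by default, reveal on request.
function attachMaskToggle(field, button, form) {
  // Start masked so a shoulder surfer never sees the value by accident,
  // and tell password managers what this field holds.
  field.type = 'password';
  field.setAttribute('autocomplete', 'current-password');
  button.value = 'Show Password';

  // One button flips between masked and visible.
  button.addEventListener('click', function () {
    const masked = field.type === 'password';
    field.type = masked ? 'text' : 'password';
    button.value = masked ? 'Mask Password' : 'Show Password';
  });

  // Always re-mask before submit: a value submitted from a type="text"
  // input can end up in the browser's form autofill history.
  form.addEventListener('submit', function () {
    field.type = 'password';
    button.value = 'Show Password';
  });
}

// Browser wiring, using the ids from the post's markup and an assumed
// enclosing <form id="login">:
//   attachMaskToggle(document.getElementById('password'),
//                    document.getElementById('masker'),
//                    document.getElementById('login'));
```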
  • UPSGuy
  • Lurker ಠ_ಠ
  • Mastermind
  • Joined: Jul 25, 2005
  • Posts: 2491
  • Loc: Nashville, TN
  • Status: Offline

Post June 30th, 2009, 2:23 pm

I like the idea. We have the ability to detect and handle events from most any key combination within a page, so I don't really get why the universal solution has been to type everything twice. I'm slightly annoyed at the abundance of verify boxes. They're not just limited to passwords, either. I've abandoned forms before that I felt I was filling out twice.
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3187
  • Loc: South Africa
  • Status: Offline

Post June 30th, 2009, 2:24 pm

Ag nee man. Here we go with an additional feature! :P And we wonder why the web won't just work LOL

Nice idea joe!
  • spork
  • HB
  • Silver Member
  • Joined: Sep 22, 2003
  • Posts: 5474
  • Loc: Rochester, NY
  • Status: Offline

Post June 30th, 2009, 2:28 pm

In response to the original post, I log into lab computers on a daily basis with many other people in the same room, usually a few feet away. There's no way in hell I'd want my password echoed on the screen, regardless of how long and complex it is.
How to Maintain Simple, Static Pages in a CakePHP Application
EEEEEEEEE! It's here!!
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3187
  • Loc: South Africa
  • Status: Offline

Post June 30th, 2009, 2:53 pm

Ok all in favour of masked passwords say "I"
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • Joined: May 28, 2003
  • Posts: 22454
  • Loc: Pittsburgh PA
  • Status: Offline

Post June 30th, 2009, 7:42 pm

aye! that would be **** if masking was still good.
  • joebert
  • Weathered
  • Genius
  • Joined: Feb 10, 2004
  • Posts: 11817
  • Loc: Clearwater, FL
  • Status: Offline

Post June 30th, 2009, 11:45 pm

i

I'm only half in favor, so I used a lowercase i. :D