Should Password Masking be eliminated?

  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

From Jack Nielson's Alertbox: Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.

Quote:
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.


Do you agree?

The article

Personally I don't agree. Contrary to what the article states, I do have people looking over my shoulder on a semi-regular basis.
  • SpooF
  • ٩๏̯͡๏۶
  • Bronze Member
  • User avatar
  • Posts: 3422
  • Loc: Richland, WA

Post 3+ Months Ago

I would have to disagree with the article. For one, keystrokes occur in a split second, while text on a screen can be visible for as long as the user hasn't hit the enter key. Also, I've heard of picture perfect memory, but never video perfect memory :lol:
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

I disagree

1) Text is visible therefore memorable
2) Try to memorize keystrokes when the user is using both hands
3) People generally don't have people glancing over their shoulder unless it is the IT technician asking someone to log in to a business system so they can view any errors
4) If people stop using a system because they can't type their password incorrectly they shouldn't be using a computer :)

I think we should implement ssh/terminal type logins with no echo on any characters, see how long before people ask for the mask back LOL
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Quote:
I think we should implement ssh/terminal type logins with no echo on any characters, see how long before people ask for the mask back LOL


I second this one! Maybe then I'd stop getting hassled for having a password more complex than 4 characters when someone happens to notice I have 10+ stars. It's difficult to explain that yes, while harder to remember than your cute dog's name, my financial info just might be a bit more secure.

Laziness - the driving force of web development, both positive and negative.
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

Most of my passwords average 13 or so random characters and numbers, caps and small case, and none of them include "words". I don't know what's so difficult about memorizing a few complex passwords. It's to a user's benefit.
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

The funny part is that the guys with the 4 character fluffy passwords are the guys more likely to have key loggers and trojans on their machines.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Quote:
most of my passwords average 13 or so


My rule of thumb is (all are minimums) 2 caps, 2 upper, 2 special, 2 numbers, 14+ characters. I like to memorize a few and then work out a simple algorithm that leads me to its successor (for situations such as 30-day expirations). That way I can memorize the basic combinations and then use several alterations.

Quote:
I don't know what's so difficult about memorizing a few complex passwords


Me either! I really don't understand how people can be so paranoid about other sensitive information in their lives, but think that their first name in lower case or pet's name is a sufficient deterrent.
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

I generally find keystroke patterns and implement a few shifts :)
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I'd venture to say most people are more at risk of having a keylogger steal their passwords than they are to have someone looking over their shoulder do it.

I'd like to see sites people are most likely to be using at home or around trusted people lose the masking. Maybe place a button between the username and password boxes that can be clicked/tab-spaced real quick to activate masking when needed.

Code:
<fieldset>
    <legend>Login</legend>
    <input type="text" name="username" id="username" value=""/>
    <input type="button" name="masker" id="masker" value="Mask Password" onclick="to_password('password');this.disabled=true;"/>
    <input type="text" name="password" id="password" value=""/>
    <input type="submit" name="submit" id="submit" value="Submit"/>
</fieldset>
Attachments:
password-mask.html.zip

(666 Bytes) Downloaded 314 times
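
The toggle discussed in this thread, as an added example that is not part of joebert's post or his attachment: it starts masked and re-masks on submit, the reverse default of the markup above. The function names `createMaskToggle` and `attachMaskToggle` and the button labels are assumptions; the ids `password` and `masker` are taken from the posted markup.

```javascript
// Added example. `field`, `button` and `form` are the password <input>,
// the toggle button and the login <form>; any object with the same
// properties works, so the core logic also runs outside a browser.

function createMaskToggle(field, button) {
  // Fail safe: start masked, however the markup declared the field.
  field.type = 'password';

  function render() {
    // The label always names the action the next click performs.
    button.value = field.type === 'password' ? 'Show Password' : 'Mask Password';
  }

  const api = {
    isMasked() { return field.type === 'password'; },
    mask() { field.type = 'password'; render(); },
    reveal() { field.type = 'text'; render(); },
    toggle() { if (api.isMasked()) api.reveal(); else api.mask(); },
  };
  render();
  return api;
}

function attachMaskToggle(form, field, button) {
  const toggle = createMaskToggle(field, button);
  // One click reveals, the next click masks again.
  button.addEventListener('click', () => toggle.toggle());
  // Re-mask before the form is sent, so a revealed password is not
  // left readable on screen while the next page loads.
  form.addEventListener('submit', () => toggle.mask());
  return toggle;
}

// Browser usage with the ids from the posted markup (assumes a <form>
// wraps the fieldset):
//   attachMaskToggle(document.forms[0],
//                    document.getElementById('password'),
//                    document.getElementById('masker'));
```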

  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

I like the idea. We have the ability to detect and handle events from most any key combination within a page, so I don't really get why the universal solution has been to type everything twice. I'm slightly annoyed at the abundance of verify boxes. They're not just limited to passwords, either. I've abandoned forms before that I felt I was filling out twice.
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

Ag nee man. Here we go with an additional feature! :P And we wonder why the web won't just work LOL

Nice idea joe!
  • spork
  • Brewmaster
  • Silver Member
  • User avatar
  • Posts: 6249
  • Loc: Seattle, WA

Post 3+ Months Ago

In response to the original post, I log into lab computers on a daily basis with many other people in the same room, usually a few feet away. There's no way in hell I'd want my password echoed on the screen, regardless of how long and complex it is.
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

Ok all in favour of masked passwords say "I"
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

aye! that would be **** if masking was still good.
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

i

I'm only half in favor, so I used a lowercase i. :D
  • Rabid Dog
  • Web Master
  • Web Master
  • User avatar
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

HAHAHAHAHAHAHA half in favour. Good point atno. Reckon we should all start talking masked textbox just to prove a point. Would be like hang man :D
  • spork
  • Brewmaster
  • Silver Member
  • User avatar
  • Posts: 6249
  • Loc: Seattle, WA

Post 3+ Months Ago

Eye.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Nay! (Ok, so I support it, but there should always be an opposition) :D
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

UPSGuy wrote:
Nay! (Ok, so I support it, but there should always be an opposition) :D


What if we all decided not to jump off a bridge, would you do it just because everyone else isn't? :D
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

Sure! You didn't say I couldn't bungee. ;)
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I didn't say you could secure the bungee to the bridge either.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

lol :)
  • ATNO/TW
  • Super Moderator
  • Super Moderator
  • User avatar
  • Posts: 23456
  • Loc: Woodbridge VA

Post 3+ Months Ago

I suppose not everyone is a lemming. Seriously though, in a perfect world, we wouldn't need masking, but let's face it, there's too many people out there that would seriously take advantage of an administrator password if they were lucky enough to see it. And at work there are dozens of opportunities a day when I'm helping somebody with a problem and they are standing over my shoulder when I log in.
  • mindfullsilence
  • Professor
  • Professor
  • User avatar
  • Posts: 854

Post 3+ Months Ago

Why not give the person the option? A simple checkbox that enables or disables the password masking.
  • UPSGuy
  • Lurker ಠ_ಠ
  • Web Master
  • User avatar
  • Posts: 2733
  • Loc: Nashville, TN

Post 3+ Months Ago

mfs, that fits with what joebert suggested. Have a look at the code he included in his post.
  • joebert
  • Fart Bubbles
  • Genius
  • User avatar
  • Posts: 13502
  • Loc: Florida

Post 3+ Months Ago

I wonder how long it would take people to get used to there being an extra button in a log in form. How long did it take the checkboxes for remaining logged in to catch on?
  • mindfullsilence
  • Professor
  • Professor
  • User avatar
  • Posts: 854

Post 3+ Months Ago

oh, what do ya know. Sorry bout that, didn't feel like reading 2 pages worth of responses. Oh well, let's add that to the vote.

Masking, no masking, user option.

So far we have 2 for user option!
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

i (I'm with joebert here. We could do Joebert's idea here).
  • middayc
  • Novice
  • Novice
  • User avatar
  • Posts: 23
  • Loc: Slovenia

Post 3+ Months Ago

I don't agree with the article. I usually like the contrarian ideas and I agree with some points, but all in all it doesn't make sense.

You need to type in passwords many times per day. It takes one person just one look and he knows it and can freely distribute it further.

How stressed would you feel if you had to fill in and submit a login form quickly before anyone comes in each time? Or looking behind while you are typing the form in a room with some people to see if somebody is not looking.

joebert's idea is cool!
  • spork
  • Brewmaster
  • Silver Member
  • User avatar
  • Posts: 6249
  • Loc: Seattle, WA

Post 3+ Months Ago

The problem with Joe's idea is that designers will neglect to set the z-index correctly for the check box, and I'll end up tabbing to what I think is the "keep me logged in" box, hitting space, and revealing my password to the masses.