Do unseen passwords really need masking?

Summary: A test build of Fedora 19 Beta, the Red Hat-sponsored community distribution, no longer masks passwords by default in its installer. Should that become standard practice?

TOPICS: Security

Passwords. They're the bane of any IT security practitioner's existence: picking a good one, making it easy to remember, forgetting it, resetting it, storing it correctly and now, it appears, deciding whether to mask it.

It's not a new issue. Well-known information security advocate Bruce Schneier argued back in 2009 that there's not much point in showing asterisks or bullets in place of a user's password (masking it) while they type, since anyone close enough to read over the user's shoulder can simply watch the keyboard instead.

It's a classic case of security hurting usability, and Schneier argued at the time that the trade-off isn't worth it, since the user is typically alone in their office anyway.

That appears to be the justification behind a recent Fedora 19 Beta test-candidate build, which no longer masks passwords as you type.

When starting an installation of Fedora 19 Beta TC2, administrators are asked to set a root password, but the password isn't masked until focus leaves the field. That lets the administrator check that the password was typed correctly, but it raises concerns, given that this is the root password for the system.

(Image: Screenshot by Michael Lee/ZDNet)

The issue was filed as a bug on Red Hat's Bugzilla instance, but was initially dismissed by Chris Lumens, one of the developers of Anaconda, Fedora's installer. He wrote that it was "working exactly as it is intended" and brings other benefits, such as avoiding keyboard-layout mistakes (a password typed under one layout that then fails under another), a problem that is particularly taxing during installation.

The installer also lets administrators create an additional local user account and add it to the machine's list of administrators. Creating that account has the same masking behaviour and, strangely enough, includes a password-strength meter that is missing when setting the root password.

(Image: Screenshot by Michael Lee/ZDNet)

Stranger still, once the installation is finished and Fedora is up and running, login passwords are masked as you type anyway. The exception is changing a user password in the GNOME graphical interface, but even there the default is to mask the password unless the "Show password" option is checked.

That is one way installation password masking, especially for the root password, should have been handled. Other alternatives include masking everything but the most recently typed character, or doing what Microsoft did in Windows 8: adding a button beside the password field that shows the unmasked password for as long as the user holds it down.

This is another instance of assuming that the user wants convenience over security, when the proper approach is to put a reasonable level of security in place by default and let the user downgrade as needed. Users can always choose to reveal their password if they know that no one else is in the room, but if the lowest security option is the default, it's too late. After all, the people who design security mechanisms don't know exactly what environment users are in, and can't offer advice that applies to everyone.
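As an added example, and not code from Fedora, Anaconda or ZDNet, here is a small JavaScript model of a password field that follows the policy just described: masked by default, with every reveal (a "Show password" checkbox, a hold-to-reveal button, or an Android-style peek at the newest character) initiated by the user, subject to an administrator switch that can forbid reveals entirely, and dropped again as soon as the field loses focus. It is deliberately free of DOM code so it can be unit-tested; in a real page you would drive an `<input>` from `display()`. All class, option and method names are this example's own.

```javascript
// Added example, not Fedora/Anaconda/ZDNet code: a DOM-independent model of a
// password field whose secure default is "masked", with user-initiated,
// transient downgrades. Wire it to a real <input> by setting its value from
// display(), or by toggling input.type between "password" and "text" when
// display() equals the raw value. Option and method names are assumptions.

const BULLET = "\u2022"; // the dot that GNOME and most browsers draw

class PasswordField {
  constructor({
    allowReveal = true,   // false: administrator forces masking, no reveal at all
    peekLastChar = false, // Android style: newest character visible briefly
    peekWindowMs = 500,   // how long that character stays visible
    group = 0,            // >0: space the mask into groups so miscounts show
  } = {}) {
    this.allowReveal = allowReveal;
    this.peekLastChar = peekLastChar;
    this.peekWindowMs = peekWindowMs;
    this.group = group;
    this.value = "";
    this.focused = false;
    this.showChecked = false; // "Show password" checkbox (GNOME style)
    this.revealHeld = false;  // eye button held down (Windows 8 / IE10 style)
    this.lastTypedAt = -Infinity;
  }

  focus() { this.focused = true; }

  // Leaving the field drops every transient reveal, so a revealed password
  // never outlives the moment the user asked for it (tab away, screen share,
  // later screenshot): the opposite of "clear text until focus leaves".
  blur() { this.focused = false; this.showChecked = false; this.revealHeld = false; }

  type(ch, now) { this.value += ch; this.lastTypedAt = now; }
  backspace(now) { this.value = this.value.slice(0, -1); this.lastTypedAt = now; }

  // Both downgrades are user-initiated and honour the administrator policy.
  setShowChecked(on) { if (this.allowReveal) this.showChecked = on; }
  setRevealHeld(on) { if (this.allowReveal) this.revealHeld = on; }

  revealed() { return this.allowReveal && (this.showChecked || this.revealHeld); }

  // What the widget should draw at time `now` (milliseconds on any clock that
  // is also used for type()/backspace()).
  display(now) {
    if (this.revealed()) return this.value;
    const n = this.value.length;
    const peek = this.allowReveal && this.peekLastChar && n > 0 &&
      now - this.lastTypedAt < this.peekWindowMs;
    let out = "";
    for (let i = 0; i < n; i++) {
      if (this.group > 0 && i > 0 && i % this.group === 0) out += " ";
      out += (peek && i === n - 1) ? this.value[i] : BULLET;
    }
    return out;
  }
}

// Walks through the behaviours the article contrasts on one constructed
// password and returns the successive frames the widget would draw.
function walkthrough() {
  const f = new PasswordField({ peekLastChar: true, group: 5 });
  const frames = [];
  f.focus();
  "correct horse".split("").forEach((ch, i) => f.type(ch, i * 100)); // typed at 0..1200 ms
  frames.push(f.display(1250)); // just typed: last character peeks through
  frames.push(f.display(5000)); // peek expired: fully masked, grouped in fives
  f.setRevealHeld(true);
  frames.push(f.display(5000)); // button held: plain text
  f.setRevealHeld(false);
  f.setShowChecked(true);
  frames.push(f.display(5000)); // checkbox: plain text until focus leaves
  f.blur();
  frames.push(f.display(5000)); // back to the secure default
  return frames;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(walkthrough().join("\n"));
}
```

The `allowReveal` switch is the hook for the "let administrated systems force masking" case: with it off, the checkbox, the held button and the last-character peek are all ignored, and the only thing the user can do is type. The grouping option costs nothing in secrecy (the attacker learns only the length, which the bullet count already gives away) but makes a bounced or dropped keystroke visible at a glance.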

Does this mean that gurus like Schneier are mistaken, then?

I guess it's telling that Schneier himself later admitted that he probably was.

Is password masking necessary? Or should it be considered too inconvenient to enable by default? Have your say in the comments.

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

  • Masking passwords during remote control

    How about when I'm supporting my clients remotely via screen sharing? I can't "look over their shoulder." They enter passwords frequently during remote sessions, as do I. Without masking, things would be disastrous.
  • Unmask the password!

    The way that android masks passwords is a compromise that does not always make for usability. Each new character is displayed for half a second before it is turned into a dot. This is LESS useful for verifying correct typing than the new keyboard feature of blinking a temporary large copy of the key above and to the side when it is touched. With a touch keyboard on a phone size screen and the inability to be SURE the right key has been entered, the password either has to be entered VERY slowly, or there is a risk of having it rejected, and any site that uses a password LOCKS up after only a few (usually three) failures, at a time when phone AND full page (most password reset sites still assume you are using a full screen PC or Mac, not a phone) web browser access may not be available together to have it unlocked.

    Another problem with passwords on mini-screens is that a good password requires MIXING alpha, numeric and special characters, but mini-screen touch keyboards require a case shift to switch; thus, a password that happens to be in a Canadian postal code format must be typed "A, num, 1, ltr, B, space, num, 2, ltr, C, num, 3, go". And if it uses upper case letters, "shift, A, num, 1, ltr, shift, B, space, num, 2, ltr, shift, C, num, 3, go", thus requiring as many as 16 keystrokes for a 7 character "recommended strength" password!

    Displaying the password until "next" or "go" is typed would be a big improvement for phone users, and the privacy issue is mitigated because the user can shield the phone from view by others with his/her body, holding the phone close to the face with the head bent over.
  • Absolutely it should be masked.

    It's far harder to keep track of key strokes that someone is using, rather than simply reading (or photographing) a password on a screen.

    I respect the developers views, but strongly disagree with them.
  • Entering complete passwords should be obsolete by now anyway

    Passwords were fine in the early days but what is needed to be really secure is a dialogue such as "Enter the 1st, 4th and 6th characters of your password." That way, anyone trying to find out your password will have to watch your keyboard entries many times before getting the full password - a highly unlikely possibility.
    Another option is to have a PIN such as 13429 and you're presented with a word or phrase of 9 letters or more and you type in letters 1,3,4,2 and 9 in that order.
    It's only with dialogue rather than simple user entry that true security is possible.
  • Why do some password entry systems only allow alphanumeric characters?

    One of the craziest password restrictions I have come across is limiting the number of characters in a password to just letters and numbers. This makes any password much easier to crack than if the full range of punctuation and symbol characters is also allowed.
    Can anyone explain why this restriction is so common?
    • SQL injection?

      I usually assume this is because they're afraid they could have some unpatched vulnerability to SQL injections in their system. Although if they're worried about that, they should probably take their site offline.

      I guess the real answer is "because they're stupid".
  • keep it masked

    My teenaged daughter likes my Pandora mix (!), so last weekend, she asked me to sign in. While she sat in front of the keyboard, I reached over her shoulders with both hands and typed my password. She's a smart, alert kid, and the keyboard was at the proper reading distance for her, but she couldn't keep up with typing fingers.
    The presence of video cameras changes all the rules, of course, and I like the idea of those utilities that display your password as you type, for certain special circumstances, but the default should all be a hidden password.
  • I hate masking

    No one is ever looking over my shoulder, why can't I see my own password?

    The obvious solution, as mentioned in the article, is to make it optional before you enter the password. A simple checkbox and the issue disappears. Even TrueCrypt does this.
    Glenn Castle
  • Simple solution

    Just put a check-box where the user can toggle masking on/off when entering the password.

    This is the thing that makes entering a long complicated wlan-key in Android just bearable, but on iOS it makes you wanna stomp the useless F thing to bits.
  • Depends on each individual case

    Firstly, I had to log in to post this comment, and the password field was masked as I typed. No-one was looking over my shoulder.
    Anyway, sometimes masking is good, but what really annoys me is when you log into a broadband router with the Administrator username and password to find the wireless password, AND IT'S STILL MASKED!
    I'm logged in as the administrator and I still can't see my own password. What idiot wrote that software?
  • I like Internet Explorer 10 password masking

    In IE10 when you enter a password, it is masked unless the web page does otherwise, but when you key the first character in the password field an icon shaped like an eye shows at the end of the field. While you are clicking (click & hold) on that, the password is shown. It only works on the current hidden field. Once you move on, the eye disappears.
  • Make it optional, default unmasked

    Instead of deciding for everyone, make it optional. Leave in unmasked by default, with something to click/poke/swipe to enable masking. Allow administrated systems to force masking if the administrator asks.

    Anything else is an insult to user intelligence.
  • How about a bigger password problem!

    The number of sites that will send your forgotten password in unencrypted PLAIN TEXT email!
    This positively drives me up the wall!
    Was solved 30+ years ago with one-way encryption! Hello administrators! Your site gets hacked and now they have every one of your customers' passwords!
    One of these outfits makes AV software (still does but I dropped them years ago).
    I would propose exposing them on a WALL OF SHAME but why help the bad guys out...
  • It's all about practical privacy!

    Personally, I think it makes sense to UNMASK the passwords during INSTALL. Any other time is a disaster waiting to happen and a very good reason to drop the distro like it's hot if.

    Remote Desktop leaves people vulnerable to seeing administrative passwords. This is further compounded by the ability to take a screenshot with the password visible. We need not share what is supposed to be private. We need not let others find even easier ways of capturing the information by taking a screenshot instead of trying to remember a long complicated password from memory. And we need not have them store the screenshot on their computer for someone, be it at the keyboard or remotely, to snag a copy of the password. This allows for a portable means of spreading the password details. It can be printed too. From an enterprise standpoint, even with a good practice of changing passwords regularly, a root password is usually common across multiple computers, even if that's as small as just a per department root password.
    • Maybe the remote login CLIENT could be enhanced?

      Add LOCAL logic to the remote login client so that, possibly when toggled with a CTRL+H, it will display the password it is sending to the remote system, while making sure that system does not display it on its own screen. Example: you are helping Joe from your help desk workstation, using "RemoteX" (a fictitious name) to log in to Joe's machine. You select (unless it is a fixed option) to have Joe's machine HIDE passwords at all times. But, when you move the cursor to the password field, you hit CTRL+H, then type your password, I'mtheboss! on your system. Joe's screen displays asterisks, but yours, thanks to special code in the remote screen display routine of RemoteX, displays the actual password so you can see what you typed. Joe can have George Lucas himself with a high speed camera on his screen and all he will see is asterisks. You, however, can see what you SENT to Joe's system and can make sure it was typed correctly before pressing the Enter key to do the login.

      There is another thing that would help when typing a password locally into a browser or application: so that the legitimate user will know if a key bounces (especially on touch screens of tablets and phones!), or was momentarily distracted, the row of asterisks or dots that display in place of the masked password should be divided into fives for display purposes. This would solve a problem I have with a banking app on my Android: my password is between 10 and 15 characters, with lots of alpha-to-numeric alternation (requiring case shifting in both directions), and when holding the phone in one hand, there are occasional "bounces" that may duplicate characters. Dividing the row of dots (worse than asterisks when they are that small) into fives makes it easier to detect when I have typed 12 characters so far but one of them has bounced so that ***** ***** *** is displayed instead of ***** ***** ** as intended.

      I do like the idea of having the system prompt a user for a random subset of the password instead of the entire one, although one-way-encrypted passwords do not allow for that, since the login program has no way of KNOWING what the 5th, 9th and 13th characters of the password were before it was encrypted.
  • Bookmarklet

    When im on a webpage, I use this bookmarklet to unmask the dots:

    • Woops

      Should have known it would be filtered.
      Just Google Bookmarklet to view passwords, or similar.
  • How about this?

    Do like I have seen in several applications. The default is to mask the password, but you have a check box to "show password". That way if I have a failed log in, I can check and see if the password that is failing is actually what I "think" I typed in. With so many sites that have different requirements for passwords, I have quite a few passwords. It is easy to type in a completely wrong password 3 times in a row because I wrongly assumed that it was a typo on my part, rather than I am using the wrong password for that site.
  • Reverted

    For the record, the commit to anaconda was reverted in the middle of the day on May 6, presumably after the author filed this story.

    It's worth noting that 'TC' and 'RC' builds of Fedora are not intended as public pre-releases or previews. They are validation builds intended for the QA team to run tests ahead of the official Alpha, Beta and final releases. There are only three official release points for each Fedora release: Alpha, Beta and final. The TCs and RCs are publicly available because we try to make Fedora development as open as possible, but they are not intended for wide re-distribution and they are not intended as review releases for the press.