We need to stop masking passwords

Summary: Masking passwords doesn't defend against any likely threat, causes user frustration, and drives them to pick poor passwords.

Windows 8 has a little "reveal" button on password fields to help you type in passwords correctly.

Truth be known, I'm a little bit nervous about this article. I'm going to suggest something that a lot of people won't like.

And it's this: Passwords should not be masked by default.

Now, I know what you're going to say. It will be something like, "but someone will steal my password if they can see it! Won't somebody think of the children!"

Before you jump to the comments section, let's see whether we can get on the same page on this...

Faulty

Masked passwords come from the age of mainframes. And when we're talking about mainframes, that makes sense -- they were secure, private systems, used by specialists.

My argument is that masking passwords does not make sense in the modern era, for two reasons.

Firstly, no one is going to see your password. I'll come onto that, but they just won't. Ever.

Secondly, if people could see their own passwords rather than a row of dots, they would choose better passwords and be less likely to reuse them across sites.

As humans we're very good at looking at something and taking a visual snapshot. If I actually see the Facebook login screen with my username and a long passphrase like "correct horse battery staple", that's more likely to sink into my brain.

From a user experience (UX) point of view, masked passwords are bad. We all know this is true -- it's much harder to type a complex password correctly if you can't see what you're typing. (Usability guru Jakob Nielsen wrote about this back in 2009.) As a result, people choose simpler passwords and are more likely to reuse them, because they rely on muscle memory to key them in rather than on visual memory to remember them.

Rods/cones

Let's go back to the idea that no one is going to see your password.

Where exactly do you think someone is going to see you typing in your password? More to the point, do you not have a much, much bigger problem than someone snaffling your Facebook login if they do?

I'm writing this in my home office. There is no one around. Masking passwords in this scenario is one hundred percent inconvenience and zero percent added security. The only way someone could see my password is if there were a covert camera in the room. Frankly, if that's the case, I have a much bigger problem than someone logging into my Facebook account.

Plus, if you want to get my password, there are much easier ways to do it. A keylogger would do it. Some other form of exploit would do it.

This is a key tenet in my argument. We're not in the mainframe era anymore and there are generally easier ways to steal credentials than relying on photons bouncing off of a screen and into someone's eye.

Say you're in Starbucks on your iPad. Password fields are about five millimetres tall in a standard rendering of a login form on an iPad mini. How is someone going to see that? Someone in the parking lot training a telephoto lens on your screen maybe? Again, if that's happening, you have bigger problems.

And, as before, there are easier ways to capture your credentials on that coffee-shop Wi-Fi than reading them off your screen. Troy Hunt's write-up of the Wi-Fi Pineapple, a pocket-sized rogue access point that lures devices into connecting through it, should scare you well enough.

There are virtually no situations I can think of where someone will be fast enough, clever enough, and have good enough eyesight to casually snaffle a pair of credentials. Frankly, only Sherlock could do it. It has to be an intentional attack, and there are always, always easier ways to phish someone.

Improvements

Windows 8 offers a decent enough pragmatic solution to password masking in that their standard password field implementation shows a little button you can press to unmask the value so that you can read it.

That's a fabulous improvement, but Chrome and Firefox don't support it, which makes it useless for a great number of people. It's also not done on Android, or iOS, or OS X. On mobile devices, masking passwords is a particular pain because muscle memory doesn't work so well when typing on glass.

My proposition is that this needs to be flipped around, with unmasked as the default; if you are somewhere where you want a little more privacy, you click a button to mask the field. Or, if you want to be low-tech about it, you can always put your hand over the field.

People aren't stupid. People already know to protect their PIN when keying it into an ATM. (Personally, I'm fine with masking for PINs because they are short and non-complex.) Those same people will learn that on the rare occasions when they have to type in a password and can be seen, they should give themselves a little extra cover. And who doesn't look away when someone is typing in a password in front of them anyway? Most people do.

Conclusion

When I discussed this point on Twitter with a few friends, the feedback (pushback?) I got was that this approach sacrifices security for the sake of convenience.

For me, I don't buy that argument -- it's classic technologist-style thinking. We're babying users and going out of our way to protect them from a threat that is not there, whilst all the time damaging their experience -- particularly on mobile -- and actually pushing them into using poor passwords. 

Masking passwords hurts people. It doesn't help people.

UPDATE: My Twitter friend Ross Dargan put together a Chrome extension that turns password fields into normal fields. I'm using it. It's a bit strange, but I like it! Give it a go and see what you think...
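
The reveal button described under "Improvements" and the extension in the update above both come down to flipping an input between type=password and type=text. The following is an added example, not code from this article, from Windows 8, or from Ross Dargan's extension: it implements a show/hide toggle whose default can be either masked or plain (the author's proposal), plus the unmask-everything behaviour of the extension. The function names (setMasked, toggleMask, unmaskAll, attachMaskToggle), the "Show"/"Hide" labels and the `doc` parameter are this example's own choices; the helpers accept any object with a `type` property so they can be exercised outside a browser.

```javascript
// Added example: reveal toggle for password fields (not the article's or
// the extension's own code). Works on real <input> elements; the pure
// helpers also accept any object with a `type` property.

const MASKED = 'password';
const PLAIN = 'text';

// Set a field to masked or plain and return its resulting type.
function setMasked(input, masked) {
  input.type = masked ? MASKED : PLAIN;
  return input.type;
}

// Flip a field between masked and plain; returns the new type.
function toggleMask(input) {
  return setMasked(input, input.type !== MASKED);
}

// What the extension in the update does: make every masked field plain.
// Returns how many fields were changed.
function unmaskAll(inputs) {
  let changed = 0;
  for (const input of inputs) {
    if (input.type === MASKED) {
      setMasked(input, false);
      changed += 1;
    }
  }
  return changed;
}

// Attach a Show/Hide button after a password field. `doc` is the Document
// used to create the button (assumed parameter, so a fake can be passed).
// Caveat: the field is put back to type=password before its form submits,
// so the browser still treats the value as a credential rather than as
// ordinary text that form-history autocomplete may record.
function attachMaskToggle(input, doc, { maskedByDefault = true } = {}) {
  setMasked(input, maskedByDefault);
  const button = doc.createElement('button');
  button.type = 'button'; // a plain button must never submit the form
  const label = () => (input.type === MASKED ? 'Show' : 'Hide');
  button.textContent = label();
  button.addEventListener('click', () => {
    toggleMask(input);
    button.textContent = label();
  });
  input.insertAdjacentElement('afterend', button);
  if (input.form) {
    input.form.addEventListener('submit', () => setMasked(input, true));
  }
  return button;
}

// Page usage, applying the author's proposal (plain by default). Guarded so
// the file also loads where there is no DOM.
if (typeof document !== 'undefined') {
  for (const field of document.querySelectorAll('input[type="password"]')) {
    attachMaskToggle(field, document, { maskedByDefault: false });
  }
}
```

Pass `{ maskedByDefault: true }` to get the Windows 8 behaviour instead. One practical consequence of a plain-by-default field is that browser password managers identify credential fields by type=password, so a field that is never of that type at load time may not be offered for saving or autofill; the re-masking on submit above is the minimum that keeps the submitted value out of ordinary form history.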

What do you think? Post a comment, or talk to me on Twitter: @mbrit.

Talkback

85 comments
  • I can only agree

    Masking password fields is annoying. I'm not saying that the mask possibility should be fully removed, but as the article says the default setting would be unmasked.
    With mobile devices it's even more obvious, they are much more personal, and the screens are smaller, also virtual keyboards are not as good as physical ones leading people to more typing errors.
    AleMartin
  • I disagree.

    Masking passwords is important.
    I've had a great deal of friends or just people waiting for me to extract information (from an E-mail message, for example) and most of them have praying eyes and a great memory to work with.

    Masking passwords is just as important as picking a complicated, case-mixed (or even, if you have a different language advantage) password.
    2nd Paradox
    • Choice is the real key

      It's really simple, provide choices.

      The first should be a device level default setting, to mask or not. 99.9% of the time I use a password, there is absolutely no problem with preying eye's, so I would set the default to no masking. Work in a busy environment and concerned? Then make your default to mask.

      The second choice should be provided at the password field. A simple toggle from the default to the opposite, and back. While I don't need masking as a general rule, I may be in Starbucks with someone looking over my shoulder. Or if you default to mask, maybe you're alone, having a typing issue and want to shut it off.

      There could be a third level of choice, at the application level. Maybe I want to mask my bank password, but not the password for ZDnet.

      In the end one person may choose to mask some devices, and not others. Leave it to the device user.
      tarapup
      • IE10 seems to do this

        I know that IE10 has an option to see what you've typed in the password window so far, which is kind of handy if something has derailed your train of thought.

        I tend to use a sort of hybrid of strategies: something I would remember, with modifications made to satisfy the requirements. I do like having an option to unmask the password, but I do think that masking should at least be the factory-installed default (you should, of course, be able to change this at your discretion based on what you think the odds of shoulder-surfing are).
        Third of Five
      • Author grade: F, tarapup grade: A+

        I choose your logic over the author's. Making black and white statements like, "Passwords should not be masked anymore" is just being an elitist pig thinking that the world revolves around you. Choices, choices, choices is what it's all about. That's why I disagree with the title of this article and that's why I can't stand Windows 8 for the same reasons. Everybody going around screaming "Touch is the future, hop on the train". No, it isn't the future for everybody. It might be the future for you. I am not you. What's wrong with choice? Somebody please tell me.
        j4w4
        • A little extreme, don't you think?

          Tarapup makes pretty much the same points the author made... Did you bother to read the article or did you make a snap judgement from the title? The only difference seems to be that the author believes masking should default off and you and tarapup believe it should default on, even though neither of you gave any substantial argument against the author's eloquent points about how useless it is.

          So you're entitled to your opinion, which appears to be like tarapup. But calling the author an "elitist pig" because he makes good, detailed arguments that you seem incapable of refuting is just vulgar.
          InspectorGadget
          • Your thinking is inherently flawed...there is no "should be" this/or that

            The author thinks the default for passwords should be "not masked". I think the default doesn't matter so much as the ability to "choose" the default. There is a subtle but very distinct difference. The author stated his opinion for why he believes the default should be "not masked", which is fine. But he's making a case for "his" choice.
            I read the entire article...what's your point? The author states his opinion in the title. And my opinion is that "choice" should be the default for anything.
            I am tired of these articles that are chosen just to get hits and then trying to back off in the article as though they did no wrong.
            I am not here to refute the authors reasoning for his preference, how can I refute ones own preferences? If he wants passwords unmasked by default, go for it. The title is overly dramatic and misleading. But I guess that's what you do to get hits these days.
            j4w4
          • Pick more appropriate titles for your articles

            How about "Why I think we should stop masking passwords". When somebody uses the word "we" it implies that you and I are in the same group. And I don't need people speaking for me. I can speak for myself.
            And another thing the author should have clearly stated in the title was that his arguments apply, more than anything, to mobile devices. So I have a perfect title for the author of this article to use. "Why I think we should stop masking passwords on mobile devices". Then I could have completely ignored the article altogether and not been dragged through one man's gripe about his new cellphone.
            j4w4
          • I love your ideas on choice, but...

            I had to laugh at this... ZDNet drives their webclicks by controversial titles to their 'articles'. The more the argument can ensue, the better for them.

            I used to have a couple of links to make my point on this one, but seem to have misplaced them... It was quite funny. The same basic article written by two different authors where one was open-minded in their title and the other was not. It was a difference in hits by over 10,000%...

            As for masking passwords, I'm around people almost all the time. Masking passwords is my first line of defense against the most common threat I have around me - People getting into my accounts. Who knows what I'd do if someone changed my FB status, for example! ( ; j/k

            But really, the choice in the matter would be nice. It wouldn't work for me in 90% of my uses, but I think that's your point. It's not the same for everybody and the choice would be nice.
            jbwillis01
          • Headline, headline...title, title

            I don't know about blogs but newspaper editors are the folks responsible for headlines, and frequently they are over the top in relation to the content of a news article. Headlines on ZDNet are effectively troll bait.
            That may be the case here, because whether the default password behavior is masked or not, the ability to switch is key. If the default is unmasked and you toggle masked, presumably you can go back to unmasked...and vice versa. So the default behavior is irrelevant.
            I agree that masking passwords is generally a PITA, but it's easy enough to cope with the issue. I use a password program that lets me unmask my passwords if, for some reason, I want to write it on a piece of paper. Mostly I just right click, copy, and paste username and/or password. The password program clears the clipboard of the password after 20 seconds so it's not available to a snoop later on.
            bunkport
    • Important from praying eyes?

      You need better friends. Really.
      MorituriMax
      • I caught that one too

        as well as the one who 99.9% of the time had no problem with "preying eyes." Good thing we're not being graded on spelling.
        bunkport
    • Choose new friends

      I'd say, rather than keeping passwords masked as a default, that some people should choose new friends. Furthermore...the author isn't suggesting that masking should be done away with completely - just that it not be the default setting!
      genie86333@...
  • Shoulder-surfing is a thing

    Hey, those of us with real jobs (ie: not typing up crap articles for the internet in their "home office") have these things called "coworkers" and "bosses" that we don't want to be able to know our password and imitate us on our IT systems. You know, so when the boss finds all the pictures in his powerpoint presentation replaced with genitalia he'll be able to have IT audit which user did it. If every user can pose as every other user because they know each other's passwords because some dingus has a hard time typing if he can't see the words at the same time then this auditing won't mean a thing. It also won't hold up in court when the firings start.

    Also, as someone who actually works in IT, I gotta type my administrator password in pretty frequently when working on technical issues on user's workstations. Also, they're usually standing right over my shoulder waiting for me to finish fixing their PC while I do this. Good luck keeping them from trashing their PC and peeping at the company's financial shares once they have admin credentials... Being able to click a button that says "I don't trust you" and mask the password isn't a good solution, it should be masked by default and have a button to unmask.
    jmcgi
    • Good point...

      And I'd like to take it further to say that it's sometimes easier to hide what you're typing but not always possible to hide the screen. Case in point: parental controls or ordering passwords on AppleTV, TiVo, etc. I often order shows in front of three kids who are anxious to watch. If the password wasn't masked on-screen, they'd have the keys to the realm. Out in public with my phone is another story; it will be easier to see my display over my shoulder, potentially including which keys my fingers are striking, but I can at least cover up the keyboard with my hand while I'm using it while I'd rather not cover up the rest of the display too, making it harder to type. This is actually sounding more and more like a case for using biometrics, faulty as they can be.
      spstanley
    • and kids

      standing behind your back trying in vain to read admin password off your fingers.
      ForeverSPb
  • Disagree

    I also disagree. Here's why:

    We're just now getting across the idea that password length is far more important than "complexity." A brute force attack will spend just as much time correctly guessing "HelloKitty" as "H3ll0K1tty" but it will spend far more time trying to guess "HelloKittyHowAreYouToday." But if you're worried about a co-worker or a visitor glancing over your shoulder while you type your password, what sort of password are you more likely to choose, a plain text one like "HelloKittyHowAreYouToday" or a garbled one like "e67Xt34"? Chances are you are going to choose the latter because it's far harder to remember based on a quick 5 second glance. And now users are likely to go back to the bad old days of random number and letter passwords that are so difficult to remember that they generally don't exceed your corporate minimum password length standard, and the brute force hackers are happy again.
    dsf3g
    • Not sure if you are right about the length

      I suppose many brute force attacks rely on a dictionary, they don't just go like "aa", "ab", "ac", ... they try to use a set of common used words - "hello kitty" must be on top of the list :D....
      Anyway, the best way is to use complexity and not very short passwords. But if people type the password too slow, it's even worse than to show the unmask pass on the screen.

      The article doesn't say masking should be eliminated, only that it shouldn't be the default setting.
      AleMartin
      • Dictionary

        Sure they use dictionaries, but they also include logic that performs common character substitutions e = 3, I = 1, o = 0, t = 7 etc. Substituting numbers for letters only gives the illusion of password strength because it looks crazy and complicated to us humans. But to a computer H3ll0 is no more complicated than Hello.
        dsf3g
        • Yes it is

          It is more complicated because you are increasing the number of characters that the hacker needs to go through. Instead of 26Xpassword length, you can have 50Xpassword length, depending on the character set allowed.
          Susan Antony
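
The thread above (dsf3g, AleMartin and Susan Antony) argues about whether "H3ll0K1tty" is harder to guess than "HelloKitty" and how much the extra length of "HelloKittyHowAreYouToday" buys. The following is an added example, not posted by any commenter: it computes the two attack models they are each describing. Brute force over the character classes actually present pays for every extra class and every extra character; a dictionary attack with the usual substitution rules does not care whether a word was written Hello or H3ll0. The six-word list, the substitution table and the two-word-join rule are constructed for the example (real cracking rule sets and word lists are far larger), and the function names are this example's own.

```javascript
// Added example, not from the article or the comments: keyspace under a
// brute-force model versus coverage by a dictionary-plus-rules model.
// BigInt is used because 52 ** 24 exceeds a double's exact integer range.

// Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols.
const CLASSES = [
  { re: /[a-z]/, size: 26n },
  { re: /[A-Z]/, size: 26n },
  { re: /[0-9]/, size: 10n },
  { re: /[^a-zA-Z0-9]/, size: 33n },
];

// Alphabet an attacker must assume for an exhaustive search of this password.
function charsetSize(password) {
  return CLASSES.reduce((n, c) => (c.re.test(password) ? n + c.size : n), 0n);
}

// Candidates an exhaustive search over that alphabet and length covers.
function bruteForceKeyspace(password) {
  return charsetSize(password) ** BigInt(password.length);
}

// Constructed subset of the substitutions cracking rule sets routinely apply.
const LEET = { a: '@', e: '3', i: '1', l: '1', o: '0', s: '$', t: '7' };

// Every way of applying the substitutions: 2^k variants for k substitutable
// positions, so "HelloKitty" yields "H3ll0K1tty" among 128 variants.
function leetVariants(word) {
  let variants = [''];
  for (const ch of word) {
    const sub = LEET[ch.toLowerCase()];
    const next = [];
    for (const prefix of variants) {
      next.push(prefix + ch);
      if (sub) next.push(prefix + sub);
    }
    variants = next;
  }
  return variants;
}

function capitalize(word) {
  return word.charAt(0).toUpperCase() + word.slice(1);
}

// Candidate set of a simple dictionary attack: each word and each two-word
// join, lower-case or Capitalized, with every substitution pattern applied.
function dictionaryCandidates(words) {
  const forms = [];
  for (const w of words) forms.push(w, capitalize(w));
  const bases = [...forms];
  for (const a of forms) for (const b of forms) bases.push(a + b);
  const candidates = new Set();
  for (const base of bases) for (const v of leetVariants(base)) candidates.add(v);
  return candidates;
}

// Constructed word list covering the thread's examples.
const WORDS = ['hello', 'kitty', 'how', 'are', 'you', 'today'];
const CANDIDATES = dictionaryCandidates(WORDS);

// Summarise one password under both models.
function assess(password, candidates = CANDIDATES) {
  const keyspace = bruteForceKeyspace(password);
  return {
    password,
    length: password.length,
    bruteForceKeyspace: keyspace,
    bruteForceBits: Math.round(Math.log2(Number(keyspace))),
    inDictionary: candidates.has(password),
  };
}

for (const pw of ['HelloKitty', 'H3ll0K1tty', 'HelloKittyHowAreYouToday', 'e67Xt34']) {
  const r = assess(pw);
  console.log(`${pw.padEnd(26)} brute force ~2^${r.bruteForceBits}, in dictionary: ${r.inDictionary}`);
}
```

Run with Node. "H3ll0K1tty" does enlarge the brute-force alphabet from 52 to 62 symbols, yet it sits in the same small candidate set as "HelloKitty" once substitution rules are applied; the 24-character passphrase is outside this two-word dictionary and its exhaustive keyspace is larger by a factor of roughly 52^14.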