Do unseen passwords really need masking?

The latest beta version of Red Hat's Fedora operating system now chooses not to mask passwords by default in its installation, but should this become a standard practice?

Passwords. They're the bane of any IT security guru's existence. Picking a good one, making them easy to remember, forgetting them, resetting them, storing them correctly, and now, it appears, deciding whether to mask them.

It's not a new issue. Well-known information security advocate Bruce Schneier argued back in 2009 that there's not much point in showing asterisks or bullets in place of a user's password — masking it — while they enter it, as anyone who's close enough to read over the user's shoulder can simply look at the keyboard.

It's a classic case of security negatively impacting usability, and Schneier argued at the time that it really isn't worth it, since the user is typically alone in their office, anyway.

That seems to be the justification for why the latest beta release of Fedora no longer masks passwords as you type.

When starting an installation of Fedora 19 Beta TC2, administrators are asked to set a root password, but the password isn't masked until the focus is taken away from the field. This gives the administrator the convenience of checking that they're typing the password in correctly, but it does raise concerns, considering it's the root password for the system.

Image: Screenshot by Michael Lee/ZDNet

The issue was filed on Red Hat's Bugzilla instance as a bug, but initially dismissed by Chris Lumens, one of the developers on the Anaconda installer for Fedora. He wrote that it was "working exactly as it is intended", and brings about other benefits, such as solving keyboard layout-related problems — an issue that is particularly taxing during an install stage.

The installation process also allows administrators to create an additional local user account, and also add that to the machine's list of administrators. But creating such an account has the same mask effects, and, strangely enough, includes a complexity "meter" that is missing when setting the root password.

Image: Screenshot by Michael Lee/ZDNet

Even stranger is that once administrators go through the installation process and actually get Fedora up and running, login passwords are masked when typed, anyway. The exception to this is changing a user password in the GNOME graphical user interface — but, even then, the default action is to mask the password unless the "Show password" option is checked.

And that is one of the ways that installation password masking — especially for the root password — should have been done. Other alternatives could include masking everything but the most recently typed character. Or by doing what Microsoft recently did in Windows 8: Including a button next to logins, which shows the unmasked password for as long as the user is clicking it.

This is another instance of when an assumption is made that the user wants convenience over security, when the proper thing to do is put in place a reasonable level of security and let the user downgrade as necessary. Users can always choose to reveal their password if they know that no one else is in the room, but if the lowest security options are implemented by default, it's too late. After all, the people responsible for designing security mechanisms don't know exactly the environment users are in, and can't always offer advice that will apply to everyone .

Does this mean that gurus like Schneier are mistaken, then?

I guess it's telling that Schneier himself later admitted that he probably was.

Is password masking necessary? Or should it be considered too inconvenient to enable by default? Have your say in the comments.

Show Comments