Friday, July 3, 2009

Password masking considered harmful?

[Image: Private Folder password prompt (via Wikipedia)]

We've all seen it; it's ubiquitous... the little box to type your password into. The line of asterisks grows as you type the secret characters in.

We've had it drilled into us: make your password safe, use lots of different kinds of characters (some sites even require that you use 3 of the 4 types: lowercase, uppercase, numeric, special characters), don't use a common dictionary word, make it long, and so on.

So there I am on some site or another that shall remain nameless, trying to enter "RodgerD0dgerC0dger!", and all I see is a line of *********

The phone rings mid-stride. What character am I on anyway? Hmm... let me count backwards... I think I've got it... OK.

"wrong password". Let's try that again... A bird chirps outside the window. Hey, did I remember to make that third 0 a zero but not the first one? Ah, must be right... OK.

"wrong password". Drat... Give it another try. Almost done... Did my hand slip when I was holding down the Shift key to make the !? No way... OK...

"wrong password" followed by "You have entered an incorrect password three times in a row and are now locked out of the system, please call our help desk between the hours of 8 AM and 6 PM Mumbai time to get it reset"

Argh! It's happened to all of us. And it's so needless. What do those asterisks do for us anyway? Unless we are being shoulder-surfed, nothing.

As reported on there may finally be a realisation dawning that this is needless, and mindless, security. Well-known usability expert Jakob Nielsen recently wrote about this in his AlertBox of 23 June 2009, opining that masking is not needful, that cleartext is better, and that masking may actually make things less secure. For those who actually have to deal with shoulder surfing, a checkbox that makes the system use asterisks in that one case (or defaulting to asterisks on high-security sites) is the easy way to handle it.
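Here is what that checkbox looks like in practice, as an added example that is not from the post or from Nielsen's article: a password field that defaults to cleartext on ordinary sites and to asterisks on sites flagged high-security, lets the user flip it, and re-masks whenever the window loses focus so a revealed password is never left on screen. The flag and element names (`highSecurity`, `#password`, `#show-password`) are assumptions.

```javascript
// Pure decision logic, kept apart from the DOM so it can be tested headless.
//   highSecurity  - site policy flag (assumed name): start masked
//   reveal        - current state of the "show my password" checkbox
//   windowFocused - whether the page currently has focus
// Returns the <input type> to use: 'text' (cleartext) or 'password' (masked).
function passwordFieldType({ highSecurity = false, reveal, windowFocused = true }) {
  if (reveal === undefined) reveal = initialReveal(highSecurity);
  // A revealed password is never left on screen while the user is away:
  // losing focus masks the field even if the checkbox is still ticked.
  if (!windowFocused) return 'password';
  return reveal ? 'text' : 'password';
}

// Checkbox default: characters shown unless the site asks to start masked.
function initialReveal(highSecurity) {
  return !highSecurity;
}

// Wire the logic to a real form: the checkbox toggles the field, and a blur
// unticks the checkbox so the user must opt in again after coming back.
function attachPasswordToggle(input, checkbox, highSecurity) {
  let windowFocused = true;
  checkbox.checked = initialReveal(highSecurity);
  const refresh = () => {
    input.type = passwordFieldType({ highSecurity, reveal: checkbox.checked, windowFocused });
  };
  checkbox.addEventListener('change', refresh);
  window.addEventListener('blur', () => {
    windowFocused = false;
    checkbox.checked = false;
    refresh();
  });
  window.addEventListener('focus', () => { windowFocused = true; refresh(); });
  refresh();
}

// Guarded so the same file also loads under Node for the pure-logic tests.
if (typeof document !== 'undefined') {
  const input = document.querySelector('#password');          // assumed ids
  const box = document.querySelector('#show-password');
  if (input && box) {
    attachPasswordToggle(input, box, document.body.dataset.highSecurity === 'true');
  }
}
```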

High time this was done. Start suggesting it to the sites you frequent. I think I'll go open a Bugzilla bug for MediaWiki if there isn't one already.

Oh, and RodgerDodgerCodger isn't actually my password.

MessedRocker said...

If you think that's bad. On a Unix-like command prompt, when you're entering a password, you get nothing. Not even asterisks (or bullets, as they appear on Windows XP). If you want to start over with entering your password on such a system, you're best off hitting backspace several thousand times.

RoscoHead said...

I totally agree (although if I get interrupted while typing a password I generally blank it out & start again to be certain).

The other useless thing that's been showing up on lots of sites lately is having to confirm your EMAIL when signing up - what's with that? Do they think people can't read what they've typed these days???

robbietjuh said...

This is just dumb, sorry to say it the hard way. There are lots of viruses out there that record your screen, or make screenshots, and send them to the botnet admin. If you're typing in a password on a very important site, that botnet admin could see it.

Also, I heard something about Linux and not showing passwords.. That's indeed when using a Terminal. When using a GUI on Linux, you can perfectly see the asterisks appear.

The asterisks and password don't appear on a Linux terminal because those machines, mainly servers, should be very secure. It might not be user friendly, but it doesn't have to be user friendly because "users" don't have to log in using SSH or a Terminal. Coming back to your comment, you should understand that passwords should never, ever be seen on, for example, Google's servers, or perhaps the server this Blog is run on. That's one of the reasons they're hidden. When seeing asterisks, someone 'looking over your shoulder', or cameras in the Data Center, know how long the password is. Knowing the length makes it easier to do a brute force attack.

Conclusion: let's be happy with the way our passwords are being handled client-side.