Password masking considered harmful?

We've all seen it, it's ubiquitous... the little box to type your password into. The line of asterisks grows as you type the secret characters in.

We've had it drilled into us, make your password safe, use lots of different kinds of characters (some sites even require that you use 3 of the 4 types, lowercase uppercase, numeric, special characters), don't use a common dictionary word, make it long, and so on.

So there I am on some site or another that shall remain nameless, trying to enter in "RodgerD0dgerC0dger!" and all I see is a line of *********

The phone rings mid-stride. What character am I on anyway? Hmm... let me count backwards... I think I got it... OK.

"wrong password". Let's try that again... A bird chirps outside the window. Hey, did I remember to make that third 0 a zero but not the first one? Ah, must be right... OK.

"wrong password". Drat... Give it another try. Almost done... Did my hand slip when I was holding down the 1 to make the !? No way... OK...

"wrong password" followed by "You have entered an incorrect password three times in a row and are now locked out of the system, please call our help desk between the hours of 8 AM and 6 PM Mumbai time to get it reset"

Argh! It's happened to all of us. And it's so needless. What do those asterisks do for us anyway? Unless we are being shoulder surfed, nothing.

As reported on there may finally be a realisation dawning that this is needless, and mindless, security. Well known usability expert Jakob Nielsen recently wrote about this in his AlertBox of 23 June 2009, opining that it's not needful, cleartext is better, and it may actually make things less secure. For those that actually have to deal with shoulder surfing, a checkbox to make the system use asterisks in that one case (or default to that for high security sites) is the easy way to handle that.

High time this was done. Start suggesting it to the sites you frequent. I think I'll go open a Bugzilla bug for MediaWiki if there isn't one already.

Oh, and RodgerDodgerCodger isn't actually my password.

