29/06/2009, 10:48 am

Response to Nielsen’s “Stop Password Masking”


Nielsen made an interesting Alertbox post the other day that has drummed up some discussion in my workplace. The post was entitled Stop Password Masking and, as the name suggests, argues that password masking is no longer necessary most of the time and runs counter to business purposes.

It’s an interesting topic, and it’s always good to challenge established conventions. I have to say, I disagree with him on this one, though. His solution is fine on private computers, but in a public environment snooping *is* a real problem – even in the workplace, where it would seem that most people do a lot of their secure actions. I agree that sophisticated snoopers can potentially find ways around it, but just because password masking isn’t the silver bullet that stops “all” password snooping doesn’t mean you should drop it altogether. I also think that dropping it altogether would result in a huge “perceived security” backlash from users – masking the password gives the perception that the password is being hidden during transmission, and I foresee that even a lot of technically savvy users who know that the security is no different would feel that the site was “less secure”, even if there is no rational reason behind it (let alone Grandma and Grandpa New-Fangled-Computer-Device).

Interestingly, Apple seems to have already challenged this convention – the iPhone has a great hybrid solution that takes both the user’s need for confirmation and the user’s perceived and actual security needs into account. The iPhone masks passwords but shows the last letter that you typed, which allows the user to confirm that they typed the right letter while removing a lot of the snooping problem. (I.e., if I am typing my insecure password of “password”, after pressing the fifth letter I would see “****w”, after the next “*****o”, etc.) It’s much harder for an observer to watch and mentally put together a password one letter at a time than it is to read a likely semantically meaningful password at one glance.
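A small model of the hybrid scheme just described, added here as an example (it is not code from the original post or from Apple’s implementation); the reveal timeout, the backspace behaviour and the 100 ms keystroke spacing are assumptions:

```javascript
// Hybrid password masking: every character is masked except the one just
// typed, which is revealed only briefly. The underlying value is untouched,
// so masking is purely a display-side defence against shoulder surfing; it
// does nothing for the password in transit (that is what TLS is for).
class HybridMaskedField {
  constructor({ maskChar = "*", revealMs = 1500 } = {}) {
    this.value = "";            // the text that would actually be submitted
    this.maskChar = maskChar;
    this.revealMs = revealMs;   // assumption: how long the last char stays visible
    this.lastKeyAt = -Infinity; // timestamp (ms) of the last character typed
  }

  // The clock is passed in explicitly so the behaviour is deterministic.
  type(ch, now) {
    this.value += ch;
    this.lastKeyAt = now;
  }

  // Assumption: after a backspace nothing is revealed until the next keystroke.
  // Array.from so a multi-code-unit character counts as one key.
  backspace() {
    this.value = Array.from(this.value).slice(0, -1).join("");
    this.lastKeyAt = -Infinity;
  }

  // Rendered text: all masked, plus the latest character while it is still "fresh".
  render(now) {
    const chars = Array.from(this.value);
    if (chars.length === 0) return "";
    const masked = this.maskChar.repeat(chars.length - 1);
    const reveal = now - this.lastKeyAt < this.revealMs;
    return masked + (reveal ? chars[chars.length - 1] : this.maskChar);
  }
}

// Conventional full masking, for comparison with the hybrid scheme.
function renderFullyMasked(value, maskChar = "*") {
  return maskChar.repeat(Array.from(value).length);
}

// Walk through the post's own "password" example one keystroke at a time.
function demo() {
  const f = new HybridMaskedField();
  const frames = [];
  let t = 0;
  for (const ch of "password") {
    f.type(ch, t);
    frames.push(f.render(t)); // fifth frame is "****w", sixth "*****o"
    t += 100;                 // constructed: 100 ms between keystrokes
  }
  return { frames, afterTimeout: f.render(t + 5000), submitted: f.value };
}
```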

SANS SSI had another good discussion of this issue from the security perspective.
