As you enter your password into a form online or a dialog box in an application, more often than not you see asterisks instead of a clear text password entry. This basic level of security design is a feature everyone has gotten used to using. Be that as it may, one expert on usability thinks it’s time to let go of the past and move to presenting passwords in clear text for the sake of making things easier for users.
Usability expert Jakob Nielsen, known among other things as “the usability Pope”, recently made a comment that, while it should have sparked a serious debate, earned nothing more than a small debate on Slashdot and a blog post by Bruce Schneier.
“Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.” – Jakob Nielsen, Alertbox posting, 23-JUN-2009.
Nielsen flushed those thoughts out by saying many websites and applications employ password masking to prevent people from looking over their shoulders to watch what is entered in to the field. “Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers,” he said.
Now, out of context those comments could cause some confusion, so it’s important to note that Nielsen pointed out that, “…users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe.”
“It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”
Now, Nielsen is a usability expert, not a security expert. However, you can give him points for making a valid argument with the checkbox suggestion. It isn’t that bad of an idea. Also worth mentioning is the fact his article and comments are related to mobile device usability testing, where errors, typos, and user frustration are a direct result to password masking. However, the same issues exist on a PC he said, so all related interfaces are included.
“The problem really isn’t so much with password masking as it is with bad password advice and implementations,” said Randy Abrams, Director of Technical Education at ESET, who for the record, likes his passwords to be masked.
Abrams said that one major problem is with sites such as social networking portals, and even banking sites that do not allow the use of long passwords. The second problem he said is bad password advice.
“The requirement to have convoluted passwords with strange characters, etc. is driven by systems that limit the length of passwords to 8 or even 20 characters. Remove the constraint of short passwords and users can use pass phrases that do not need to complex character sets. With long passwords users can use pass phrases. Typists can much more quickly and accurately type in a sentence than an unintelligibly convoluted password,” Abrams said.
Abrams went on to tell us that there is a “…small subset of people who can read the keyboard as one is typing their password.” Adding that an even smaller subset that will get an entire sentence, which a passphrase is.
“The option to mask or not mask the password does make sense, especially for people who use privacy filters, but those people are more likely to also prefer the masked password. My guess is that if passwords were not masked there would be a lot more account hijacking from places like coffee shops. Certainly there are far bigger problems to solve than masked passwords though.”
Raz Yalov, Chief Technology Officer for 41st Parameter, gave us his thoughts on Nielsen’s article, and picking up where Abrams left off, he centers on one of those bigger problems to worry about. “Malware designed to steal passwords via screen scraping would thrive by having the passwords in the clear,” he said.
However, there is merit to the checkbox solution proposed by Nielsen and a way to add to it, increasing security. “Adding a second factor form of authentication such as device ID, along with the check box, lessens the impact of removing the masking on passwords,” added Yalov.
“For mobile devices a different approach is appropriate, especially when the risk of shoulder surfing is reduced due to the size of the smaller screens and the fact you are using a personal device (not a public PC or kiosk) which again may be used as a second factor by using the device intelligence for authentication. In this environment, a check box option would be a welcomed improvement to the status quo,” he said.
While we mentioned that Nielsen is a usability expert and not a security expert, one noted security expert agrees with him, “Shoulder surfing isn’t very common and clear text passwords greatly reduces errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on,” said Bruce Schneier, adding that he is not talking about asterisks used on ATMs or public terminals for PIN masking.
Bruce’s statement, as well as the call to abandon legacy design methods by Nielsen, hinges largely on the frustrating aspect of password entry. Yet, why scrap known, tested, and proven methods, because some users will get frustrated?
“We do need to be constantly updating our security methods – but as a rule of thumb, we should not discard the old ways just because we find new ones. There is value to keeping the traditional authentication approaches to keep the trust of the end user. Again, having a check box option that is by default set to mask passwords would be an appropriate transition from the current standard and as a step towards what comes next,” Yalov said.
So which is worth more? Usability or layered security, and are you willing to trade the password masking layer of security for more usability on websites and applications? There’s no right or wrong answer, but ultimately, the consumer and end user will determine what comes next.
In 2000, Nielsen wrote about password security, he said at the time that, “…when you require simple passwords that users can remember, you increase the probability of passwords being kept secret. The same goes for passwords that users choose and that they don’t have to change too frequently. While it’s true that such passwords are easier to crack, the vast majority of security breaks come from intruders (or insiders) who expose a human weakness, not those who run code-breaking algorithms.”
In 2000, that was a valid point and a decent argument. Nine years later, that simply isn’t the case, for a number of reasons.
My take on the issue is this, password masking does two things; first it adds a layer of security on forms and interfaces that makes things harder for Malware designed to capture screenshots. It also prevents, even if rare, shoulder surfing and other forms of password compromise. Does that mean there is not room for improvement? Not at all. Again, the checkbox suggestion is great and should be considered.
However, removing masking entirely, especially from things like PGP or shell prompts, where you don’t even get an asterisk, would not be a wise advancement in usability or security.
Second, and this can be argued one way or another, the masking simply makes you feel more secure. While the feeling of security can be abused, in some cases it can be useful. In the case of masking, when you enter your password on a SSL secured site, such as a bank, then you want that layer of protection and the feeling of security you get from seeing it. Maybe it isn’t as useful of a security layer as SSL itself, but it does offer assurance in some cases, and that is a good thing.
The real solution is training and education. Users know the value of a password, masking a password form might frustrate them, but only because passwords can be so complex that they cannot remember them or need to look at the keys as they type instead of touch type them. That is why phrasing is such a highly suggested method.
These days, it’s entirely possible to create a long password that is both hard to crack and easy to remember, we as security professionals need to get in the habit of teaching people how to do this.
[This editorial is the opinion of Steve Ragan and not necessarily those of the staff on The Tech Herald or the Monsters and Critics (M&C) network. Comments can be left below.]