The Problem with Password Masking - http://www.schneier.com/blog...
"Shoulder surfing isn't very common, and cleartext passwords greatly reduces errors. It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on." - Panagiotis Astithas
In my mind this is a non problem. Sure Nielsen is a usability expert and Schneier is God, but they are wrong. If we are to do what the users expect us to do, then either we password mask everywhere or not (*including* public terminals and ATMs). Could it be that Nielsen wrote this article after misspelling a password a few times and getting blocked from his system? - Yiorgos Adamopoulos
Why should the options be black or white? Mask everywhere or nowhere? Why not mask only where it is absolutely critical to do so (i.e. the security risks outweigh the inconvenience)? - Panagiotis Astithas
Because as Nielsen says, we must do what the users expect us to do. This makes it black or white. I am all for variations, but I am not an ordinary user. - Yiorgos Adamopoulos
Nielsen's piece is strictly about computers and mainly about web apps. Schneier generalizes the discussion to ATMs, etc. So, regarding Schneier's take, wouldn't you agree that there is no black and white? If you frame the discussion strictly around Nielsen's piece, then what is the counter-argument about removing masking from "many web sites (and many other applications)"? - Panagiotis Astithas
Both classes of applications have the same (dumb / bored / careless) userbase. So yes, Nielsen discusses web usability, but what the user expects from a password entry point is the same, regardless of it being a web application, a login window or prompt or even the PIN keypad and screen. This makes it all or nothing. The problem is not solved by unmasking passwords. The problem is that we need a different kind of authentication for these users. What kind? I do not know. - Yiorgos Adamopoulos
Besides your apparent dislike of a non-generalized solution, you still haven't described what we lose by removing the masking only in the specified use cases. - Panagiotis Astithas
We do not lose spelling mistakes. For more than a lifetime we educate users to use hard to guess passwords. Hard to guess passwords are hard to type by heart regardless of whether the field is masked or not. On the other hand, "easy" passwords are easy to type regardless of the situation. So while it may seem logical that unmasking helps, we virtually gain nothing. In this case Nielsen and Schneier suffer from "groupthink". My userbase instructs me otherwise and I can privately offer graphic examples. - Yiorgos Adamopoulos
You almost convinced the man http://www.schneier.com/blog... - Christos Stathis
Firefox 3.5 on Ubuntu seems to have noticeably improved font rendering. Either that, or I need to change my default fonts.
Beyond Relational Databases: http://thinkvitamin.com/dev...
OAuth, here she comes - http://technically.us/code...
Hilarious! If you are a programmer, that is... - Panagiotis Astithas
FireStatus 1.8.1 is out, with bug fixes and Firefox 3.5 compatibility https://addons.mozilla.org/en-US...
Intuition, Performance, and Scale - http://www.addsimplicity.com/adding_...
Predictably Irrational: The Hidden Forces That Shape Our Decisions - http://www.amazon.co.uk/dp...
A good use of web technology: http://ub0.cc/3p/0S
@christias: FLOSS we trust: FreeBSD #ellakconf
Dimitris Andreadis: "Work with developers better than you" #ellakconf
Implementing OAuth with GWT http://raibledesigns.com/rd...
Hoping to catch up with old friends at #ellakconf
ET3 has a discussion with 4 windows, one of which shows Andrianopoulos via webcam. The shape of things to come?
Retrying transactions with exponential backoff - http://astithas.blogspot.com/2009...
On Carving Your Initials - http://www.tbray.org/ongoing...
"Build something that you need yourself". I keep telling you over and over. - Christos Stathis
And he replies what? - Yiorgos Adamopoulos
He seems to agree, but I'm not quite certain - Christos Stathis
Agreeing is the easy part. - Panagiotis Astithas
So what do you need? - Yiorgos Adamopoulos
Exactly. - Panagiotis Astithas
An Optimistic View of Net Neutrality - http://paulspontifications.blogspot.com/2009...
"Unlike many commentators I believe that in the long run this argument will be irrelevant, and that whatever various governments do on the subject will make little or no difference, and I believe this because of Metcalfe's Law." - Panagiotis Astithas
Cryptographic Right Answers http://www.daemonology.net/blog...
Retrying transactions in Java - http://astithas.blogspot.com/2009...
Ruby at ThoughtWorks - http://martinfowler.com/article...
"Our strength is that we hire highly talented people who are difficult to attract to the typical IT organization. Ruby has a philosophy of an environment that gives a talented developer more leverage, rather than trying to protect a less talented developer from errors. An environment like Ruby thus gives our developers more ability to produce their true value." - Panagiotis Astithas
"One of the great benefits of these dynamic objects is that schema migrations become very easy. With a traditional RDBMS, releases of code might contain data migration scripts. Further, each release should have a reverse migration script in case a rollback is necessary. ALTER TABLE operations can be very slow and result in scheduled downtime. With a schemaless database, 90% of the time adjustments to the database become transparent and automatic." - Panagiotis Astithas
As always I have just one question: Where is the math? - Yiorgos Adamopoulos
Would you ask the same question if the debate was about the relative beauty of jazz vs. classical music? - Panagiotis Astithas
No I would not. For Xenakis music and the like, yes I would. On the subject: Either one can prove mathematically the validity of speed, or cannot. So unless I see complexity measures on time and space and a mathematical formalization on the queries, I still consider any such view as a plain hack. Returning to the era before Codd's mathematical model is hardly innovation. Keep in mind... - Yiorgos Adamopoulos
Why do you see this as an attack against the relational model? All I can see is a different solution to some of the problems relational DBMSs address, albeit with different tradeoffs. You may belittle such approaches as hacks, but this doesn't change the fact that they provide important tangible benefits in some scenarios. Unix was a hack compared to Multics. A PC was a hack compared to a workstation. Ruby was a hack compared to Java. - Panagiotis Astithas
Or, as Ralph Waldo Emerson eloquently put it: "A foolish consistency is the hobgoblin of little minds, adored by little statesmen and philosophers and divines." :-) - Panagiotis Astithas
I see such articles as attacks on the relational model for one simple reason: They compare their "innovative" (as in 30+ years old) approach with the relational model to prove they are better. Only had they done their homework right, they would already know that for the last 30 years we already know what the relational model is good for and where it does not fit. So comparing a "new... - Yiorgos Adamopoulos
Nah, you are too harsh to these people. It may be clear to you and me that the relational model is a poor choice in some situations, but for the majority of developers who need to persist data, RDBMSs are the only way to do it. It says so in the manual, and I have worked with many of them. And of course, not everyone had a chance to work in or near a dblab :-) - Panagiotis Astithas
As always we violently agree. Yes I am harsh when people operate under the illusion that data in a table equals relational data. When working on a project it saves time. - Yiorgos Adamopoulos
On Charitos once again. After years. On the wrong side.
The Median Isn't the Message http://www.cancerguide.org/median_...
OK, now I _must_ see the new Star Trek: http://cinemascopian.com/2008...
Typing The Letters A-E-S Into Your Code? You’re Doing It Wrong! http://www.matasano.com/log...
SWT toolkit creator leaves IBM: http://inside-swt.blogspot.com/2009...
@hakmem As the Apple ad used to say: Think different!
@keramida What would be really depressing is if in this day and age the benefits of open-source were obvious only to the left
How could we get more MEPs to sign The Free Software Pact? http://www.freesoftwarepact.eu/signato...