"Shoulder surfing isn't very common, and cleartext passwords greatly reduce errors. It has long annoyed me when I can't see what I type: in Windows logins, in PGP, and so on."
- Panagiotis Astithas
In my mind this is a non-problem. Sure, Nielsen is a usability expert and Schneier is God, but they are wrong. If we are to do what the users expect us to do, then either we password-mask everywhere or not (*including* public terminals and ATMs). Could it be that Nielsen wrote this article after misspelling a password a few times and getting blocked from his system?
- Yiorgos Adamopoulos
Why should the options be black or white? Mask everywhere or nowhere? Why not mask only where it is absolutely critical to do so (i.e. the security risks outweigh the inconvenience)?
- Panagiotis Astithas
Because as Nielsen says, we must do what the users expect us to do. This makes it black or white. I am all for variations, but I am not an ordinary user.
- Yiorgos Adamopoulos
Nielsen's piece is strictly about computers and mainly about web apps. Schneier generalizes the discussion to ATMs, etc. So, regarding Schneier's take, wouldn't you agree that there is no black and white? If you frame the discussion strictly around Nielsen's piece, then what is the counter-argument about removing masking from "many web sites (and many other applications)"?
- Panagiotis Astithas
Both classes of applications have the same (dumb / bored / careless) user base. So yes, Nielsen discusses web usability, but what the user expects from a password entry point is the same, regardless of whether it is a web application, a login window or prompt, or even the PIN keypad and screen. This makes it all or nothing. The problem is not solved by unmasking passwords. The problem is that we need a different kind of authentication for these users. What kind? I do not know.
- Yiorgos Adamopoulos
Besides your apparent dislike of a non-generalized solution, you still haven't described what we lose by removing the masking, only in the specified use cases.
- Panagiotis Astithas
We do not lose spelling mistakes. For more than a lifetime we have educated users to use hard-to-guess passwords. Hard-to-guess passwords are hard to type by heart regardless of whether the field is masked or not. On the other hand, "easy" passwords are easy to type regardless of the situation. So while it may seem logical that unmasking helps, we virtually gain nothing. In this case Nielsen and Schneier suffer from "groupthink". My user base instructs me otherwise, and I can privately offer graphic examples.
- Yiorgos Adamopoulos