TechRepublic : A ZDNet Tech Community

IT Security

Host: Chad Perrin

I’ve just read an article arguing that password masking isn’t worth the effort, even detrimental. I’m not sure where I stand on this, so let’s work through it together.

——————————————————————————————————————-

The article, Stop Password Masking, was written by Dr. Jakob Nielsen, a well-regarded expert on Web and user interfaces:

“Jakob Nielsen, Ph.D., is a User Advocate and principal of the Nielsen Norman Group which he co-founded with Dr. Donald A. Norman (former VP of research at Apple Computer). Before starting NNG in 1998 he was a Sun Microsystems Distinguished Engineer.

Dr. Nielsen founded the “discount usability engineering” movement for fast and cheap improvements of user interfaces and has invented several usability methods, including heuristic evaluation. He holds 79 United States patents, mainly on ways of making the Internet easier to use.”

Given Dr. Nielsen’s credentials, his claim that password masking is a bad idea isn’t something to be taken lightly.

Why mask passwords?

Until I read the article, I considered masking passwords to be a no-brainer for the following reasons:

  • Masking passwords was the logical outcome of concern about people stealing passwords by visually observing them being entered.
  • Auto-complete is a bad idea, period, but masking also helps prevent someone from seeing previously entered passwords that share the same first few characters. This is of special concern when a computer has multiple users.
  • Masking passwords is required by some regulatory bodies in order to gain their approval. Also, a company’s security policy may require masking any time a password is entered.

Why password masking is bad

Nielsen summarizes his stance by pointing out:

“Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to log in failures.”

Through his research, Nielsen has come to the conclusion that using nondescript bullets to cover up password characters violates an important usability principle, that of providing sensory feedback. To back up his claim, Nielsen provides some additional detail:

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I didn’t see any reference to studies verifying either of the above theories; still, both appear to have merit.

Using portable devices

I do agree with Nielsen that masking passwords on mobile devices is a real pain. As proof, I know associates that do exactly as Nielsen mentioned above: they dumb down the password just so it’s easy to enter. Not a smart thing to do when visiting important Web sites such as a banking portal.

Another viewpoint

Jason Montgomery, a security expert with SANS, presented a different viewpoint in this blog post. As a security aficionado, I was interested in his reply to something Nielsen had written. I quoted it earlier, so here’s a recap of the part being referred to:

“Typically, masking passwords doesn’t even increase security, but it does cost you business due to log in failures.”

Montgomery responded:

“Nielsen’s probably right: It might be costing you business. The question is how much business? Security shouldn’t be the be-all, end-all goal. It’s there to serve the organization first and foremost. Viewing the cost of security controls with respect to the function it’s protecting is the correct perspective.”

Well said, Mr. Montgomery. I concur with your approach, and I’m sure Dr. Nielsen does as well. It’s called compromise, and I think Nielsen may have already found a solution:

“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”

Sounds like it might work; what do you think? Does it cover all possibilities? When do we know if we’re safe enough to lower security standards for increased usability?
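Here is what Nielsen’s proposal looks like in a login form, as an added example that is not from Nielsen’s article or this post: a “mask password” checkbox, checked by default only for high-risk sites, with auto-complete turned off on the field because this post treats auto-complete as a bad idea. The function names, the `data-risk` attribute and the re-masking when focus leaves the field are assumptions made for this example.

```javascript
// Decide how the password field should be rendered.
//   risk:       "high" (e.g. a banking portal) or "normal"
//   userChoice: null until the user touches the checkbox, then true (mask) / false (show)
function maskPolicy(risk, userChoice) {
  const defaultMasked = risk === "high";          // high-risk sites mask by default
  const masked = userChoice === null ? defaultMasked : userChoice;
  return {
    masked,
    inputType: masked ? "password" : "text",
    // Off in both states: an unmasked <input type="text"> would otherwise offer
    // earlier entries via prefix auto-complete to the next person at the keyboard.
    autocomplete: "off",
    checkboxChecked: masked,                      // the box means "mask my password"
  };
}

// Attach the policy to a real password <input> and its checkbox.
// Assumed markup: <input id="pw" data-risk="high"> <input type="checkbox" id="mask-toggle"> Mask password
function wirePasswordField(input, checkbox) {
  const risk = input.dataset.risk === "high" ? "high" : "normal";
  let userChoice = null;

  const render = () => {
    const p = maskPolicy(risk, userChoice);
    input.type = p.inputType;
    input.setAttribute("autocomplete", p.autocomplete);
    checkbox.checked = p.checkboxChecked;
  };

  checkbox.addEventListener("change", () => {
    userChoice = checkbox.checked;
    render();
  });

  // Added behaviour beyond Nielsen's text: when focus leaves the field, fall back
  // to the site default so an unmasked password is not left visible on screen.
  input.addEventListener("blur", () => {
    userChoice = null;
    render();
  });

  render();
}

// Browser entry point; skipped when run outside a page (e.g. under Node).
if (typeof document !== "undefined") {
  wirePasswordField(document.getElementById("pw"), document.getElementById("mask-toggle"));
}
```

Note that major browsers ignore `autocomplete="off"` for saved-credential prompts on password fields, so this attribute only suppresses form history for the unmasked text state.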

Final thoughts

Until I read Nielsen’s blog post, I felt that masking passwords was just a necessary part of the process. Now I’m not so sure. It’s cumbersome and businesses could be losing customers. Yet on the flip side, not masking passwords is a potential security risk.

Disputes surrounding password usage continue to impress upon me the need for mainstream multi-factor authentication. But wishful thinking doesn’t help us right now. What’s your take on yet another usability versus security conflict?

Michael Kassner has been involved with IT for over 30 years. He is currently a systems administrator for an international corporation and a security consultant with MKassner Net. Read his profile or follow him on Twitter at MKassnerNet.
