As far back as I can remember-- which admittedly isn't very far-- GUI toolkits have included a special type of text entry field for passwords. As you type, the password field displays a generic character, usually a dot or asterisk, instead of the character you actually typed.
I've criticized the login dialog before, but I definitely understand the need to obfuscate password entry, even if you're using fancy two-factor authentication with smart cards and the like. If password entry was treated as plain old text entry, you'd reveal your password (or PIN code) to anyone who casually happened to be looking at the screen while you're typing. So instead of seeing:
**************
Everyone in your meeting or presentation would instead see:
IHeartBunnies!
Which would be sort of traumatic on several levels. Not to mention the security implications.
I can't talk about login dialogs without bringing up one in Lotus Notes 6.0. Like everything else in Notes, it's a massive trainwreck.
This dialog box contains several security "features":
- The hieroglyphics on the left of the dialog box are supposed to distract anyone who is peering over your shoulder trying to learn your password as you type.
- The number of characters you type is hidden; a random number of X's appear instead of one asterisk per character.
Is any of this nonsense really necessary? If I want to learn someone's password as he or she types it, I will look at the keyboard, not the screen!
I actually had to use that exact login dialog for my job at the time, and I can tell you from personal experience exactly how mind-bendingly, appallingly awful it truly was. Who reinvents a perfectly standard dialog-- and makes it so much worse? On second thought, perhaps "how can we make this worse?" was the design goal for Notes. It certainly felt that way while I was using it.
But I digress. As much as we worry about password obfuscation, at least one dialog in Vista bucks this long-standing GUI trend. Specifically, the dialog where you enter your wireless network password.
Checking the "display characters" checkbox overrides the password obfuscation and reveals the password. At first I was appalled. Reveal my password? Imagine the security implications! The chutzpah of Microsoft's developers, putting my password at risk in such a careless, haphazard manner! What were they thinking?
I'm guessing they implemented the reveal option here because network passwords can be unusually long and complex-- and troubleshooting network connectivity is difficult enough even without factoring in the inevitable password typos. But are network passwords really so different from any other type of password? After using this dialog a few times, I began to see how useful the reveal password option truly was. If you think you've made a mistake entering your password, tick the reveal box and find out. It's quite a time saver compared to typing your password in blindly two, three, or even four times before getting it right. I don't know about you, but that happens to me at least a few times a day on average.
I've come full circle. I now think the password reveal option should be available on all login dialogs.
It's awfully convenient, and it doesn't seem particularly risky to me. Nobody leaves their password typed in and waiting to be revealed on the login screen. If you're in a public place, you simply refrain from using the reveal option. But at home or in a private work area, why not opt to reveal your password? Traditional GUI password obfuscation is a nice convention, but it's not the alpha and omega of password security. Far from it. If criminals really want to get your password, they'll be watching your fingers on the keyboard or using keylogger hardware.
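As an added example (not code from the post or from any commenter), here is how the Vista-style "display characters" checkbox described above can be built into a web login form in plain JavaScript: masked by default, re-masked as soon as the page loses focus or the form is submitted. It goes one step beyond the dialog in the post by refusing to reveal a value the user did not type in this session (browser or password-manager autofill). All function and field names are this example's own, and the autofill heuristic (keystrokes and pastes carry an `inputType`) is an assumption.

```javascript
'use strict';

// State machine for one password field. It makes no DOM calls, so the
// decisions can be unit-tested; attachRevealToggle() below wires it to a page.
function createRevealController() {
  const state = {
    touched: false,         // the user has typed or pasted into the field at least once
    tainted: false,         // the field holds content the user did not type (autofill)
    revealRequested: false, // mirrors the "Display characters" checkbox
  };
  // A reveal is honoured only for a value the user entered themselves.
  const revealAllowed = () => state.touched && !state.tainted;
  const revealed = () => state.revealRequested && revealAllowed();
  return {
    // Keystroke or paste; `value` is the field's content after the edit.
    // Clearing the field discards any autofilled content, so what is typed
    // afterwards is the user's own again.
    onUserInput(value) {
      state.touched = true;
      if (value === '') state.tainted = false;
    },
    // Value arrived without keystrokes (browser autofill, password manager,
    // script): mark it as not the user's to see and drop any pending reveal.
    onProgrammaticFill() {
      state.tainted = true;
      state.revealRequested = false;
    },
    // Checkbox toggled. Requests for a non-revealable value are ignored.
    setReveal(on) { state.revealRequested = Boolean(on) && revealAllowed(); },
    // Page lost focus, form submitted, or explicit lock: back to the masked default.
    lock() { state.revealRequested = false; },
    revealAllowed,
    revealed,
    // The <input type> the field should have right now.
    fieldType() { return revealed() ? 'text' : 'password'; },
  };
}

// Browser wiring for one password input and its checkbox. The checkbox is
// expected to start unchecked in the HTML; sync() enforces that on load.
function attachRevealToggle(passwordInput, checkbox) {
  const ctl = createRevealController();
  const sync = () => {
    passwordInput.type = ctl.fieldType();
    checkbox.checked = ctl.revealed();
    checkbox.disabled = !ctl.revealAllowed(); // greyed out for autofilled values
  };
  // Anything already in the field on load was put there by the browser.
  if (passwordInput.value !== '') ctl.onProgrammaticFill();
  passwordInput.addEventListener('input', (event) => {
    // Heuristic (an assumption of this example): keystrokes and pastes carry an
    // inputType, while browser autofill generally fires a plain input event.
    if (event.inputType) ctl.onUserInput(passwordInput.value);
    else ctl.onProgrammaticFill();
    sync();
  });
  checkbox.addEventListener('change', () => {
    ctl.setReveal(checkbox.checked);
    sync();
  });
  // Nothing stays revealed once the user switches away or submits.
  const relock = () => { ctl.lock(); sync(); };
  window.addEventListener('blur', relock);
  if (passwordInput.form) passwordInput.form.addEventListener('submit', relock);
  sync();
  return ctl;
}

// Browser-only bootstrap; skipped when this file runs under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => {
    const field = document.querySelector('input[name=password]');
    const box = document.querySelector('input[name=reveal]');
    if (field && box) attachRevealToggle(field, box);
  });
}
```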
Not trying to troll here, but the hieroglyphics on Lotus Notes are not for distracting people looking above your shoulder. They change as you type the password, and their purpose is to prevent spoofing of the login window by a trojan or malware trying to capture the password.
Carlos Silva on February 12, 2008 4:32 AM

When I need to make sure I'm typing my password correctly, I just open up an editor, type the password in the clear, and then cut and paste it into the password field. There's absolutely zero risk, since I only do it if there's nobody around who shouldn't know my password. The "reveal characters" checkbox in Vista is much more convenient.
But you bring up another point -- there isn't one best way to protect a password. If I make a horrendously complicated password for my bank account, and then write it down and put it in my desk at home, that's much, much safer than making a password that's easy to remember so that I don't need to write it down. If the criminal is sitting at my desk in my house, I've already lost.
JPLemme on February 12, 2008 4:45 AM

I used to work for IBM, and from personal experience I can tell you that back in the day they routinely would encourage designers to deviate from the standard dialogs and controls in order to beef up the patent portfolio. I don't know how much of that they are still doing, but when I was there, there were fantastic incentives to come up with "clever" and different ways to present information.
Keith on February 12, 2008 4:49 AM

The risk of copy-pasting your password is that it ends up sitting in the copy buffer waiting to be shown the next time someone hits Ctrl-V at your terminal.
WhoMe? on February 12, 2008 4:51 AM

Just an interesting note, I installed Linux (Fedora 8) on my laptop a while ago, and I noticed it revealed my password for my wireless network (which I only enter once and store anyways). I don't even think there was the option to hide the password. At least for a wireless network where you typically enter the password once on your laptop or PC and store it, I felt it was far more usable than the Windows XP model, which both hid the password AND required me to type it twice. This always seemed like a lot of extra work to me for a password that never needed as much security as something like a user login password. After all, any wireless password I was ever entering was inside my home or a friend/relative's home and there was absolutely no chance of someone seeing the password who shouldn't have.
Security is important no doubt, but I think the appropriate level of security for the job is also important.
Mike on February 12, 2008 4:53 AM

I believe the username field should stay in the form. Not because of the added security but because of the convenience:
1- The username can be associated to the email address or be the user's email address. Then a reset password could be emailed to this user.
2- Although this has little chance of happening, what if you try to set the same password as another person? It would be stupid to warn you that the password is already in use.
3- By entering their username, the user should have a stronger feeling of being identified (this is just a guess because I wanted to add a third reason ;))
Tell me when you find a way to fix faulty tab presses. There's nothing quite like typing your password right next to your username for everyone to see.
I just remembered a college professor not hitting the tab during a lecture. All 100 students saw his uni password and he didn't even realize he did it. Poor sap.
capi on February 12, 2008 5:27 AM

> I just remembered a college professor not hitting the tab during a lecture. All 100 students saw his uni password and he didn't even realize he did it. Poor sap.
Happened to me too when I was at school, the helpdesk boss was explaining how something worked, and typed his password in his username box since he was used to the program filling in his username. He changed his password when he did actually get in. Seemed like he had a few up in his head.
Cullen Murphy on February 12, 2008 5:37 AM

There is a Firefox addon that allows the user to reveal ALL passwords... it could easily be tweaked to allow the user to select which boxes to reveal.
saintpretz59 on February 12, 2008 5:44 AM

I've always wondered about the meeting at which that login window for Notes got approved. That said, I still use it at work every day and I've gotten used to it, sort of like an eccentric uncle ;)
Balaji Dutt on February 12, 2008 6:02 AM

The standard dialog is better:
- It's simpler, without the "reveal" option.
- It helps keep the rules clear: A password is a secret; you don't reveal your password. People *will* confuse the issue; lots of people have trouble with anything computer related.
- Not displaying the text forces people to pay attention to what keys they've pressed and in what combination. (Is it a "iI1!|"? That's only a question if you try to remember it by appearance.)
The above seems less compelling than when I started typing... but still better than a "reveal" option. If you're not sure then cut and paste. Heck, if someone doesn't understand the cut/paste option, can you really argue that "reveal" won't confuse them?
And as for it being a trouble shooting aid, well, having the wrong password is much more common than mistyping it. When I worked on the help desk (Heaven help me) asking someone to slowly retype a password was a polite way to work through some stupid user mistakes, fixing or explaining other issues along the way.
Jim on February 12, 2008 6:02 AM

In Mac OS 10.5 (Leopard) the join network has a show password checkbox too.

Marco Valtas on February 12, 2008 6:05 AM

I've got a different take on the Lotus Login Glyphs. I don't know that I'm right, but I'd bet $5 on it.
My take is that it's designed as a one-way hash to let you know if you typed your password in correctly. Certainly, I learned to recognize the pattern just before I hit enter, and if I mis-keyed, I saw a drastically different set of characters.
I don't have the Crypto-Fu to know if it's a security weakness or not. I suspect a bad implementation would be, but I don't know how many distinct images you need and how strong a hash you need before it's not a problem.
Glenn on February 12, 2008 6:20 AM

RE "reveal password" thing, from somebody who has spent a lot of time in large cold rack-rooms at various broadcast facilities at 3am in the morning trying to figure out why (eg.) the primary sports streamer falls over inside a minute or two of its 16 sources connecting to it... and I have to check them all, including the redundants, their logs, etc. before I can go home to bed...
The room is sealed from the outside world by 2 levels of badge scan doors, 2 human guards and an 8-foot chain-link fence... there is nobody in this freakin' room with me, wooly jackets only work when you aren't sleep-deprived, sliding rack keyboards and avocents of dubious quality, and if I mistype another unfamiliar 18-character password I'm going to throw a wobbly.
There are times when I don't give a flying-rats-quince about security for the simple reason that: if an attacker is able to read the password off my screen, the attacker MUST BE ME.
What's all this nonsense about the glyphs in that Notes logon?
It's a pictorial hash of your password. Jeesh...
It doesn't take much effort to notice when you type in your password correctly that you always END UP with the SAME GLYPHS. I'm not sure how good it would be at defeating any trojan trying to steal your password, if the trojan knew the algorithm for producing the glyphs (although there's probably a "salt" based on your environment, never tested that). BUT, it does give you enough info to ensure you entered your password correctly without actually revealing the password, by giving you a unique "confirmation" glyph.
I guess this misunderstanding is probably why they changed the glyphs to a "key fob" pic that changes as you type in 6.5. It's easier for the unobservant to catch on...
I agree about the reveal password option though. There's often no reason to "hide" the password, and as often (for us IT guys anyhow) a need to see what it is while troubleshooting. I also frequently end up typing a complex password into the "username" field so I can verify it is correct before pasting it into the "password" field.
Hey Now Jeff,
Good Point, since we are now moving to more passphrases (usually longer) from passwords it's helpful. PGP (it's pretty good) does offer this option as well.
Coding Horror fan,
Catto
Password reveal is incredibly useful, especially for WEP and other "hex" keys. On the iPhone/Touch the WEP key is never revealed and that's frustrating. I probably typed the original WEP key for my home router 8 or 9 times because my stubby fat fingers would randomly hit the wrong key and there was no way to know it.

Mikester on February 12, 2008 6:51 AM

I prefer the "Display characters" option, personally. Like the guy in the cold server room, I am typically alone (and certainly know when I'm not), so there is no good reason whatsoever to not be able to see what I'm typing or at least be able to double-check when entering those long complicated passwords that I use once per month.
Ubuntu has several dialogs that allow this, and I am thankful for it. It's pretty easy to just not hit the "Display characters" textbox if you don't want to reveal the password :)
Takuan on February 12, 2008 6:52 AM

G'day Jeff - I'm all for showing passwords, especially on forums I've signed up for once and never used, and IE remembered my password and now I need to change it and enter the old password first which I don't remember (or something similar)!
OK, breathing normally now.
I chuckled when I read your quote "If criminals really want to get your password, they'll be watching your fingers on the keyboard, not the screen." If a criminal can get to my PC physically, I think I'm already gone.
Cheers, Thomas
Thomas Williams on February 12, 2008 7:01 AM

I can't remember where I saw this, but I ran into a web page that did some kind of pre-processing of your password as you typed. Rather than put the data in a hidden field they just intercepted the keys and put something different in the password field. The result was that you saw TWO dots for every keypress. I spent several minutes trying to figure out what was wrong with my keyboard, which was obviously typing double for some reason!

Walter on February 12, 2008 7:06 AM

The people who identified that the hieroglyphics have nothing to do with are spot on.
The reason they exist is the same reason many banking sites now display a picture that you have previously selected, it's to show that the password dialog you are entering the password into is not a spoofed one. It also has the side benefit of helping many people realize they have entered an incorrect password before hitting enter.

Carl on February 12, 2008 7:32 AM

Not sure how well this would work in the "remember my password" world that we enjoy today. In theory it sounds like a nice feature. Just like the "remember my password" feature, if used conscientiously it would be great. I'm sure from time to time people would use a public computer and use the computer's "remember my password" feature, so what's the diff really whether someone logs onto your website with a remembered password and changes it versus clicks the "display characters" for a remembered password.
Shan on February 12, 2008 7:40 AM

You mean to tell me that you actually *type* all your passwords? KeePass (http://keepass.info/) does it for me.
The only thing it can't do is the Windows login, and the password to KeePass itself. Thankfully those are taken care of by my laptop's fingerprint reader.

The 327th Male on February 12, 2008 7:51 AM

I used to use the 'Remember my password' and all of that since I was the only person who used my laptop at work and I took it with me when I left at night. However, one day I had to completely clean out all of my history and saved passwords etc. It probably took me 3 hours to remember all of the passwords for various subsystems I interact with on a daily basis at work. Now I usually use a password 12 characters long that is a combination of letters, numbers and special characters. For other passwords I use a slight variation on the first and always type it in. People at work laugh at me but I don't forget them now that I am typing them in 10 times a day.

Chris Howell on February 12, 2008 7:54 AM

I don't use remember my password. I just use a long pass phrase with a simple set of rules that are easy to remember.

Jonathan Paul Madrid Abaca on February 12, 2008 8:05 AM

I like the thought!
I especially like changes! :D
This could change everything! I am for the open password movement! Let's do it! Yes We Can!
Lawrence Tureaud on February 12, 2008 9:09 AM

Thank you for this insight Jeff!
We have quite a few government intranet users working from the confines of their offices whose hardest task in life seems to be correctly typing their assigned passwords without being able to see the screen.
Any ideas how one would best simulate the 'display characters' functionality in a web interface? Preferably without a postback? :)
Matias Nino on February 12, 2008 9:16 AM

This is another thing I like about the daskeyboard (aside from being a great keyboard to type on): looking at my fingers while I type my password will be much less useful.

JosephCooney on February 12, 2008 9:35 AM

Thanks Jeff,
I had such a horrible flash back to Lotus Notes that I couldn't sleep and I spent an hour ranting about the subject on my blog.
http://www.coderjournal.com/2008/02/lotus-notes-aol-corporate-world/
Just thinking of it brings back memories that I would desperately like to forget.

Nick Berardi on February 12, 2008 9:42 AM

I've come to agree that "show password" should be around more often. Especially on mobile devices, where typing a complex password can be exceptionally difficult.

Scott Yost on February 12, 2008 9:43 AM

If it defaulted to not showing, it might not be a problem. I think it is likely to be more like Hotmail's "remember my password" that is checked by default.
Want some fun? Go to your local library and send the browser to Hotmail. Two out of three times, someone's account is logged in, because they fail to uncheck the box. These sort of shortcuts need to be off by default, so that failing to check/uncheck something doesn't leave the account open to whomever.
W^L+ on February 12, 2008 9:45 AM

I've implemented something like this for a site I've developed.
Using Ben Nolan's Behaviour JS Library (http://www.bennolan.com/behaviour/), I attach a behaviour to all input fields which have a type attribute of "password". I have it set up to change the field to a regular text field on mouse over, and switch back on mouse out. You could set up your own events if you wanted (double click, press a certain key after mouse over or whatever), but this is pretty simple.

```javascript
// Behaviour rule: swap each <input type="password"> to a plain text field on
// mouse over and back to a masked field on mouse out.
Behaviour.register({
  'input[type=password]': function (el) {
    el.onmouseover = function () { this.type = 'text'; };
    el.onmouseout = function () { this.type = 'password'; };
  }
});
```
You could easily make this into a GreaseMonkey script too, if you wanted the same functionality on all the sites you visit.
PS: I don't think this works in Internet Explorer, but I'm sure you could hack around it somehow.
nickf on February 12, 2008 9:46 AM

Well, Jeff, others have already pointed out the true purpose of the hieroglyphics, so I'll just add one more thing.
For all the UI faults for which it is appropriately criticized (many of which are cured in the current version 8, but not all of them), one of the things that Lotus Notes is really good at is security. As the first commercial software package to offer a full PKI-based authentication, signature and encryption package, it was adopted quite early by a number of federal agencies with three letter acronyms. That's public knowledge. And though I have no direct knowledge of this, it seems very reasonable to me to conclude that if Lotus put a lot of extra effort into the password dialog -- something that seems on the surface to be quite trivial, which most vendors put almost no effort into, and which most customers would never care about, but which is obviously of great interest to those who value security the most -- then they probably had some very specific requirements and advice from people at those three-letter agencies. And, no disrespect intended, but those three-letter agency folks know quite a bit more about good security design than you or I do, and they care very little about what we are used to or whether users will think that their security design goals make some aspects of the user experience worse.
Richard Schwartz on February 12, 2008 10:19 AM

I think the "reveal password" feature is OK for wireless security since it requires a long passphrase or key (e.g., 13 characters long). But for other software which usually has a limit of a minimum of 6, people usually keep a password they can remember (unlike in wireless, where the pass key can be a 10-digit long number)
Raseel on February 12, 2008 10:30 AM

> Not trying to troll here, but the hieroglyphics on Lotus Notes are not for distracting people looking above your shoulder. They change as you type the password, and their purpose is to prevent spoofing of the login window by a trojan or malware trying to capture the password.
And since as much as, oh, two percent of users know this, they're essentially worthless.
Dave on February 12, 2008 10:31 AM

> I've always wondered about the meeting at which that login window for Notes got approved.
The Lotus corporate culture is pretty strange:
1. They're not part of IBM even if IBM thinks they are.
2. They know better than everyone else (including professional UI/interaction designers) what's good for the user.
3. If people don't understand their work it's because the people are idiots and can't be helped.
It's been a few years since I dealt with them but I haven't seen any sign that this has changed recently.
Dave on February 12, 2008 10:36 AM

If Windows were to implement this, I would hope that there would be a way to turn it off via group policies - I can just imagine some malicious person sneaking in and checking the "show password" box while someone wasn't looking, then watching while some person who didn't know enough about computers to notice puts in their password and... bang! It would be useful at home, sure, but for corporations, schools, government, etc, it would be too big of a security risk.

Nerd on February 12, 2008 10:47 AM

The hieroglyphics are indeed a feature. Think of them as a one-way visual hash of your password. They're not random; if you type in the same password, you see the same glyphs, so it lets you know you did not mistype without having to use clear text.
I totally agree; I've said before that allowing the user to reveal the password actually increases security, because it can give the user the confidence to use more secure passwords: http://www.exubero.com/blog/20060823_Unmask_Password.html
Joe Schmetzer on February 12, 2008 11:21 AM

If the Lotus Notes symbols prevent spoofing, don't they come a bit late? A spoofed dialog could still remember your keystrokes even if you didn't hit enter.

Weeble on February 13, 2008 1:06 AM

You guys don't watch your fingers as you type?

Homer S. on February 13, 2008 1:25 AM

There is a big problem with the "show password" option, especially on web pages. If the browser automatically remembers your password and fills it in next time you visit the page, anyone with physical access to your computer could find it out very easily.
Then, since people re-use passwords, it would be all too easy to guess their logins on other sites all over the place.
James McKay on February 13, 2008 1:32 AM

I liked the way some mobile phones do password entry, where you can see the last typed letter for a second. I mocked this up in a quick Flash demo here: http://polygoon.esken.net/tests/maskingpassword/
You can see that when in reveal mode, you can see the letter just typed, and also reveal previous letters when moving back with the cursor.
I think this is better from a security standpoint, because you don't reveal all of the password at once, instead you can go back and double-check letter by letter, thus lessening the threat that somebody sees the full password over your shoulder.

Erki Esken on February 13, 2008 1:56 AM

Does anyone know why Windows XP asks me to enter the security key *twice* when I want to join a protected Wi-Fi network? It makes sense to ask for a password confirmation when you're creating a new password, but why when I am just entering a password which was defined somewhere else?

Rod on February 13, 2008 2:03 AM

..remember Snadboy's Revelation?
Handy tool to de-encrypt those asterisks, just point your mousepointer at the box and you can read....
That's why you shouldn't save passwords in windows :-)
I simply use a small utility called showpass.exe for situations where someone forgot a password and all we get are *******...
Just drag a cursor over your *****s and it displays the password!
XP security at its best!
hvulin on February 13, 2008 2:15 AM

Even at home, I won't reveal my password. I'm worried about TEMPEST contraptions looking at my screen.
:)

Manu on February 13, 2008 2:34 AM

Revealing the password is actually quite useful and there is one situation where I find it invaluable: where the system language/keyboard settings differ from the keyboard I am using.
I use systems with Spanish, German, Swiss, Greek and English (UK and US International) keyboard layouts.
Safe password rules mean you'll definitely get a couple of @ or $ or pound signs in the password (depending on who setup the system).
Ever tried to enter a @ on a German system with a US-International keyboard? Hint: it's not shift-2
So you end up typing the password in the username field to see which character came up wrong (and experiment with key combination to get the right character).
Oh yes, I'd love a reveal password option.
I remember when friends came home to play one of my online games. The login had a password reveal checkbox AND remembered my password. The very first click one of my friends did on the login form was on that checkbox, revealing my password to 5 of my friends watching the screen at that moment. Very frustrating.
Please, oh please, *never* place the "show password" on an auto-populating field.
Sunny on February 13, 2008 2:50 AM

Am I the only one who finds it odd that first you complain about the login window, and then belittle Lotus for trying to "reinvent[...] a perfectly standard dialog"?

J. Stoever on February 13, 2008 2:51 AM

I'm an occasional Lotus Notes user and even though I like your writing Jeff, I must disagree: their login box is great IMO.
The picture tells me if my password is correct before submitting, the images don't come random as far as I can tell (I always get the same if my password is correct), though there are more keys that produce the same image, if I miss a key I'll know it fast.
The random XXXs are also great, they give you confirmation that you indeed pressed the key (you might not even realize it but you will notice when you missed one) while protecting your password length. While I've been working a while in IT it seems highly unlikely to me to guess someone's password just by length (even though it really helps shrink down a keyspace for bruteforcing (especially if you mix it with character eliminations like QAZ, 1-9 from shoulder surfing)), however I have some non-IT-related bored friends (lol) who have amazed me in the past.

Tudor on February 13, 2008 2:52 AM

Seriously, if the NSA are using Van Eck phreaking on you, it would in fact be easier, faster and cheaper for them to simply bribe the janitors, IT support and... torture the info out of you.
I know Van Eck "did it for $15" but firstly, that's uncited, and secondly, that was under controlled conditions, with only one computer. On an office block? Forget it.
7-Zip had the reveal password thing in it quite a while ago, and it's come in handy a few times. I did always think it was stupid that you had to enter your password twice for it to extract and _then_ have it check to see if you entered the right password, but eh. Compression security isn't really my area.
BTW, do you ever change your captcha? I swear I get 'orange' every single time I come to this site.
Figs on February 13, 2008 3:05 AM

Figs: http://www.codinghorror.com/blog/archives/000712.html

J. Stoever on February 13, 2008 3:19 AM

Password reveal is an obviously useful feature, and yet of the dozens of utilities I use, only two include it: WinZip (http://www.winzip.com) and SuperBot (http://www.sparkleware.com/superbot/). What gives?

Chris Marshall on February 13, 2008 3:37 AM

For those wanting to implement the password reveal in ASP.NET web apps, see my post at http://weblogs.asp.net/traviscollins/archive/2008/02/13/dramatic-password-reveal-in-asp-net.aspx

Travis Collins on February 13, 2008 4:09 AM

The worst kind of faulty tab press problem is the one where the GUI sits there showing you your username (and in this case password too) while it decides your password is incorrect. You know the ones that waste a few seconds of your time so you can't try too many passwords too fast? I've done that a few times in front of people, and I feel like such a n00b.

Ben on February 13, 2008 4:26 AM

http://www.codinghorror.com/blog/images/word.png

http://www.codinghorror.com/blog/images/word.png on February 13, 2008 4:27 AM

There's no need for an addon in Firefox to display your password(s). Firefox just does it!

songo on February 13, 2008 4:29 AM

Password could be displayed as you type, but... scrambled (non-randomly). That's an easy way to spot typos without revealing much.
i.e. Display something more useful than *****, but secure.
Display characters: * | scrambled | plain
This rant against Lotus Notes is a bit unfair: it should be a rant against companies that simply "assume" that people know how to work the software they use. Admittedly: Notes takes a different approach to a lot of things, and is therefore "difficult" for people who only know Microsoft UI conventions. (Which, not surprisingly, is the main gripe of the website you refer to)
Nothing that cannot be alleviated with some (decent) training however, and that is what is quite often missing.
Yes, Vista is late to the party with the whole "reveal" option for the wireless. Ubuntu Linux and others have had this checkbox for a few releases now. At least Microsoft recognizes a good idea and steals it ... wait - Microsoft always steals good ideas.
Glen on February 13, 2008 4:42 AM

Seriously, how hard is 'password1!' to remember? And if you use it everywhere, it becomes very easy to type! ;p

Andy Burns on February 13, 2008 4:47 AM

Not to troll even more, it's hieroglyphs, not hieroglyphics, a common mistake.

Andy W on February 13, 2008 4:57 AM

Poor poor Lotus Notes. Everyone's always picking on him.
I use lnotes everyday for work. As someone else mentioned it deviates from MS UI and that makes it harder to learn. But then again Apple deviated from MS UI and that was a good thing! So IBM needs to readdress their UI in general. At least put all the configuration settings in one place instead of several. (oooh and use standard email addresses instead of the weird lnote addresses)
Brian on February 13, 2008 5:15 AM

I'd have to say I'm half in favor of the Lotus login dialog box. I don't like the hieroglyphics simply because I don't think they are "distracting." However, having a random number of *'s appear as you type is beneficial. Someone who wants to see you type but can't will still have a much easier time determining your password with brute force. I don't know the exact numbers, but knowing the length of the password cuts down the number of guesses many, many times.

Mike on February 13, 2008 5:29 AM

> people usually keep a password they can remember (unlike in wireless, where the pass key can be a 10-digit long number)

Aren't we forgetting here that it's much, much easier to remember something that we've seen before? A reveal password option would make it easier for people to choose more secure passwords.
I'd even go one step further and ask for a 'hide password' option having the password revealed by default.
Manni on February 13, 2008 6:03 AM"Many applications have disabled copy and paste to and from password fields for a while."
Someone else noticed this? Holy cowbell, Gene Frenkle!
James on February 13, 2008 6:12 AM
A very novel idea.
I love the Yiddish.
Marc Arbesman on February 13, 2008 6:16 AM
I'm pretty sure the hieroglyphics are a visual hash to allow you to verify that you typed your password correctly. When I used Lotus Notes 6, they would be the same every time once I finished typing my password correctly. If I typed it incorrectly they would differ.
Johnny D on February 13, 2008 7:05 AM
The only 'safe' system is one that is locked up in a Titan missile silo and not attached to any outside network.
That goes for passwords too...
As for the rest of us, it's kinda like driving a car, we don't expect to get into an accident but sooner or later it will happen.
Mac on February 13, 2008 7:07 AM
Anyone ever use Password SAFE?
http://passwordsafe.sourceforge.net/
It has an autotype feature where it will paste your username and password and hit enter for you and then clear your clipboard.
You can generate random passwords and you only ever need to remember the 1 password to open the application.
In Mac OS 10.5 (Leopard) the join network
has a show password checkbox too.
Actually, this has been in OS X for at least 2 years.
LKM on February 13, 2008 7:37 AM
The Notes thing is a great example of poorly directed creativity. Huge teams pounding at diminishing code bases often get erratic spurts of creativity that ultimately make the overall product 'fugly'. Instead of fixing the real problems, they just pile on more. It is a downward spiral that most of our big well-known software products are unhappily in the middle of surfing (including, unfortunately, huge parts of Linux, which are not immune to the same cultural problems).
Paul.
http://theprogrammersparadox.blogspot.com
I've always found that feature useful for network keys, but never thought of using it for password fields.
While I don't think it is that useful personally, I could make use of it from time to time. I'll be sure to try to add it to my future password fields.
I'm not a fan of having a check box for that feature but I think something else could be used, like a little button (with an appropriate icon) that only reveals your password when you hold the mouse button down and if you want to keep it revealed, you have to double-click the button.
I'm just thinking out loud here, thanks for the inspiration.
Mike B on February 13, 2008 7:53 AM
Great commentary. Now I'll have to use some Javascript trickery to build this idea into my web-based login forms.
ND on February 13, 2008 7:57 AM
The first time I recall a non-obfuscated password field was on the Palm IIIx (the wireless one). I was horrified at first of the thought of entering in a password I could see! But then I realized that nobody else was really able to watch me enter the password in (it was a Palm Pilot after all) and relished the notion of making password entry that much _easier_.
Josh Peters on February 13, 2008 8:55 AM
"In Mac OS 10.5 (Leopard) the join network
has a show password checkbox too.
Actually, this has been in OS X for at least 2 years."
That's 'cause you have to retype the password every time you rejoin the network, which on Leopard will be every time you come out of sleep.
brian on February 13, 2008 8:57 AM
Problem is, I don't even know what my passwords look like because I've never SEEN them. Sometimes I'll accidentally type my password into a regular text field (focus-stealing, anyone?) and I just sit there and think "WOW, my password looks nothing like I imagine it." For even more password pain, try using virtual keyboards that never work.
Mattkins on February 13, 2008 8:58 AM
I have quite different experience regarding MS design abilities regarding the subject when I chose a password for my Xbox Live in password boxes.
For rare people who did not have this experience - imagine a huge TV screen. Left part is displaying a table of letters visible from the next block's house and right part is the familiar password box with generic asterisks. To enter the password you have to choose with your controller letters from the left box and press "A", the letter choice being not only highlighted but also (of course) making a beep.
But password box on the right – it shows asterisks. We don't want to breach security, do we?
I like the idea, so much so, that I wrote a cross browser script to do this on the page:
http://blog.kaosweaver.com/index.php?entry=entry080213-114936
I built my own password entry dialog. It shows boobies of various shapes and sizes while I type in my password, causing substantial distraction.
I don't even bother hiding the characters.
This even works on the women in the room. They're too distracted by their own feelings of discomfort to pay attention.
Only problem is that sometimes I forget what I'm doing.
MR on February 13, 2008 9:05 AM
When I was switching over to Dvorak, I would have really appreciated the ability to reveal my passwords with a check button. It is a huge hassle to relearn one's passwords in a layout that doesn't match the symbols written on the keys.
calcnerd256 on February 13, 2008 9:05 AM
If this ever gets widely implemented, I just pray to whoever that it will only display the password for a brief second. Long enough to identify a mistake, but not a permanent toggle.
Government workers were mentioned above, and it's true. They actually put on their resume "Can remember passwords sometimes". They would leave the password revealed always.
Zip on February 13, 2008 9:05 AM
The most infuriating thing on XP with the wi-fi passwords, which ARE obscured, is it forces you to type them TWICE and there is no option to reveal the actual text. Great, thanks, just what I need when entering some absurdly-long key.
OS X has had the reveal option for ages.
42 on February 13, 2008 9:10 AM
Modest proposal: keep the reveal option only for passwords that aren't habitually entered; i.e. keys, or preferences for an automated login. These are also the most likely to be written down somewhere to visually compare.
Often, the "typed-in" ones aren't written down anyway, so verification consists of simply typing slower and more carefully. That doesn't work for a password that you don't usually enter, because you can't just consult your memory for the correct characters, but rather another source.
Rich on February 13, 2008 9:10 AM
"Not trying to troll here, but the hieroglyphics on Lotus Notes are not for distracting people looking above your shoulder. They change as you type the password, and their purpose is to prevent spoofing of the login window by a trojan or malware trying to capture the password."
- So now trojans and malware will have to be smart enough to randomly generate hieroglyphics... if it is targeting Notes, I don't see how that is going to be very difficult. Additionally, I doubt any users would notice if the hieroglyphics changed much.
OT: Why is the Captcha always orange?
Brian on February 13, 2008 9:15 AM
Brian, obviously in OS X you can save the password of any network which you don't want to repeatedly enter.
geekbot on February 13, 2008 9:15 AM
I've never recovered from the shock, back in the early 90s, when a student ran a program named something like "bond007.exe" on one of our lab machines that turned the asterisks into the plaintext.
I'm an old command line type and so I'm used to typing passwds with nothing appearing on screen...
But then I'd learned to do UNIX commands with the screen
dead/swamped with output/turning letters into bits of boxes/... Even with the bottom half below the edge of the CRT.
Dick@neanderthal.not
RJBotting on February 13, 2008 9:18 AM
"OT: Why is the Captcha always orange?"
As explained in an old post the static captcha is used because it works.
So far there have been no robots getting through so there is no reason to do something different.
will dieterich on February 13, 2008 9:27 AM
"Brian, obviously in OS X you can save the password of any network which you don't want to repeatedly enter it.
geekbot on February 13, 2008 09:15 AM "
Negative.
Come outa sleep and I gotta either reboot or go through the network diagnostics to reestablish a network connection. Network diagnostics forces re-entry of the network password; it acts like it is identifying the network for the first time, and it also requires the router to be rebooted.
Do not pass go, do not collect $200. It does not remember the password entered previously.
So just because OS X has had a feature for 2 years doesn't make OS X a good OS. The fact Windows is incorporating good features that OS X has is great, it adds all those candy features to a solid OS. All OS X has is those "neat" little features.
I was joking about the reason for the feature in OS X. From my standpoint, with this buggy MacBook Pro, the feature is because network password re-entry is required after coming outa sleep. I'm sure Apple added the feature because they are "innovative" or whatever.
brian on February 13, 2008 9:49 AM
"If Windows were to implement this, I would hope that there would be a way to turn it off via group policies - I can just imagine some malicious person sneaking in and checking the "show password" box while someone wasn't looking, then watching while some person who didn't know enough about computers to notice puts in their password and... bang! It would be useful at home, sure, but for corporations, schools, government, etc, it would be too big of a security risk."
Ditto. Beat me to it.
Personally, I can't see myself using it. I create a password and then get so used to typing it in I rarely make a mistake, and when I do I just type it in again. It would take more time for me to navigate to the checkbox than to just retype my password. If your password takes more than two seconds (literally) to type, then either you've got it way too long or way too complex than it needs to be.
Brent on February 13, 2008 9:58 AM
However, having a random number of *'s appear as you type is beneficial. Someone who wants to see you type but can't will still have a much easier time determining your password with brute force
Have you ever *used* a password dialog that emits a random number of asterisks/dots when you type a character? It is really confusing. Did you press one key.. or two? Hard to appreciate how weird it really feels until you try yourself, but suffice it to say, it ain't good.
As someone else mentioned it deviates from MS UI and that makes it harder to learn. But then again Apple deviated from MS UI and that was a good thing!
Yes, but Apple deviates in (usually) good and at least sensible ways. In Notes, every "clever" feature is usually considerably worse than the standard they deviated from.
At least Microsoft recognizes a good idea and steals it ... wait - Microsoft always steals good ideas.
I'm not so sure. Internet Explorer needs to be stealing a lot more great features from Opera, Firefox, and Safari. Ditto for Vista.
Jeff Atwood on February 13, 2008 10:04 AM
If your password takes more than two seconds (literally) to type, then either you've got it way too long or way too complex than it needs to be.
I disagree.
http://www.codinghorror.com/blog/archives/000360.html
Jeff Atwood on February 13, 2008 10:05 AM
Jeff, I am sure there are any number of readers now rolling on the floor experiencing a Lotus Notes flashback seizure: please don't do this again (think of the victims!).
Originally, passwords have been hidden or scrambled in some way, any way you want but not plain readable, because of CRTs' electromagnetic leaking: guys from a 3 letter acronym agency in a van parked outside can see an image of your screen unless you are in a shielded room.
If you can see a password so can they!
This is also why displaying the correct number of '*' (or any generic char) was not considered secure enough as it helps a lot in cracking the password.
And curiously a lot of vans have always been parked near embassies, government buildings, big corporation headquarters... ;-)
"If criminals really want to get your password, they'll be watching your fingers on the keyboard or using keylogger hardware."
This may still be a valid reason to obfuscate passwords on screen in some situations:
http://en.wikipedia.org/wiki/Van_Eck_phreaking
And look at that, someone beat me to it while I was searching for the correct name.
It's actually possible with flat screens as well by the way.
tommy on February 13, 2008 10:42 AM
"Show Password on Mouseover" [ http://userscripts.org/scripts/show/1893 ] is a Greasemonkey userscript which works well.
Jeff Daly on February 13, 2008 11:21 AM
The comments to this entry are closed.
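A working sketch of the control several comments in this thread describe: a button that reveals the password only while it is held down, a double-click to keep it revealed, a reveal that re-masks itself after a moment, and a switch so an administrator can disable the feature outright. This is an added example, not this blog's code and not the userscript linked above; the `PasswordReveal` class, its option names and the 3-second default are assumptions made here. It only flips the field's `type` between `password` and `text`, so the server sees nothing different; what changes is who can read the screen.

```javascript
// Added example (not the blog's code, nor the linked userscript): a
// show-password control for a web login form with the safeguards the
// thread asks for. Everything below works on any object with a `type`
// property, so a plain object stands in for the <input> outside a browser.

const HIDDEN = 'password';
const SHOWN = 'text';

// Flip the field between masked and plain display. Returns the new state.
function setRevealed(input, revealed) {
  if (input.type !== HIDDEN && input.type !== SHOWN) {
    throw new TypeError('setRevealed expects a password or text input');
  }
  input.type = revealed ? SHOWN : HIDDEN;
  return input.type === SHOWN;
}

class PasswordReveal {
  // allowReveal: policy switch (false = the control does nothing, for the
  //   "let admins turn it off" concern). autoHideMs: how long plain text
  //   stays visible before it is re-masked (the "brief second" request).
  //   now: clock function, injectable so the timer can be tested offline.
  constructor(input, { allowReveal = true, autoHideMs = 3000, now = () => Date.now() } = {}) {
    this.input = input;
    this.allowReveal = allowReveal;
    this.autoHideMs = autoHideMs;
    this.now = now;
    this.revealedAt = null;
    this.pinned = false;
    setRevealed(input, false); // always start masked, whatever the markup said
  }

  isRevealed() { return this.input.type === SHOWN; }

  // Mouse/touch down on the eye button: show while held.
  pressStart() {
    if (!this.allowReveal) return false;
    this.revealedAt = this.now();
    return setRevealed(this.input, true);
  }

  // Mouse/touch up: re-mask unless the user pinned it with a double-click.
  pressEnd() {
    if (this.pinned) return true;
    this.revealedAt = null;
    return setRevealed(this.input, false);
  }

  // Double-click: keep it shown, but still subject to the auto-hide timer.
  pin() {
    if (!this.allowReveal) return false;
    this.pinned = true;
    this.revealedAt = this.now();
    return setRevealed(this.input, true);
  }

  hide() {
    this.pinned = false;
    this.revealedAt = null;
    return setRevealed(this.input, false);
  }

  // Call on a timer, on blur and before submit: enforces the auto-hide.
  tick() {
    if (this.isRevealed() && this.revealedAt !== null &&
        this.now() - this.revealedAt >= this.autoHideMs) {
      return this.hide();
    }
    return this.isRevealed();
  }
}

// Browser wiring for a real <input>, eye <button> and <form>; not executed
// outside a browser.
function attachRevealButton(input, button, form, options) {
  const ctl = new PasswordReveal(input, options);
  button.addEventListener('mousedown', () => ctl.pressStart());
  button.addEventListener('mouseup', () => ctl.pressEnd());
  button.addEventListener('mouseleave', () => ctl.pressEnd());
  button.addEventListener('dblclick', () => ctl.pin());
  input.addEventListener('blur', () => ctl.hide());
  form.addEventListener('submit', () => ctl.hide());
  setInterval(() => ctl.tick(), 250);
  return ctl;
}

// Stand-alone walk-through with a constructed stand-in for the <input> and a
// fake clock; returns the sequence of field types it observed.
function demo() {
  let t = 0;
  const input = { type: 'password' };
  const ctl = new PasswordReveal(input, { autoHideMs: 2000, now: () => t });
  const trace = [];
  ctl.pressStart(); trace.push(input.type); // shown while held
  ctl.pressEnd();   trace.push(input.type); // masked again on release
  ctl.pin();        trace.push(input.type); // shown and pinned
  t = 2500; ctl.tick(); trace.push(input.type); // auto-hidden after 2 s
  return trace;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo().join(' -> '));
}
```

Hiding on blur and on submit keeps the plain text from lingering once the user's attention has moved on, and the `allowReveal` flag is where a site-wide or policy-driven setting would be plumbed in.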