programming and human factors
by Jeff Atwood
As far back as I can remember-- which admittedly isn't very far-- GUI toolkits have included a special type of text entry field for passwords. As you type, the password field displays a generic character, usually a dot or asterisk, instead of the character you actually typed.
I've criticized the login dialog before, but I definitely understand the need to obfuscate password entry, even if you're using fancy two-factor authentication with smart cards and the like. If password entry was treated as plain old text entry, you'd reveal your password (or PIN code) to anyone who casually happened to be looking at the screen while you're typing. So instead of seeing:
**************
Everyone in your meeting or presentation would instead see:
IHeartBunnies!
Which would be sort of traumatic on several levels. Not to mention the security implications.
I can't talk about login dialogs without bringing up one in Lotus Notes 6.0. Like everything else in Notes, it's a massive trainwreck.
This dialog box contains several security "features":
- The hieroglyphics on the left of the dialog box are supposed to distract anyone who is peering over your shoulder trying to learn your password as you type.
- The number of characters you type is hidden; a random number of X's appear instead of one asterisk per character.
Is any of this nonsense really necessary? If I want to learn someone's password as he or she types it, I will look at the keyboard, not the screen!
I actually had to use that exact login dialog for my job at the time, and I can tell you from personal experience exactly how mind-bendingly, appallingly awful it truly was. Who reinvents a perfectly standard dialog-- and makes it so much worse? On second thought, perhaps "how can we make this worse?" was the design goal for Notes. It certainly felt that way while I was using it.
But I digress. As much as we worry about password obfuscation, at least one dialog in Vista bucks this long-standing GUI trend. Specifically, the dialog where you enter your wireless network password.
Checking the "display characters" checkbox overrides the password obfuscation and reveals the password. At first I was appalled. Reveal my password? Imagine the security implications! The chutzpah of Microsoft's developers, putting my password at risk in such a careless, haphazard manner! What were they thinking?
I'm guessing they implemented the reveal option here because network passwords can be unusually long and complex-- and troubleshooting network connectivity is difficult enough even without factoring in the inevitable password typos. But are network passwords really so different from any other type of password? After using this dialog a few times, I began to see how useful the reveal password option truly was. If you think you've made a mistake entering your password, tick the reveal box and find out. It's quite a time saver compared to typing in your password in blindly two, three, or even four times before getting it right. I don't know about you, but that happens to me at least a few times a day on average.
I've come full circle. I now think the password reveal option should be available on all login dialogs.
It's awfully convienient, and it doesn't seem particularly risky to me. Nobody leaves their password typed in and waiting to be revealed on the login screen. If you're in a public place, you simply refrain from using the reveal option. But at home or in a private work area, why not opt to reveal your password? Traditional GUI password obfuscation is a nice convention, but it's not the alpha and omega of password security. Far from it. If criminals really want to get your password, they'll be watching your fingers on the keyboard or using keylogger hardware.
I'd suggest taking a look at the Mac Keychain application.
Most computer-remembered passwords are stored there, and each individual one can have it's text revealed *after you enter your login password*.
Ben on February 13, 2008 11:28 AMAdding a checkbox on every dialog box is pretty useless. If you really want to go down this path of revealing passwords based on external factors (i.e. public place, people looking over your shoulders), then add an option in the main dialog box of Windows logon that asks where you are (just like many web sites do). Based on that you can then configure various policies in Windows, one of them being this.
But I think the whole reveal password is pretty useless to begin with.
Hadi Hariri on February 13, 2008 11:39 AMJeff,
I always enjoy the diversity of your posts. Relating to the post above:
At the risk of sounding like a commercial....
I work in the online advertising industry are regularly log into hundreds of accounts for search engines, comparison shopping engines, my company's hosted application, and all the internal applications (crm's, ticketing systems, wiki's, survey apps, etc) we use in our day to day business. Throw in my personal stuff like credit card accounts, bank accounts, email accounts, networking sites, and so on...and you have a ton of usernames and passwords to keep track of (not to mention all the various methods of logging in).
So, the whole login thing is a huge part of every day. Because many of the accounts I access belong to clients, standardization isn't an option. Multiply this issue by all the employees in our company, and you have a huge liability/security issue with all the client accounts.
Our company started using a product available for PC's called RoboForm.
It's a real time saver and adds a level of security to all password based authentication.
A few features I really find useful:
* Prompts user to "remember" all browser based usernames and passwords (such as a gmail account authentication) the first time they are entered; subsequent trips to the website can be authenticated via RoboForm
* provides for easy/automatic filling of standard forms (name, address, phone number, etc)
* encrypts all stored usernames and passwords (accessible on the local machine by one master password only)
* provides easy methods of sending usernames and passwords to others via email with encryption
* defeats keyloggers because once a password is "remembered", there is no typing done...just a click on the appropriate RoboForm link to fill in the data
* for non-web browser based usernames/passwords, RoboForm also has a "SafeNote" feature that allows you to store usernames and passwords on your PC in a secure place (this provides for easy copy/paste functionality without the security risk of having your passwords "laying around")I use this to store my VPN client credentials and remote access passwords to name a couple.
* for frequently visited websites that require authentication, RF will let you create a shortcut on your desktop (or any folder) that you can active; it will open your default browser and log you in automatically (assuming you've already logged into RF via your supreme master password; if you haven't, when you click the shortcut, it will prompt you to sign in)
I'm not sure of the company cost as we bought in at the enterprise level. They do offer an individual license for around 30 smackers.
They also have versions for Palm and PocketPC. They only thing they don't have that I would buy is a version that will work on OS X. I use both Mac's and PC's on a day to day basis.
Doug Winenger on February 13, 2008 11:48 AMOn the version of Notes that I used once upon a time the Xes weren't random. They were based on a hash of the password the same why the hieroglyphics where. More than once I noticed I had a typo in my password because the behavior of the Xes changed.
Joshua on February 13, 2008 12:13 PMInteresting post. I have to say, I agree that the "reveal" option should become some sort of standard.
Hell, if you set your computer up at home, and you are the only user, and 99.9% of the time, people are NOT looking over your shoulder, and passwords are masked by default (meaning I must always enable it), what's the big deal?
Wireless network keys are a classic example of the way passes are going, they are forever getting longer and more complex. These sorts of keys I do not want to have to mess up 2 or 3 times and start from scratch. If the machine is a public machine (i.e. people can always be looking over your shoulder - internet cafe or whatever) then why not have the option within the OS to say, "this is a public machine, disable the "reveal" option?
Should the mask be there by default? Yes. Should we be restricted in being able to see the password, if we are confident that we are not being watched (which is most of the time)? HELL NO.
This could also raise the debate that more people are writing their passwords down now (due to their complexity) are actually causing more harm? 90%+ of rape victims know their attackers, you think it could end up being the same way for malicious computer abuse? =S
Rob on February 13, 2008 12:30 PMNotes was hardcore with security. First product to ship with RSA, and a nightmare to change the passwords for. Where I worked we actually recommended that users never changed from their default password so we'd have a record. Otherwise we'd have to reissue the certificate.
I see this as a design issue, by differentiating themselves from other products with an apparently more secure password entry, it might encourage users to take their passwords more seriously.
I actually quite liked the variable X's in the field.
Charles on February 13, 2008 12:34 PMI put together a bookmarklet ( http://philharnish.tumblr.com/post/26219829 ) which adds this feature. I love the idea, especially compared to the "enter password twice" paradigm.
Phil Harnish on February 13, 2008 12:37 PMRe Lotus:
It's been a few years since I dealt with them but
I haven't seen any sign that this has changed recently.
If you had dealt with them in the last few years, you would know that things have changed drastically.
The new Lotus UI - shared between Notes 8.x and Symphony - was described as "cool-looking", "really attractive", "beautiful" and "pretty impressive" on the 08-Feb-08 edition of the Windows Weekly podcast. That sounds like change to me.
And, yes, it does still have the visual password hash and multiple 'X's per character. Which I like: you soon learns subconsciously to recognise the visual pattern of your password, telling you whether or not you've entered it correctly without ever having to 'reveal' it or copy it from the clipboard. In fact, because Notes is so hot on security, the paste operation is not supported in the password dialog anyway, so the clipboard cheat is not available.
Back to the 'reveal' thing: it certainly has a place, but would need to be tightly policy-controlled to meet an auditor's definition of 'secure'.
Julian Woodward on February 13, 2008 12:56 PMI'm not so sure I agree with this. While it's possible to reveal the text in a password entry with the help of a tool, it's not so simple as clicking a button. Allowing the entry to reveal/mask the password with the click of a button just doesn't sound good.
Yes, it would be more convenient to the user... but it could also make it easier to have their password stolen, in certain situations, like if a user is filling out a form, finishes entering the password, then they leave the computer for a short time. Then someone comes along, clicks the "unmask password" checkbox, and boom, there's the password. It's just a little too easy.
I've never had a real problem entering passwords correctly, even long ones. When I do, I just become more careful. It may happen more often than I think, however.
mCw on February 13, 2008 12:56 PMThats cause you have to retype the password
every time you rejoin the network
False, but nice troll. Use the keychain.
LKM on February 14, 2008 1:43 AMI like the feature. I often find myself wondering if I mistyped a key in a password.
To the comment that everyone should know how to cut and paste from a text editor, there's two problems with that.
First, that's not always available. If I'm logging onto my machine, I can't access anything but the log-in dialog - which means I can't access a text editor. (Of course, the password for my Ubuntu account isn't 16 characters long...)
Second, it's not about an unbelievably great new idea. It's about efficiency and productivity. Sure, you can do the same thing by opening up Gedit/Notepad, typing your password, copying, and pasting. But it's simply more efficient to have a button on a dialog box that I can click to reveal my password.
Anyhow, I'm all for password reveal. Put my name on the petition.
Brian Rock on February 14, 2008 2:12 AMMaybe the "reveal password" feature should be a "hold to reveal password" button rather than a checkbox. This would enable it to "spring back" to hidden when you let go of the mouse.
Of course there's accessibility to think of, but I'm sure it would be possible to give the button focus and trap a keyDown event to enable a keyboard equivalent of holding down the mouse button.
Just my 2p worth... not that it's likely to be seen by a MS developer and implemented ;-)
Andy Vaughan on February 14, 2008 4:58 AMI don't think we should have reveal my password button. We've many password manager like Keepass, AI roboform, It does our job, keep our password safe :)
Nxqd3051990 on February 14, 2008 8:55 AMThe Notes thing is a great example of poorly directed creativity.
Huge teams pounding at diminishing code bases often get erratic
spurts of creativity that ultimately make the overall product
'fugly'. Instead of fixing the real problems, they just pile on
more.
I think this is a perfect summary of the problems at Lotus when I was involved with them (caveat as before: some years ago). Lots of very smart people, almost all of them programmers/code hackers/hardcore geeks, with unlimited freedom to do whatever they wanted and little to no feedback from the real world. The only difference was that it wasn't a huge team, the Notes team was relatively small.
Dave on February 15, 2008 1:57 AMKeePass has the same "Reveal Password" feature and I love it. Especially since I use and very strong password to lock and encrypt my safe.
Justin Kohnen on February 15, 2008 4:06 AMHey I just made it today
This is a simply javascript of display password mode.
http://devzilla.wordpress.com/2008/02/15/display-password-javascript/
THANK YOU for linking that site about Lotus. Oh sweet joy, how I am going to enjoy reading that.
I absolutely loathe Lotus Notes. What a piece of fantastically overcomplicated, ugly, bloated software.
I agree with the general direction of your post; a Reveal option would make password entry that much more usable. Although maybe it would make careless people more prone to revealing their passwords to overlookers.
Leonardo on February 16, 2008 7:27 AMFor all those that go from computer to computer, you should try portableapps.com. (must have a usb flash drive) They have all kinds of password applications. If you use Keepass, then you should try Password Safe. It's has a few more options than Keepass. X-Pass lets you see what is in a password field. Believe it or not, that can be really helpful at times. I help noobies troubleshoot problems with their PC, and one of the more common problems that I get is people with SBC DSL, and 2wire gateway modems. They usually can't get past the firewall in the modem for other apps to get through to the internet, and they don't know what the password is for the 2wire modem. It's the same password as they use for their SBC yahoo homepage, and alot of times the password will auto-fill itself in at the login screen, but with asterisks. Thats when X-Pass really comes in handy.
The reading of this post was really interesting. Getting through the comments got a bit more interesting, but monotonous.
Thats my 2 cents.
babyhewy on February 16, 2008 12:53 PMI just read these comments and while I normally didn't bother to replay to the fan-boi Apple freaks I just had to comment on the anti-MS statements made by Glen; you are a moron. You have never bothered to study history and are a drone suckling at the teat of your hive-master and evil overlord Steven Jobs.
Sound a little wacky? Well, that's what you sound like when you make such idiotic statements as "Microsoft steals everything." We all know Xerox invented the GUI, Apple stole it, then Microsoft stole it. Saying otherwise just makes you look foolish.
Here's the rule: Apple fan-boi's never get to say anything about anyone ever. Steven Jobs ripped off his best friend. The very first deal they did he stole from Wozniak and committed grand larceny. It's a fact.
Legally Apple belongs to Wozniak because of that. So, the next time you want to bitch about Microsoft stealing anything remember your boy Steven Jobs lied, cheated, and stole from his good buddy, Steve Wozinak.
Nuff said.
S. Jobs on February 17, 2008 3:35 AMLOL I always get "orange" too,I thought it was a joke!
There are many people who would be screwed by the reveal option, people in dorms. Public users who don't know much yet, people with roomies and family members who have a high level of curiosity or prankish nature, people who must send the PC away to be fixed, well I am sure others too. So if this is implemented I would want it off by default for sure! And i would want a few of the other possible mentions safeguards in place too.
My two cents.
Stars for password entry is one of the worst ideas ever.
If you are too stupid to tell the person looking over your shoulder to stop, then you have bigger problems.
As has been said; with complex passwords you end up having to type them into a temporary text file, copy them into the highly insecure clipboard, then past them into the password field; if the app even allows it.
Hiding the password is one of those things that anyone that's actually thought about it (maybe 10% of the programmer population) would have to agree is a bit idiotic but we get shouted down by the remaining superstitious 90%. They screech, "But that's how we've ALWAYS done it! It's 'Secure' that way! And if we've always done it that way it must be right." No, it's not and it's actually LESS secure because it forces you to expose your password to mulitple interfaces.
Kaitain on February 17, 2008 10:33 AMTruecrypt does the same thing, it allows you to display the password. I have a very long password and type it very quickly, so it definitely helps and I'm happy to sacrifice a tiny amount of security for the convenience factor.
On-screen password hiding is useful if you're doing a presentation and possibly shoulder surfing...but like you say, anyone can look (or video) keyboard instead of the screen! Almost all the 2-factor stuff I use still relies on keyboard input, although one bank uses the mouse.
si on February 18, 2008 4:52 AM@S. Jobs: Apple != Jobs. Equating the company with the man is a typical fanboy mistake. Grow up.
LKM on February 21, 2008 12:49 PMI don't know when it became a feature, but Mac OS X had this at *least* by version 10.4 Tiger, when I switched over to that camp. It sure is a useful feature!
Alan H on February 28, 2008 11:01 AMI work in a school, and one of the things the network admin guys have installed (for certain members of staff who need to monitor the kids on the network) is VNC. Hmm. So, all I'd have to do to see a password is... erm... watch the screen - remotely. I can see a flaw in the concept of using revealed passwords _everywhere_ - even if you _think_ it's safe.
RWW on March 5, 2008 11:51 AMIs there anybody who know any command line utility by which we can see internet explorer and firefox stored password.
may i ask if i can somehow set or change the asterisk characters in a password to somehow a series of dots or any other character
iori on July 15, 2008 3:44 AMhello
s on July 15, 2008 7:34 AMLike everything else in notes its a trainwreck
Do you mean just the client or does your thinking strech to designer and administrator also?
Domino is extremely resilient and I find developing in Formula language and lotusscript a pleasure.
Rob on October 26, 2008 11:38 AM.
jaemes chan on April 10, 2009 6:01 AMI found this article very interesting, as well as all the script suggestions people have offered. I played around with this a bit and came across something I was surprised was not mentioned anywhere. With the ability to change the password field to a text field, if the user submits the password as a text field, not a password field, the value will be added to the browsers autocomplete list and the password is stored in plain text on the local machine. Whatever implementation you choose to use, be sure at a minimum to set autocomplete='off' on the password field.
adam on May 4, 2009 12:31 PMOne tweak: For the non-revealed field, instead of displaying:
*****
when I type the first five characters of my password, type:
12345
Doesn't reveal the password. Does substantially alleviate Did I hit X character once, twice, or none?
Jonathan Hayward on May 6, 2009 9:07 AMI know this isn't quite so closely related, but bear with me. I'm on a wireless network and the password was given to me by my neighbor in this building. I wanted to give my girlfriend the password, but can't find the screen where I can view my stored password as dots and opt to reveal the characters. I'm using Windows Vista, can anyone direct me to the password setup?
Anonymous on June 24, 2009 9:16 AMA little off subject, but does anyone else see it as useless to enter your wireless password twice in xp??? I know it is a good idea for users who are creating a password, but for entering it for authorization? Seems a bit redundant to me.....
jason on February 6, 2010 10:20 PMcoincidentally, I was just typing a comment when my focus was stolen by the end of the VS2K5 installation. A message box appeared for 0.1s because I was typing a word so I didn't notice it and I must have activated the 'Restart Now' button with the space bar. grr. focus stealing, grr.
What I was saying before the VS restart rudely interrupted me was that Hotmail, sorry, Windows Live Mail, (on Mac Opera) has been telling me my password is wrong, but I type it a second time (even using copy and paste) and it works the second time. weird.
John Ferguson on February 6, 2010 10:20 PMMany applications have disabled copy and paste to and from password fields for a while.
John Ferguson on February 6, 2010 10:20 PM100 people in an office all use the same wireless password to get on the network, that's the kind of thing that makes showing the wireless password okay. Chances are, you're hiding it from a person on the street in a car or in the apartment next to you, not from people who will see it. Some wireless passwords have been crazy hex schemes anyway, which makes being able to see them important (to some). I doubt that option was put there for the sake of debugging wireless connectivity issues when a simple "incorrect password" notice would do the trick.
Tom von Schwerdtner on February 6, 2010 10:20 PMThe comments to this entry are closed.
Subscribe in a reader
Subscribe via email
|
|
Traffic Stats |