Tuesday, June 30, 2009

Masked Passwords Should Stay... Probably

The WebAppSec world has been awash with conflict following Bruce Schneier's discussion/comments that the masking of password entries on computers (and smartphones) should be done away with.

The discussion itself has morphed to some degree (well, quite a bit really), but essentially the argument is that the masking of passwords as they're entered in to a computer as part of an authentication sequence shouldn't be masked because of usability issues.

Now first off, I'm not a great fan of masked password entry myself, and I'm guaranteed to screw up a password several times each day, but I still think its a useful and relevant security technology. True, it's not much better than the password it's trying to protect - and it offers as much protection as the padding on a cars steering wheel does in a head-on collision - but it serves a purpose.

But I also split my answer. I think that password masking is less relevant to smartphones and could more easily be done away with. At least with a smartphone you can pull it close to your chest and obscure the password you're typing - it's damned near impossible to do the same with the LCD screen on your desk without looking like you're trying to theive it.

As with any security technology, theres a time and a place. Masked password use belongs as part of desktop protection of Web applications - but less so for smartphones (and fat fingers).


  1. First day at my new work, the administrator come to do *something* on my computer. He give me back the computer, but he left his secret password masked in a window previously opened to access a shared folder.


    I think that if the password was not masked, he didn't do this error.

    Perhaps a solution is just to add a button to mask the password if someone other is watching your screen. But the real solution is multi-factor authentication.

  2. I agree about the smartphones. When you type the password the character shows up at least momentarily anyways (at least on the one's I've used).

    I agree about Multi-Factor Authentication as well, Dnucna.

  3. Sorry, last post was me, didn't mean to use the company name...

  4. One of the few nice features of using lotus notes is that while it masks the password it provides a changing picture with each character placed in the password box. If you fat finger a password your habitual picture is not present so you know that you didn´t put the right one in.

    This is a workable compromise.

  5. I bet you IBM probably owns a patent for that picture aspect!

  6. Another version of live visualization of password input fields.