Ask Slashdot: Is Password Masking On Its Way Out?
Date: 2017-07-18
New submitter thegreatbob writes: Perhaps you've noticed in the last 5 years or so, progressively more entities have been providing the ability to reveal the contents of a password field. While this ability is, in many cases (especially on devices with lousy keyboards), legitimately useful, it does seem to be a reasonable source of concern. Fast forward to today; I was setting up a new router (cheapest dual-band router money can buy, from Tenda) and I was almost horrified to discover that it does not mask any of its passwords by default. So I ask Slashdot: is password masking really on its way out, and does password masking do anything beyond preventing the casual shoulder-surfer?
what else do you think it does? (Score:3)
"does password masking do anything beyond preventing the casual shoulder-surfer?"
Erm...that is precisely ALL it has ever done?! What else do you think it does?
Frankly, most password boxes should have a 'show' password option because it's user-friendly -- put the user in charge of whether or not the password is visible -- they can decide the risk of exposure.
Although I do think showing it by default is a bit absurd. On the other hand, with a new router out of the box, the default password is a known quantity or on the labelling anyway... so not a lot of harm exposing it there.
Re: what else do you think it does? (Score:3)
Even for those web sites that don't have the feature, the top three browsers (Chrome, Firefox, and IE) will all let you see any saved passwords by just inspecting the field's DOM properties...
You are correct on all points, and I completely agree with your opinion based points too.
Originally password masking was purely to prevent shoulder surfing.
Today it remains simply because it is expected behavior. And the default should remain masked for this very reason.
But there is little harm with a button or whatever to display it for the times that is acceptable to do.
There are still many situations you would both expect and need password masking on, and defaulting to not masked can only cause accident
Sure. (Score:3)
It makes it much more likely to make a typo and have to try again.
No, it's not. (Score:4, Insightful)
The only interesting thing here is that you discovered a cheapo home device that doesn't mask passwords, fortunately in a situation (i.e. at home) when shoulder surfing is a non-issue anyway.
Come back when you've got more than one data point, eh?
Masquerade (Score:2)
Which is why you then resort to first typing it in an editor, defeating the purpose of the masking, to subsequently copy it to the password field.
Except of course when the programmer of the password field was such an intolerable and incompetent turd that she disabled pasting into the field; that unfortunately also happens.
And those same idiots also have a "confirm email" field that also disallows pasting. Even more so than the password field, that one makes no sense.
I use control-v as a special character in my passwords, you insensitive clod.
Assuming the site/application/whatever supports it, you could go with a longer password and restrict it to the Base32 [wikipedia.org] character set. For me, the best reason to use it is:
The alphabet can be selected to avoid similar-looking pairs of different symbols, so the strings can be accurately transcribed by hand. (For example, the RFC 4648 symbol set omits the digits for one, eight and zero, since they could be confused with the letters 'I', 'B', and 'O'.)
It makes it very nice when dealing with storing passwords in such a way that the presentation font makes some of the characters confusing or when having to tell someone the password over the phone.
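An added example, not part of the original comment: it works out how much longer a random password restricted to the RFC 4648 Base32 alphabet must be to match the entropy of a random password drawn from all 94 printable ASCII characters, then generates one and groups it for reading aloud. The function names and the 4-character grouping are assumptions made for illustration.

```python
import math
import secrets

# RFC 4648 Base32 alphabet: A-Z plus 2-7 (no 0, 1, 8 or 9).
BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
PRINTABLE_ASCII = 94  # printable ASCII characters, space excluded


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size, bits):
    """Shortest length over the alphabet that reaches at least `bits`."""
    return math.ceil(bits / math.log2(alphabet_size))


def generate_base32_password(length):
    """Random password using only the Base32 alphabet (CSPRNG-backed)."""
    return "".join(secrets.choice(BASE32_ALPHABET) for _ in range(length))


def group(password, size=4):
    """Hyphen-separated groups for dictation; hyphens are display only."""
    return "-".join(password[i:i + size]
                    for i in range(0, len(password), size))


def base32_equivalent(mixed_length):
    """Base32 password at least as strong as a random printable-ASCII
    password of `mixed_length` characters."""
    target = entropy_bits(PRINTABLE_ASCII, mixed_length)
    return generate_base32_password(
        length_for_bits(len(BASE32_ALPHABET), target))


if __name__ == "__main__":
    for n in (15, 24):
        pw = base32_equivalent(n)
        print(f"{n} printable-ASCII chars "
              f"({entropy_bits(PRINTABLE_ASCII, n):.1f} bits) -> "
              f"{len(pw)} Base32 chars: {group(pw)}")
```
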
My favorite is trying to enter 15 character randomized passwords into a "force mask" field.
My favourite is entering a 24 character randomised password into websites/software where the retarded morons designing it felt they knew better than me and blocked/intercepted paste. Or, almost as bad, websites/software that relies on keypress events to cause their processing to do something with my password. ReviewBoard does this with its comments fields - if I paste from a pre-prepared note it is unaware that I've edited the comment field.
The algorithm always seems to pick confusing characters like `'|][;: I often have no idea if I'm even attempting to enter the correct password, let alone if all the rando miscreant characters were entered as intended.
If you use KeePass you can configure it to not use so many confusin
Kids... (Score:3)
No, it is not going away, because it is more than just shoulder surfers that look at your screen. For example when you need to login while projecting the screen in a conference room, or sharing it during an online meeting. Now, get off my lawn. Please.
This is why I never connect to a projector with the screen duplicated - always extended.
Praise (Score:1)
Praise the lord for the demise of that insane masking habit. I've been rallying against it since I first encountered it, which was still in the DOS era.
If anything, it should be optional. If no option is given, not masking it is /the better/ choice.
They could be worse. They could just give no discernable response like a tty shell login...
Are You a Great Typist? (Score:2)
I've only known a few IT guys who were great typists.
There's not a decent-quality password today that can be reliably typed by somebody who is not a great typist. If you are not masking, users will use better passwords. That's all.
"correct horse battery staple" would like to disagree with you. The reality is that putting in special characters, mixed case, and numbers doesn't do nearly as much to increase password complexity compared to simply making them longer. For the network I operate, I now just have a policy of a minimum of 12 characters. I tell my users to make up a silly little rhyme or ditty that they can remember, and use that as their password. Easy to remember, hard to crack, and easy to type.
<input type="password"> (Score:2)
Are we talking about web sites that use type="text" rather than type="password"? If so, then no, never ever ever is that appropriate for a password of any kind.
If we're talking about the UI of an app (either the browser or otherwise) giving the user an option for whether or not to mask, then that's a different discussion.
Is this the right forum for the question? (Score:2)
Lots of app developers here but how many people here are doing OS/Device/Resource human interaction specifications?
Are Passwords on their way out? (Score:2)
Maybe a better question is, are passwords on their way out with inexpensive and reliable fingerprint scanners being standard on many devices and other ones having the user unlock them with a user-defined zig-zag pattern leading up to iris and facial recognition technologies. Maybe there are brain wave patterns that are unique to a user (let's see the NSA hack that).
If anything, I would expect secure logins to become easier for the responsible person to gain access easier while doing a better job of verifyi
Revelation ... (Score:2)
... ring a bell with any of you out there?
If so, reply with the name of the supplier.
You want your password unmasked? (Score:3)
Make it a bunch of asterisks.
Done.
Because of new "Not Secure" browser messages (Score:2)
If you get a password field on a web page the browser will display various scary looking messages depending on the security of the page.
Generally if it's a local network page with an IP address (most router interfaces) having the password field will have the browser alert you the page is "Not Secure" in the address bar. If it's a self signed certificate (which adds encryption between you and the browser), the message is even scarier with red fields or strikethroughs as a spoofed certificate COULD be playing a
100% useless. (Score:2)
Yes, it is only for a shoulder surfer. Honestly, if you want people to use complex passwords you have to show them the freaking string as they type
ASDq3fwtevybtynsR&56@%^25tqer7gRT*Ubt&tferyweF
for their password