Friday, June 26, 2009

A call to stop password masking - I agree

I came across this post by Jakob Nielsen (via Bruce Schneier) that calls for an end to the practice of "password masking" - that is, showing asterisks instead of the typed characters for passwords:
Username: vwelch
Password: *********
I believe this is a security best practice that carries over from a very different time (~30 years ago) when computers were too expensive to be private systems and existed almost exclusively in public places (remember computer labs?). Hence passwords were almost always typed with someone potentially looking over your shoulder.

These days 95%+ of the time, I'm typing when I'm the only one in the room, or with my back to a wall, or in some other situation where I'm just not worried about someone spying. I'm also typing on a variety of devices with alternative keyboards, e.g. iPhones, that make typing long passwords difficult, and there is nothing more frustrating than typing a 24-character password only to be told there is something wrong with it without being able to see what (reminds me of a demented game of Mastermind).

Now certainly there are situations where masking is good - you are sitting in an airport, giving a demo, etc. - so I believe there certainly should be an option to mask (or maybe masking is the default and there is an option to unmask; that seems like a minor point). But I believe not giving the user the ability to tune this particular security-usability trade-off to fit their situation is a mistake. Unlike many other security decisions, this is one I believe people will intuitively know when to make, as it is very much rooted in the physical world, where people's intuition works reasonably well.

The main lesson here is that "best practices" are often created for a certain time and environment. Things change - very rapidly where the Internet and computers are concerned - and we need to regularly re-examine these things and not accept them as gospel.