Home page logo

pauldotcom logo PaulDotCom mailing list archives

Stop Password Masking
From: mike.patterson at unb.ca (Mike Patterson)
Date: Fri, 26 Jun 2009 10:51:47 -0400

That's addressed in TFA.

You may disagree with his reasoning, but he didn't forget about it either.

I'm not sure I agree with him either.  That said, I won't type if
somebody's watching me, masked or not.  I wonder if it might almost be
safer - I work with sysadmins who will happily type passwords in with
users right there, but if their password showed up on the screen, they
might send the user out, or at least make them turn around.  Of course,
that's probably also the same kind of thinking that says people would be
safer drivers if we put a HUGE FREAKING SPIKE in the steering column and
banned seatbelts.

If I happen to be around when somebody's typing a password in, I make a
point of turning around.


Joel Esler wrote on 6/26/09 9:20 AM:
What about Shoulder surfing?  Haven't you ever watched "Hackers"?


On Fri, Jun 26, 2009 at 8:40 AM, Aaron<subdriven at gmail.com> wrote:
I read an interesting article about removing the mask from passwords.
For mobile devices I think it would be a great idea. For some
desktops, I know it would cut down on support calls. In other
instances I think they must stay masked. I was just wondering what the
rest of the PDC list thought. I have links to the articles below.

Usability suffers when users type in passwords and the only feedback
they get is a row of bullets. Typically, masking passwords doesn't
even increase security, but it does cost you business due to login

Main article here: (http://www.useit.com/alertbox/passwords.html)

which was also posted to slashdot here


Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
Main Web Site: http://pauldotcom.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]