
Obfuscating Passwords in Forms

Most are familiar with password fields in Web forms. When you use a password field, anything the user types is obfuscated. This is, to my knowledge, to reduce the danger of shoulder surfers stealing the password by reading the screen as it’s typed in. As long as I’ve used computers, this has been standard practice—the IBM Selectric terminals I used in 1976 would pre-print multiple characters on the paper before having you type your password so it couldn’t be stolen from the printout.

What would you think of a social networking Web site that, in the interest of reducing friction for people who aren't computer literate, simply let passwords be typed into a normal input field, visible on the screen? How dangerous is that? Is the danger small enough to trade off against the ease-of-use that would result? In short, is password obfuscation an idea that is now simply perpetuated without thought, or is it still a vital part of security?

Posted by windley on May 18, 2007 10:59 AM
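
As an added example (not code from the original post or from any of the commenters), here is how the "Hide password" checkbox that one commenter describes below could be wired, together with the two points the discussion keeps circling back to: masking changes only what is drawn on the screen, not what goes over the wire, and a field left as plain text at submit time can land in the browser's autofill history. The element ids `pw` and `show`, the form layout, and the `example.invalid` placeholder base are assumptions for this example; the pure functions run under Node, and the DOM wiring is only used in a browser.

```javascript
// Added example: a "show password" toggle with the two caveats the discussion raises.
// Assumptions for this example: a form with <input id="pw" type="password" name="password">
// and a checkbox <input id="show" type="checkbox">; nothing here is from the original post.

// Minimal field model so the logic can run without a DOM. In a browser, pass the real
// <input> element instead: it exposes the same name/value/type/autocomplete properties.
function createPasswordField(name, value) {
  return {
    name,
    value,
    type: 'password',                 // masked on screen by default
    autocomplete: 'current-password', // marks the field as a credential for the browser
  };
}

// Flip only the on-screen masking. The value is untouched; just the rendering changes.
function setVisible(field, show) {
  field.type = show ? 'text' : 'password';
  return field.type;
}

// Re-mask before the form leaves the page. A field that is type=text at submit time can
// end up in the browser's form-history autofill cache (the complaint in the comments about
// an unmasked security question); type=password fields are excluded from that cache.
function prepareForSubmit(field) {
  setVisible(field, false);
  return field.type === 'password';
}

// Masking is display-only: the encoded request body is identical whether the field is
// rendered as type=password or type=text, so masking protects nothing on the wire.
function encodeFormBody(fields) {
  return fields
    .map((f) => `${encodeURIComponent(f.name)}=${encodeURIComponent(f.value)}`)
    .join('&');
}

// What does protect the wire is TLS. Resolve the form's action against the page's own
// protocol and refuse to post a credential over plain http. (example.invalid is a
// placeholder base used only to resolve relative actions.)
function transportIsSafe(formAction, pageProtocol) {
  const target = new URL(formAction, `${pageProtocol}//example.invalid/`);
  return target.protocol === 'https:';
}

// Browser-only wiring for the assumed element ids. Returns false if they are missing.
function wirePasswordToggle(doc) {
  const pw = doc.getElementById('pw');
  const show = doc.getElementById('show');
  if (!pw || !show || !pw.form) return false;
  show.addEventListener('change', () => setVisible(pw, show.checked));
  pw.form.addEventListener('submit', (event) => {
    prepareForSubmit(pw);
    if (!transportIsSafe(pw.form.action, doc.location.protocol)) {
      event.preventDefault(); // do not send the password in the clear
      console.error('Form would send the password unencrypted; refusing to submit.');
    }
  });
  return true;
}

if (typeof document !== 'undefined') wirePasswordToggle(document);
```

The checkbox gives the user the "debug what I typed" option without making plain text the default, and `prepareForSubmit` closes the autofill hole that the toggle would otherwise open. The `transportIsSafe` check is the client-side half of the answer to "what if it is masked on the screen but sent in the clear": the real fix is serving the login form and its action over HTTPS, which the browser cannot do for you.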

12 Comments

Comment from Peter at May 18, 2007 11:23 AM

Certainly the passing of dumb terminals and the rise of the internet made "shoulder surfing" less of an issue. However, those who are less computer literate are much more likely to be using shared computers to access the internet, whether in an internet cafe, public library, school computer lab, etc. I think that on-screen obfuscation is still a good idea, and it should be up to individual websites to determine if they should provide help or explanation for it, given that they know their traffic and customers better than anyone else.

Comment from William at May 18, 2007 12:43 PM

It should be OK as long as they also ask all users to type "Windley" for anti-spam. :)

I get that "naked" feeling when I see my passwords in plain text.

I like the "Windley" idea. That made me laugh.

Comment from C.E. Lopes at May 18, 2007 2:40 PM

It may not be vital for security, but it is expected by computer literate and non-literate people. It may even be security theater (what if the password is obfuscated on the screen but sent in the clear to the server?), but people just need it to be there. See the comment above about feeling naked... :-)

And should you risk it, since there will be no good way to measure why it is that people are not coming back to your site, i.e. are they not coming back because they feel unsafe over the clear-text password?

Comment from RSBohn at May 18, 2007 2:52 PM

I'd rather have it obfuscated on screen. My bank just added a secondary security question I have to enter every time I access my account online. It isn't a password field, so it isn't obfuscated, and it is in my autofill cache on some of my computers. I don't like that!

On the other hand, the WEP password for my wireless is 26 characters long, and I have to blind type it twice in Windows in order to connect. I hate that! I wind up typing it into Notepad, then copy-pasting it to the wireless connection dialog. If they insist on obfuscating they could at least show you where your entries don't match on the double-entry form.

Comment from Luis Bruno at May 19, 2007 7:15 AM

Have you ever used a javascript-based virtual keyboard to enter a PIN number? How did you feel using it? One of the banks I use even disables the "password" box, but my greased sea monkey helps with their cluelessness.

For another bank account of mine, the authentication gets me read-only access. Any "interesting" operation must be confirmed using what looks like a one-time pad but sadly isn't.

I guess the uncomfortable feeling of typing a plain-text password disappears if I know the site is using it so I can claim my session (think reddit). If I'm going to do any special operation, please let me use stronger security.

PS: lbruno(Luis )@(Bruno)100blossoms.com is a valid address.

I was delighted to find a site recently (sorry, I don't recall the link) that obfuscated my password entry by default with the usual asterisks, but had a checkbox checked labeled "Hide password" that you could de-select to see what you're typing. Handy if you're on an unfamiliar keyboard or running into funny problems with a shift key stuck down, etc. That's the right use case: by default, exposing your password is inadvertent disclosure, but being able to debug it ought to be an accessible option. Empower the user!

I can't think of a single time I've ever written any web site/application without password obfuscation. I do, however, see a disturbing number of sites collecting passwords without using HTTPS. That gives me the willies.

Thanks for this survey. Most design is rote and I'm sure obfuscated passwords are simply habit that errs on the side of procedurality rather than function.

An extension of this approach would be to provide a captcha image composed of real words like "toplion", as some sites use. Instead of using that as only a Turing test, I suggest we ask the newbie to enter the recognizable string, as their starting password, into a single password entry field, obfuscated by default, so the hurried member would only have to type the string once.

In my idealized signup scenario, the new member need only type a desired username and the captcha string and hit enter. The system knows if the string is correct. I prefer to not even require an email address at that time, but request it later in the session or on the next login.

Comment from Zhasper at May 20, 2007 7:46 PM

Used a Wii to sign into a website? Waving that hand around over the on-screen keyboard exposes your password to anyone in the room.

Comment from minikperi at November 29, 2007 12:41 PM

Thank you
