Most people are familiar with password fields in Web forms. When you use a password field, anything the user types is obfuscated. This is, to my knowledge, to reduce the danger of shoulder surfers stealing the password by reading the screen as it's typed in. As long as I've used computers, this has been standard practice--the IBM Selectric terminals I used in 1976 would pre-print multiple characters on the paper before having you type your password, so it couldn't be stolen from the printout.

What would you think of a social networking Web site that, in the interest of reducing friction for people who aren't computer literate, simply let passwords be typed into a normal input field and be visible on the screen? How dangerous is that? Is the danger small enough to trade off against the ease of use that would result? In short, is password obfuscation an idea that is now simply perpetuated without thought, or is it still a vital part of security?


Last modified: Thu Oct 10 12:47:19 2019.