John Gruber’s Daring Fireball pointed me to Jakob Nielsen’s Alertbox column Stop Password Masking, which resulted in a thoughtful and interesting thread of conversations and a few experimental solutions. Password masking refers to the practice of displaying an alternate character, usually a star or a bullet, in place of the actual characters typed into a password field. The idea is that this prevents another party from viewing the password while it is entered. Nielsen argues that in most cases masked passwords are not needed, since shoulder surfing is not a major issue, and that it is even less of an issue on mobile devices. He says masked passwords often reduce usability by increasing the number of errors, since users cannot see what they are typing. This problem is further compounded on mobile devices, where typing is more difficult and slower. Because users are less certain about what they are typing, they are much more likely to choose simplistic passwords or to copy and paste passwords from less secure locations. Nielsen says that high-value password forms should offer an optional checkbox for masking passwords so that masking can be used on an as-needed basis.
Jason Montgomery’s Response to Nielsen’s “Stop Password Masking” on the SANS Institute’s Application Security Street Fighter Blog provides a more nuanced commentary on the tradeoffs between security and usability for password masking. Montgomery argues that Nielsen’s points are valid and suggests that password managers, passphrases, and two-factor authentication can sidestep some of the problems by increasing both the security of stored passwords and the ease of recalling them. Earlier I reviewed 1Password, a password manager for Mac and iPhone that I use daily.
Bruce Schneier, a respected security expert, agreed with Nielsen in his brief response, The Problem with Password Masking. His post generated a large number of comments, which caused Schneier to temper his opinion in a later article, The Pros and Cons of Password Masking. Schneier concludes that even though there are significant downsides to password masking, the practice is less problematic than either not masking passwords at all or complicating the interface with an optional password masking checkbox. The second article also generated a thoughtful discussion in the comments. In Strong Web Passwords, Schneier summarizes the Usenix HotSec07 article Do Strong Web Passwords Accomplish Anything? by Florencio, Herley, and Coskun, which argues that complex passwords do little to increase security when adequate policies are in place to limit the number of password attempts. Schneier suggests that the password masking used on BlackBerries with SureType (non-QWERTY) keyboards and on the iPhone (see: iPhone 2.0 password masking), which shows the current character and masks all previous characters, is a reasonable alternative.
Farhad Manjoo’s Slate Magazine column, Fix your terrible, insecure passwords in five minutes, offers a solid set of suggestions for creating better passwords and describes why this is important in light of the recent Twitter break-in. Macworld’s Joe Kissell offers his own set of suggestions for creating better passwords in a series of articles listed in Top password tips.
The ongoing discussion led several developers to create prototypes that demonstrate password masking techniques. Each implementation has an online demo and source code publicly available. All prototypes are currently written in jQuery.
- Stefan Ullrich’s iPhone-like password fields using jQuery and Oliver Storm’s Mypass each implement a password masking field, similar to the iPhone and BlackBerries with SureType, that displays the character currently being typed but masks all previous characters by replacing them with bullets.
- Byron Rode’s showPassword is a jQuery plugin that implements a password entry field that defaults to fully masking the password with bullets, but also includes Nielsen’s proposed checkbox to display the password when requested.
- arc90 created two experimental password masking implementations. The first, HalfMask, creates a masking effect by placing translucent random characters on top of the original password characters. This allows the person entering the password to view the original, with some concentration, but makes it far more difficult for another person to casually observe the password. The second implementation, HashMask, masks the password in the standard way by replacing each character typed with a bullet, but adds a visual representation of the password in the form of a sparkline. This way the person entering the password has a visual indication that the password is correct, although they need to remember the sparkline.
- Mattt Thompson’s Chroma-Hash was inspired by arc90’s HashMask and masks passwords in the standard way, but adds a visualization of the password as it is typed using colored bars generated from a hash of the password. This allows users to quickly check that the visual representation is correct before pressing submit. It has the side benefit of allowing fast comparisons when password confirmations are required for entering new or changed passwords. Lee Gao created pyChroma, a Chroma-Hash implementation in Python, which has source code available but unfortunately no online demo.
Finally, Kevin Vigneault considers several other related options in his post Confirming Passwords Is Annoying: Is There a Better Way?, which grew out of an IxDA thread, “Confirm password” field - Superfluous?, that appeared several months before Nielsen’s column.
* This article originally appeared as Trends in Password Masking Security and Usability in my Messaging News “On Message Column.” Article updated July 31st, 2009 to add additional references.