Security, Productivity, and Usability in the Enterprise

During interviews I conducted for my dissertation research, I asked individuals how security policies and systems affected their daily lives in terms of productivity, work, and personal communication. Interviewees gave many examples of tradeoffs between security and usability. People understood the reasoning behind many of the security restrictions. However, these implementations often significantly reduced productivity and frustrated employees' everyday work practices and basic personal communication needs. Many implementations actively motivated employees to subvert security protections. The lengths to which people went to "work around" what they perceived as overly restrictive security and compliance implementations led to distinctly counterproductive outcomes in terms of overall security.

Security implementations in systems and security policies vary widely across the enterprise. These systems can help prevent unauthorized access and the dissemination of proprietary business information and confidential customer data. Security and compliance systems are also essential to passing an audit. The effectiveness of a system's security is directly related to the overall user experience of the system. Security implementations that do not adequately consider a range of factors, including existing work practices, the overall usability of the system, and basic social communication requirements, may have serious negative consequences for morale, productivity, and information security.

Unsurprisingly, interviewees often responded that they were more concerned with job performance and completing the tasks at hand than with complying with corporate security policies. In short, they were far more worried about losing a job or a promotion from not getting their work done than they were about violating security policies. Don Norman summarized the problem nicely as "The more secure you make something, the less secure it becomes."

People did not distinguish between the technology failing, not understanding how the technology works, and not realizing that a task was technically infeasible. In one example, an employee had tried to work from home over the weekend. This employee was not able to access the corporate network, because the VPN was inoperable over the weekend and the situation was possibly complicated due to a user misconfiguration. The following Monday morning, the employee was rebuked for not completing the project by the deadline.

Institutions that do not pay attention to employees' perception that they can be productive and efficient when implementing security policies may find their employees at odds with those policies. The employee perceived the situation as a technological failure that prevented the work from being completed. This had significant consequences, as the employee began to regularly copy data to an external device or via a personal email account to ensure they would be able to work. It is easy to criticize employees who violate security policies and argue they should be reprimanded or fired. However, in nearly every case in my interviews, the employees who violated policies did so to work around situations the company could have avoided through a more nuanced implementation that took productivity into account. In the particular case of the VPN, it was clear there were widespread problems with remote access that led to undesirable methods of replicating data.

Companies would be rewarded with higher levels of job satisfaction and productivity if they took greater efforts both to explain security policies and to ensure that users, especially mobile users, were not regularly prevented from communicating or managing documents. In these cases employees were appreciative of how productive the system allowed them to be while still mindful of the risks involved. Explaining the reasoning behind the policies and implementations goes a long way toward improving compliance. In the now classic paper "Users Are Not the Enemy," Adams and Sasse found that individuals did not have an adequate understanding of security issues and that security mechanisms were not adequately explained to them. In addition, the authors found that security departments did not understand their users' perceptions of security or their needs. The lack of understanding combined with the lack of communication resulted in reduced security overall.

Many businesses could reduce the risk of compliance violations by taking into consideration their employees' everyday communication needs and practices. Internal needs assessments, possibly including surveys and interviews, can be used to determine how well corporate needs for security and compliance align with employees' work practices and other communication needs. Security policies and compliance systems that take social factors, work practices, and overall understanding of the reasoning behind the requirements into consideration will be far more effective than those that do not. Unfortunately, it seems that this is the exception and not the rule.

References

A. Adams and M. A. Sasse. Users are not the enemy. Communications of the ACM, 42(12):40–46, 1999.

D. Norman. When Security Gets in the Way.

You should follow me on Twitter.

The World is Not Flat and Neither Are Social Networks

Now that I and the rest of the Internet have grown accustomed to Google Plus and Facebook's most recent friend categorization features, I thought it was time to revisit and revise a previously unpublished piece of mine. Take a moment and think about your friends, family, colleagues, friends of friends, acquaintances, and members of the same social club. These six groups could comprise a large part, but certainly not all, of the people that you know. You may also have extended family, classmates, fellow members of sports teams and religious associations, and the familiar strangers you recognize but whose names you don't know. To further complicate matters, the people in these groups often change over time as we move through life. How we conduct ourselves depends on the situation. It is highly unlikely that you act the same way around your grandmother as you do at a party with your friends, and people do not expect you to act the same way. Your friends, work colleagues, and extended family do not all know each other, and I suspect that in many cases you would like to keep it that way. For this reason, it seems odd to expect that our interactions in online social networks would be any different.

I had the final word in Erica Naone's Technology Review article Can Google Get Social Networking Right? Naone's piece argues that Google needed to dramatically improve its social offerings to compete against Facebook. She asked me to comment on Google's social services such as Buzz and Profiles and how they might interact with users' search history. It is interesting to see how much the discussion has changed since the article appeared. Disclosure: I worked as an engineering intern on Google Accounts during 2005-2006, but this was well before any of Google's social options existed. I responded with a discussion of broad problems I saw with social network services. The following quote in Naone's article mostly reflects my statements, although the quote makes it appear that I am singling out Facebook for criticism, which misses the point that I think this is a fundamental problem across many social networks.

“Facebook, meanwhile, has its own problems, and some of these could turn out to be opportunities for Google. Ben Gross, an expert in online identity, notes that Facebook and other social networks don’t accurately differentiate between people’s social connections, making their social graph information less valuable to users and advertisers. For example, social networks tend to put all of a user’s connections into a single group of “friends,” and expect users to manage complex privacy settings to sort out family, work connections, and bar buddies. “Social network services should not assume that networks are flat, or that people are willing to put in the effort to articulate these networks or that they even want to,” he says.”

My full response from which the quote was taken follows below. I fixed a few typos, but it is otherwise unedited.

“I see several consistent problems with many of the social network services. First, they often unify disparate social networks in ways that do not match people’s actual experience and may not even make sense to them. In order to have a real representation of people’s social networks, they would have to fully articulate these networks to the service, which is a pretty unnatural thing to do. For many people the edges of the network shift regularly. Most social network services do not make it easy to maintain multiple independent networks on the service. It is common for people to maintain independent social networks, where individuals may not want the networks unified and people may not even care or wish to know about the other networks. For example, one’s extended family vs. one’s work colleagues vs. one’s friends they have brunch with on the weekend. The idea that there is a single flat network is sort of ridiculous.

I often hear people say that people who want to maintain independent identities or networks are somehow up to no good. I have interviewed quite a few people about this topic for my dissertation. It's clear that people's lives are complicated and their identifiers and networks reflect this. If you think about it, it is not at all strange for someone to want to separate their work life, from their family life, from their friends, or all manner of combinations. The boundaries of these relationships shift and behaviors vary widely. Social network services should not assume that networks are flat, that people are willing to put in the effort to articulate these networks, or that they even want to. Also, for many people, they may have portions of their network that they are connected to online and therefore the online representation of their network may be very skewed. Even if people are connected to multiple networks online, they may use different social network services for different social networks. For example, it is not unusual for people to primarily have email conversations with some connections, use AIM for others, Google Talk for others, SMS for another group, and Facebook for yet another. Each service would be missing the chunk of connections for the other service."

You need context to create a meaningful representation of a person's social network. To make matters worse, that context shifts constantly, as do people's social relations, particularly those with whom we have weak connections. This is why people often see online social network representations as a cartoonish view of their own complex and ever-changing social worlds. This is not a new revelation about social relations. William James published the following in 1890.

Properly speaking, a man has as many social selves as there are individuals who recognize him and carry an image of him in their mind. To wound any one of these his images is to wound him. But as the individuals who carry the images fall naturally into classes, we may practically say that he has as many different social selves as there are distinct groups of persons about whose opinion he cares. He generally shows a different side of himself to each of these different groups. Many a youth who is demure enough before his parents and teachers, swears and swaggers like a pirate among his ‘tough’ young friends. We do not show ourselves to our children as to our club-companions, to our customers as to the laborers we employ, to our own masters and employers as to our intimate friends. From this there results what practically is a division of the man into several selves; and this may be a discordant splitting, as where one is afraid to let one set of his acquaintances know him as he is elsewhere; or it may be a perfectly harmonious division of labor, as where one tender to his children is stern to the soldiers or prisoners under his command.

It is important to recognize that forcing people to interact with their social relations as a flat network has many undesirable consequences. Figuring out how to restore a more natural balance to social relations is a grand challenge for social networks. The people we think of as friends, enemies, and acquaintances change over time as friendships intensify and cool and we move through life phases. Also, complete visibility in networks is not always desirable or healthy. When we remove people's choice to disclose their relationships and group memberships, we strip them of something that is fundamentally human. Providing people with only one option for presenting themselves at a time denies them an important means of self-expression that is also fundamentally human.

I find it heartening to see how much has improved over the last year, as both Google Plus and Facebook have dramatically improved the situation by allowing us more options to interact naturally with different social spheres. Framing choices about self-presentation as choices about privacy misses the point that the issue is usually about context. When social networks lack context, they force people to articulate everyone who should be included in or excluded from a particular interaction. In these cases, the cognitive overhead of potentially making this judgement for each interaction is staggeringly high. Unless you are a public figure, you likely never need to decide whether what you say is appropriate or even remotely interesting to someone you went to grade school with, someone you went to college with, a work colleague, your aunt, your next door neighbor, and a dear friend. We should not force people to work this hard unnecessarily.

References

danah michele boyd. Friendster and publicly articulated social networking. In CHI '04 extended abstracts on Human factors in computing systems, pages 1279–1282, New York, NY, USA, 2004. ACM. Articulated Social Networks: An Ethnographic Study of Friendster.

Erving Goffman. Presentation of Self in Everyday Life. Anchor Books, New York, 1959.

Francesca Grippa, Antonio Zilli, Robert Laubacher, and Peter A. Gloor. E-mail may not reflect the social network. In Proceedings of the North American Association for Computational Social and Organizational Science Conference, 2006.

Ido Guy, Michal Jacovi, Noga Meshulam, Inbal Ronen, and Elad Shahar. Public vs. private: Comparing public social network information with email. In CSCW '08: Proceedings of the ACM 2008 conference on Computer supported cooperative work, pages 393–402, New York, NY, USA, 2008. ACM.

Kai Fischbach, Peter A. Gloor, and Detlef Schoder. Analysis of informal communication networks – a case study. Business & Information Systems Engineering, 1:140–149, 2009.

William James. The Principles of Psychology, volume 1. Henry Holt & Co., 1890.

Hat tip to Gaurav Mishra, whose similarly titled article The World is Not Flat and Neither is the Social Web (site is currently offline), from 2008, I found after I finished writing this post.


OpenID Trends: Improved Usability and Increased Centralization

The OpenID authentication framework is the most well known of the federated user-centric identity systems. OpenID has effectively become the first commonplace single sign-on option for the Internet at large. Most sizeable Web-based service providers, such as AOL, Google, Facebook, Microsoft, MySpace and Yahoo!, have integrated at least limited support for OpenID. Services often run OpenID authentication side-by-side with their in-house developed authentication or as an alternate method of authentication. Once the user has authenticated via their OpenID Provider, their credentials can be used to automatically sign the user into other services previously linked to their OpenID. Widespread support has made OpenID the de facto authentication mechanism for low-value transactions on the Web.

Two quick and somewhat loose definitions. An OpenID Provider is part of the backend of an identity system that offers authentication services to other systems, known as OpenID Relying Parties. Say your favorite blog requires that you log into Google to verify your identity to comment on a post. In this case Google would be the OpenID Provider (Identity Provider is the generic term) and your favorite blog would be the Relying Party, since it depends on Google to handle the details of authenticating you so you can post.

Usability

OpenID has made great improvements in usability in the last several years. Many people found early OpenID implementations confusing. Users needed to first enter the URL that served as their OpenID identifier, such as http://username.openidprovider.com. Without an existing cookie, users would then have to enter their email address and password to complete the authentication. In addition, the user's browser window was typically redirected to the OpenID Provider's site and then redirected back to the service they were trying to log into, resulting in further confusion. Service providers found that the combination of URL-based identifiers and a login sequence that differed from the entrenched standard of a username and password combination confused many people.

Each of these factors significantly reduced the usability of OpenID. However, OpenID specifications and implementations have evolved to mitigate and eliminate many of the usability problems. In many current deployments, users simply click on the logo of their OpenID Provider (e.g., Google or Yahoo!) and then log in with familiar credentials without realizing the authentication is OpenID-based. One significant unsolved usability problem is that OpenID offers no support for Single Log Out. In the case of public or shared computers this is a significant security risk as well as a usability problem, as subsequent users may find themselves signed in under the wrong user name when navigating to new sites.

User-centric identity theoretically offers the end user more control over his own identifiers; however, in practice the amount of control depends on how much control the user has over the domain name or service behind the OpenID URL. Users may maintain multiple OpenIDs, and OpenIDs may be delegated. For example, an individual may wish to use a personal domain as an OpenID URL. The problem is that this requires the skills to run an OpenID server as well as the overhead of maintaining and securing that server. There are two straightforward solutions to OpenID delegation, both of which require some technical facility. The first, and most common, requires inserting a block of HTML containing the delegation commands on a Web page on the site being delegated to the OpenID Provider. The second requires adding an additional DNS CNAME for a host on the site that is being delegated to the OpenID Provider. Most individuals are highly unlikely to have this knowledge, the desire to obtain it, or even the awareness that it exists.
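The HTML-based delegation described above, seen from both sides, as an added example that is not part of the original article or of any OpenID library: the link block a user places on a page at their own domain, the Relying Party's discovery of that block, and the check a Relying Party must make against the Provider's later assertion so that a Provider can only vouch for identifiers that actually delegate to it. The function names, the sample domains and the page markup are all constructed for this example; the CNAME approach is not shown.

```javascript
// Added example (not from the original post or any OpenID implementation).
// All function names and sample URLs below are this example's own.

// Build the HTML block a user places on the page at their personal domain so that
// the page URL (the Claimed Identifier) delegates authentication to a Provider.
// Both the OpenID 1.1 (openid.server/openid.delegate) and OpenID 2.0
// (openid2.provider/openid2.local_id) link relations are emitted.
function buildDelegationHtml(providerEndpoint, localId) {
  const esc = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return [
    `<link rel="openid2.provider" href="${esc(providerEndpoint)}">`,
    `<link rel="openid2.local_id" href="${esc(localId)}">`,
    `<link rel="openid.server" href="${esc(providerEndpoint)}">`,
    `<link rel="openid.delegate" href="${esc(localId)}">`,
  ].join('\n');
}

// Relying Party side: inspect the <link> start tags of the page fetched from the
// Claimed Identifier URL and return what was discovered. Only <link> tags are
// scanned with a small attribute matcher; a full HTML parser is not needed here.
// OpenID 2.0 relations take precedence over 1.1 ones; with no delegate/local_id
// the Claimed Identifier itself is the identifier the Provider knows.
function discoverDelegation(html, claimedId) {
  const rels = {};
  const linkTag = /<link\b([^>]*)>/gi;
  const attr = /([\w.:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = linkTag.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attr.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    if (!attrs.rel || !attrs.href) continue;
    // rel may carry several space-separated relations; the first href seen for
    // a relation wins, as later duplicates are ignored in discovery.
    for (const rel of attrs.rel.toLowerCase().split(/\s+/)) {
      if (rel && !(rel in rels)) rels[rel] = attrs.href;
    }
  }
  if (rels['openid2.provider']) {
    return { version: 2, claimedId, opEndpoint: rels['openid2.provider'],
             localId: rels['openid2.local_id'] || claimedId };
  }
  if (rels['openid.server']) {
    return { version: 1, claimedId, opEndpoint: rels['openid.server'],
             localId: rels['openid.delegate'] || claimedId };
  }
  return null;
}

// After the Provider redirects the browser back with a positive assertion, the
// Relying Party compares the assertion with what it discovered on its own rather
// than trusting the Provider's statement of whom it speaks for. Without this
// check any Provider could assert any identifier, including ones that never
// delegated to it. `assertion` holds the openid.* parameters of the response.
function assertionMatchesDiscovery(discovered, assertion) {
  if (!discovered) return false;
  return assertion['openid.op_endpoint'] === discovered.opEndpoint &&
         assertion['openid.claimed_id'] === discovered.claimedId &&
         assertion['openid.identity'] === discovered.localId;
}
```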

Centralizing the Decentralized

OpenID was designed as a decentralized, federated, user-centric identity system. The OpenID infrastructure as a whole is decentralized. There are no dependencies on any single piece of hardware, software, service, individual, or company. The independent OpenID Foundation holds the intellectual property for the OpenID standards. The lack of dependencies removes the vulnerability of a catastrophic single point of failure.

I would argue that the common use cases for OpenID are increasingly centralized and that realistic options for individuals to have any real control over their OpenIDs are decreasing. I recognize that some may argue with the last statement, but I would like to use a simple metric, which is the answer to this question: Can you take it with you? In the vast majority of common use cases, the answer is no. I would argue that the only viable way to have a truly user-centric OpenID is to own a domain name and to have control over its DNS. The lack of end-user control does not mean the system functions any less efficiently, the opposite is quite likely true, but it does mean that it is not particularly user-centric.

In practice, OpenID appears to be heading towards greater centralization for Web-based authentication. Many services that offer OpenID authentication only accept authentication from a very limited set of OpenID providers. Services that accept OpenID authentication from any OpenID provider often place the general authentication in a less prominent location. Service providers have an incentive to limit authentication services they accept as it can significantly reduce risk and complexity and most users already have credentials from one of the major service providers. I believe this situation is not inherent to OpenID and would likely occur with any successful user-centric identity system. For example, Twitter does not support OpenID, rather it uses OAuth for both external authorization as well as authentication. Many services offer support for authentication via Twitter OAuth in the same interface as other providers that use OpenID.

Furthermore, most large OpenID-enabled services are Identity Providers, meaning they offer an authentication mechanism to other services. Most smaller OpenID-enabled sites are OpenID Relying Parties, meaning they accept authentication from OpenID Providers. OpenID Providers typically offer authentication services but do not accept outside OpenID authentication themselves. Effectively, a few OpenID Providers serve many OpenID Relying Parties. Being able to delegate the development and maintenance of user account management systems and password reset flows is a benefit of offering authentication as an OpenID Relying Party. In addition, these services gain the benefit of any advances in OpenID security and usability.

OpenID Increasingly Popular

In the close of my 2008 article: “The Promise and Problems of OpenID,” I wrote: “OpenID is clearly gaining in adoption and importance. Currently, OpenID is both too lightweight for enterprise identity management and too insecure for sites with financial or other highly sensitive data. Some of the current problems will be mitigated by OpenID extensions and new more secure mechanisms for OpenID authentication and improved phishing protection. Businesses, especially those with consumer Web-based services, would do well to familiarize themselves with the technology and pay attention to its progress.”

When people authenticate to popular services via OpenID without even having to know they are using it, this indicates OpenID is becoming a mainstream authentication infrastructure. The protocol is evolving rapidly, and it appears that common implementations in the future may be hybrids of OpenID and the OAuth authorization protocol. Still, there are substantial costs to implementing, managing, securing, and supporting user account management systems. Offering authentication as an OpenID Relying Party can potentially reduce these costs significantly, along with the friction of new account signups for people with existing OpenIDs. However, this reduction in cost comes with a loss of control over user account information that must be weighed against the benefits. Even though long-term stability for OpenID may be a ways off, it is clearly a critical technology to monitor.

* This article originally appeared as OpenID Trends: Improved Usability and Increased Centralization in the August 2010 issue of Messaging News.

Federal Digital Identity Proposal Lacking in Usability

The White House announced The National Strategy for Trusted Identities in Cyberspace (NSTIC) proposal and a NSTIC Fact Sheet on The White House blog. The NSTIC proposal (PDF) describes a plan to implement a federated online identity system with strong authentication. The document states the President expects to sign a final version in October 2010 and the strategy will likely significantly influence the government’s identity management efforts. In this post I will discuss the usability aspects of the proposal.

One of my primary concerns is that the proposal barely mentions usability factors within the identity system, even though they will be crucial for gaining public acceptance and critical to its effectiveness. Researchers studying usability and security have repeatedly shown that people are likely to resist or circumvent security in a system with poor usability. One of the guiding principles for the strategy is that "Identity Solutions will be Cost-Effective and Easy To Use." However, the section is only half a page long and largely discusses the potential benefit derived from reducing the number of username and password combinations individuals must remember. The section includes a few sentences stating that the new identity system should take advantage of as much existing, widely used infrastructure as possible and that service providers should conduct usability studies. The section leaves the reader with the impression that usability is actually unimportant, even though the proposal lists ease of use as a major goal.

I would argue that most modern identity systems have been overly complicated for individuals to use and have required too much cognitive overhead for routine transactions. This is in no small part why it has been so difficult to move beyond the much-criticized username and password combination for user authentication. In order for a new identity system to provide significant improvements in reliability, assurance, security, and privacy, we must make significant improvements in usability. This is not a new problem. In his 1992 paper Observing Reusable Password Choices, Eugene Spafford published research detailing problems with reusing weak passwords on multiple sites (Spafford 1992). In their 1999 paper Users are not the enemy, Adams and Sasse investigated compliance with security policies, and in particular password management policies, in several companies and found that compliance rates were substantially lower when policies conflicted with or prevented common work practices. In their 2006 paper Why Phishing Works, Rachna Dhamija and colleagues showed how individuals consistently fail to detect fraudulent web sites even when security indicators provided notifications that something was amiss.

Another component of usability is accessibility. The proposal made no mention of how the new identity systems will accommodate the less technically savvy and less able-bodied segments of the population. The strategy should consider those with limited vision, limited mobility, or other disabilities. The American Foundation for the Blind provides the following statistics on adult Americans with limited vision: ages 18-44, 8.0 million; ages 45-64, 10.7 million; ages 65-74, 2.8 million; ages 75 and older, 3.7 million. This is a total of 25.2 million adults who have trouble seeing even with glasses or contact lenses.

The proposal promotes a federated and user-centric identity system. The common definition of a federated identity system is one that allows one service to accept authentication from another service. User-centric identity systems allow individuals some measure of control over their identities (typically a username or other unique identifier) and the attributes (age, email address, citizenship) attached to that identity. The usability problems for federated identities, user-centric identities, and attribute exchange are neither trivial nor solved. OpenID is arguably the first widely adopted federated authentication mechanism for the Internet with a user-centric model.

The history of OpenID is an excellent illustration of the usability challenges. Early incarnations required that users enter their OpenID URL to begin the authentication process. Their browser session was then redirected to the OpenID Provider they used for authentication, which was often a different domain than the one they were attempting to log in to. Finally, after a successful authentication, the user would be redirected back to the original site. The departure from the traditional username and password combination, combined with a confusing authentication flow with multiple redirects, left many users confused. OpenID specifications and implementations have evolved to mitigate and eliminate many of the usability problems. In many current deployments, most users will not even realize they are using OpenID for authentication, as they simply click on a Google or Yahoo! logo and then log in with familiar credentials.

This post is a revised version of the usability portion of the comments I submitted to the official NSTIC submission site. I based the critique on research from my dissertation Online Identifiers in Everyday Life, where I examined the ways that social, technical and policy factors affect individuals' behavior with online identifiers.

Simple Package Tracking with TrackMyShipments

The web-based interfaces offered by the shipping services allow you to schedule shipments, manage billing, store addresses, and track packages online. Some third-party services offer simplified interfaces and allow you to track shipments from multiple shipping carriers at once. Still, the process of entering multiple tracking numbers into multiple services can be cumbersome. I prefer the email-based input method used by the TrackMyShipments service.

TrackMyShipments is an email-based online package tracking service I have used for more than a year and a half as a streamlined method to track packages. TrackMyShipments takes advantage of the fact that you already have the tracking numbers sent to you in email. I wrote about another email-based interface in my review of how TripIt Shows the Value of Combining Email, Web and APIs. The signup process is very quick. After registration, you simply forward an email message with tracking numbers to track@trackmyshipments.com and the service will send you a notification when the shipping status of your package changes.

Say you want to see when the new hard disk you ordered will arrive so that you can finally get around to your New Year's resolution to make regular backups. The most common way to find out the status of your package is to search through your email to find the confirmation email from the store that has the tracking number for your drive. If you are lucky, the store has formatted the message so you can simply click on a link that takes you directly to the page on the shipper's site with information about the state of your package.

Unfortunately, many stores do not give their customers such an easy path, and so you must copy the number from the email and paste it into the web form for your package carrier. You might even already have an account on the package carrier's web site that lets you save the number for future reference or set up email or SMS alerts to let you know when there is progress or a problem. So you sign into the service and paste in the tracking number you found. This somewhat cumbersome process is the norm.

TrackMyShipments has a few options to configure the level of detail about the status of the shipment. If you choose, the service will notify you about every hop the package takes along the route, but in my experience this is far too much information. I configure the service to notify me on the day of delivery and for any exceptions. This means I get notified when the package is out for delivery, when it is delivered, and if there are any problems with the delivery. All of the package carriers have pretty significant lag in their delivery status information, and TrackMyShipments cannot give you any more information than the carriers have; it's just more convenient.

The TrackMyShipments iPhone and iPod Touch application allows mobile users to see the current status of all tracked packages and to remove any packages from tracking. Previously the service offered both free and paid versions of the iPhone application. TrackMyShipments for the iPhone is now free and advertising supported with iAds. The application includes push notifications, unlimited shipments and the ability to associate users, which were previously paid add-ons. The iPhone application works with both free and pro accounts.

Overall, I find TrackMyShipments is the most convenient way to track packages online. The service is simple to use and in my experience it just works. While neither the TrackMyShipments web site nor the iPhone application will win any design awards, there is little reason to use either unless you want an overview of all shipments at once. TrackMyShipments supports tracking DHL, FedEx, UPS, and US Postal Service packages. The basic TrackMyShipments service is free for tracking up to 10 shipments at a time. You will receive email updates about the status of your package, or you can log on to TrackMyShipments to see the status and location of all of your shipments. TrackMyShipments Pro costs $20 a year and gives you the ability to track unlimited packages and receive notifications about the shipping status via SMS. I suspect most people will find the basic service more than adequate, although those with greater package tracking needs will find the pro service a bargain.

* A version of this article originally appeared as TrackMyShipments Offers Simple Email-Based Package Tracking in my Messaging News “On Message Column.” Revisions and iPhone application updates on September 13, 2010.


Trends in Password Masking Security and Usability

John Gruber’s Daring Fireball pointed me to Jakob Nielsen’s Alertbox column Stop Password Masking, which resulted in a thoughtful and interesting thread of conversations and a few experimental solutions. Password masking refers to the practice of displaying an alternate character, usually a star or a bullet, in place of the actual characters typed into a password field. The idea is that this prevents another party from viewing the password while it is entered. Nielsen argues that in most cases masked passwords are not needed, since shoulder surfing is not a major issue, and that this is even less of an issue on mobile devices. He says masked passwords often reduce usability by increasing the number of errors, since users cannot see what they are typing. This problem is further compounded on mobile devices, where typing is more difficult and slower. Since users are less certain about what they are typing, they are much more likely to choose passwords that are simplistic or to copy and paste passwords from less secure locations. Nielsen says that high-value password forms should offer an optional checkbox for masking passwords so that masking can be used on an as-needed basis.

Jason Montgomery’s Response to Nielsen’s “Stop Password Masking” on the SANS Institute’s Application Security Street Fighter Blog provides a more nuanced commentary on the tradeoffs between security and usability for password masking. Montgomery argues that Nielsen’s points are valid and suggests that password managers, pass phrases, and two-factor authentication can sidestep some of the problems by increasing the security of stored passwords as well as the ease of recalling them. Earlier I reviewed 1Password, a password manager for Mac and iPhone that I use daily.

Bruce Schneier, a respected security expert, agreed with Nielsen in his brief response, The Problem with Password Masking. His post generated a large number of comments, which caused Schneier to temper his opinion in a later article The Pros and Cons of Password Masking. Schneier concludes that even though there are significant downsides to password masking, the practice is less problematic than either not masking passwords at all or complicating the interface with an optional password masking checkbox. The second article also generated a thoughtful discussion in the comments. In Strong Web Passwords, Schneier summarizes the Usenix HotSec07 article Do Strong Web Passwords Accomplish Anything? by Florencio, Herley, and Coskun, which argues that complex passwords do little to increase security when adequate policies are in place to limit the number of password attempts. Schneier suggests that the password masking feature on BlackBerries with SureType (non-QWERTY) keyboards and the iPhone (see: iPhone 2.0 password masking) that shows the current character and masks all previous characters is a reasonable alternative.

Farhad Manjoo’s Slate Magazine column, Fix your terrible, insecure passwords in five minutes, offers a solid set of suggestions for creating better passwords and describes why this is important in light of the recent Twitter break-in. Macworld’s Joe Kissell offers his own set of suggestions for creating better passwords in a series of articles listed in Top password tips.

The ongoing discussion led several developers to create prototypes that demonstrate password masking techniques. Each implementation has an online demo and source code publicly available. All prototypes are currently written in jQuery.

  • Stefan Ullrich’s iPhone-like password fields using jQuery and Oliver Storm’s Mypass each implement a password masking field similar to the iPhone and BlackBerries with SureType: the field displays the character just typed but masks all previous characters by replacing them with bullets.
  • Byron Rode’s showPassword is a jQuery plugin that implements a password entry field that defaults to fully masking the password with bullets, but also includes Nielsen’s proposed checkbox to display the password when requested.
  • arc90 created two experimental password masking implementations. The first, HalfMask, creates a masking effect by placing translucent random characters on top of the original password characters. This allows the person entering the password to view the original, with some concentration, but makes it far more difficult for another person to casually observe the password. The second implementation, HashMask, masks the password in the standard way by replacing each character typed with a bullet, but adds a visual representation of the password in the form of a Sparkline. This way the person entering the password has a visual indication that the password is correct, although they need to remember the Sparkline.
  • Mattt Thompson’s Chroma-Hash was inspired by arc90’s HashMask and masks passwords in the standard way, but adds a visualization of the password as it is typed using colored bars generated from a hash of the password. This allows users to quickly check that the visual representation is correct before pressing submit. It has the side benefit of allowing fast comparisons when password confirmations are required for entering new or changed passwords. Lee Gao created pyChroma, a Chroma-Hash implementation in Python, which has source code available but unfortunately no online demo.

Finally, Kevin Vigneault considers several other related options in his post Confirming Passwords Is Annoying: Is There a Better Way?, which was a result of a thread on IxDA, “Confirm password” field – Superfluous?, that appeared several months before Nielsen’s column.

* This article originally appeared as Trends in Password Masking Security and Usability in my Messaging News “On Message Column.” Article updated July 31st, 2009 to add additional references.