Password masking

Argos
25-June-2009, 09:56 PM
Do you think this guy (http://www.useit.com/alertbox/passwords.html)(*) has a point?

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.


Well, I had never seen the matter from that angle, so I still have to think about it. Any thoughts?

(*) Jakob Nielsen, usability expert - Link featured on Slashdot.

Rhaedas
25-June-2009, 10:14 PM
I've read his thoughts on not having a reset button on forms, and he made perfect sense there. (I even went through all my current sites and changed them, it hit home so much) I disagree on his opinion on masked passwords though, although I see his point. But some counter points...

If it's a site that requires logging in, it's a site you want to go to, not something you just ran across. So there's no direct scaring off of new visitors.

All (by now I would think) browsers support remembering a password and automatically filling it in for you, so except for some sites that somehow don't trigger this in the browser, rarely would you have to enter a password on a computer you always use.

While he's probably right that there's no one looking over your shoulder in an office environment, the internet cafes are a different story. Why would you not want a default higher security for those type places?

The worst-case scenario, you type something and it's wrong, so you have to retype it a bit slower to make sure you type correctly. It's a lot different than the issue of accidentally clicking the reset button and clearing the whole form you filled out.

Added: I think his point is a valid one for mobile devices. I just don't think it carries over to desktop, for the reasons I mention.

PetersCreek
25-June-2009, 10:18 PM
The author makes some interesting points but I wonder if he lives in the same world as most of us...

...there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Okay everybody-in-the-whole-wide-world, show of hands! How many of you work in a private office? I have my own office nowadays but I did my time at open workstations and in cubicle farms. In my last position, 180° of my workspace was open to office passersby.

hhEb09'1
25-June-2009, 10:32 PM
Overhead presentations are another story! I've seen nervous or inattentive folk type their password into the username field (no masking there), big laugh, big laugh. Some people's passwords are so ridic.

GeorgeLeRoyTirebiter
25-June-2009, 10:38 PM
Back when I worked as a projectionist, the theater replaced employee timecards with a web-based payroll tracking system. Since only a few computers in the building were authorized for clocking in and out, during shift changes there was always someone looking over my shoulder while I typed my password.

slang
25-June-2009, 10:39 PM
Okay everybody-in-the-whole-wide-world, show of hands! How many of you work in a private office?

Office shared with one other. But how often do you come back from a coffee break, someone walks along, wants answer, and you need to unlock screen? Very often, in my case. Or have to login to some app to get answer, or login to some unix box.. etc etc. I understand there are situations where starring isn't helpful, but I'll take it whenever I can.

Argos
25-June-2009, 11:03 PM
All (by now I would think) browsers support remembering a password and automatically filling it in for you, so except for some sites that somehow don't trigger this in the browser, rarely would you have to enter a password on a computer you always use.

Yeah, but people should avoid it.

Josh
25-June-2009, 11:26 PM
Overhead presentations are another story! I've seen nervous or inattentive folk type their password into the username field (no masking there), big laugh, big laugh. Some people's passwords are so ridic.

I've not done that onto a projector, but every time I accidentally do that at my computer I get a worried feeling in the pit of my stomach. It's just weird seeing your password written down properly.

slang
25-June-2009, 11:54 PM
I've not done that onto a projector, but every time I accidentally do that at my computer I get a worried feeling in the pit of my stomach. It's just weird seeing your password written down properly.

Seconded!

Moose
26-June-2009, 01:16 AM
Heh. I worked in a "private office" with 20+ kids all of whom are trying to figure out the teacher's "admin" password, and yeah, it's projected too.

kleindoofy
26-June-2009, 01:38 AM
I once wrote a login routine that went a step further than the bullets: I deactivated the interrupt for the screen echo completely. When you typed in the password, the cursor didn't move at all. That way not even the number of keystrokes could be seen, only heard.

This was for the university where loads of people were usually standing around or walking past.

PetersCreek
26-June-2009, 02:13 AM
One of my work systems takes an alternate approach. The bullets don't correspond to password characters on a one-to-one basis. One'll get you one two or three bullets, randomly.
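The three echo policies the thread mentions so far (kleindoofy's "no echo at all", the usual one bullet per character, and PetersCreek's one-to-three random bullets) side by side, as an added example that is not code from any poster's system. It reads keystrokes from any file-like object so it can be exercised offline on a constructed keystroke sequence; on a real terminal you would feed it raw-mode stdin (or just use Python's `getpass`, which is the no-echo policy). The one non-obvious part is backspace: once a keystroke can produce more than one bullet, the prompt has to remember how many it wrote for each keystroke, or erasing gets out of step with the buffer.

```python
import io
import random

BULLET = "\u2022"  # the "bullet" most password fields echo


def read_masked(inp, out, policy="bullet", rng=None):
    """Read one line of keystrokes from `inp`, echo to `out` under a masking policy.

    policy "none":   no echo at all (screen echo disabled)
    policy "bullet": exactly one bullet per character (the usual web form)
    policy "random": one to three bullets per character, so the bullet count
                     no longer reveals the password length

    Backspace (DEL 0x7f or BS 0x08) drops the last character. The number of
    bullets written for each kept keystroke is remembered so that the same
    number is erased; with the "random" policy a fixed "\b \b" per keystroke
    would leave the display out of sync with the buffer.
    """
    rng = rng if rng is not None else random.SystemRandom()
    chars = []        # the password as typed so far
    echo_counts = []  # bullets written for each kept keystroke
    while True:
        ch = inp.read(1)
        if ch == "" or ch in "\r\n":
            break
        if ch in ("\x7f", "\b"):
            if chars:
                chars.pop()
                out.write("\b \b" * echo_counts.pop())
            continue
        chars.append(ch)
        if policy == "none":
            n = 0
        elif policy == "bullet":
            n = 1
        elif policy == "random":
            n = rng.randint(1, 3)
        else:
            raise ValueError("unknown policy: %r" % (policy,))
        echo_counts.append(n)
        out.write(BULLET * n)
    out.write("\n")
    return "".join(chars)


def visible_bullets(echo):
    """Bullets left on screen after the "\b \b" erase sequences are applied."""
    return echo.count(BULLET) - echo.count("\b \b")


# Constructed keystroke sequence (not real input): the user types "B355001",
# hits backspace three times, then types "001b35S" and Enter.
TYPED = "B355001\x7f\x7f\x7f001b35S\n"


def demo(policy, typed=TYPED, seed=1):
    """Run read_masked on the constructed sequence; returns (password, echoed text)."""
    out = io.StringIO()
    pw = read_masked(io.StringIO(typed), out, policy, random.Random(seed))
    return pw, out.getvalue()


if __name__ == "__main__":
    for policy in ("none", "bullet", "random"):
        pw, echo = demo(policy)
        print(policy, repr(pw), "bullets on screen:", visible_bullets(echo))
```

With the "random" policy the bullet count is still correlated with length (between n and 3n bullets for an n-character password), so it blurs the length rather than hiding it; the "none" policy is the only one that leaks nothing to a bystander watching the screen, at the cost of the fat-finger feedback Trebuchet describes further down.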

mugaliens
26-June-2009, 06:49 AM
Logins will never be secure until the system is removed from the computer via a separate CAC reader with its own keypad and fingerprint reader, used to generate an encrypted response to an encrypted challenge from the authentication server.

The two-way encryption piece has been down pat for years, and is used in SSL-3, as well as PKI. The CAC, PIN, and fingerprint provides a three-factor authentication with duress capability (via one's duress PIN, or using other than your usual finger).

By separating the keypad, CAC reader, and fingerprint scanner, in a single, known, widely-used and heavily verified tamper-free device, you're removing the likelihood that something as simple as a keystroke reader has compromised one's password.

HenrikOlsen
26-June-2009, 08:04 AM
You do know fingerprint scanners are easily fooled, right?

And that they aren't usable by everyone as there are professions (such as pottery) where people have regular abrasion of their fingers so they have no discernible fingerprints, right?

You do know that this is yet another simple, easy to understand, wrong answer to a complex problem, right?

hhEb09'1
26-June-2009, 01:04 PM
And that they aren't unusable by everyone as there are professions (such as pottery) where people have regular abrasion of their fingers so they have no discernible fingerprints, right?

You do know that this is yet another simple, easy to understand, wrong answer to a complex problem, right?

Aren't unusable? I'm confused.

HenrikOlsen
26-June-2009, 01:14 PM
Aren't unusable? I'm confused.
Nice catch. I rewrote that sentence several times and missed removing the un-.

Fixed in my post.

Fazor
26-June-2009, 04:05 PM
I don't understand how masking my password characters makes me suffer in any way. Yes, I might miss a typo; but that's why any good system gives you a few chances to type it in.

And my screen is visible to anybody who is standing at my desk, which is where customers tend to stand when they're making payments or changes or whatever.

tdvance
26-June-2009, 09:14 PM
One of my work systems takes an alternate approach. The bullets don't correspond to password characters on a one-to-one basis. One'll get you one two or three bullets, randomly.

The web interface to my Verizon router works like that--disconcerting at first...did I hold the key down THAT long?

mugaliens
27-June-2009, 09:48 AM
You do know fingerprint scanners are easily fooled, right?

Yes.

And that they aren't usable by everyone as there are professions (such as pottery) where people have regular abrasion of their fingers so they have no discernible fingerprints, right?

Yes.

You do know that this is yet another simple, easy to understand, wrong answer to a complex problem, right?

You do know what is meant by x-factor authentication, right? The premise behind it is that any single factor can be fooled, but the choice of factors makes it exceedingly unlikely to get all three correct.

How many times have you been asked by your bank while on the phone with them to verify your account by providing your mother's maiden name, the last four of your SSN (ok, Henrik - you're over there, so...), and your birthdate?

Here in the US, all of that information is found on our birth certificates (well, those who were born after a certain date).

No good!

But what about the last four of one's social, the make of their first car, and an intrinsic physical feature (like a fingerprint)?

By the way - fingerprints are easy (and cheap). Retinas are hard (and expensive). But both can be spoofed, as can DNA (Gattaca).

Using multiple, thinly-related factors, however, increases security, even when one of them by itself can be easily copied. It's the unrelated mix of the three which provides the security, not the robustness of all three (or any one of them).

mugaliens
27-June-2009, 09:51 AM
One of my work systems takes an alternate approach. The bullets don't correspond to password characters on a one-to-one basis. One'll get you one two or three bullets, randomly.

I've heard well-placed bullets do make for a good deterrent...

Elukka
27-June-2009, 04:18 PM
I have these things called 'friends' that might sometimes be next to me when logging on somewhere, especially in school. Now, they might be friends, but I wouldn't want them to know my passwords.

I... don't really get how it costs much business if someone takes 3 extra seconds to retype a password after getting it wrong.

DonM435
30-June-2009, 01:59 PM
Typing blindly really bothered me all those years when I was the only one in the house, the room, or the only one who could see the screen. But, more and more lately, I've been logging into a display projected on a wall in a meeting room, and it finally makes sense.

I do deplore the trend to make the passwords longer and trickier and have them expire more quickly. Some clown in Security doubles this and halves that and announces we're four times more secure! But he's just crippled productivity by inconveniencing hundreds of workers.

Moose
30-June-2009, 02:42 PM
Yeah, sites like that are 'interesting' exercises in how security has failed. Want to know what I mean? Lift the mousepad of any random (workplace) user. Their desktop password will be there. If it's not there, it'll be under the keyboard.

Passphrases are better than passwords anyway. They tend to be longer, and even a three (useful) (english) word passphrase with predictable capitalizations and exclusive use of the space key beats an 8 character perfectly random password. Even if the attacker knows you're using a passphrase and can automagically guess what prepositions and articles you'll use, and which words are in your "dictionary" ahead of time.

Here's why: Assume each word is an atom in a passphrase, and that you have only a thousand valid words in your "dictionary", while each character is an atom in a password.

password: 8^75 = 5 x10^67 valid passwords.
passphrase: 3^1000 = 10^477 valid passphrases.

In fact, your dictionary of "useful words" only has to have 142 words in it in order to beat passwords.

Add the full range of English, and/or other languages, and you can have your memorable passwords you don't ever have to write down, or change, and your security admin can have his security, too.
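The comparison above worked through as an added example, not code from the post. It computes the size of each search space as (number of choices per position) raised to (number of positions), i.e. symbols^length for a random password and dictionary_size^words for a passphrase, and then asks how large the word list has to be for a three-word phrase to match an eight-character password drawn from 75 symbols. The 75-symbol alphabet, the 1000-word dictionary and the 7776-word list in the demo are the post's parameters plus one common diceware-style size; they are inputs, not claims about any particular system.

```python
import math


def search_space(choices, positions):
    """Number of distinct secrets: choices^positions."""
    return choices ** positions


def entropy_bits(choices, positions):
    """Entropy in bits of a uniformly random secret from that space."""
    return positions * math.log2(choices)


def min_dictionary_size(symbols, pw_len, words):
    """Smallest word list from which a `words`-word passphrase has at least
    as many possibilities as a `pw_len`-character password over `symbols`.

    Solves n^words >= symbols^pw_len with exact integer arithmetic; the float
    root only seeds the search, so big-integer exponents stay exact."""
    target = symbols ** pw_len
    n = max(1, int(target ** (1.0 / words)) - 2)
    while n ** words < target:
        n += 1
    return n


def compare(symbols=75, pw_len=8, dictionary=1000, words=3):
    """Side-by-side figures for a random password and a dictionary passphrase."""
    return {
        "password_space": search_space(symbols, pw_len),
        "password_bits": entropy_bits(symbols, pw_len),
        "passphrase_space": search_space(dictionary, words),
        "passphrase_bits": entropy_bits(dictionary, words),
        "words_needed": min_dictionary_size(symbols, pw_len, words),
    }


if __name__ == "__main__":
    for dictionary, words in ((1000, 3), (7776, 4), (7776, 5)):
        r = compare(dictionary=dictionary, words=words)
        print(f"{words} words from {dictionary}: {r['passphrase_bits']:.1f} bits "
              f"vs 8 random chars from 75 symbols: {r['password_bits']:.1f} bits; "
              f"list size needed to match: {r['words_needed']}")
```

Written this way the numbers come out as roughly 50 bits for the random 8-character password, 30 bits for three words from a 1000-word list, and a list of about 100,000 words before three words catch up; five words from a 7776-word list (about 65 bits) is the point where the passphrase comfortably wins while staying memorable. The usability argument Moose makes still holds; it is the word count, not the word list, that buys the security.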

Fazor
30-June-2009, 02:58 PM
Yeah, sites like that are 'interesting' exercises in how security has failed. Want to know what I mean? Lift the mousepad of any random (workplace) user. Their desktop password will be there. If it's not there, it'll be under the keyboard.

My passwords for my most commonly used software are all on a sticker on my monitor, the rest are on the first card in my rolodex. I just have to cover them up when they come by to audit the office.

Granted, passwords still provide some layer of security from outside sources, but anyone could walk in and log on to most of the stuff I use. The main log-in password is not written down, but not for security reasons, rather I type it about 30 times a day so it's not hard to remember.

When I first started working here, I could use the two passwords that I've used for everything my entire life, and just go back and forth between them. Now, there's so many stupid rules about having to use x number of special characters, capitals, nothing that appeared in your last 20 passwords, and you must change passwords every 6 weeks or so. There's just no way to always have a password that's meaningful and easy to remember.

kleindoofy
30-June-2009, 03:00 PM
There's a nice little trick to make mnemonic pws which conform to many complexity requirements.

Let's say I have a gf named Bess. Combine 1337 speak with a few capital letters and repetition and et voilà, a nice complicated pw:

B355001b35S

That's "Bess" written once as "B355" with a capital B, then a running number (001) that can be incremented every time you are required to use a new password, then "Bess" repeated, but this time written "b35S" using a capital "S" at the end.

That's super easy to remember and one only has to make a note of the running number.

If you want to complicate it further, just add some punctuation, depending on what your system allows and/or vary the use of capitals or the position of the running number.

DonM435
30-June-2009, 03:30 PM
I'm pretty sure that, at my company, changing B355001b35S to B355002b35S wouldn't work. It'd get flagged as "too similar."

Fazor
30-June-2009, 03:33 PM
That's super easy to remember and one only has to make a note of the running number.
Most of our software will catch any string of 4-or-more letters that match from any of your previous 20 passwords and disallow it, so that wouldn't work.

Which just ups the redicu-meter another notch. Blah.

HenrikOlsen
30-June-2009, 06:28 PM
Now, there's so many stupid rules about having to use x number of special characters, capitals, nothing that appeared in your last 20 passwords, and you must change passwords every 6 weeks or so. There's just no way to always have a password that's meaningful and easy to remember.
This is a classic example of misapplied security thinking.

People who actually know something about security know that such a password policy is counterproductive as a security measurement since no ordinary user can get any work done without having the password written down somewhere.

Fazor
30-June-2009, 07:32 PM
People who actually know something about security know that such a password policy is counterproductive as a security measurement since no ordinary user can get any work done without having the password written down somewhere.

I completely agree. But the only consistent thinking in any of our IT (security, networking, software design, etc) is "counterproductivity breeds jobs!", methinks.

kleindoofy
30-June-2009, 08:15 PM
I'm pretty sure that, at my company, changing B355001b35S to B355002b35S wouldn't work. It'd get flagged as "too similar."

... Most of our software will catch any string of 4-or-more letters that match from any of your previous 20 passwords and disallow it, so that wouldn't work. ...
Ok, but the same method can be used with other mnemonic things.

Say you have a poem on a piece of paper put somewhere on your desk. Use the words one by one, leaving out repetitions. A tiny pinpoint mark can help keep you on track.

Let's take "Jack and Jill":

pw1: J4ck01j4cK
pw2: 4nd024nD
pw3: Ji1103ji1L
pw4: W3n704w3nT
pw5: Up05uP
pw6: 7h3067hE
pw7: Hl11074l1L

etc. If a word is too short, use two words together, or repeat the number ...

I'd like to see IT guys complain about those.
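The two history rules described above (DonM435's "too similar" flag and Fazor's "any 4-or-more characters matching one of your last 20 passwords"), implemented as an added example so the Bess sequence and the Jack and Jill sequence can be run through them. This is not any company's actual policy checker; the edit-distance threshold of 3 and the case-insensitive 4-character window are assumptions chosen to match how the posters describe the behaviour.

```python
def shared_substring(a, b, n=4, ignore_case=True):
    """Return a substring of length n present in both a and b, or None.
    Any shared run of length >= n contains a shared run of exactly n, so
    checking n-grams is enough for the 'n or more matching' rule."""
    if ignore_case:
        a, b = a.lower(), b.lower()
    grams = {a[i:i + n] for i in range(len(a) - n + 1)}
    for i in range(len(b) - n + 1):
        g = b[i:i + n]
        if g in grams:
            return g
    return None


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), the usual 'too similar' metric."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(new, history, shared=4, min_distance=3, remembered=20):
    """Reasons the new password would be rejected against the last `remembered`
    passwords; an empty list means it passes both rules."""
    reasons = []
    for old in history[-remembered:]:
        g = shared_substring(new, old, shared)
        if g is not None:
            reasons.append(f"shares {g!r} with a previous password")
        d = levenshtein(new, old)
        if d < min_distance:
            reasons.append(f"too similar to a previous password (edit distance {d})")
    return reasons


def run_sequence(passwords, **rules):
    """Feed a sequence of password changes through the checker in order."""
    history, results = [], {}
    for pw in passwords:
        results[pw] = check_new_password(pw, history, **rules)
        history.append(pw)
    return results


# The two schemes from the thread, as typed in the posts.
BESS = ["B355001b35S", "B355002b35S"]
JACK_AND_JILL = ["J4ck01j4cK", "4nd024nD", "Ji1103ji1L", "W3n704w3nT",
                 "Up05uP", "7h3067hE", "Hl11074l1L"]


if __name__ == "__main__":
    for name, seq in (("Bess", BESS), ("Jack and Jill", JACK_AND_JILL)):
        print(name)
        for pw, reasons in run_sequence(seq).items():
            print("  ", pw, "->", "accepted" if not reasons else "; ".join(reasons))
```

The running-number scheme fails both rules at once (it shares "B355" and "b35S" with its predecessor and is one edit away from it), while each Jack and Jill password passes both, because consecutive words of the rhyme share no four-character run even after leet substitution. Whether a human can keep seven such strings straight without the pinpoint mark on the poem is the question Fazor raises next.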

Fazor
30-June-2009, 08:24 PM
You're getting back to the point where the passwords become so arbitrary that you have to write them down. Particularly since "l33tspeak" isn't a formal language, thus you can type the same word a dozen different ways. Then you have to either remember how you decided to mask it, or just write it down.

I've resorted to using my same normal passwords, but in different languages. If I usually use "Cheese123" in June, it's now "Queso123" etc. Funnily enough, for a company that wants you to use multiple character types (punctuation, capitals, numerals, etc.), they don't support foreign-language characters, like ñ.

kleindoofy
30-June-2009, 08:29 PM
You're getting back to the point where the passwords become so arbitrary that you have to write them down. Particularly since "l33tspeak" isn't a formal language ...
Unless you decide on a standard subset for yourself. You'd be surprised how easy it is once you get used to it.

... Funnily enough, for a company that wants you to use multiple character types (punctuation, capitals, numerals, etc.), they don't support foreign-language characters, like ñ.
"ñ" is in the so-called 'upper half' of the character table, i.e. character code >127 (decimal). Most systems only support pw characters in the lower half.

Fazor
30-June-2009, 08:38 PM
I just find it ironic that they forced us (a while back) to start including both a combination of upper/lower cases and numerals, because apparently all letters is too "weak", but I can't use characters that actually have meaning to me.

Now, if we were guarding some sensitive information or corporate secrets or something it'd make sense. As it stands, if someone "broke into" my system, the most they could do is change people's insurance coverage. And they could only do that if they knew how to use the software.

Of course, on the flip side, I understand that our "risk" of such at our small office is vastly different than, say, up in corporate or in a big office with 10 or 15 employees. I could see if I was at risk of being sued for errors-and-omissions, or some other criminal activity, how it would be bad if I got into a co-workers system and made it look like they were the one doing the activity.

But then we're back to the "If it's so complicated it has to be written down, what good does it do?"

At my location, the biggest threat is an outside attack, in which case they're going to bypass the password altogether anyway.

HenrikOlsen
30-June-2009, 09:54 PM
"ñ" is in the so-called 'upper half' of the character table, i.e. character code >127 (decimal). Most systems only support pw characters in the lower half.
And those that do support upper-half characters in passwords are a mess to use if the password is to be used across multiple systems, as the likelihood of them using the same encoding is not good.
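What "the same encoding" buys you, as an added example rather than anything from the thread's systems: the bytes a verifier actually hashes depend on both the character encoding and the Unicode normalization form, so the same typed "ñ" can produce three different digests across systems. The helper below uses PBKDF2 with a fixed salt purely so the outputs are comparable; a real deployment uses a random per-user salt and a current password hash, and the constructed sample passwords are illustrative only.

```python
import hashlib
import unicodedata

SALT = b"constructed-fixed-salt"  # fixed only so results are comparable across calls
ITERATIONS = 10_000               # deliberately low for a demo; raise in production


def password_bytes(password, encoding="utf-8", normalize=True):
    """The bytes a verifier would feed to its password hash.

    NFC normalization maps a precomposed 'ñ' (U+00F1) and 'n' followed by a
    combining tilde (U+006E U+0303) to the same code points, so a user whose
    keyboard or OS composes the glyph differently still gets the same bytes.
    """
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return password.encode(encoding)


def verifier_hash(password, encoding="utf-8", normalize=True):
    """Hex digest of the stored verifier for the given encoding/normalization."""
    data = password_bytes(password, encoding, normalize)
    return hashlib.pbkdf2_hmac("sha256", data, SALT, ITERATIONS).hex()


def encodable(password, encoding):
    """True if every character survives the round trip in that encoding."""
    try:
        password.encode(encoding)
        return True
    except UnicodeEncodeError:
        return False


def ascii_only(password):
    """The 'lower half of the character table' rule: all code points < 128."""
    return all(ord(c) < 128 for c in password)


if __name__ == "__main__":
    for pw in ("Queso123", "Se\u00f1al123", "Sen\u0303al123"):
        print(repr(pw), "ascii:", ascii_only(pw))
        for enc in ("utf-8", "latin-1", "cp1252"):
            print("   ", enc, password_bytes(pw, enc).hex(), verifier_hash(pw, enc)[:16])
```

"Queso123" hashes identically everywhere because every byte is the same in all three encodings; "Señal123" yields one verifier on a UTF-8 system and a different one on a Latin-1 or cp1252 system, and without normalization the two ways of typing the ñ diverge even on a single UTF-8 system. That is the practical reason the lower-half restriction survives: it sidesteps the problem instead of solving it.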

DonM435
01-July-2009, 05:20 AM
I've got a scheme somewhat like that, drawing inspiration from a mathematical source and a poetic source and combining the two in so structured a manner that I (but only I) can figure out the next password in the series (I'll need 24* of them before I can re-use any) from a previous one. It has letters, numbers and nonsense, as required. I can't go into more detail, obviously. Really sad.

(*Until our Head Security Jackass earns a promotion by increasing the monthly limit from 2 to 3 years.)

Trebuchet
01-July-2009, 03:17 PM
At my (large) company, they were for a while trying to force use of special characters, upper & lower case, and numbers as well as passwords more than eight characters long. Fortunately, they still have apps running on IBM mainframes that won't take special characters or more than eight. And they've come up with a remarkably enlightened policy that actually encourages users to have the same password on multiple systems, even to the point of having a utility to change several of the commonest ones at once.

So the rule is exactly eight characters, no special characters, at least one upper case and one number. I can live with that.

I do kind of depend on the **** appearing when I type my password because it lets me know when I've fat-fingered something and gotten an extra keystroke in, as I pretty frequently do.

At one point the company had a password policy that said the password could not contain "any word, or part of any word, in any language". That's a little difficult! I haven't seen it lately.

tdvance
01-July-2009, 10:50 PM
I've got a scheme somewhat like that, drawing inspiration from a mathematical source and a poetic source and combining the two in so structured a manner that I (but only I) can figure out the next password in the series (I'll need 24* of them before I can re-use any) from a previous one. It has letters, numbers and nonsense, as required. I can't go into more detail, obviously. Really sad.

(*Until our Head Security Jackass earns a promotion by increasing the monthly limit from 2 to 3 years.)


Sorry but 314159 and 271828 are taken--Feynman opened safes with those as combos :)

DonM435
01-July-2009, 11:58 PM
Some years ago, I'm at a dinner with the local chapter of Baker Street Irregulars. One of our members has a handsome new briefcase with those 3-digit combination locks on it. "Here, let me guess!" I said, opening it at once. I figured that any Sherlock Holmes fanatic worthy of the title would use "221" (as in 221B Baker Street). I was right.

HenrikOlsen
02-July-2009, 11:55 AM
With those locks I tend to use any random combination, they're so trivially easy to open that it's faster to crack the code than to remember it.

DonM435
02-July-2009, 03:44 PM
Does anyone remember those 1970s computer terminals that were essentially an electric typewriter connected to a modem? There was no monitor: rather, you typed on the long roll of paper and the computer typed its output right back at you.

When these prompted you for a password, they overprinted a bunch of characters into a dense pattern and reset the paper so that you got to type over a densely-inked field.

Most of us would cheat and manually rack the paper up a notch so that we could see what we were typing. (You had to remember to dispose of that part of the printout later, else your password became part of the record. If it was a public terminal, the next guy in line could use it.)