I generally like the idea of providing users the choice to reveal their typed password; many apps and sites have done so over the years. However, I have no idea how the original idea of entirely removing the "password masking" passed the "shower thoughts" phase, let alone made it into an academic research project.
> How often is someone looking over your shoulder when you type a password?
When I'm in the privacy of my own home? Rarely. When I'm using a mobile device (arguably where "unmasking" provides the most usability improvement) in public? All the time. No, random strangers are most likely not paying attention to your phone, but look around next time you go out: there are cameras _everywhere_.
Even the helpful mobile keyboard feature that shows you the last entered character is a risk. Not to mention merely watching the interaction with the onscreen keyboard. However, both of those require a moderate amount of attention, versus just prominently displaying the full password unobstructed all at once on the screen.
You may not think those cameras matter, but let's be honest, many people have access to the data feed through those cameras. From the near-minimum-wage "security" guard (or loss prevention) employee to the corporate security teams storing the backed up footage.
Logging into your Hacker News account may present a low risk, but certainly, this could be catastrophic when logging into your bank account. It's one of the less acknowledged benefits of fingerprint readers and password managers (combined). Unmasking that password entered by the password manager would defeat this entirely.
Let it be an option, but don't do this by default.
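As an added illustration of the "option, not default" position in the comment above (this is example code written for this page, not code from the thread or from the paper being discussed), here is a DOM-free JavaScript model of a password field that is masked by default, offers an explicit reveal toggle, re-masks itself on blur and after a timeout, and refuses to reveal a value that a password manager filled in. The timeout length, the `lastCharPeekMs` option (modelling the mobile-keyboard "show the last character" feature mentioned later in the thread) and the `autofill` hook are assumptions made for the example.

```javascript
// Added example (not from the thread): a state model of a password field that
// follows "masked by default, reveal as an explicit option".
// Wire it to a real <input type="password"> by switching the element's `type`
// attribute between "password" and "text" whenever display() changes.

const MASK_CHAR = "\u2022"; // the usual bullet glyph

class PasswordField {
  constructor({ revealTimeoutMs = 5000, lastCharPeekMs = 0 } = {}) {
    this.value = "";
    this.revealed = false;          // masked by default
    this.revealTimeoutMs = revealTimeoutMs; // assumed: auto re-mask window
    this.lastCharPeekMs = lastCharPeekMs;   // assumed: 0 disables the last-char peek
    this.revealedAt = null;
    this.lastTypedAt = null;
    this.autofilled = false;        // assumed hook: set when a password manager fills the field
  }

  // A character typed by the user at time `now` (milliseconds).
  type(ch, now = 0) {
    this.value += ch;
    this.lastTypedAt = now;
    this.autofilled = false;
  }

  // Value supplied by a password manager: the user never needs to see it.
  autofill(secret) {
    this.value = secret;
    this.autofilled = true;
    this.hide();
  }

  // Explicit user action. Returns false when the request is refused.
  reveal(now = 0) {
    if (this.autofilled) return false; // nothing to check or correct by eye
    this.revealed = true;
    this.revealedAt = now;
    return true;
  }

  hide() {
    this.revealed = false;
    this.revealedAt = null;
  }

  // Losing focus (tab away, screen share starts, etc.) always re-masks.
  blur() {
    this.hide();
  }

  // What the field renders at time `now`.
  display(now = 0) {
    if (this.revealed && now - this.revealedAt > this.revealTimeoutMs) {
      this.hide(); // reveal window expired
    }
    if (this.revealed) return this.value;

    const masked = MASK_CHAR.repeat(this.value.length);
    const peeking =
      this.lastCharPeekMs > 0 &&
      this.lastTypedAt !== null &&
      now - this.lastTypedAt < this.lastCharPeekMs;
    if (!peeking || this.value.length === 0) return masked;
    // Mobile-keyboard style: only the most recent character is briefly visible.
    return masked.slice(0, -1) + this.value.slice(-1);
  }
}

// Stand-alone demonstration of the two behaviours the thread argues about.
function demo() {
  const f = new PasswordField();
  f.type("s", 0); f.type("3", 10); f.type("c", 20);
  const trace = [f.display(30)];        // masked by default
  f.reveal(30);
  trace.push(f.display(40));            // shown only after an explicit toggle
  trace.push(f.display(40 + 6000));     // re-masked once the window expires
  return trace;
}

module.exports = { PasswordField, MASK_CHAR, demo };
```

The `demo()` call returns the three rendered states in order (masked, revealed, re-masked). The design choice worth noting is that reveal is a per-field, time-boxed action that the user has to take, while every transition that could catch a fast typist out (blur, timeout, autofill) moves back to the masked state.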
We got a laptop at work. It's an Acer gaming thing which we bought because it was the cheapest thing we could find with a GPU in it. It also has an RGB keyboard (which is terrible, half the keys stick). The default setting is to flash a key when you press it, which then fades out over a second or two.
See the problem? Whenever you typed a password, you would see all the letters you typed lit up on the keyboard conveniently in brightness order...
At least you can fake that out by pressing the wrong keys. Similar to how I enter my PIN into ATMs, I have my fingers covering all the keys at once with my hand open and my palm down. All the keys get touched, albeit with different amounts of pressure, but picking up that sort of difference would be error prone.
I work with infrared cameras, I'll check this out tomorrow! Useful for things like seeing if someone's just left the office for lunch because their chair's warm.
Reminds me of the scene in one of Dan Brown's books where they catch the protagonist by noticing a conveyor belt has warmed up (which he lay on to escape). The first time I read that I thought it was nonsense, but having used decent cameras I'm inclined to believe it now.
like... i get that this is technically true, but you see how the addition of an infrared camera to the mix makes things much more cumbersome? or rather, do you see how obviating the need for an infrared camera makes discovering the password much easier (because you don't have to acquire and place an infrared camera, you're just handed the info via the visible spectrum)?
clever trick with the infra cam, but i don't think you've showed the equivalence of the situations in any practical sense. maybe that wasn't your point, and you were just offering a sorta-similar-but-not-really detection technique?
The infrared camera is not something exotic. Anyone who is interested in discovering passwords will have one. Most people do not care - if I would post my bank account password here most people wouldn't attempt to login to see if it was real, and of those that do most wouldn't do anything bad. I still don't post my bank info because of the tiny number of people who would abuse it: they are mostly the same people as who would buy the infrared camera.
> Let it be an option, but don't do this by default.
Fully agree, and found the "As for what you should set the default to. Well that’s another question..." conclusion quite stupid to be honest; "80% were not expecting to see the password as clear text" and "60% said they had become suspicious of the site", on those metrics alone surely it's obvious the default should be masked with an option to reveal.
They were suspicious because it looked like an error when there was no control. The second half seems to have been conducted with shown as the default, so you should perhaps pick quotes from that section instead. While hidden is the more conservative approach, since users will not have to think about it, this paper suggests that with a control it's not too scary to default to shown.
> this paper suggests that with a control it's not too scary to default to shown.
I’d rather have password masking be the default everywhere.
Consider for example lecturers using the computer in a room full of people, prominently displaying their screen on the projector for all to see. Or anyone in a business meeting for that matter, using a projector or sharing their screen through teleconferencing.
If you are fast at typing you could type out a lot of your password before catching the fact that everyone is seeing your password.
And if you are a hunt-and-peck typist you might be slow but you might also be looking at the keyboard the whole time as you are typing out your password, and therefore not catch the fact that everyone is seeing your password.
It took me a long time to jump on the password manager bandwagon, but one of the big positives IMO is that I almost never need to type or see my password to enter it correctly - precisely for the reasons you mention. I do occasionally need to see if I made a typo or I don't need the privacy but as you say - it shouldn't be the default.
What's wrong with doing research on something everyone "already knows"? There's always a chance of finding something unexpected, and even if you get the predictable result, people can use your study to argue against really bad ideas.
> but look around next time you go out there are cameras _everywhere_
> You may not think those cameras matter, but let's be honest, many people have access to the data feed through those cameras. From the near-minimum-wage "security" guard (or loss prevention) employee to the corporate security teams storing the backed up footage.
yeah, this is a thought that has crossed my mind a lot the last couple years, and i find it really unnerving. i now consciously try to keep my typing out of the sight line of cameras, though i don't always remember to do that, and i'm sure there are tons of cameras i don't notice.
The real problem here is that on-screen mobile keyboards are an atrocious input method compared to a real physical keyboard, in general, but in particular for passwords, where you are typically changing case and adding special characters.
My biggest pet peeve regarding password masking is when it’s used on one-time use MFA codes sent in texts. It’s completely preposterous that I need to be protected against an eavesdropper while typing a one-time use code.
My Indian bank even has two versions, one has cleartext, and is readable and responsive. The other was designed for 90's desktops and is a password field.
Reminded me of NIST's digital policy guidelines (from 2017, so quite a while after this page was published):
> In order to assist the claimant in successfully entering a memorized secret, the verifier SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows the claimant to verify their entry if they are in a location where their screen is unlikely to be observed.
2) This encourages password re-use and the 2019 guidance really needs to focus on generating unique passwords for each site / property and storing it somewhere secure. The push to move to other forms of security has never been stronger.
I see the logic in point 2 and agree it's possible that this could be the net effect, but I think there's at least one more distinct possibility.
I use a good password manager with long, unique, random passwords.
The world is messy, though, and some small fraction of the apps/sites/devices/contexts I need to enter credentials stored in my password manager require manual entry. Some of these are on a device with the password manager, but fail to support auto-fill and block paste. Some of these are on other devices (such as TV streaming boxes). It also applies to every login I need to enter on a new device before my password manager is installed and unlocked.
When I have to enter dozens of high-entropy characters on mobile keyboards, TV remotes, or my sad 3rd-gen MacBook butterfly keyboard, a simple unmasking toggle is a lifesaver. Its absence is a misery/frustration multiplier. I'm not sure how the initial login on an iPhone is, but it took me 4 tries to log in on my newest Android because I had to enter ~40 characters while swapping between the stock alpha/symbol keyboards without an unmask.
I'm sold on the value of using a password manager and aware of the risks of not doing it, so these frictions won't deter me. But I'd be surprised if I'm in the majority, here. I suspect many people will fail into partial or complete non-compliance with the password manager if they regularly encounter these scenarios (or encounter them while the costs of abandoning the effort are still minimal).
When using a password manager you don't need to "check the input" or "correct an error" or "see what characters have been typed" (the only "usability problems" mentioned in the article).
I think OP means that if you use unique passwords, you would typically use a password manager and randomly generated passwords. You don't need to know so there is no point in seeing the password.
I don't think showing the password would actually encourage re-using a password, but hiding the password may encourage using a password manager and unique passwords.
The most egregious example of this was the old Windows connect-to-WiFi password box, which not only masked the password, but made you enter it twice. Why you had to enter it twice (when connecting, not creating the password) is totally beyond me.
Any operating system-level measure to prevent keyloggers logging secure input fields is bypassed when input masking is disabled in the browser, except where the browser natively provides a Show password feature.
Would be pretty neat if we could establish a trusted path from the keyboard to the server using crypto-magic. Like the keyboard could encrypt using the server's public key or something.
What needs to be removed is the password system entirely. I cannot believe that in the age of public-key cryptography we are still using passwords for serious security.
I find Face ID such a pleasure to use where it auto-fills my password, and since the passwords are auto-generated they are like some type of key. I do agree that passwords will be removed, or at least relegated to unlocking your login assistant.
A web page from 2014 summarizing an article not about the safety consequences of removing password masking, but the effect of removing masking on consumer trust. Performed and written by a UI guy. No link to the academic article it's referring to, at least that I found.
Summary: removing masking doesn't erode consumer trust if it's optional, but they get leery of you if it's off by default.
Interesting. I have seen password masking being used for OTP SMS codes. Correct me if I'm wrong, but the password field in this case, does not make it more secure.
It is just about giving the impression of being secure?