[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Matt Parsons mparsons1980 at gmail.com
Sun Jul 12 19:39:39 EDT 2009


I have seen many threads on this topic of password masking. I think you need to balance between usability and security. If it were my way, I would mask all passwords on computers, laptops and monitors. I think many would agree. This could be an issue if someone was shoulder surfing or had a camera. It is also an issue if someone is presenting a presentation and their login credentials are on the screen.

I think that on BlackBerrys and smart phones, where there is less of an attack surface, you should not have to mask passwords. I have big thumbs and I have a hard enough time typing my password on my BlackBerry, never mind it being masked.

Thanks,
Matt

Matt Parsons, CISSP
315-559-3588 Blackberry
817-238-3325 Home office 
mparsons1980 at gmail.com
www.parsonsisconsulting.com 
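The post above argues for masking on desktops and shared screens but not on handhelds. The following is an added example (not code from this thread or from any product mentioned in it) showing how a web form can encode that trade-off as a masking policy: a pure rendering function with three modes, where "last-char" is the convention mobile keyboards use (newest character briefly visible, the rest hidden), plus a small state machine that lets the user reveal the field on request and re-masks it after a timeout or on blur. The device classification, the 5-second reveal window and the `PasswordFieldState` API are assumptions made for the example.

```javascript
// Added example: password masking policy and reveal state machine.
// Not from the original mailing-list thread; names and timeouts are assumptions.
const MASK_CHAR = "\u2022"; // bullet used in place of each hidden character

// Modes:
//   "masked"    every character hidden (desktop / projected screen default)
//   "last-char" only the most recently typed character visible (mobile keyboard convention)
//   "plain"     user explicitly asked to see the password
function renderPassword(value, mode) {
  if (mode === "plain") return value;
  if (mode === "last-char" && value.length > 0) {
    return MASK_CHAR.repeat(value.length - 1) + value[value.length - 1];
  }
  return MASK_CHAR.repeat(value.length);
}

// Default mode chosen from context. A shared screen (projector, screen-share)
// always wins: nothing is revealed by default regardless of device class.
// Assumption: the caller determines `handheld` and `screenShared` itself.
function defaultMaskMode({ handheld = false, screenShared = false } = {}) {
  if (screenShared) return "masked";
  return handheld ? "last-char" : "masked";
}

// Tracks the field's value and current display mode. A reveal is temporary:
// it expires after `ttlMs` and is cancelled when the field loses focus.
class PasswordFieldState {
  constructor(context) {
    this.defaultMode = defaultMaskMode(context);
    this.mode = this.defaultMode;
    this.value = "";
    this.revealDeadline = null; // ms timestamp when a reveal expires, or null
  }

  // Append a typed character; `now` is a ms timestamp supplied by the caller.
  type(ch, now) {
    this.tick(now);
    this.value += ch;
  }

  // User pressed "show password"; visible for ttlMs (assumed 5 s) unless blurred.
  reveal(now, ttlMs = 5000) {
    this.mode = "plain";
    this.revealDeadline = now + ttlMs;
  }

  // Re-mask once the reveal window has elapsed.
  tick(now) {
    if (this.revealDeadline !== null && now >= this.revealDeadline) {
      this.mode = this.defaultMode;
      this.revealDeadline = null;
    }
  }

  // Focus left the field: always fall back to the default mask immediately.
  blur() {
    this.mode = this.defaultMode;
    this.revealDeadline = null;
  }

  display() {
    return renderPassword(this.value, this.mode);
  }
}

// Optional browser wiring (skipped under Node). Assumes elements with ids
// "pw" (text input) and "pw-toggle" (button) exist on the page.
if (typeof document !== "undefined" && document.getElementById("pw")) {
  const input = document.getElementById("pw");
  const toggle = document.getElementById("pw-toggle");
  const state = new PasswordFieldState({
    handheld: navigator.maxTouchPoints > 0,
    screenShared: false,
  });
  input.addEventListener("input", (e) => {
    state.value = e.target.value; // real input keeps the true value
    input.setAttribute("data-display", state.display());
  });
  toggle.addEventListener("click", () => state.reveal(Date.now()));
  input.addEventListener("blur", () => state.blur());
  setInterval(() => state.tick(Date.now()), 500);
}
```

The point of the separate `renderPassword` function is that the masking decision is a pure function of value and mode, so it can be unit-tested and audited independently of any DOM event handling; the reveal state machine then guarantees that a "show password" click never leaves the field unmasked indefinitely.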



-----Original Message-----
From: Bil Corry [mailto:bil at corry.biz] 
Sent: Sunday, July 12, 2009 4:34 PM
To: Shawn K. Hall
Cc: websecurity at webappsec.org
Subject: Re: [WEB SECURITY] Jakob Nielsen's Stop Password Masking

Shawn K. Hall wrote on 7/11/2009 8:56 PM: 
>> Two factor authentication.
>>  
>> What I have - Smart Card  / FOB
>>  
>> What I know - PIN
>>  
>> Even if there is shoulder surfing or keystroke logging, unless 
>> they have physical possession of the smart card they cannot
>> break in
> 
> Unless they have the ability to clone "what you have".

This is a somewhat recent example:

	http://www.h-online.com/security/news/113126


- Bil


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA

