[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Chris Varenhorst varenc at mit.edu
Sun Jul 12 21:13:28 EDT 2009


I thought this thread might be interested in two recent arc90 password
masking experiments.  The basic idea is to meet Jakob Nielsen halfway and
mask the password so that a casual observer won't be able to get much
information from it, but the user can still confirm they typed their
password correctly.

http://lab.arc90.com/2009/07/halfmask.php
http://lab.arc90.com/2009/07/hashmask.php


On Sun, Jul 12, 2009 at 4:39 PM, Matt Parsons <mparsons1980 at gmail.com> wrote:

> I have seen many threads on this topic of password masking.  I think you
> need to balance between usability and security.  If it was my way, I would
> mask all passwords on computers, laptops and monitors.  I think many would
> agree.  This could be an issue if someone was shoulder surfing or had a
> camera. It is also an issue if someone is presenting a presentation and
> their login credentials are on the screen.
>
> I think that on BlackBerrys and smartphones where there is less of an
> attack surface you should not have to mask passwords.  I have big thumbs and
> I have a hard enough time typing my password on my BlackBerry, never mind it
> being masked.
>
> Thanks,
> Matt
>
> Matt Parsons, CISSP
> 315-559-3588 Blackberry
> 817-238-3325 Home office
> mparsons1980 at gmail.com
> www.parsonsisconsulting.com
>
>
>
> -----Original Message-----
> From: Bil Corry [mailto:bil at corry.biz]
> Sent: Sunday, July 12, 2009 4:34 PM
> To: Shawn K. Hall
> Cc: websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Jakob Nielsen's Stop Password Masking
>
> Shawn K. Hall wrote on 7/11/2009 8:56 PM:
> >> Two factor authentication.
> >>
> >> What I have - Smart Card  / FOB
> >>
> >> What I know - PIN
> >>
> >> Even if there is shoulder surfing or keystroke logging, unless
> >> they have physical possession of the smart card they cannot
> >> break in
> >
> > Unless they have the ability to clone "what you have".
>
> This is a somewhat recent example:
>
>        http://www.h-online.com/security/news/113126
>
>
> - Bil
>
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/archive/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
> Join WASC on LinkedIn
> http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
>