[WEB SECURITY] Jakob Nielsen's Stop Password Masking

gaz Heyes gazheyes at gmail.com
Tue Jul 14 15:02:39 EDT 2009

I've been following this thread with interest and here is Nielsen once again
stirring up controversy without providing any alternative. So I thought I'd
chip in with a possible solution....

Key switching

It could work in two ways with a hardware/software device. Basically the
idea is that you type a keyword on screen which is replaced with an
alternative representation of the keys. So "password" becomes
"1L&d5xs@": visually "password" is displayed, but once you've finished
typing and the letters are obscured, either on form submit or after a delay,
the keys are switched. This could be done either with the real password, so you
associate your key-switching device with the website and key-switch keyword and
the password is replaced, or with the keys switched automatically when typing a
password, in a random order that is defined once by the device. Obviously
this would be no use for MiM attacks, but for stopping shoulder surfing and
improving usability it would be good. Thoughts?
