[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Kevin Stewart kevin.g.stewart at gmail.com
Tue Jul 14 18:24:22 EDT 2009


If I recall, the newer Palms do something like this "key switching"
but after each letter. So for password, you'd type a "p" and when you
typed the next letter, the last would become a star "*". Personally, I
think the idea of not masking a password by default is revolting. I
love Mr. Nielsen's articles on usability, but a security guy he is
not. It certainly does make sense, however, at least on mobile devices
to use either a key switching pattern, or a checkbox that allows the
user to expose the plaintext password that is, by default, masked.

Kevin

On 7/14/09, gaz Heyes <gazheyes at gmail.com> wrote:
> I've been following this thread with interest and here is Nielsen once again
> stirring up controversy without providing any alternative. So I thought I'd
> chip in with a possible solution....
>
> Key switching
>
> It could work in two ways with a hardware/software device, basically the
> idea is that you type a keyword on screen which is replaced with an
> alternative representation of the keys. So "password" becomes
> 1L&d5xs at visually "password" is displayed but once you've finished
> typing and the
> letters are obscured either on form submit or after a delay the keys are
> switched. This could be done either with the real password, so you associate
> your key switching device with the website and key switch keyword and the
> password is replaced or the keys switched automatically when typing a
> password in a random order that is defined once by the device. Obviously
> this would be no use for MiM attacks but stopping shoulder surfing and
> improving usability it would be good. Thoughts?
>

-- 
Sent from my mobile device

Kevin G. Stewart

----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA



More information about the websecurity mailing list