[WEB SECURITY] Jakob Nielsen's Stop Password Masking

Jim Manico jim at manico.net
Tue Jul 14 22:24:22 EDT 2009

I bet we could leverage existing secure token technologies and  
infrastructure to implement this design. The users gain significant  
usability without increasing risk. What's not to like? Get some VC and  
start a company around this. :)

Jim Manico

On Jul 14, 2009, at 12:02 PM, gaz Heyes <gazheyes at gmail.com> wrote:

> I've been following this thread with interest and here is Nielsen  
> once again stirring up controversy without providing any  
> alternative. So I thought I'd chip in with a possible solution....
> Key switching
> It could work in two ways with a hardware/software device, basically  
> the idea is that you type a keyword on screen which is replaced with  
> an alternative representation of the keys. So "password" becomes  
> 1L&d5xs@ visually "password" is displayed but once you've finished  
> typing and the letters are obscured either on form submit or after a  
> delay the keys are switched. This could be done either with the real  
> password, so you associate your key switching device with the  
> website and key switch keyword and the password is replaced or the  
> keys switched automatically when typing a password in a random order  
> that is defined once by the device. Obviously this would be no use  
> for MiM attacks but stopping shoulder surfing and improving  
> usability it would be good. Thoughts?

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list