Wednesday, July 8th, 2009

New in the Lab: HalfMask – a Password Masking Experiment

By Chris Dary

Head on over to the Arc90 Lab to get the details on a new experiment, HalfMask.

HalfMask is intended to be a middle ground between fully masked passwords (with bullets) and the clear-text passwords that usability consultant Jakob Nielsen recently argued for in his Alertbox article “Stop Masking Passwords”.

Please leave any feedback on this experiment here – we’re curious to hear what the community thinks!

18 Responses

  1. Avi Flax said:

    Very cool!
    Did you actually test this with Safari 3? I’d think you’d be running 4.0.

  2. Justin Thyme said:

    I’m not so sure that “being all about compromise” is a trait you should strive for. Security vs. ease-of-use is a classic trade-off, and attempts to ‘compromise’ generally do — they compromise security. This is where careful risk assessment should be applied, so that tradeoffs can be accepted or rejected from a place of knowledge.
    A locked door is indeed more cumbersome to use than beads, a screen, or simply an archway; however, did you want the entrance to be secured, or not? If so, how much? In what circumstances is ‘semi-secure password authentication’ okay?

  3. Ryan said:

    Just want to say kudos on the graceful JavaScript degradation – I was sure it was not going to do the right thing with NoScript.
    Tangent:
    Your blog doesn’t let me post a comment without an email address, but you make the email addresses of commenters visible (see Justin Thyme – tom.s.thomas@ieee.org above me). My email address is spoofed (Sorry, “Justin”!) to prevent spambots from capturing the real one. I’d suggest giving commenters the option to make their email visible only to you.

  4. pete gamache said:

    I think the call to eliminate password masking is misguided at best, but I find this an interesting project. However, I suggest that most of the same haters (of which I am one!) would hate this too. I don’t want anyone seeing my password and if I can read it, someday someone else will too.
    I see that the arc90 team has done a fine job anticipating that last complaint, because I can hardly read my password! Great job; if I were forced to use HalfMask, I would be glad it works this well at discouraging prying eyes, even my own.

  5. Stephen said:

    Awesome. Has Bruce Schneier seen this, it’s a brilliant solution.

  6. gabe said:

    When you highlight the password field, you can clearly see the password (in Chrome).

  7. Chris LoSacco said:

    I’ve done some very informal over-the-shoulder tests, and I’ve been extremely impressed with how effective this solution is. When you’re typing, it’s fairly easy to spot and correct mistakes. However, when watching someone type over the shoulder, everyone I’ve talked to has found it impossible to make out the password, even given some time to study.
    I don’t know if it’s a perfect solution, but what Chris D. has come up with seems to provide a substantial usability gain over masked passwords with no immediately perceived downside.

  8. Euphemism said:

    I’m using Chrome, and I can’t see it when I highlight it. In fact, even as I type it, I can sometimes make out the letter I typed, but most of the time it’s masked by the other letters – I only see it when it sticks out underneath or above (the letter y, or g for instance).
    Well, that’s good, because if I can’t figure out what my password is, no one else will either.
    Seems like it’s strictly worse than the traditional masking approach: it’s hard enough to see that you won’t benefit at all from being able to make out what you’re typing, it’s visually distracting, and other people might be able to make out one or two of the characters in your password if they’re familiar with the system.
    Of course, the way this works might be subtly different in Firefox or IE…

  9. Steve said:

    When I press Command, a letter appears in the password box. When I release it, it goes away.
    This seems weird, and Control/Shift/Option don’t do this.

  10. rpcutts said:

    …it’s like typing when drunk.

  11. Doug said:

    Nice work Chris! I don’t think Nielsen has completely thought through the implications of his proposal, but regardless, HalfMask is a nice option for certain situations.

  12. Tom said:

    It’s a nice idea, but it’s kind of like one of those Magic Eye books. Once you figure out how to focus your eyes the correct way, the password is fairly easy to see.
    If this technique gained widespread adoption, I think people’s eyes would become trained to see the password more and more easily and eventually it would even fail the over-the-shoulder test.
    Very thoughtful though. I like that you even thought out basic copy/paste security!

  13. Stephan Wehner said:

    Tom wrote in a previous comment:
    “Very thoughtful though. I like that you even thought out basic copy/paste security!”
    Not sure what this basic security is. Here with Firefox 3.0.11 I’m seeing
    1. When pasting only the first letter is obscured.
    2. It is possible to select the whole password, copy, and then paste to recover it without any obfuscation.
    Doesn’t look like basic security to me.
    I don’t find it easy to recognize what I typed. Still a nice idea!
    Stephan

  14. Robin Laur said:

    Interesting response to Nielsen’s latest Alertbox! You might want to include some (more?) uppercase characters in the masking to improve masking of uppercase/numeral/symbol characters. Also, space characters will look different when masked since there is no visible character to mask.
    One idea you might want to test is to incorporate the password masking method Nokia uses with their “smart” phones, which is to display the last input character and replace it with a bullet after a timeout or when the next character is pressed. Show the last character (masked) only until the next is pressed or until a timeout. Then replace it either with a mess of characters or with a bullet. This would give a possible shoulder surfer less time to read the password.
    ~llaur
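
The masking scheme Robin Laur describes above (show only the last typed character, then replace it with a bullet on the next keystroke or after a timeout), with pasted text masked outright in view of the paste behaviour Stephan Wehner reports, as an added JavaScript example that is not HalfMask’s own code. It models the field as a pure state machine with assumed class and method names and a constructed 1.5 s timeout, so it runs without a browser:

```javascript
// Added example, not HalfMask's code: a Nokia-style password field that shows
// only the last typed character until the next key or a timeout, modelled as
// a pure state machine (assumed names; REVEAL_MS is a constructed value).
const REVEAL_MS = 1500;
const BULLET = "\u2022";
class RevealLastCharField {
  constructor(revealMs = REVEAL_MS) {
    this.revealMs = revealMs;
    this.secret = "";             // the real password, never rendered as-is
    this.revealUntil = -Infinity; // clock time until which the last char shows
  }
  // One keystroke: readable until the timeout expires or another key arrives.
  typeChar(ch, now) {
    this.secret += ch;
    this.revealUntil = now + this.revealMs;
  }
  // Pasted text is masked at once: a whole password from the clipboard must
  // never be shown, even briefly (cf. the paste behaviour reported above).
  paste(text) {
    this.secret += text;
    this.revealUntil = -Infinity;
  }
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.revealUntil = -Infinity; // nothing new to reveal after a deletion
  }
  // What the field renders at clock time `now`: bullets for everything, with
  // the last character in the clear only while its reveal window is open.
  display(now) {
    if (this.secret.length === 0) return "";
    const masked = BULLET.repeat(this.secret.length - 1);
    const last = this.secret[this.secret.length - 1];
    return masked + (now < this.revealUntil ? last : BULLET);
  }
  value() { return this.secret; } // what the form actually submits
}

// Constructed walkthrough (times in ms): type "a", then "b", wait, paste "cd".
function demo() {
  const f = new RevealLastCharField(1500);
  f.typeChar("a", 0);
  const afterA = f.display(100);        // "a": still inside its window
  f.typeChar("b", 500);
  const afterB = f.display(600);        // "•b": typing b hid a immediately
  const afterTimeout = f.display(2100); // "••": window closed
  f.paste("cd");
  const afterPaste = f.display(2201);   // "••••": pasted text never shown
  return { afterA, afterB, afterTimeout, afterPaste, value: f.value() };
}
```

A real page would call `display(Date.now())` on each input event and again when the timeout fires, writing the result into a visible text control while `value()` is what the form submits.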

  15. Bill Rubin said:

    I never type passwords on web pages. Never. I always use a password manager, which copies passwords (and userids too) into the appropriate fields, usually with just a short, fixed keystroke sequence. Never having to type a password means that all passwords can be cryptic, long, and distinct from each other.
    The whole concept of passwords that you manually type in yourself suffers from major security issues in real-world usage. As Bruce Schneier has written (Secrets & Lies), the vast majority of users choose weak passwords, and then reuse them, share them, and write them on a Post-it. Using a password manager mitigates all these problems: Even the user has no need to know his passwords, because he never types them.
    Full disclosure: I’m associated with the KeePass Password Manager project (free, open source), and have written a plugin for it.

  16. Patxi said:

    Brilliant idea!

    I’d love to have HashMask as a ‘Firefox Extension’, and activate it either on all my password fields or only on a subset.

    This way, this would not be depending on the host, but on my machine.

    Congrats!

  17. Matt said:

    While this is an elegant technical solution I think you’re going down the wrong path. The issue I see is that every website that uses the un/pw model follows a different standard which forces each person to come up with variations of the same password. In the end a user should be able to arrive at a website and using visual cues on the site be able to easily remember a password that is unique to that website. For example, I create unique passwords for each site using the first and last letters of the website. Only I know what words equate to the letters so it’s pretty secure as long as I don’t use a commonly used set of words as my secret words. It’s about 90% effective and I have about 50 unique passwords.
