Comments on: New in the Lab: HalfMask – a Password Masking Experiment

By: Matt

Matt — Thu, 07 Jan 2010 00:26:45 +0000

While this is an elegant technical solution I think you’re going down the wrong path. The issue I see is that every website that uses the un/pw model follows a different standard which forces each person to come up with variations of the same password. In the end a user should be able to arrive at a website and using visual cues on the site be able to easily remember a password that is unique to that website. For example, I create unique passwords for each site using the first and last letters of the website. Only I know what words equate to the letters so it’s pretty secure as long as I don’t use a commonly used set of words as my secret words. It’s about 90% effective and I have about 50 unique passwords.

By: Patxi

Patxi — Mon, 04 Jan 2010 14:08:50 +0000

Brilliant idea!

I’d love to have HashMask as a ‘Firefox Extension’, and activate it either on all my password fields or only on a subset.

This way, this would not be depending on the host, but on my machine.

Congrats!

By: Bill Rubin

Bill Rubin — Thu, 03 Dec 2009 21:12:09 +0000

I never type passwords on web pages. Never. I always use a password manager, which copies passwords (and userids too) into the appropriate fields, usually with just a short, fixed keystroke sequence. Never having to type a password means that all passwords can by cryptic, long, and distinct from each other.
The whole concept of passwords that you manually type in yourself suffers from major security issues in real-world usage. As Bruce Schneier has written (Secrets & Lies), the vast majority of users choose weak passwords, and then reuse them, share them, and write them on a Post-it. Using a password manager mitigates all these problems: Even the user has no need to know his passwords, because he never types them.
Full disclosure: I’m associated with the KeePass Password Manager project (free, open source), and have written a plugin for it.

By: Robin Laur

Robin Laur — Tue, 14 Jul 2009 09:13:46 +0000

Interesting response to Nielsen’s latest Alertbox! You might want to include some (more?) uppercase characters in the masking to improve masking or uppercase/numeral/symbol characters. Also, space characters will look different when masked since there is no visible character to mask.
One idea you might want to test is to incorporate the password masking method Nokia uses with their “smart” phones, which is to display the last input character and replace it with a bullet after a timeout or when the next character is pressed. Show the last character (masked) only until the next is pressed or until a timeout. Then replace it either with a mess of characters or with a bullet. This would give a possible shoulder surfer less time to read the password.
~llaur

By: Stephan Wehner

Stephan Wehner — Mon, 13 Jul 2009 01:51:57 +0000

Tom wrote in a previous comment:
“Very thoughtful though. I like that you even thought out basic copy/paste security!”
Not sure what this basic security is. Here with Firefox 3.0.11 I’m seeing
1. When pasting only the first letter is obscured.
2. It is possible to select the whole password, copy, and then paste to recover it without any obfuscation.
Doesn’t look like basic security to me.
I don’t find it easy to recognize what I typed. Still a nice idea!
Stephan

By: Tom

Tom — Thu, 09 Jul 2009 14:07:27 +0000

It’s a nice idea, but it’s kind of like one of those Magic Eye books. Once you figure out how to focus your eyes the correct way, the password is fairly easy to see.
If this technique gained widespread adoption, I think people’s eyes would become trained to see the password more and more easily and eventually it would even fail the over-the-shoulder test.
Very thoughtful though. I like that you even thought out basic copy/paste security!

By: Doug

Doug — Thu, 09 Jul 2009 13:10:45 +0000

Nice work Chris! I don’t think Nielsen has completely thought through the implications of his proposal, but regardless, HalfMask is a nice option for certain situations.

By: rpcutts

rpcutts — Thu, 09 Jul 2009 06:50:54 +0000

..it’s like typing when drunk.

By: Steve

Steve — Thu, 09 Jul 2009 05:10:07 +0000

When I press Command, a letter appears in the password box. When I release it, it goes away.
This seems weird, and Control/Shift/Option don’t do this.

By: Euphemism

Euphemism — Thu, 09 Jul 2009 03:21:40 +0000

I’m using chrome, and I can’t see it when I highlight it. In face, even as I type it, I can sometimes make out the letter I typed, but most of the time it’s masked by the other letters – I only see it when it sticks out underneath or above (the letter y, or g for instance).
Well, that’s good, because if I can’t figure out what my password is, no one else will either.
Seems like it’s strictly worse than the traditional masking approach: it’s hard enough to see that you won’t benefit at all from being able to make out what you’re typing, it’s visually distracting, and other people might be able to make out one or two of the characters in your password if they’re familiar with the system.
Of course, the way this works might be subtly different in Firefox or IE…