Password masking: myths and truths

July 7th, 2009 by Vladimir Katalov
Category: «General», «Passwords & Human Factor», «Security», «Software», «Tips & Tricks»

Ever heard of the password masking problem? To be honest, I had not, until I read the Stop Password Masking article by Jakob Nielsen (sometimes referred to as a "usability guru"), followed by a lot of other publications, blog posts and comments (see ’em all); so-called security guru Bruce Schneier even wrote two essays on it.

Well, that reminded me of the very funny (and stupid) CAPSoff Campaign.

In brief, here is the "problem": for years (I think starting from Windows 3.0, released almost 20 years ago), passwords have been masked as you type them (in most programs that have any kind of password protection, and in the operating system itself), i.e. replaced with asterisks or black circles. What for? To prevent the password from being read by someone standing behind you.

The implementation is really simple: all you have to do is set the ES_PASSWORD style on the Edit control in question.

Does that feature add any security? Yes, I think so, though it does not protect against keyloggers. Besides, the content of a masked edit control (i.e. the password) can easily be read by other software: look, for example, at the Behind Asterisks feature available in Proactive System Password Recovery – with it, you can "unmask" all controls in all programs currently running, and even enable disabled (grayed out) buttons and menu items.

However, Nielsen says that password masking, first, causes more errors and, second, even reduces security. I can see the first point: yes, if you don’t see what you type, it is easier to make a typo. But all well-designed programs (like PGP) have an option to [un]mask the password field, or at least ask you to enter the password twice (I doubt you can make exactly the same typo twice).

The second point is much harder to understand:

"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security."

True? Yes, definitely. But it has no connection to password masking. I don’t feel uncertain when entering something into a masked box, really. And most users select short/simple passwords anyway, and/or write them down, regardless of the usability issues discussed here 😉

I see another problem, though, related to non-US keyboards. You may have the keyboard layout switched to a language other than the default… or have CapsLock switched on. However, well-designed systems will draw your attention to the layout and the CapsLock state (e.g. the Windows logon prompt).

And finally… Most (if not all) email clients and instant messengers have an option to "remember" passwords (and yes, it is convenient – you don’t have to enter the password every time you connect). And if the password is saved, you see only the asterisks (in the program options, or in the ‘connection’ window), so you feel secure: someone who gets physical access to your computer will be able to read your mail and connect to your IM account, but cannot get your password. Right? Wrong. Unfortunately, most programs save passwords in plaintext, or use ‘snake-oil’ encryption, so the passwords can easily be extracted by programs like Advanced Mailbox Password Recovery and Advanced IM Password Recovery. The only (good) exceptions are ICQ version 6 and higher, Yahoo! IM version 7.5 and up, and all versions of Skype – they save not the password itself, but its hash (from which it is really hard, and sometimes impossible, to recover the plaintext). This (storing the passwords) IS the real security problem. Password masking is NOT.
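To make the difference between ‘snake-oil’ encryption and storing a hash concrete, here is an added example (not code from this post or from any of the products named) that simulates a client’s "remember password" store three ways; the XOR scheme, its key and the sample values are made up, and PBKDF2-HMAC-SHA256 stands in for whatever the hashing clients actually use.

```python
# Added example: a toy "remember password" store done three ways.
# The XOR scheme, its key and the sample password are constructed for this
# demo; no real mail or IM client's on-disk format is reproduced here.
import hashlib
import hmac
import os

SNAKE_OIL_KEY = b"\x5a\xa5"      # fixed key baked into the "client" (constructed)
SALT_LEN, ITERATIONS = 16, 200_000


def store_plaintext(password: str) -> bytes:
    """Worst case: the saved blob *is* the password."""
    return password.encode()


def recover_plaintext(blob: bytes) -> str:
    return blob.decode()


def _xor_fixed_key(data: bytes) -> bytes:
    # XOR with a constant key is its own inverse; anyone who has the program
    # also has the key, so this is obfuscation, not encryption.
    return bytes(b ^ SNAKE_OIL_KEY[i % len(SNAKE_OIL_KEY)] for i, b in enumerate(data))


def store_snake_oil(password: str) -> bytes:
    return _xor_fixed_key(password.encode())


def recover_snake_oil(blob: bytes) -> str:
    return _xor_fixed_key(blob).decode()


def store_hashed(password: str, salt=None) -> bytes:
    """Save salt || PBKDF2(password). There is no recover_hashed(): the blob
    can only confirm a guess. A salted, slow hash keeps offline guessing of
    weak passwords expensive; it cannot make a weak password strong."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_hashed(blob: bytes, candidate: str) -> bool:
    salt, digest = blob[:SALT_LEN], blob[SALT_LEN:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)   # constant-time comparison


if __name__ == "__main__":
    pw = "s3cret"                                # constructed sample password
    print("plaintext blob gives back:", recover_plaintext(store_plaintext(pw)))
    print("snake-oil blob gives back:", recover_snake_oil(store_snake_oil(pw)))
    print("hashed blob verifies:", verify_hashed(store_hashed(pw), pw))
```

Running it shows the first two stores hand the password straight back to whoever reads the file, while the hashed store can only answer yes or no to a candidate.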