Two main points -- masked passwords are a very standardized UI convention, so everyone has a strong assumption that passwords will be masked, even in situations that the author hasn't considered (when yes, in fact lots of people will unavoidably see your password), and second, there are common situations the author hasn't considered.
Most of the meetings I'm in nowadays use screen sharing in some way; that means my screen is intentionally large & visible enough that plenty of other people can see exactly what I type. I do need to occasionally sign into something, which gives away my password lengths but that's it (and that's not too serious; I use a password manager so they're long & random).
Pair programming? A manager authorizing some action for an employee? Any kind of demo, or giving technical support? Training?
There are lots of reasons why someone else would be legitimately closely watching what I type. Masked passwords are not an archaic holdover from mainframe days.
That said, the option to show password text is useful, for all the reasons mentioned -- this should not be site-specific (ugh, I can imagine the "show password text" being just to the right of the password field, so username-tab-password-tab-enter will show the password...), but a button in the toolbar would be nice.
Also, below: gweinberg had a good point: the people who you should fear shoulder surfing from are not the ones who you would want to type a password in front of even if it was masked.
Edit: not implying that we should set up security procedures based on implicit trust of those we work with, but if you're talking about a global internet wide convention then likelihoods are more informative than exceptions.
I do it (make a point of not facing the keyboard & screen of someone typing in their password) as a point of politeness; however, in retrospect I find it a little odd. I've noticed other people doing it too (and yet when there is a presenter logging into a machine, nobody cares as much).
I always look away when someone else is typing in a password, as my eyes are drawn to the keyboard and I can pretty well read what they type just from the keys. So out of respect, I turn my head. If the password were actually on screen, it would be many times harder not to see it.
I don't think I'm unusual. I'm at computers with other people usually once or twice a day when they enter a password. I don't want to know their passwords!
And as the system admin, I don't want them seeing the password when I have to type it in to fix stuff for them.
It's not malicious people who might be installing keyloggers and all that that masked passwords help against, it's simply day to day privacy and permissions.
I don't have a problem popping round to a team-mate's office to enter a password to let them install some basic software package, or a hardware driver update, or whatever. But if they saw the password, then soon they would know it, and for sure would use it once or twice, and more and more random crap would get installed, and soon malware, and so on.
On the other hand, being able to turn on visibility occasionally is useful. (Ah! No wonder it's not working... your keyboard is still in Korean mode... Oh, right, British mode, the double-quote doesn't live there...)
Entering passwords with people standing behind me would be slightly nerve-racking without password masking, and during a presentation would be essentially impossible.
Password masking is a good default and greatly limits password exposure.
http://www.cs.berkeley.edu/~tygar/papers/Keyboard_Acoustic_E...
but then we should just show the passwords on the screen we enter? That's just insane. Linux command line doesn't even show a * when entering a password. That's how it should be.
We should be paranoid about passwords and not display them.
Having said that, when I write a script that needs to be provided with a password, I just make it hide what I am typing. "read -s" is so much easier than whatever I would have to do to make it show *s.
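The non-echoing prompt the comment above describes, as an added example that is not part of the thread: bash's `read -s` is not POSIX, so this helper uses `stty -echo` instead, restores the terminal if the user interrupts mid-entry (otherwise the shell is left with echo off), and still works when the secret is piped in rather than typed. The function names are assumptions for this example.

```shell
#!/bin/sh
# Read a secret without echoing it.  Usage: secret=$(prompt_secret "Passphrase: ")
prompt_secret() {
    prompt="$1"
    # Prompt goes to stderr so stdout carries only the secret for $(...).
    printf '%s' "$prompt" >&2
    status=0
    if [ -t 0 ]; then
        # Interactive terminal: switch echo off, and restore the saved
        # settings on Ctrl-C so the terminal is not left silent.
        old_stty=$(stty -g)
        trap 'stty "$old_stty"; printf "\n" >&2; exit 130' INT TERM
        stty -echo
        IFS= read -r secret || status=$?
        stty "$old_stty"
        trap - INT TERM
        # The user's Enter was not echoed either; start a fresh line.
        printf '\n' >&2
    else
        # stdin is a pipe or file (password manager, test harness):
        # nothing is echoed anyway, so just read one line.
        IFS= read -r secret || status=$?
        printf '\n' >&2
    fi
    printf '%s' "$secret"
    return $status
}

# Ask twice and accept only a matching pair, the usual guard against a
# typo that the user cannot see because nothing was echoed.
prompt_secret_confirmed() {
    first=$(prompt_secret "${1:-Password: }") || return 1
    second=$(prompt_secret "Repeat: ") || return 1
    if [ "$first" != "$second" ]; then
        printf 'Entries do not match.\n' >&2
        return 1
    fi
    printf '%s' "$first"
}
```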
This has nothing to do with being able to see the password and is entirely to do with stupid password restrictions. It's ironic he uses 'correct horse battery staple'.
http://security.stackexchange.com/questions/33470/what-techn...
Password-masking has its flaws, but one major UI benefit is that it unambiguously distinguishes password fields from other text inputs. Breaking that convention invites people typing passwords into the wrong field by mistake, which creates a greater security problem than unmasking passwords would solve.
And you can't check a 'mask password' checkbox before entering your password?
Seems the more secure default would certainly be preferable.
For many of us, the point is invalid because we know how to choose good passwords, and we don't need to see them in order to do so.
So instead, think about this from the perspective of the average consumer. An unobfuscated password field makes it a lot easier to use a long and complex password. If the field is hidden, users are more likely to choose something short and easy to remember, making their password vulnerable to dictionary attacks.
But the default should be to mask (or not echo at all). The option to unmask should be easily available in the UI, but it would be foolhardy to make it the default.
I feel sorry that the author is so socially isolated that he never shows anyone else anything on his computers. Instead he invokes paparazzo and cold-war imagery with telephoto snoopers hiding to get snapshots of small tablets (iPad mini, not even a full iPad) and yet never thinks of "hey, check this out".
This isn't about having a different workflow, it's about the author having a pain point and engaging on a rant instead of bothering to think it through properly.
Now let's wait a couple of months for someone to post the same thing and then have everyone agree that not masking passwords is indeed a horrible idea!
That's not how I use the computer, that's not how all my friends use their computers, and that's seriously not how the next generation is using their computers.
When I am on youtube, I have up to 5 friends behind me. I don't want them to see my youtube password. When I log into steam, I most likely have someone behind me. When I log into my Evernote account, it's most likely to show a quote or some information to a friend. I don't want them to see the password.
To make it short, I believe that most young people use the computer as a social activity. Showing the password by default makes NO SENSE.
I wouldn't want a client to see my password when I screenshare during a presentation. Nor my coworker to see it on the big screen in the conference room.
I very, very strongly disagree with that article.
It is exactly because we as humans can take visual snapshots easily that we still need the most basic masking. Because we can take snapshots. If one of my coworkers has a long passphrase (high entropy, but very memorable, and therefore the coworker has employed it) and I happen to take a glance at his screen, then notice his password as a tangible sentence, I will remember it. Even if I don't memorize it on the spot, if it happens frequently enough you'd be damn sure that I will.
> Masked passwords come from the age of mainframes. And when we're talking about mainframes, that makes sense -- they were secure, private systems, used by specialists.
Again, it still makes sense to have masked password, just as it made sense in the mainframe age; we can take snapshots.
Having said that, I do see the merits of his point; an option to unmask would be a vast improvement on UX, for which I laud Microsoft.
It's especially difficult for me to type a 30-character-long masked password from my native language layout on top of English keyboard visuals. I can do it with my eyes closed on a keyboard, but it's not very easy to do on a smartphone, and it's much easier to screw it up.
The best UX experience collides with the best security experience; we need to find the middle point. This is not the middle point. Passwords are now broken from concept, that's why we are evolving into two factor authentication. Making a broken security method easier to crack (even if it may only happen when certain circumstances are met, like doing it in an airport or coffee shop) is not the way to go.
Nowadays, just looking at the last character briefly before it gets masked is enough for me to correctly type in my more complicated passwords.
I'd like arbitrary password restrictions to disappear before things like default masked password fields. I can never remember whether this unfrequented site required 6-8 characters, or a special character, or no more than three alphanumeric characters, etc. in the password. I just usually reset the password each time I need to log in, in such cases.
I note that PGP Desktop has a checkbox to disable masking. I always tick it. It helps me to get the pass phrase right and to burn it into memory.
But the default should be mask!! (OK, maybe the default should be configurable. But the default default should still be to mask.) In public situations, it would be too much to have to remember to turn on masking.
But of course it would be no good for a machine I use in a public place.