On Passwords (Usability and Security)
Passwords have barely evolved since the early days of computing and are taken for granted in our daily online-lives. It’s time for change, says usability expert Jakob Nielsen, who believes password masking goes against basic usability principles and should be stopped (via Kottke).
Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites […] mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. [However], there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
Nielsen suggests that password fields should be plaintext by default, with a checkbox available for when a user would like to turn masking on. Ignoring the usability issue of adding a new and unexpected item to a form, and ignoring the social ramifications of such a change (explicitly displaying lack of trust by turning masking on around friends), do lengthy, supposedly ‘strong’ passwords increase online security anyway? (pdf, via Schneier)
Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat.
Secret questions aren’t much better, either.
4 Comments
Phising and keylogging devices will break any username/password dialog (apart from the ones that ask you for the fourth and seventh letters or use GUI keyboards).
Is Nielsen seriously saying that a person is engrossed in buying something on Amazon shouldn’t worry about people shoulder-surfing? (yes, this phenomena has a name in the security world!) Hmmmm. Let’s back up and take stock of what Nielsen’s about.
I never minded the guy when he talked about cleaning up cluttered websites — he was so right and I even bought his books ten years ago on the subject just to prove to myself how right he was.
But allowing usability issues to trump security issues is just plain dumb. I wonder if he’s not confusing ‘usability’ and ‘convenience’. I’d love to be able to throw my rubbish away in a bin on the underground in London, or be able to forgoe the pesky PIN number stuff when I pay for things, but they’re not possible if we want a degree of security.
Security should always trump notions of convenience if the countermeasure (like removing bins from the underground or requiring a PIN when you use your credit card) is proportional to the threat (terrorism, card misuse). Unless you have eyes in the back of your head or big wing mirrors attached to your screen, shoulder-surfing is *always*enough of an issue to require some sort of countermeasure.
Besides, I’m quite sure that masking the password forces you to remember it when typing too.
And leaving it up to users with a checkbox to toggle masking is asking users to make an immediate assessment of the security environment while typing their password.
If the default was toggled ‘on’ for masking this could work, but again, I think the tradeoff will be that people never remember their passwords. Much better the current way with password reset procedures.
And most of us lack knowledge about online security. I think education about this is our best defense for the monsters in online world. You may also want to check this article to learn more: http://www.articlesbase.com/video-games-articles/safety-in-the-world-of-warcraft-1014729.html
It appears we have a winner in this debate (I’m not sure how to post links here so I’m going to try normal HTML):
Schneier says he was ‘probably wrong’ on masked passwords