Comments on: On Passwords (Usability and Security) http://www.lonegunman.co.uk/2009/07/15/on-passwords-usability-and-security/ Mon, 19 Dec 2011 14:29:41 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Paul http://www.lonegunman.co.uk/2009/07/15/on-passwords-usability-and-security/comment-page-1/#comment-1747 Paul Sun, 19 Jul 2009 09:03:13 +0000 http://www.lonegunman.co.uk/?p=3280#comment-1747 It appears we have a winner in this debate (I'm not sure how to post links here so I'm going to try normal HTML): <a href="http://www.theregister.co.uk/2009/07/07/security_guru_password_retraction/" rel="nofollow">Schneier says he was 'probably wrong' on masked passwords</a> It appears we have a winner in this debate (I’m not sure how to post links here so I’m going to try normal HTML):

Schneier says he was ‘probably wrong’ on masked passwords

]]> By: Billy http://www.lonegunman.co.uk/2009/07/15/on-passwords-usability-and-security/comment-page-1/#comment-1742 Billy Thu, 16 Jul 2009 06:25:00 +0000 http://www.lonegunman.co.uk/?p=3280#comment-1742 And most of us lack knowledge about online security. I think education about this is our best defense for the monsters in online world. You may also want to check this article to learn more: http://www.articlesbase.com/video-games-articles/safety-in-the-world-of-warcraft-1014729.html And most of us lack knowledge about online security. I think education about this is our best defense for the monsters in online world. You may also want to check this article to learn more: http://www.articlesbase.com/video-games-articles/safety-in-the-world-of-warcraft-1014729.html

]]> By: Paul http://www.lonegunman.co.uk/2009/07/15/on-passwords-usability-and-security/comment-page-1/#comment-1738 Paul Wed, 15 Jul 2009 19:28:36 +0000 http://www.lonegunman.co.uk/?p=3280#comment-1738 And leaving it up to users with a checkbox to toggle masking is asking users to make an immediate assessment of the security environment while typing their password. If the default was toggled 'on' for masking this could work, but again, I think the tradeoff will be that people never remember their passwords. Much better the current way with password reset procedures. And leaving it up to users with a checkbox to toggle masking is asking users to make an immediate assessment of the security environment while typing their password.

If the default was toggled ‘on’ for masking this could work, but again, I think the tradeoff will be that people never remember their passwords. Much better the current way with password reset procedures.

]]> By: Paul http://www.lonegunman.co.uk/2009/07/15/on-passwords-usability-and-security/comment-page-1/#comment-1737 Paul Wed, 15 Jul 2009 19:20:31 +0000 http://www.lonegunman.co.uk/?p=3280#comment-1737 Phising and keylogging devices will break any username/password dialog (apart from the ones that ask you for the fourth and seventh letters or use GUI keyboards). Is Nielsen seriously saying that a person is engrossed in buying something on Amazon shouldn't worry about people shoulder-surfing? (yes, this phenomena has a name in the security world!) Hmmmm. Let's back up and take stock of what Nielsen's about. I never minded the guy when he talked about cleaning up cluttered websites - he was so right and I even bought his books ten years ago on the subject just to prove to myself how right he was. But allowing usability issues to trump security issues is just plain dumb. I wonder if he's not confusing 'usability' and 'convenience'. I'd love to be able to throw my rubbish away in a bin on the underground in London, or be able to forgoe the pesky PIN number stuff when I pay for things, but they're not possible if we want a degree of security. Security should always trump notions of convenience if the countermeasure (like removing bins from the underground or requiring a PIN when you use your credit card) is proportional to the threat (terrorism, card misuse). Unless you have eyes in the back of your head or big wing mirrors attached to your screen, shoulder-surfing is *always*enough of an issue to require some sort of countermeasure. Besides, I'm quite sure that masking the password forces you to remember it when typing too. Phising and keylogging devices will break any username/password dialog (apart from the ones that ask you for the fourth and seventh letters or use GUI keyboards).

Is Nielsen seriously saying that a person is engrossed in buying something on Amazon shouldn’t worry about people shoulder-surfing? (yes, this phenomena has a name in the security world!) Hmmmm. Let’s back up and take stock of what Nielsen’s about.

I never minded the guy when he talked about cleaning up cluttered websites — he was so right and I even bought his books ten years ago on the subject just to prove to myself how right he was.

But allowing usability issues to trump security issues is just plain dumb. I wonder if he’s not confusing ‘usability’ and ‘convenience’. I’d love to be able to throw my rubbish away in a bin on the underground in London, or be able to forgoe the pesky PIN number stuff when I pay for things, but they’re not possible if we want a degree of security.

Security should always trump notions of convenience if the countermeasure (like removing bins from the underground or requiring a PIN when you use your credit card) is proportional to the threat (terrorism, card misuse). Unless you have eyes in the back of your head or big wing mirrors attached to your screen, shoulder-surfing is *always*enough of an issue to require some sort of countermeasure.

Besides, I’m quite sure that masking the password forces you to remember it when typing too.

]]>