7/6/09

Masked passwords must go

This article in The Register, Masked passwords must go, reports recommendations from "Usability expert Jakob Nielsen and security expert Bruce Schneier" saying that "both think websites should stop blanking out passwords as users type them in. They say the practice inconveniences users and delivers no security benefits."

I certainly find this to be true, and not just because I am getting older. I suspect I am no different from many of us here. I have to remember (or securely hide) 6 passwords, including 2 on a sponsor network. I have to change them all regularly, though not, of course, on the same schedule. And the password rules for our more secure systems and uses mean I’ve had to be creative.

The idea is creativity = security. Yes, but not when it also needs to include "usability." That is always the tug-of-war, and equilibrium between the two is a good thing.

Anyway, back to the article. 1) It would be great if I could see what I type into systems and web pages here. 2) No matter what experts say about it being both secure and usable, I don’t believe that we will ever get the changes suggested in the article.

Schneier has clarified his position on this in The Pros and Cons of Password Masking.
