CSSquirrel A look at web development and web design by Kyle Weems

Comic Update: The Dangers of Intentional Vulnerability (AKA Password Unmasking)

Posted by Kyle Weems on June 29, 2009

Sometimes I find myself participating in a discussion or a debate that sounds like a theoretical exercise involving recreational intoxicants. The unfortunate part of such topics is that not only are the participants sober, they’re also well-informed.

As we’re about to learn, being wise and making wise choices do not always go hand in hand.

Today’s comic imagines Jakob Nielsen and Bruce Schneier intentionally exposing themselves to danger in a gladiatorial arena (overlooked by a Caesar-esque Dave Shea) with the predictable results. Sadly, this scenario reflects reality (with a little editorial excess) in a way that shocks me.

Let’s lay out the recent events.

Jakob’s Suggestion: Let’s Unmask Passwords

On June 23rd Jakob Nielsen proved he’s not done making poor recommendations in the name of usability. This time the victim is not design, however. Instead, he firmly takes a swing at security by recommending that passwords become unmasked, leaving naked all the strange alphanumeric combinations that we strive mightily to remember every time we want to visit naughty sites, check our email or bid on a rare 1920s lampshade online.

He makes some assertions while recommending this course of action. First, that people rarely look over shoulders. Second, that you’re alone in your office. Lastly, he names two “costs” that these cause, one being that users don’t trust sites that mask password fields and the second that masked fields result in weaker passwords. He ends this list of errors by suggesting we do away with the masking altogether, and dance widdershins under the stars in a deep forest clothed in naught but our own sweat.

For the sake of avoiding a stoning at the hands of security experts, he does make an offhand suggestion of offering a check box to allow masking for public situations, but this is said in an afterthought that shows how little he worries about such a trivial thing as someone with both curiosity and eyeballs noticing you typing things on your monitors.

Dave Shea’s Suggestion: Let’s Have A Smackdown

I might have spent my remaining years ignorant of his “suggestion” (might I take some liberties and call it a mad raving?) of tossing away one of the final barriers of security in exchange for a marginal increase in usability. However, Dave Shea took the impetus to make a comment about Jakob’s strange post on Twitter, for which I thank him.

He then followed with a comment replete with inspiring concepts: “A Bruce Schneier / Jakob Nielsen smackdown would be, frankly, awesome.”

It’s moments like this that I wait for, mouth watering with anticipation as I crawl through the many tweets and blog comments of the web design sphere of opinion. Immediately I imagined a savage competition between these two notables where Jakob’s naivety costs him in a contest against the security expert Schneier. These sorts of daydreams translate easily into a comic, and furthermore align with something about which I found myself holding a strong opinion. This sort of conjunction almost always sends me scrabbling to my mad laboratory, where I harness arcane shapes into vector imagery and stamp it with the mad wisdom of the stars.

The Twist: Bruce Agrees With Jakob

However, it was only on July 26th that Bruce did something I don’t think Dave expected when he made his tweet, and certainly wasn’t in my realm of anticipation. He agreed with Jakob.

Thankfully, I was able to adapt this change of circumstance to my comic’s needs.

However, I’m not about to alter my opinion on the topic. Namely, that I think this suggestion is madness.

In short, it appears to me that Jakob and Bruce assume that exposed passwords are a non-issue because, firstly, criminals don’t hover over shoulders and, secondly, privacy when surfing a website is a guarantee.

Problem #1: Enabling Criminals Of Convenience

Let’s cross out the consideration of serious hacker types for a moment. These aren’t the sort of individuals that need to see you typing your password to steal your stuff. They’ve got mad skills, and are probably busy right now taking your credit card information off a hard drive the U.S. Government accidentally sold to a spare parts reseller. But amateur no-gooders and opportunists need all the help they can get. They may not plan on stealing wi-fi access, but if they see you typing a password in the cafe they just might take advantage of it.

Unmasking the passwords by default creates a situation where Average Joes are given a lot more temptation to misuse the information they’re casually overseeing. We’re a curious, slightly selfish race. Give us the chance and we’ll be exploring things we shouldn’t. This is probably why emergency room doctors drink heavily after workdays involving gentlemen walking funny who whisper about the need for extreme secrecy when dealing with their medical “emergency”.

Problem #2: Privacy In The Home Is An Illusion

We’ll jump past the criminal concern, however, to look at the privacy issue. For the average American (and even more so for the average human) privacy isn’t a guarantee, and rarely exists when accessing a computer terminal. On the home front you often have spouses, siblings, parents and children all about as you log onto email accounts, purchase music via iTunes, check your bank account, or make a purchase for a pizza or a movie. Although I’ll pretend that maintaining privacy between spouses isn’t a concern (although I suspect it is) we all know that kids will be kids, and that some siblings are less than circumspect in respecting your stuff.

How would you like to come home only to discover you’ve spent $40 on purchasing a couple of Britney Spears albums? How about learning someone (probably a young someone) bought access to an adult movie on the cable box with your account? I’m not saying that kids can’t get access to something with enough effort, but I think that it’s a big step in the wrong direction when you remove such a simple barrier to that access, and by doing so it requires no effort on their part to act on a poor decision.

Problem #3: Private Office? What Private Office?

So privacy in the home is an issue. What about the workplace? I have a great job. I don’t work in a cubicle farm. But many office workers do, and have hundreds of co-workers with easily five or six sitting in cubes across the aisle who can see their screens.

School teachers often have their computers in the classroom next to students. Should they trust all their pupils to respect their privacy and not try to access staff-only functions or answers to an upcoming test?

Furthermore, more and more people are accessing websites in non-traditional spaces. When you’re packed on a subway car with dozens of commuters and you need to access a site on your smart phone, do you want to have to decide if you can trust the people squeezed up next to you?

I could come up with dozens of other scenarios. Jakob is trying to cast his recommendation in the light of saving us from “legacy” design by implying that we live in an era where security won’t be risked by removing masking. Bruce seems to agree, stating that shoulder-surfing is an uncommon activity and that the risk is outweighed by the annoyance of typing blind.

The Root Of The Problem: Outdated Assumptions On Where Websites Are Accessed

I say that instead these two are making assumptions about website usage that are outdated. Computers are being used by younger children with more sophisticated skills. Websites are increasingly accessed by other devices like smart phones, in non-private spaces with dozens of potential observers. Privacy is a vanishing commodity, so to presume that an average scenario doesn’t involve potential prying eyes is foolhardy and risky.

Jakob said the following: “Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)”

I’m going to call you out on this one, sir. That’s outright backwards. I feel less confident when I am entering a naked password in any environment, and strongly doubt the security of the site in question if required to do so. In fact, I’m likely to not use it at all. Why should I trust their other measures if they can’t even protect the password from passing eyes?

Perhaps username/password security truly needs to be replaced by something both more secure and simpler to use. I’m not sure what that replacement technology should be. But I do know that we shouldn’t decide that usability trumps security and retrograde to exposing our passwords to John Q. Public.

No offense, John.

[Edit: Fixed the jump from #2 to #4 in the problem subtitles. Thanks, Elaine!]

14 Responses to “Comic Update: The Dangers of Intentional Vulnerability (AKA Password Unmasking)”

  1. I can’t agree more with this, most notably with the erroneous suggestion that masked passwords will lead to lost business. I feel downright naked when I type out my password, only to look up and see it staring me in the face. So much so that I will double check the URL — twice! — and re-type in the URL just to make sure I didn’t get snaked to a phisher.

    The day passwords are unmasked on principle is the day I join a nude convent and celebrate the rebirth of humanity as an inherently good, criminal-less, Pollyanna society. Because, clearly, that is the basis of the suggestion to unmask them.

  2. Yeah, this is pretty much the worst idea ever. There’s also the issue of saved passwords. I’m sure technology can get around that — mask passwords that have been saved I guess — but obviously something would have to be done, or guests using my browser would have the pleasure of seeing my auto-populated passwords. Sure, saving passwords is a security risk in itself, but I still don’t want people actually KNOWING them.

    Then there’s the idea of providing a checkbox to mask the password. I guarantee you that gets used very often. The only time I wouldn’t use it, personally, is when I’m sitting at home and there is not another soul in my loft. So congratulations: by unmasking passwords you’ve just made usability arguably WORSE because I now have to click an extra box.

  3. This is utterly ridiculous (yes, I just used the word “utterly”, isn’t it great?). Even after reading the whole post, I couldn’t help but zone in on one specific part:

    “one being that users don’t trust sites that mask password fields”

    I, for one, have never been to a site that doesn’t mask a password field. And, if I did go to a site that didn’t, I would probably stare at it dumbfounded, wonder why I was there, and then go head off to someplace that I considered to be actually secure.

    I don’t think that users would trust a site without a masked password field. No matter how secure you are in your home, your work place, etc… (and I was definitely secure in my home, but even I had a lock on my diary despite knowing my sister didn’t go through my stuff) removing that protection is just going to cause an over-the-shoulder sense of paranoia.

  4. Ohhh something else just dawned on me. When I first started using an iPhone it bothered me that password letters very briefly show up as you type before being masked. And it’s for a split second on a tiny screen! So I can’t even imagine being okay with plain text passwords on my 24″ monitor.

  5. Aside from the fact I’m in the comic (and purple is really my colour, who knew?) I really like the arguments you fleshed out above. They seem immediately obvious to me, as someone who fairly frequently has to log in in public places. I can’t shake the feeling that anyone taking the counter argument usually uses a computer in a room by themselves.

    Schneier’s response was particularly baffling, as he’s usually so good at thinking through unintended consequences.

  6. I couldn’t agree more with your views. Whenever I access the web through my phone I give furtive looks around to check that no-one is looking at the very tiny screen to pick up on my almost invisible passwords.. ^_~
    A thought on the discussion topic, though: if the unmasking was to come to web-life, I would suggest that the box is to be ticked by those who want the password unmasked, whereas everyone else just blind types as they have been doing since the internet has reached the world wide population and no-one is hurt :)

  7. You said almost exactly what I was trying to get my brain together to say. I just have three additions, two of which come from experience as a web person at a financial institution:

    1) Customers of my org would FREAK OUT if we did something like this. For a while, we had our online banking login on a non-SSL page, and even though it went through SSL to the actual online banking, a number of people were quite upset. (This was before my time.)

    2) I imagine our security folks, and probably our auditors, would just nix the idea out of hand w/out another word. None of this “opt-in/out” checkbox stuff, just “no.” I think the phrase “head would asplode” was the first thing that came to mind.

    3) I have some personal experience with someone I’m close to stealing an ATM PIN by the looking-over-the-shoulder method. Just because big baddies can’t look over your shoulder, doesn’t mean there aren’t people with bad intentions who can.

    (BTW, you’re missing a #3 in there.)

  8. In the comic: I’m not sure a shield would have saved them from the lions.
    Personally I love the option to have my password shown to me whenever I “feel safe” (some OSX dialogs already have this option—just bring it to the web as well)

  9. You know, I’m relieved that I wasn’t the only one who disagreed with Mr. Nielsen when I read his latest article on useit.com. As I finished the article I was squinting a bit as I tried to go through all of the possible positives and negatives of unmasking passwords. Still, in the end, I came out feeling like unmasking isn’t the answer.

    For me my main concern about unmasking passwords was this: Even if I’m in a “secure” location such as my home or have the door shut in my office, what happens when I walk away from my desk and, say, either forget to log out of my account or forget to lock the screen? If someone walks by and I’ve left gmail open and it has my username and password saved, all they have to do is look at the monitor and see all the information they need to access my private data.

    And let’s not forget the unfortunate people who use only one password for everything and never change it. Once they’ve left their workstations unsecure, that’s it, they’re a hair away from being hacked.

    Anyhow, great post, great comic!

  10. How long are you going to sit at a password prompt with the password fully typed out where others can view it? Do you just hang out at login screens? Sure, if you stay logged in to something, someone can take advantage of cached credentials, but this isn’t new. And if someone can shoulder-surf a pin pad, they can surely do the same with the keyboard, hunchbacks notwithstanding.

    If it’s a given that displaying this information is bad, should more extreme measures be taken, such as not showing even a bullet for the characters typed (like a Unix prompt)? After all, if someone knows the number of characters in a password, a brute force attack suddenly becomes much easier. So if we’re advocating obfuscation, why not take it all the way?

    Part of the problem is that people associate bulleted characters with a secure password, even if the thing is passed plaintext via HTTP and stored unencrypted in a database. At least displaying the password (or even having an option to) causes people to (hopefully) think more critically about the security involved.

    No, I don’t work alone in an office, I work in a cubicle “pod” with my monitors all exposed to whomever can sneak up behind me. Personally, I like the iPhone compromise of just displaying the last character typed, because then you get your interface feedback as well as your warm fuzzies.

  11. [...] at one of the best responses to Mr. Nielsen’s Alertbox post, which came from Kyle Weems at CSSquirrel.  He also posted a hilarious comic to go with his response.  Both are totally worth reading. [...]

  12. To those that mentioned the iPhone last-character method, that does seem like the “safest feeling” of an alternative to full masking. Granted, that would almost certainly require user-agent support unless you had a clever coder carefully program in that (which is doable, but probably time-consuming and thus costly).

    @Tkincher – I think the problems at hand are (1) People feel less safe with no masking, contrary to Jakob’s assertions. So regardless of the actual effectiveness, making people feel safe enough to use a site or application is an important consideration for a developer’s commercial success. And (2) Even if it’s not the best layer of security, masking provides enough to help protect against casual password-theft; and as Elaine mentioned, as rare as some may think it is, shoulder-surfing does occur. Yes, people can watch the keyboard, but it requires a bit more effort and is easier to physically block.

    Ultimately I object to Jakob claiming that unmasking increases security and improves user trust when in fact it accomplishes the reverse.

  13. I’d just like to see Mr. Nielsen substantiate the claims that he made on this particular post. I’m usually a pretty big fan of what he advocates but in this particular instance I think he needs to back it up with hard numbers.

  14. I’m actually going to (partially) disagree. I don’t think passwords should be unmasked by default, but I think having a “mask password” checkbox that’s checked by default (as Nielsen suggests for high-security applications) is a good idea. I’ve certainly fat-fingered a password enough times to be frustrated with having no other option.

    I think having it unprotected by default is a lousy idea, though, mostly because people are so used to seeing it masked that they’ll probably have heart attacks if they start keying in a password and it comes out unmasked. And it’s also iffy security-wise, of course.
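
Several responses above describe the same compromise: keep the field masked by default and let the user opt in to seeing what they typed. The sketch below is an added example, not code from this post or its commenters. It also covers two cases raised in the thread, saved passwords that the browser fills in and a user who walks away from the screen. The names `attachReveal` and `REVEAL_MS`, the 10-second window and the keydown heuristic for spotting autofilled values are assumptions.

```javascript
// Added example: masked-by-default password field with an opt-in reveal.
// Assumptions (not from the post): the name attachReveal, the 10 s window,
// and the keydown heuristic used to spot autofilled or script-filled values.
const REVEAL_MS = 10000;

function attachReveal(field, toggle, opts = {}) {
  const revealMs = opts.revealMs ?? REVEAL_MS;
  const setTimer = opts.setTimeout ?? setTimeout;       // injectable for tests
  const clearTimer = opts.clearTimeout ?? clearTimeout;
  let timer = null;
  let sawKey = false;                  // a keydown arrived since the last input event
  let untrusted = field.value !== "";  // value was present before the user typed

  function mask() {
    if (timer !== null) { clearTimer(timer); timer = null; }
    field.type = "password";
    toggle.checked = false;
  }

  function reveal() {
    // Never display a value the user did not type (saved or autofilled password).
    if (untrusted) { mask(); return false; }
    if (timer !== null) clearTimer(timer);
    field.type = "text";
    toggle.checked = true;
    timer = setTimer(mask, revealMs);  // re-mask even if the user walks away
    return true;
  }

  field.addEventListener("keydown", () => { sawKey = true; });
  field.addEventListener("input", () => {
    if (field.value === "") untrusted = false;  // field emptied: start over
    else if (!sawKey) untrusted = true;         // value changed without a keystroke
    sawKey = false;
    if (untrusted) mask();
  });
  field.addEventListener("blur", mask);         // focus left the field
  toggle.addEventListener("change", () => {
    if (toggle.checked) reveal(); else mask();
  });
  if (field.form) field.form.addEventListener("submit", mask);

  mask();                                       // masked is the default state
  return { reveal, mask, isRevealed: () => field.type === "text" };
}
```

In a page this would be wired as `attachReveal(passwordInput, showCheckbox)`. The heuristic is deliberately conservative: a value pasted with the mouse also counts as untyped and stays masked until the field is cleared and retyped.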

About Me

The Squirrel is Kyle Weems, an interactive designer for Mindfly Web Studio in rainy Bellingham, WA.

© 2008 by Kyle Weems. All Rights Reserved.