Response to Nielsen's "Stop Password Masking"

I just ran across Jakob Nielsen's Alert Box post titled Stop Password Masking and wanted to provide some feedback from a security vs. usability perspective. I have great respect for Nielsen's contribution to the usability of the web. Back in the early days of the internet (mid 1990's), his books were gospel at my consulting firm, ATGi.

My initial reaction to his article was 'that's a crazy idea' - but after some reflection, I really felt like it was a good mental exercise to actually consider what he was saying. If I hadn't known who Nielsen was, I probably would have dismissed his suggestion outright. Sometimes it is a good exercise to go back and review why we do the things we do - especially as it relates to information security controls. Nielsen questions the real security benefit of password masking - something I haven't given a second thought to...well, ever.

"Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures."

Nielsen's probably right: It might be costing you business. The question is, how much business? Security shouldn't be the be-all, end-all goal. It's there to serve the organization first and foremost. Viewing the cost of security controls with respect to the function it's protecting is the correct perspective. Enter risk analysis - risk analysis is an important process that helps determine if the cost of having (or not having) a security control mitigates threats, while not adversely affecting the business (too much). It's about reducing risk to an acceptable level, not about 100% security. It's a balancing act. Why not target 100% security? Well, if an organization attempted to implement absolute security, it'd go out of business - it's just too expensive. For example, it doesn't make sense to spend a million dollars on security solutions that will protect a web site that only earns a few thousands dollars a month.

Again, Nielsen pretty much has it right- except for the 'true loss of security' statement:

"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security."

Next Nielsen gives a nod to the importance of security and provides an option for masks that takes security into consideration:

"Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win."

Though I would go further than Nielsen: Users, unless forced, won't use a complex password even if there is no mask, unless complexity is enforced. If complexity is enforced, a non-masked textbox would certainly help the user meet complexity requirements more easily - which is probably what Nielsen means. Likewise, when presented with an option for masked password or not masked - users typically chose convenience over security so in most cases I would want to default the option to show the mask.

Using simple passwords or 'copy-paste passwords' is not NECESSARILY a 'true loss of security', but the devil's in the details.

The loss of security for 'copy-paste password' scenarios (which assumes users are storing passwords locally in a file of some sort) assumes a local computer or local network compromise. If so, he's correct - the gig is up, but that's not necessarily a true loss of security...well, it IS for the ONE compromised user (or network of users) - but not for all the users of that web site. The main reason we insist on password complexity is increase the keyspace of a password which helps stop brute force and dictionary attacks that originate from attackers "out there" who don't require access to the user's computer to begin with. The attacker attempts to find a collision with a password for a known account through a dictionary attack and if they have more time, a brute force attack. Additionally, Password Manager Software (KeePass or Password Safe) will encrypt password stores locally and even associate them automatically with the appropriate web site. Though I suspect the use of password management tools is the exception, not the rule.

As for users choosing too simple of a password: If the site allows users to pick an insecure password, that's already a failure of the site. But it's possible to have both a simple password as well as a secure password. Contrary to common belief, good passwords don't necessarily have to contain symbols, digits, upper and lower case characters. The reason these complexity requirements were introduced was to protect against brute force attacks as well as dictionary attacks on shorter passwords. Humans have a natural propensity to use simple dictionary words that are easy to remember - such as names, meaningful numbers/dates, pet names, etc., as passwords - hackers take advantage of this seemingly reasonable behavior and use it to their advantage. By adding complexity - that is, the symbols, digits, upper/lower characters - this makes the dictionary attacks more expensive (time consuming) to the attacker since each time we increase the length and the number of possible combinations, this increases the keyspace of the password. So if instead of increasing the combinations, instead increase the password length and use a simple phrase or sentence as the password. These long passwords with less complexity are called a passphrase. Dictionary attacks are useless against passphrases since they are not made up of a dictionary words. By increasing the keyspace by requiring a minimum of 30 normal alpha characters (including spaces and maybe an optional period or comma) we've also made it very expensive (time consuming) to brute force. So my passphrase could be "my name is jason and this is my password." - this is 40+ characters and no more difficult to remember than a dictionary word - but it's not found in any dictionary so it will stop dictionary attacks and it has a very large keyspace so it will slow down brute force attacks considerably, making them impractical.

A true loss of security? It doesn't have to be - at least not for the organization. However, I can already hear Nielsen groaning on the usability of typing 40+ characters blindly into a masked password box. This is where two-factor authentication can solve the problem of passwords and passphrases completely - which can really improve usability.

Nielsen's observation about typing in passwords on mobile devices makes the most sense to me. It is more difficult to shoulder surf someone on a mobile device. It's also much more difficult to type a password with complexity requirements correctly on a mobile device unless you're a profession texter. There's probably not as much risk here by unmasking, so we could probably forgo the mask on mobile devices. It's trivial to detect mobile devices, so simple choosing to use a non-masked text box in these situations would be okay for most situations.

But before we go running to dump the masked password box, there's a few questions we must ask - what are the unintended side-effects of this change? Are there good workarounds to these issues? How much education do developers need to implement this? Remember, we've known about and had solutions to SQL Injection for over 10 years now, yet there's still a constant barrage of developers who still don't know how to protect against this properly - this is an education problem.

Here's my initial pass of issues I see by displaying (not masking) passwords to end users:

1. Accidental observation - in the enterprise there are many opportunities where someone else will be at your computer and may accidentally see your password. A great example of this is when using older command line programs that required the password as an argument. I've on occasion seen others' passwords and others have seen mine.
2. Autocomplete Web Forms - Modern web browsers now remember and prefill text boxes with previously used input. This is a usability feature at the expense of privacy/security. This means the password is stored not only in the OS somewhere for retrieval later, but will pop-up anytime a user starts typing in the textbox. This has the most serious implications on public systems. Developers, if aware of the issue, can prevent this data from being stored by setting the autocomplete attribute to off in the form. This is a developer educational issue.
3. Compliance - I don't want to get into all the details here, but bad password management practices can cause compliance issues. Lack of compliance can affect business. Not masking passwords may be in violation of certain security requirements for the organization.
4. Nuanced Issues - there are potentially a variety of issues for every masked password box implementation - for instance, in .NET for Windows Applications, there's a way to encrypt passwords in memory (using the System.Security.SecureString object). Displaying the characters in the textbox first may completely defeat the security provided by this control.
5. What else? - Are there other issues here?

Certainly a usability guy isn't going to or need to understand all the ins and outs of security, just as I won't understand the broad range of usability issues. We should be cautious when recommending broad sweeping changes that affect security. Additionally, us security folks should not resist usability improvements that affect security just because we've always done things another way - we should have a good solid business reasons why we do things the way we do. We need to make sure changes can continue to protect our customers/users. Changes to security functionality can often cause unintended side-effects that can put us at risk. Not that there isn't a good solution - to me, the most IDEAL solution to improve usability would be to dump passwords as the authentication mechanism all together - there are some partial solutions to this problem, but Identification is a difficult problem to solve - we're definitely not there yet. Personally, I look forward to the day where authentication, passwords, and password management all become a thing of the past, but that's a completely different conversation.