Are passwords more secure when they are 'behind the mask'?
In a post on his blog at the end of June, Schneier said he was backing the opinions of usability expert Jakob Nielsen, who had claimed that it was ‘time to show most passwords in clear text as users type them’, as ‘showing undifferentiated bullets while users enter complex codes definitely fails to comply’.
He also claimed that there was no real benefit to masking passwords, as a ‘truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers’.
So the point he was making was that, when you enter a password, it makes more sense to be able to see what you are typing, since anyone determined enough to discover your details will be clever enough to do so regardless.
Now, before I get a barrage of emails about it: yes, I know that he later took a step back from his comments, conceding that he ‘was certainly too glib’ and that the ‘costs of password masking need to be balanced with the benefits’.
Schneier wrote: “So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords.
“On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords. I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.”
So with Schneier not having clearly made up his mind, and noting that he had received 165 comments on his original post backing Nielsen's claim, this is a debate that is both open to opinion and likely to hang around for some time.
The reason I decided to cover this topic this week is that it came up in conversation the other night with Trend Micro senior security advisor Rik Ferguson. He had originally blogged on the subject at the end of June, and claimed that “password masking has always been the default because, given the choice between masked and unmasked, it is the most secure, and ‘secure by default’ is a long established goal of system and infrastructure design.”
He further claimed that password masking is an effective method of defeating malware designed to take snapshots of the user's screen.
When I was talking with Rik about this, it did seem that Schneier and Nielsen's comments had a degree of sense to them, which is what they were trying to put across: if you can see what you are writing, you are less likely to use static passwords, something that security commentators have blogged about.
Another part of Schneier's original blog post that caught my attention was his thoughts on password masking on public terminals with short PINs, specifically ATMs. He said: “The value of the PIN is large, shoulder surfing is more common, and a four-digit PIN is easy to remember in any case.”
As I was making my way to the Trend Micro event in central London on Wednesday night, I passed several ATMs and, as I approached them, looked at the screen from an angle to see how much of the display I could make out. I should point out, firstly, that the two ATMs in question were not being used and, secondly, that it was not until I was positioned directly in front of the screen that I could see it clearly.
A few years ago I remember a ‘skin' for laptop screens that was marketed towards frequent flyers and train travellers. Its intention was that only the person in front of the screen could see it and any shoulder surfing was eliminated.
Alternatively, I read on Dark Reading this week about a new data-masking technology from IBM that filters sensitive data from unauthorised viewers on the fly, before it reaches their computer screens.
Its researchers in Israel have developed the MAGEN (Masking Gateway for Enterprises) prototype for customer service or call centre users to see just the customer or patient information they need to do their jobs, not confidential information from databases, such as credit card numbers or patient health records.
Tamar Domany, project leader at the IBM Haifa Research Lab, said in a statement: “MAGEN finds and shields sensitive data on the fly, and is reconstructed into a new bitmap-format image with the appropriate masking.”
Whether this could be adapted into password masking technology is unclear at this early stage of development, but perhaps there is a middle ground here between Nielsen's comments on unmasked passwords and the security consensus that says they should be protected.
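One concrete form of that middle ground is a password field that is masked by default (Ferguson's ‘secure by default’) but lets the user reveal it briefly, re-masking on its own after a short timeout and whenever the field loses focus. The following is an added illustration, not code from any of the parties quoted above; it models only the masking policy, with timestamps passed in so the logic can be checked without a browser, and the five-second reveal window is an assumed value.

```javascript
// Added example: a masked-by-default password field with a time-limited
// "reveal" toggle. Pure state logic, no DOM; `now` is a millisecond timestamp
// supplied by the caller so the behaviour is deterministic and testable.

const DEFAULT_REVEAL_MS = 5000; // assumed policy: auto re-mask after 5 s

function createPasswordField(revealMs = DEFAULT_REVEAL_MS) {
  // Secure by default: the field starts masked.
  return { value: "", revealed: false, revealedAt: null, revealMs };
}

function typeChar(field, ch) {
  field.value += ch;
  return field;
}

// User explicitly asks to see (or hide) what they have typed.
function toggleReveal(field, now) {
  if (field.revealed) {
    field.revealed = false;
    field.revealedAt = null;
  } else {
    field.revealed = true;
    field.revealedAt = now;
  }
  return field;
}

// Losing focus (e.g. the user walks away from the terminal) always re-masks.
function blur(field) {
  field.revealed = false;
  field.revealedAt = null;
  return field;
}

// What the screen should show at time `now`: clear text only while the reveal
// window is open, otherwise one bullet per character, as Nielsen describes.
function render(field, now) {
  if (field.revealed && now - field.revealedAt >= field.revealMs) {
    blur(field); // reveal window expired: fall back to masked
  }
  return field.revealed ? field.value : "\u2022".repeat(field.value.length);
}
```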
One thing that is positive about this is that it is a debate that could go back and forth for some time and it will continue to engage the general public.