The Dramatic Password Reveal

As far back as I can remember-- which admittedly isn't very far-- GUI toolkits have included a special type of text entry field for passwords. As you type, the password field displays a generic character, usually a dot or asterisk, instead of the character you actually typed.


This is a companion discussion topic for the original blog entry at: http://www.codinghorror.com/blog/2008/02/the-dramatic-password-reveal.html

Not trying to troll here, but the hieroglyphics on Lotus Notes are not for distracting people looking above your shoulder. They change as you type the password, and their purpose is to prevent spoofing of the login window by a trojan or malware trying to capture the password.

When I need to make sure I’m typing my password correctly, I just open up an editor, type the password in the clear, and then cut and paste it into the password field. There’s absolutely zero risk, since I only do it if there’s nobody around who shouldn’t know my password. The “reveal characters” checkbox in Vista is much more convenient.

But you bring up another point – there isn’t one best way to protect a password. If I make a horrendously complicated password for my bank account, and then write it down and put it in my desk at home, that’s much, much safer than making a password that’s easy to remember so that I don’t need to write it down. If the criminal is sitting at my desk in my house, I’ve already lost.

The risk of copy pasting your password is that it ends up sitting in the copy buffer waiting to be shown the next time someone hits Ctrl-V at your terminal.

Just an interesting note: I installed Linux (Fedora 8) on my laptop a while ago, and I noticed it revealed my password for my wireless network (which I only enter once and store anyway). I don’t even think there was the option to hide the password. At least for a wireless network, where you typically enter the password once on your laptop or PC and store it, I felt it was far more usable than the Windows XP model, which both hid the password AND required me to type it twice. This always seemed like a lot of extra work to me for a password that never needed as much security as something like a user login password. After all, any wireless password I was ever entering was inside my home or a friend’s or relative’s home, and there was absolutely no chance of someone seeing the password who shouldn’t have.

Security is important no doubt, but I think the appropriate level of security for the job is also important.

I believe the username field should stay in the form. Not because of the added security but because of the convenience:
1- The username can be associated with the email address or be the user’s email address. Then a reset password could be emailed to this user.
2- Although this has little chance of happening, what if you try to set the same password as another person? It would be stupid to warn you that the password is already in use.
3- By entering their username, the user should have a stronger feeling of being identified (this is just a guess because I wanted to add a third reason ;))

Tell me when you find a way to fix faulty tab presses. There’s nothing quite like typing your password right next to your username for everyone to see.

I just remembered a college professor not hitting the tab during a lecture. All 100 students saw his uni password and he didn’t even realize he did it. Poor sap.

Happened to me too when I was at school, the helpdesk boss was explaining how something worked, and typed his password in his username box since he was used to the program filling in his username. He changed his password when he did actually get in. Seemed like he had a few up in his head.

There is a Firefox add-on that allows the user to reveal ALL passwords… it could easily be tweaked to allow the user to select which boxes to reveal.

I’ve always wondered about the meeting at which that login window for Notes got approved… That said, I still use it at work every day and I’ve gotten used to it, sort of like an eccentric uncle :wink:

The standard dialog is better:
-It’s simpler, without the “reveal” option.
-It helps keep the rules clear: A password is a secret; you don’t reveal your password. People will confuse the issue; lots of people have trouble with anything computer related.
-Not displaying the text forces people to pay attention to what keys they’ve pressed and in what combination. (Is it an “iI1!|”? That’s only a question if you try to remember it by appearance.)

The above seems less compelling than when I started typing… but still better than a “reveal” option. If you’re not sure then cut and paste. Heck, if someone doesn’t understand the cut/paste option, can you really argue that “reveal” won’t confuse them?

And as for it being a troubleshooting aid, well, having the wrong password is much more common than mistyping it. When I worked on the help desk (Heaven help me) asking someone to slowly retype a password was a polite way to work through some stupid user mistakes, fixing or explaining other issues along the way.

In Mac OS 10.5 (Leopard) the join network has a show password checkbox too.

I’ve got a different take on the Lotus Login Glyphs. I don’t know that I’m right, but I’d bet $5 on it.

My take is that it’s designed as a one-way hash to let you know if you typed your password in correctly. Certainly, I learned to recognize the pattern just before I hit enter, and if I mis-keyed, I saw a drastically different set of characters.

I don’t have the Crypto-Fu to know if it’s a security weakness or not. I suspect a bad implementation would be, but I don’t know how many distinct images you need and how strong a hash you need before it’s not a problem.

RE the “reveal password” thing, from somebody who has spent a lot of time in large cold rack rooms at various broadcast facilities at 3am in the morning trying to figure out why (e.g.) the primary sports streamer falls over inside a minute or two of its 16 sources connecting to it… and I have to check them all, including the redundant ones, their logs, etc. before I can go home to bed…

The room is sealed from the outside world by 2 levels of badge scan doors, 2 human guards and an 8-foot chain-link fence… there is nobody in this freakin’ room with me, wooly jackets only work when you aren’t sleep-deprived, sliding rack keyboards and avocents of dubious quality, and if I mistype another unfamiliar 18-character password I’m going to throw a wobbly.

There are times when I don’t give a flying-rats-quince about security for the simple reason that: if an attacker is able to read the password off my screen, the attacker MUST BE ME.

What’s all this nonsense about the glyphs in that Notes logon?

It’s a pictorial hash of your password. Jeesh…

It doesn’t take much effort to notice when you type in your password correctly that you always END UP with the SAME GLYPHS. I’m not sure how good it would be at defeating any trojan trying to steal your password, if the trojan knew the algorithm for producing the glyphs (although there’s probably a “salt” based on your environment, never tested that). BUT, it does give you enough info to ensure you entered your password correctly without actually revealing the password, by giving you a unique “confirmation” glyph.

I guess this misunderstanding is probably why they changed the glyphs to a “key fob” pic that changes as you type in 6.5. It’s easier for the unobservant to catch on…

I agree about the reveal password option though. There’s often no reason to “hide” the password, and as often (for us IT guys anyhow) a need to see what it is while troubleshooting. I also frequently end up typing a complex password into the “username” field so I can verify it is correct before pasting it into the “password” field.

Hey Now Jeff,
Good Point, since we are now moving to more passphrases (usually longer) from passwords it’s helpful. PGP (it’s pretty good) does offer this option as well.
Coding Horror fan,
Catto

Password reveal is incredibly useful, especially for WEP and other “hex” keys. On the iPhone/touch the WEP key is never revealed and that’s frustrating. I probably typed the original WEP key for my home router 8 or 9 times because my stubby fat fingers would randomly hit the wrong key and there was no way to know it.

I prefer the “Display characters” option, personally. Like the guy in the cold server room, I am typically alone (and certainly know when I’m not), so there is no good reason whatsoever to not be able to see what I’m typing or at least be able to double-check when entering those long complicated passwords that I use once per month.

Ubuntu has several dialogs that allow this, and I am thankful for it. It’s pretty easy to just not hit the “Display characters” textbox if you don’t want to reveal the password :slight_smile:

G’day Jeff - I’m all for showing passwords, especially on forums I’ve signed up for once and never used, and IE remembered my password and now I need to change it and enter the old password first which I don’t remember (or something similar)!

OK, breathing normally now.

I chuckled when I read your quote “If criminals really want to get your password, they’ll be watching your fingers on the keyboard, not the screen.” If a criminal can get to my PC physically, I think I’m already gone.

Cheers, Thomas

I can’t remember where I saw this, but I ran into a web page that did some kind of pre-processing of your password as you typed. Rather than put the data in a hidden field they just intercepted the keys and put something different in the password field. The result was that you saw TWO dots for every keypress. I spent several minutes trying to figure out what was wrong with my keyboard, which was obviously typing double for some reason!