The Dramatic Password Reveal

The people who identified that the hieroglyphics have nothing to do with are spot on.

The reason they exist is the same reason many banking sites now display a picture that you have previously selected: it’s to show that the password dialog you are entering the password into is not a spoofed one. It also has the side benefit of helping many people realize they have entered an incorrect password before hitting enter.

Not sure how well this would work in the “remember my password” world that we enjoy today. In theory it sounds like a nice feature. Just like the “remember my password” feature, if used conscientiously it would be great. I’m sure from time to time people would use a public computer and use the computer’s “remember my password” feature, so what’s the diff really whether someone logs onto your website with a remembered password and changes it versus clicks the “display characters” for a remembered password.

You mean to tell me that you actually type all your passwords? Keepass (http://keepass.info/) does it for me.

The only thing it can’t do is the windows login, and the password to keepass itself. Thankfully those are taken care of by my laptop’s fingerprint reader.

I used to use the ‘Remember my password’ and all of that since I was the only person who used my laptop at work and I took it with me when I left at night. However one day I had to completely clean out all of my history and saved passwords etc. It probably took me 3 hours to remember all of the passwords for various subsystems I interact with on a daily basis at work. Now I usually use a password 12 characters long that is a combination of letters, numbers and special characters. For other passwords I use a slight variation on the first and always type it in. People at work laugh at me but I don’t forget them now that I am typing them in 10 times a day.

I don’t use remember my password. I just use a long pass phrase with a simple set of rules that are easy to remember.

This could change everything! I am for the open password movement! Let’s do it! Yes We Can!

Thank you for this insight Jeff!

We have quite a few government intranet users working from the confines of their offices whose hardest task in life seems to be correctly typing their assigned passwords without being able to see the screen.

Any ideas how one would best simulate the ‘display characters’ functionality in a web interface? Preferably without a postback? :slight_smile:

This is another thing I like about the daskeyboard (aside from being a great keyboard to type on), looking at my fingers while I type my password will be much less useful.

Thanks Jeff,

I had such a horrible flash back to Lotus Notes that I couldn’t sleep and I spent an hour ranting about the subject on my blog.

http://www.coderjournal.com/2008/02/lotus-notes-aol-corporate-world/

Just thinking of brings back memories that I would desperately like to forget.

I’ve come to agree that “show password” should be around more often. Especially on mobile devices, where typing a complex password can be exceptionally difficult.

If it defaulted to not showing, it might not be a problem. I think it is likely to be more like Hotmail’s “remember my password” that is checked by default.

Want some fun? Go to your local library and send the browser to Hotmail. Two out of three times, someone’s account is logged in, because they fail to uncheck the box. These sort of shortcuts need to be off by default, so that failing to check/uncheck something doesn’t leave the account open to whomever.

I’ve implemented something like this for a site I’ve developed.

Using Ben Nolan’s Behaviour JS Library http://www.bennolan.com/behaviour/ , I attach a behaviour to all input fields which have a type attribute of “password”. I have it set up to change the field to a regular text field on mouse over, and switch back on mouse out. You could set up your own events if you wanted (double click, press a certain key after mouse over or whatever), but this is pretty simple.

  // Behaviour rule: any input of type "password" becomes plain text while
  // the mouse is over it and is masked again when the mouse leaves.
  var myrules = {
    "input[type=password]" : function (el) {
      el.onmouseover = function () { this.type = 'text'; };
      el.onmouseout  = function () { this.type = 'password'; };
    }
  };
  Behaviour.register(myrules);

You could easily make this into a GreaseMonkey script too, if you wanted the same functionality on all the sites you visit.
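The same idea as the mouse-over behaviour above, written as an added example (not the commenter's code and not part of the Behaviour library): an explicit "show password" checkbox that is forced to unchecked on load, so a page that accidentally ships the box pre-checked still starts masked, and that re-masks the field when it loses focus. The element ids `pw` and `show-pw` and the stand-in element objects used for running it outside a browser are assumptions.

```javascript
// Flip one field between the masked and plain input types.
// Returns the type actually set so callers can verify the result.
function setPasswordVisible(field, visible) {
  field.type = visible ? 'text' : 'password';
  return field.type;
}

// Wire a checkbox to a password field. The box always starts unchecked and
// the field always starts masked, regardless of the markup that was served.
function attachRevealToggle(field, checkbox) {
  checkbox.checked = false;
  setPasswordVisible(field, false);
  checkbox.onchange = function () {
    setPasswordVisible(field, checkbox.checked === true);
  };
  // Re-mask on blur so a revealed password does not linger on screen
  // after the user moves on to something else.
  field.onblur = function () {
    checkbox.checked = false;
    setPasswordVisible(field, false);
  };
  return { field: field, checkbox: checkbox };
}

// Constructed stand-ins for DOM elements (hypothetical), carrying only the
// properties the functions above touch, so the logic runs under Node.
function makeFakeElements() {
  return {
    field: { type: 'password', value: '' },
    checkbox: { checked: true } // deliberately the "wrong" initial state
  };
}

// Simulate a user ticking the box, then leaving the field.
// Returns the field type after each step.
function demo() {
  const els = makeFakeElements();
  attachRevealToggle(els.field, els.checkbox);
  const states = [els.field.type];      // masked after attach
  els.checkbox.checked = true;
  els.checkbox.onchange();
  states.push(els.field.type);          // revealed while checked
  els.field.onblur();
  states.push(els.field.type);          // masked again after blur
  return states;
}

// In a real page, wire the assumed elements if they exist.
if (typeof document !== 'undefined') {
  const pw = document.getElementById('pw');
  const box = document.getElementById('show-pw');
  if (pw && box) { attachRevealToggle(pw, box); }
}

console.log(demo());
```

Forcing the initial state in script rather than trusting the markup is the point: the Hotmail-style "checked by default" problem mentioned further down the thread is avoided even if someone edits the HTML template later.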

Well, Jeff, others have already pointed out the true purpose of the hieroglyphics, so I’ll just add one more thing.

For all the UI faults for which it is appropriately criticized (many of which are cured in the current version 8, but not all of them), one of the things that Lotus Notes is really good at is security. As the first commercial software package to offer a full PKI-based authentication, signature and encryption package, it was adopted quite early by a number of federal agencies with three letter acronyms. That’s public knowledge. And though I have no direct knowledge of this, it seems very reasonable to me to conclude that if Lotus put a lot of extra effort into the password dialog – something that seems on the surface to be quite trivial, which most vendors put almost no effort into, and which most customers would never care about, but which is obviously of great interest to those who value security the most – then they probably had some very specific requirements and advice from people at those three-letter agencies. And, no disrespect intended, but those three-letter agency folks know quite a bit more about good security design than you or I do, and they care very little about what we are used to or whether users will think that their security design goals make some aspects of the user experience worse.

I think the “reveal password” feature is ok for wireless security since it requires a long passphrase or key (e.g., 13 characters long). But for other software which usually has a limit of a minimum of 6, people usually keep a password they can remember (unlike in wireless, where the pass key can be a 10-digit long number).

Not trying to troll here, but the hieroglyphics on Lotus Notes are not for distracting people looking above your shoulder. They change as you type the password, and their purpose is to prevent spoofing of the login window by a trojan or malware trying to capture the password.

And since as much as, oh, two percent of users know this, they’re essentially worthless.

I’ve always wondered about the meeting at which that login window for Notes got approved.

The Lotus corporate culture is pretty strange:

  1. They’re not part of IBM even if IBM think they are.
  2. They know better than everyone else (including professional UI/interaction designers) what’s good for the user.
  3. If people don’t understand their work it’s because the people are idiots and can’t be helped.

It’s been a few years since I dealt with them but I haven’t seen any sign that this has changed recently.

If Windows were to implement this, I would hope that there would be a way to turn it off via group policies - I can just imagine some malicious person sneaking in and checking the “show password” box while someone wasn’t looking, then watching while some person who didn’t know enough about computers to notice puts in their password and… bang! It would be useful at home, sure, but for corporations, schools, government, etc, it would be too big of a security risk.

The hieroglyphics are indeed a feature. Think of them as a one-way visual hash of your password. They’re not random; if you type in the same password, you see the same glyphs, so it lets you know you did not mistype without having to use clear text.

I totally agree; I’ve said before that allowing the user to reveal the password actually increases security, because it can give the user the confidence to use more secure passwords: http://www.exubero.com/blog/20060823_Unmask_Password.html

If the Lotus Notes symbols prevent spoofing, don’t they come a bit late? A spoofed dialog could still remember your keystrokes even if you didn’t hit enter.