The Dramatic Password Reveal

You guys don’t watch your fingers as you type?

There is a big problem with the “show password” option, especially on web pages. If the browser automatically remembers your password and fills it in next time you visit the page, anyone with physical access to your computer could find it out very easily.

Then, since people re-use passwords, it would be all too easy to guess their logins on other sites all over the place.

I liked the way some mobile phones do password entry, where you can see the last typed letter for a second. I mocked this up in a quick Flash demo here: http://polygoon.esken.net/tests/maskingpassword/

You can see that when in reveal mode, you can see the letter just typed, and also reveal previous letters when moving back with the cursor.

I think this is better from a security standpoint, because you don’t reveal all of the password at once; instead you can go back and double-check letter by letter, thus lessening the threat that somebody sees the full password over your shoulder.
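The phone-style entry described in this comment, modelled as an added example (this is not the commenter's Flash demo): a password field that shows only the most recently typed character, and only for a short window, and briefly reveals an earlier character when the caret moves over it. The reveal window, the bullet mask and the state layout are assumptions; the functions are pure so they can be exercised from Node, and in a page you would call them from the input's key handlers and write `render()` back to the screen.

```javascript
// Added example: model of a "reveal the last typed character briefly" password
// field. Pure functions, no DOM, so the behaviour can be checked from Node.
const REVEAL_MS = 1000;       // assumed reveal window per character
const MASK = '\u2022';        // bullet shown for every hidden character

function createField(revealMode) {
  return { value: '', caret: 0, revealMode, revealIndex: -1, revealUntil: 0 };
}

// Insert one character at the caret; it becomes the character being revealed.
function typeChar(field, ch, now) {
  const v = field.value;
  const value = v.slice(0, field.caret) + ch + v.slice(field.caret);
  const caret = field.caret + 1;
  return { ...field, value, caret, revealIndex: caret - 1, revealUntil: now + REVEAL_MS };
}

// Delete the character before the caret; nothing is revealed afterwards.
function backspace(field) {
  if (field.caret === 0) return { ...field, revealIndex: -1 };
  const v = field.value;
  const value = v.slice(0, field.caret - 1) + v.slice(field.caret);
  return { ...field, value, caret: field.caret - 1, revealIndex: -1 };
}

// Move the caret left or right; the character it passes over is revealed
// briefly, so earlier characters can be checked one at a time.
function moveCaret(field, delta, now) {
  const caret = Math.max(0, Math.min(field.value.length, field.caret + delta));
  if (caret === field.caret) return { ...field, revealIndex: -1 };
  const revealIndex = delta < 0 ? caret : caret - 1;
  return { ...field, caret, revealIndex, revealUntil: now + REVEAL_MS };
}

// The string to paint at time `now`: everything masked except the single
// revealed character, and that only while its window is still open.
// Outside reveal mode the field behaves like an ordinary masked input.
function render(field, now) {
  return Array.from(field.value, (ch, i) =>
    field.revealMode && i === field.revealIndex && now < field.revealUntil ? ch : MASK
  ).join('');
}

// Walk through a short session on a constructed password and collect what the
// screen would show after each step; the full password is never on screen.
function demo() {
  let f = createField(true);
  const frames = [];
  for (const [i, ch] of Array.from('s3cret').entries()) {
    f = typeChar(f, ch, i * 200);
    frames.push(render(f, i * 200));
  }
  f = moveCaret(f, -1, 1400);           // step back over 't'
  frames.push(render(f, 1400));
  f = moveCaret(f, -1, 1500);           // step back over 'e'
  frames.push(render(f, 1500));
  frames.push(render(f, 5000));          // window expired: fully masked
  return frames;
}
```

The point the comment makes is visible in `demo()`: at no step does more than one character appear in clear, and once the window expires the field is indistinguishable from a plain masked input.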

Does anyone know why Windows XP asks me to enter the security key twice when I want to join a protected Wi-Fi network? It makes sense to ask for a password confirmation when you’re creating a new password, but why when I am just entering a password which was defined somewhere else?

…remember Snadboy’s Revelation?
Handy tool to de-encrypt those asterisks, just point your mouse pointer at the box and you can read…
That’s why you shouldn’t save passwords in Windows :)

I simply use a small utility called showpass.exe for situations where someone forgot a password and all we get are *******…

Just drag a cursor over your *****s and it displays the password!

XP security at its best!

Even at home, I won’t reveal my password. I’m worried about TEMPEST contraptions looking at my screen.

:)

Revealing the password is actually quite useful and there is one situation where I find it invaluable: where the system language/keyboard settings differ from the keyboard I am using.
I use systems with Spanish, German, Swiss, Greek and English (UK and US International) keyboard layouts.
Safe password rules mean you’ll definitely get a couple of @ or $ or pound signs in the password (depending on who set up the system).
Ever tried to enter an @ on a German system with a US-International keyboard? Hint: it’s not Shift-2.
So you end up typing the password in the username field to see which character came up wrong (and experiment with key combinations to get the right character).
Oh yes, I’d love a reveal password option.

I remember when friends came home to play one of my online games. The login had a password reveal checkbox AND remembered my password. The very first click one of my friends did on the login form was on that checkbox, revealing my password to 5 of my friends watching the screen at that moment. Very frustrating.

Please, oh please, never place the “show password” on an auto-populating field.

Am I the only one who finds it odd that first you complain about the login window, and then belittle Lotus for trying to “reinvent[…] a perfectly standard dialog”?

I’m an occasional Lotus Notes user and even though I like your writing Jeff, I must disagree: their login box is great IMO.

The picture tells me if my password is correct before submitting, the images don’t come random as far as I can tell (I always get the same if my password is correct), though there are more keys that produce the same image, if I miss a key I’ll know it fast.

The random XXXs are also great: they give you confirmation that you indeed pressed the key (you might not even realize it but you will notice when you missed one) while protecting your password length. While I’ve been working a while in IT, it seems highly unlikely to me to guess someone’s password just by length (even though it really helps shrink down a keyspace for bruteforcing (especially if you mix it with character eliminations like QAZ, 1-9 from shoulder surfing)), however I have some non-IT-related bored friends (lol) who have amazed me in the past.

Seriously, if the NSA are using Van Eck phreaking on you, it would in fact be easier, faster and cheaper for them to simply bribe the janitors, IT support and… torture the info out of you.
I know Van Eck “did it for $15” but firstly, that’s uncited, and secondly, that was under controlled conditions, with only one computer. On an office block? Forget it.

7-Zip had the reveal password thing in it quite a while ago, and it’s come in handy a few times. I did always think it was stupid that you had to enter your password twice for it to extract and then have it check to see if you entered the right password, but eh. Compression security isn’t really my area.

BTW, do you ever change your captcha? I swear I get ‘orange’ every single time I come to this site.

Figs: http://www.codinghorror.com/blog/archives/000712.html

Password reveal is an obviously useful feature, and yet of the dozens of utilities I use, only two include it: WinZip (http://www.winzip.com) and SuperBot (http://www.sparkleware.com/superbot/). What gives?

For those wanting to implement the password reveal in ASP.NET web apps, see my post at http://weblogs.asp.net/traviscollins/archive/2008/02/13/dramatic-password-reveal-in-asp-net.aspx

The worst kind of fault tab press problem is the one where the GUI sits there showing you your username (and in this case password too) while it decides your password is incorrect. You know the ones that waste a few seconds of your time so you can’t try too many passwords too fast? I’ve done that a few times in front of people, and I feel like such a n00b.

http://www.codinghorror.com/blog/images/word.png

There’s no need for an addon in Firefox to display your password(s). Firefox just does it!

Password could be displayed as you type, but… scrambled (non randomly). That’s an easy way to spot typos without revealing much.

i.e. display something more useful than *****, but secure.

Display characters: * | scrambled | plain