It isn't really more secure in most cases

by Michael S. Kaplan, published on 2005/07/19 13:29 -07:00, original URI: http://blogs.msdn.com/michkap/archive/2005/07/19/440549.aspx


Sometimes, you go to log in to your Windows box. You see this friendly dialog (all screen shots c/o Virtual PC):

(adjust for your Windows version, of course!)

You do the requested three-fingered salute, and type in your password:

and at this point is where I cringe. Because at least for 2-3 attempts, the next dialog I will see is:

It is because my typing sucks. Not just for speed but for accuracy. And so for me (sitting in a private office where no one can read my screen) the only benefit to having asterisks or black circles or whatever is that I just may screw up the password enough times that someone thinks I am a hacker trying to break in.

Now this is not just a Windows thing; every operating system does this. The belief that the password I am typing (and obviously I must at least know what I am typing) is more secure because it is obfuscated is everywhere.

But to be frank, from an accessibility standpoint I would prefer that they just made the password visible in the dialog. That way I can see when I messed up and avoid worrying security people who probably have real issues to deal with.

Now I am sure there are worries about screen scraping programs and other such things, but something remembering my keystrokes seems pretty devastating too. But we think our way around those things usually. So why not make it an accessibility option to make the password visible, for those people whose typing on a scale of 1 to lame has reached the point of lame?

Sorry for the rant, but it took me much longer to log on today than it ought to have....


# AndrewSeven on Tuesday, July 19, 2005 5:07 PM:

Another option/preference on the login dialog.
Is key-logging easier than screen scraping or just different?

# Ciaran Byrne on Tuesday, July 19, 2005 5:10 PM:

This is probably the most idiotic thing I have seen written about computers in my 23-year career. You can't type, so everybody else in the world must have their passwords shown in clear to every bod that happens to pass by.

I have worked on IT security, and campaigned to have individual responsibility, including post-it notes with passwords on and under PCs, to be culpable offences. You are giving the burglars the key to the front door. It's as simple as that.

Oh, Quis Custodiet Ipsos Custodes?

# petal on Tuesday, July 19, 2005 5:27 PM:

I think the visible password option is a very good idea but would need to be backed up with other security - maybe smartcards (this also has benefit of less typing...) and logon restrictions (limited hosts)

# Michael S. Kaplan on Tuesday, July 19, 2005 5:28 PM:

Hmmmm Ciaran.... I am just suggesting it could be an accessibility OPTION for those who needed it. Not that everyone would need it, or even want it. Geez. Though I suppose it is an honor to be the author of the most idiotic thing you have seen in 23 years. Do I get a trophy or something? :-)

# Michael S. Kaplan on Tuesday, July 19, 2005 5:30 PM:

Agree Petal, though of course the SmartCard PIN dialog has the same issue. :-)

# tlmii on Tuesday, July 19, 2005 5:31 PM:

I see that Michael has already responded...
but give the guy a break, geez.
It may not be the most suitable situation for all circumstances. But sometimes, it's necessary. An option, and the ability to turn it on/off at the corporate level surely wouldn't hurt anyone, it would only help.

And for the record, if you think that he is alone in this problem, you need to open your eyes a bit wider...

# Michael S. Kaplan on Tuesday, July 19, 2005 5:38 PM:

Thanks tlmii!

You'd think that people who are so quick to read here that they respond within minutes of something being posted would be a bit more sensitive.

Though it is cool to break a record. On the con side, if THIS POST is the most idiotic thing in 23 years, then this would suggest a somewhat sheltered view of security (especially since the feature itself has less to do with security in many places it is applied!).

# Michael S. Kaplan on Tuesday, July 19, 2005 5:41 PM:

Hi Andrew,

> Is key-logging easier than screen scraping or just different?

I think it may be easier if you were writing from scratch. Though if you have something running as a system service on people's machines then you already own the box and you could get either feature off the shelf from various hacking sites. Few people write new stuff for this kind of thing, these days....

# Suz on Tuesday, July 19, 2005 5:47 PM:

Hi Mike,

You should see our school. After one frustrating year in which we all got knocked off because after 3 wrong tries access was permanently denied until our tech support fixed it, which was never... all teachers have the password "teacher" and all students "student". So far, one year later, no one has "hacked" anything. So, really, that makes you one step up from the most idiotic. I claim that for our security system.

Suz

# petal on Tuesday, July 19, 2005 5:50 PM:

but with a *visible* PIN the card provides a second factor...

how about biometrics then?

as an aside, I use RDP from home a lot, and leave my workstation locked when I'm done - normally a locked workstation retains the logged-on user ID and defaults to the password field at next Ctl-alt-del, but after an RDP session when I log back on at the physical workstation the next day, the dialog defaults to a blank username field - I've had to change my password a few times having typed it in clear text for all to see! Fairly sure this counts as a bug.

# Frederik on Tuesday, July 19, 2005 6:04 PM:

The solution is simple: Type the password in the username textbox and then use the magical CTRL+C, CTRL+V keys to copy it to the password field!

Afterwards, type your username in the username box, click OK and there you go!

# Wayne Steele on Tuesday, July 19, 2005 6:21 PM:

The security risk isn't so much from screen-scraping, but from other eyeballs.
Someone would probably have to be standing right next to you to follow what keys you're typing by watching your hand. But to see the text on your screen is much easier: from across the room, binoculars through the window, archival security tapes, TEMPEST receivers, etc.

What you WANT is to have a local echo of your keyboard, right? How about if there was a little LCD display at the top of your keyboard that echoed the last 15 keystrokes? It seems like someone could fab that up.

-Wayne Steele

# Maurits on Tuesday, July 19, 2005 7:12 PM:

A preference setting is always better than mandating a particular option.

I'll just point out some situations where obfuscating the password is a good idea:

Suppose your monitor faces the entrance to your work area, or a window. Someone passing by could observe you entering your password.

Sure, they could observe it just as well by watching your fingers, but that's harder.

Suppose your computer has VNC installed, or there's a remote desktop connection initiated, or some other such remote viewing.

Suppose the computer is a conference room machine, and the monitor is projected onto a large projection screen in front of hundreds of people.

# Mike Dunn on Tuesday, July 19, 2005 7:23 PM:

It could be worse, it could be like Notes and have those animated hyro... heiro... pictures on the login dialog that change every time you type.

What annoys me is web sites where they say "enter email address" then "confirm email address" (meaning, enter it again even though it's not hidden behind ***)

# Maurits on Tuesday, July 19, 2005 7:35 PM:

That annoys me too, especially since it doesn't confirm anything... other than that the user knows how to copy and paste.

The only way to *really* confirm an email address is to email it a GUID and instructions to enter that GUID on the "email confirmation" page.
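
Added example, not part of the original thread: a minimal sketch of the mail-a-secret confirmation flow described in the comment above. It swaps the GUID for a `secrets.token_urlsafe` value, since a GUID is an identifier and not necessarily unpredictable; the in-memory store, the function names and the 24-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed lifetime of a confirmation mail
_pending = {}                   # hypothetical store: email -> (token hash, expiry)


def issue_token(email, now=None):
    """Create the secret that is mailed to `email`; only its hash is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    _pending[email.lower()] = (digest, now + TOKEN_TTL_SECONDS)
    return token


def confirm(email, token, now=None):
    """True only for the unexpired token issued to this address, and only once."""
    now = time.time() if now is None else now
    key = email.lower()
    entry = _pending.get(key)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        del _pending[key]                      # expired: force a new mail
        return False
    candidate = hashlib.sha256(token.encode("utf-8")).digest()
    if not hmac.compare_digest(digest, candidate):   # constant-time compare
        return False
    del _pending[key]                          # single use
    return True


if __name__ == "__main__":
    t = issue_token("user@example.com")        # constructed sample address
    print(confirm("user@example.com", "typed-twice-proves-nothing"))
    print(confirm("user@example.com", t))
```

Typing the address twice never reaches `confirm`; only someone who can read the mailbox holds the token.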

# Dean Harding on Tuesday, July 19, 2005 8:15 PM:

> I have worked on IT security, and campaigned to have individual responsibility,
> including post-it notes with passwords on and under PCs, to be culpable offences.

All that encourages people to do is to use more "easy to remember" (read: easy to guess, easy to dictionary attack) passwords. I think having a good strong password, *and keeping it written down in your wallet* is a good idea.

Even Bruce Schneier agrees: http://www.schneier.com/blog/archives/2005/06/write_down_your.html

As for displaying it on screen, I wouldn't imagine there'd be any real problem. The chance of people stealing your password by watching you type it in is rather slim. Much simpler to install a tiny hardware key logger between the keyboard and the PC. They don't need to install any software, they don't need to be there when you type it in. You've just got to leave your PC unattended for 2 minutes.

# kevinowen on Tuesday, July 19, 2005 8:29 PM:

> It could be worse, it could be like Notes and have those animated hyro... heiro... pictures on the login dialog that change every time you type.

Actually, those are provided as a solution to this very problem. They are generated based on your ID file (and hence are unique to you), and will always be the same for any particular sequence of characters that you enter. This gives you a visual cue as to whether you've typed your password correctly or not, without revealing anything to someone who is looking over your shoulder (or whatever).

-Kevin Owen
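
Added example, not part of the original thread and not how Notes itself is implemented: one way to build the kind of typing feedback described in the comment above, where a per-user secret and the characters typed so far always produce the same row of pictures. The HMAC construction, the glyph names and the function names are assumptions.

```python
import hashlib
import hmac

# Hypothetical glyph names; a real dialog would draw small pictures instead.
GLYPHS = ["key", "bird", "eye", "sun", "boat", "hand", "reed", "owl"]


def feedback_glyphs(user_secret: bytes, typed: str, slots: int = 4) -> list:
    """Map (per-user secret, text typed so far) to a fixed row of glyphs."""
    digest = hmac.new(user_secret, typed.encode("utf-8"), hashlib.sha256).digest()
    # 256 is a multiple of len(GLYPHS), so each glyph is equally likely.
    return [GLYPHS[b % len(GLYPHS)] for b in digest[:slots]]


def glyph_trail(user_secret: bytes, typed: str, slots: int = 4) -> list:
    """Rows the dialog would show after each keystroke."""
    return [feedback_glyphs(user_secret, typed[:i], slots)
            for i in range(1, len(typed) + 1)]


if __name__ == "__main__":
    secret = b"constructed-per-user-secret"    # constructed sample value
    for attempt in ("correct horse", "correct horse", "corect horse"):
        print(attempt, feedback_glyphs(secret, attempt))
```

An onlooker without the secret sees only pictures, but anyone who holds the secret and records the row after each keystroke can test guesses one character at a time, so the secret needs the same protection as the password. Fewer slots or glyphs reveal less per keystroke and also let more typos go unnoticed.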

# Andrew M on Tuesday, July 19, 2005 11:24 PM:

The cellphone people have a decent workaround, since the problem is even worse on cellphones without a keyboard, where you have to multi-tap for each letter:

Show the letter for a couple of seconds, before obscuring it.

# Andrew van der Stock on Wednesday, July 20, 2005 1:20 AM:

I am currently working through getting rid of passwords for a project I am working on. However, the solutions are not always obvious.

For blind users, we are evaluating token calculators the size of desk blotters which read aloud the text on the LCD and have braille markings on the keys. The LCD screen itself is approximately 10 cm high, so hopefully those with partial sight can read them.

Security folks often forget the accessibility aspects of their designs. The people who came up with CAPTCHAs are first against the wall in my book.

Here's a paper I found yesterday (from 1999) which proves that most security policies that implement tough passwords are stupid and counterproductive:

http://www.ftp.cl.cam.ac.uk/ftp/users/rja14/tr500.pdf

Coupled with Bruce's comments above (which I read yesterday and agree with), honestly, the vast majority of password policies produce insecurity.

The OWASP Guide 2.0 (the webappsec standard I write and am releasing at Black Hat next week) will contain some of these details.

In my view, if you consider accessibility in your security solution design, it generally produces a far more robust outcome.

Andrew

# J. Daniel Smith on Thursday, July 21, 2005 3:06 PM:

Also see this article:
http://www.theregister.co.uk/2005/07/19/password_schneier/

It seems that passwords in general aren't that secure these days.

How is it that an ATM card and 4-digit PIN works pretty well most of the time for securing my MONEY, but we've got to jump through hoops to secure a computer?

