Let me just say, as retarded as I think this whole masking kerfuffle is, play with it or don't play with it, but if you don't mask passwords in your login box, expect to spend $10,000-$20,000 extra to your PCI auditors (and then restore password masking) when you decide to accept credit cards.
I don't think anyone has suggested individual sites should override the browser behavior.
The interesting question is whether client software (browsers/add-ons) should offer another option. And if it did, would the Payment Card Industry auditors demand a site override the user's choices, for example by simulating a masking password field outside the default HTML widgets?
I agree, this should be a user choice rather than site-specific.
The HTML 4.01 spec doesn't dictate how passwords should be obscured, although it does suggest asterisks. I think it would be reasonable for browser vendors to provide an alternative means of obscuring passwords.
If the PCI auditors aren't happy with this, and given the leniency of the HTML 4.01 spec (I haven't checked any other specs), should they take this up with the W3C?
I think it's an excellent idea to spend tens of thousands of dollars to make a stand against the security industry with your startup's web application, and I too think password masking is sure to be their Waterloo. To the barricades!
PCI stands for "Payment Card Industry", and is a shorthand for the PCI Data Security Standards, which are a set of rules that every vendor above a certain size has to follow in order to process payments with a Visa or Mastercard.
PCI auditors are people working for one of the 20-30-odd firms that are certified by Visa to audit compliance with the PCI DSS.
Hey guys, I'm the author of HalfMask - please let me know if you have any feedback, or you can check out the source on google code: http://code.google.com/p/halfmask/
Forking to try new things is heartily encouraged - I'd like to see new approaches to password masking.
I typed a password. It "stood out", so I had my wife see if she could read it and she couldn't. I had her type a password and I could read it no problem. Once she had typed it, she could read mine no problem as well. It seems once you've "seen it" it stands out. Sorry, maybe I missed something?
This is a good thought - I had implemented character set matching (uppers to uppers, numbers, etc) before, but I worried that it made it almost too hard to read for the user.
You'll notice that I'm only using lowercase letters currently - that was an intentional choice as it seemed too obscured when using a fuller character set.
I'll give this another look though and see if there may be a good middle ground.
There is an argument in the whole masking argument that doesn't really have anything to do with security: it is that filling out a box and having the characters masked is a well-known usability metaphor for users, implying the content should be kept hidden and implying (though it's not always true) that in the backend it is also kept secure. The metaphor comes from ATMs etc. All security aside, when the vast, vast majority of casual computer users finally have a computer metaphor nailed down, it's usually very counterproductive to try to change it. Like trying to move the "File" menu to the far right of the menu bar for your next desktop app...
If you highlight this, it pretty much reveals what the password is.
I know that isn't what you're talking about, but it is close. I know that I couldn't read this even when I knew what I was typing until I highlighted it.
I like the idea.
But how about LCD screens where the angle changes everything?
Right now it's difficult to read from the side, but "a piece of cake" from above.
Nice try, but I think this is the worst of both worlds. Still insecure in many situations (screencasts, presentations, or any time you might be recorded), and it's harder to character count than normal asterisks.
The whole point of masking is so that you don't give away your password when you are using a projector (giving presentations etc.)... this is no different than not masking the thing at all.
Well, that's certainly part of the point, but it's also to prevent casual shoulder surfing/people walking by/etc...
I guess I'd prefer to see something like how the iPhone handles it, where each char is shown for a split second before being masked. It lets you see that you haven't typo'd, and yet ensures that your whole password is never sitting on the screen.
My main issue with this solution is that it takes the decision out of the user's hands. Granted, in some cases it is potentially beneficial to unmask the password, but I would not want a site to assume that I'm okay with this approach. Imagine if you have to type in a password while presenting in front of a crowd of 100 people. Do you feel secure with this solution?
Whatever solution you implement, it's important to give the user explicit control to override the mask.
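The two suggestions above (the iPhone-style brief reveal of only the newest character, and an explicit user control to override the mask) can be combined in one small model. The code below is an added example written for this page; it is not HalfMask's code and not from anyone in the thread. The names (MaskModel, REVEAL_MS, bindMaskedInput) are this example's own. The rendering logic is kept free of the DOM so it can be tested on its own; the browser wiring at the bottom is an assumed sketch that only handles appending and backspacing at the end of the field.

```javascript
// Added example: masking that keeps the choice with the user.
// - The newest character is visible for REVEAL_MS, then hidden (iPhone behaviour).
// - Masking is on by default; only an explicit user action turns it off.
// - The real secret lives in the model, never in the visible field while masked.

const MASK_CHAR = '\u2022'; // bullet, like most native password widgets
const REVEAL_MS = 1000;     // how long the most recently typed character stays readable

class MaskModel {
  // `now` is an injectable clock so the reveal window can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.value = '';            // the actual password
    this.masked = true;         // default: hidden
    this.lastInsertAt = -Infinity;
  }

  // Replace the current value. Only a growing value opens a reveal window;
  // deleting characters never exposes the remaining ones.
  setValue(next) {
    this.lastInsertAt = next.length > this.value.length ? this.now() : -Infinity;
    this.value = next;
  }

  // Explicit user override. Returns the new masked state.
  toggleMask() {
    this.masked = !this.masked;
    return this.masked;
  }

  // The string the screen should show at this instant.
  render() {
    if (!this.masked) return this.value;
    const n = this.value.length;
    if (n === 0) return '';
    const revealLast = this.now() - this.lastInsertAt < REVEAL_MS;
    const hidden = MASK_CHAR.repeat(revealLast ? n - 1 : n);
    return revealLast ? hidden + this.value[n - 1] : hidden;
  }
}

// Browser wiring (assumed sketch; skipped when there is no document, e.g. under Node).
// `displayInput` is a plain <input type="text"> that only ever shows model.render();
// `toggleButton` is the user's explicit "show/hide" control.
function bindMaskedInput(displayInput, toggleButton, model = new MaskModel()) {
  let timer = null;
  const redraw = () => { displayInput.value = model.render(); };
  const scheduleHide = () => {
    clearTimeout(timer);
    timer = setTimeout(redraw, REVEAL_MS); // re-render once the reveal window closes
  };
  displayInput.addEventListener('beforeinput', (e) => {
    // Intercept the edit so the real character never lands in the visible field.
    if (e.inputType === 'insertText' && e.data) {
      model.setValue(model.value + e.data);
    } else if (e.inputType === 'deleteContentBackward') {
      model.setValue(model.value.slice(0, -1));
    } else {
      return; // paste, mid-string edits etc. are out of scope for this sketch
    }
    e.preventDefault();
    redraw();
    scheduleHide();
  });
  toggleButton.addEventListener('click', () => {
    const masked = model.toggleMask();
    toggleButton.textContent = masked ? 'Show' : 'Hide';
    redraw();
  });
  return model; // the caller reads model.value when submitting the form
}

if (typeof document !== 'undefined') {
  const field = document.querySelector('#pw');       // assumed element ids
  const button = document.querySelector('#pw-toggle');
  if (field && button) bindMaskedInput(field, button);
}
```

The point of the split is that the visible widget never contains the secret while masking is on, so highlighting the field (as noted elsewhere in the thread) reveals only bullets, and the only way the full password appears on screen is the user pressing the toggle themselves.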
Nice idea and nice realization, too! It works pretty well! If you can't read the password after you've typed it in, try to select it with SHIFT + LEFT-/RIGHT-ARROW or SHIFT + HOME/END :)