Sunday, May 05, 2013

Masking Passwords:

Slashdot reports that the Fedora 19 release will not mask passwords, in accordance with a recommendation that Bruce Schneier made and has since, perhaps, recanted. It is very clear to most of us that not seeing the passwords we type leads to frustrating errors, and that masking rarely improves security. As we continue to argue about masking passwords, I would like to add an obvious alternative that is not on the table. Our current choices are:

  1. Mask passwords
  2. Show passwords
  3. Briefly show the last password letter typed, a practice that Bruce Schneier seems to like.

But how about this:

  4. Add an “unmask” button to the left of a password field.

Those of us who have struggled with laptop keyboards that get stuck in unusual shift modes would be happy to have this alternative. Those of us who type passwords into tiny phones and iPods – seriously, who is monitoring what we type there – will also be delighted. (On phones and small devices, the gesture to unmask a password might be: pound the screen with your fist.)

