Bruce Schneier has written a blog post arguing that passwords should not be hidden, which has stirred quite an intense controversy (over 100 comments in a few hours). Some of the issues and solutions raised in the comments are in fact quite interesting.
Let’s make a little synthesis here.
Mechanisms to enter passwords and other secrets
There are several mechanisms available to enter secret data:
- Old-style Unix password field. You get no feedback whatsoever, as no text is displayed (not even asterisks).
- Standard password entry. You type the password, and you see asterisks or similar characters. There are variants in which you see more characters than you actually type. The idea is obviously to keep the value secret, while giving some feedback to the user.
- Mobile password entry. You see the last character typed until some delay expires (one second?) or another character is typed. Previously typed characters are replaced by asterisks. The idea is to mitigate the fact that mobile keyboards (real and virtual) are cumbersome and lead to numerous errors.
- Optional visible password entry. The password is hidden by default, but the user has the option to make the password visible. This is used by systems that require passphrases such as PGP, or long keys (like WEP or WPA keys).
- Visible password entry. Actually, I don’t know any system that works exactly like this, but some password entry systems (like many bank login forms in France) show a scrambled numerical keyboard, with which you enter a few digits. The password itself is usually concealed, but the actions during its entry are visible on the screen (but not on the keyboard, which is one of the advantages of this approach).
- No actual entry. When some kind of password safe is used, there is no actual entry, but possibly a copy-paste, or even an automated input. In such a case, not seeing anything would be the best option.
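To make the differences between these mechanisms concrete, here is an added example (not code from the original post or from any of the systems it mentions) that models each display policy as a pure function and then drives it from a raw-mode POSIX terminal. The policy names, the number of decoy characters and the one-second reveal delay for the mobile variant are assumptions made for the example; the post only guesses at the delay.

```python
import os
import sys
import time
from typing import Optional

# Display policies, named after the mechanisms listed above (names are assumed).
NO_ECHO = "no_echo"        # old-style Unix field: nothing is shown at all
ASTERISKS = "asterisks"    # one mask character per typed character
DECOY = "decoy"            # variant: more mask characters than typed (length hidden)
MOBILE = "mobile"          # last character visible until the next key or a delay
VISIBLE = "visible"        # clear text, e.g. after toggling a "show password" option

MASK = "*"
DECOY_EXTRA = 3  # constructed value for the decoy policy, not from the post


def render(typed: str, policy: str, reveal_last: bool = False) -> str:
    """Return what the screen should show for the characters typed so far.

    `reveal_last` only matters for MOBILE: True while the most recent character
    is still inside its reveal delay, False once it expired or another key arrived.
    """
    n = len(typed)
    if policy == NO_ECHO:
        return ""
    if policy == ASTERISKS:
        return MASK * n
    if policy == DECOY:
        # Hide the true length: pad with extra mask characters once anything was typed.
        return MASK * (n + DECOY_EXTRA) if n else ""
    if policy == MOBILE:
        if n and reveal_last:
            return MASK * (n - 1) + typed[-1]
        return MASK * n
    if policy == VISIBLE:
        return typed
    raise ValueError(f"unknown policy: {policy}")


def leak_to_observer(typed: str, policy: str, reveal_last: bool = False) -> str:
    """Characters an observer who only sees the screen (not the keyboard) learns."""
    if policy == VISIBLE:
        return typed
    if policy == MOBILE and typed and reveal_last:
        return typed[-1]
    return ""


def read_secret(policy: str, prompt: str = "Password: ",
                reveal_seconds: float = 1.0) -> str:
    """Read a secret from a POSIX terminal, redrawing the line per `policy`.

    Raw mode delivers each keystroke individually; Backspace deletes, Enter ends,
    Ctrl-C interrupts. Input is assumed to be ASCII (one byte per key).
    """
    import select
    import termios
    import tty
    fd = sys.stdin.fileno()
    old = termios.tcgetattr(fd)
    typed = ""
    revealed_at: Optional[float] = None

    def redraw(reveal: bool) -> None:
        sys.stdout.write("\r\x1b[K" + prompt + render(typed, policy, reveal))
        sys.stdout.flush()

    try:
        tty.setraw(fd)
        redraw(False)
        while True:
            # Block for a key, but wake up when the mobile reveal delay expires.
            timeout = None
            if policy == MOBILE and revealed_at is not None:
                timeout = max(0.0, revealed_at + reveal_seconds - time.monotonic())
            ready, _, _ = select.select([fd], [], [], timeout)
            if not ready:               # delay expired: mask the last character again
                revealed_at = None
                redraw(False)
                continue
            ch = os.read(fd, 1).decode("ascii", errors="ignore")
            if ch in ("\r", "\n"):
                break
            if ch == "\x03":
                raise KeyboardInterrupt
            if ch in ("\x7f", "\b"):
                typed = typed[:-1]
                revealed_at = None
            elif ch:
                typed += ch
                revealed_at = time.monotonic()
            redraw(revealed_at is not None)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, old)
        sys.stdout.write("\r\x1b[K" + prompt + render(typed, policy) + "\n")
    return typed


if __name__ == "__main__":
    chosen = sys.argv[1] if len(sys.argv) > 1 else MOBILE
    print(f"{len(read_secret(chosen))} characters entered")
```

Running `python3 entry.py mobile` shows the last character for about a second and then masks it; `render` alone is enough to unit-test a policy, and `leak_to_observer` makes explicit that only the visible and mobile policies ever expose password characters on screen, which is the trade-off the list above describes.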
Conditions that require some level of secrecy
- Secret entry in a public area. This is definitely a hard issue, and the secret should not be easy to see. However, simply hiding the screen is not sufficient, as real attackers know how to look at keyboards surreptitiously, or even to interpret hand/arm movements to guess your PIN code.
- Secret entry in a private area, with people overlooking. That’s the crowded office situation, where somebody enters a password with other people around. This is interesting, because it means that a private area is temporarily public. Definitely not a good time to look at the Post-it note on which your passwords are written.
- Shared/projected desktop. That’s the ultimate situation where you want your passwords hidden. Your screen is shared with other people, or projected in front of a room full of people. Definitely a moment where privacy is required.
Conditions that require some help for usability
- Entry of a long passphrase. Entering a long passphrase can be difficult, especially if you don’t use the passphrase often. I personally face the issue with one of my PGP passphrases, which I use at most once a week (often less). I quite often mistype it and end up toggling the “visible” option.
- Copying of a password (typically, from a configuration sheet). The best example is a connection to a WiFi point, for typing the WEP/WPA key. These passwords are specific, because we don’t know them by heart, and they are often not that secret in the current situation. In a meeting, all attendees usually have access to the same information.
- Unusual settings, typing problems. When visiting a foreign country, you may need to type on a keyboard with an unusual layout (for you). If you are right-handed and have a bandage on your right hand, you will need to type with your left hand, which will impair your ability to type correctly, especially for frequently used passwords, which our fingers type “without thinking”.
Is there a conclusion for all this? Well, some awkward situations are well handled, like WPA keys, mobile entry, and PGP passphrases. The main situation that is not correctly handled is when, for one reason or another, one would really like to see the password as it is being typed. In that case, the option offered by PGP (toggle the visibility of the password, with the password hidden by default) would be an interesting compromise. What about changing the default? I would not do it on my work laptop, which gets connected to projectors and used in public areas; but I would consider it at home, where my desktop PC doesn’t move, and where I usually trust the people around me.
There are also alternatives beyond passwords. My work laptop includes a fingerprint reader, which I often use to authenticate myself in public settings. I really think that the problem with passwords today comes from a lack of federated identities (too many passwords), and from the fact that passwords are used almost systematically instead of other authentication factors.