10 September 2008

Protecting us from our own passwords

Very early in the history of interactive logon with passwords, the big brains noticed that if someone was looking over your shoulder, they might see what you were typing. So they decided that whenever any system, anywhere, asks for a password, it has to be replaced by blobs or asterisks.

We've all become so used to this, that we don't realise how inappropriate it is for 99% of our daily interactions with computers. The vast majority of us will never encounter anyone trying to steal our password by looking over our shoulder, but I'm guessing that almost everybody reading this has been locked out of a system, site, or application to which they had legitimate access by a problem caused by not being able to see what you're typing.

There are many reasons why people type the wrong password. They forget which site they're on, they forget that this system forced them to change their password last month, maybe Caps Lock is on, whatever. (If you're typing the right username but the wrong password into a site, you'd better hope that the site managers don't capture your wrong attempts and then try them on other sites which they might learn that you're signed up for...)

It's also possible that your keyboard layout may not be what the operating system thinks it is. All keyboards are electrically identical, so the only way Windows (etc) has to know what the top-left letter key means, is the keyboard settings which you gave it. If someone replaces their QWERTY keyboard with an AZERTY one, without informing the system via some obscure part of the Control Panel, the top-left letter key might look like an A, but the system will see a Q. And the person typing will still see the same blob or asterisk. (In our environment, we use 15 different keyboard layouts, and people tend to move around and take their keyboard with them. And even if they know how to set up the layout for their current Windows session, they usually don't know that they should also change the default layout so that the new keyboard works correctly at logon time as well.)

This "security feature" must cost millions of dollars in helpdesk calls every year. Eevryone who has ever worked on a support phone line has had people call who are "convinced" that they are typing the right password. Sometimes you can get them to type the password in another box and then paste it across, but that's not always possible, and explaining it to a confused user is often a nightmare in itself ("Don't click OK when the password is in the username box!").

It doesn't even make you very much more secure. Someone who really wants to steal your password while being in the same room can observe your keyboard while you type, perhaps keeping up some conversation to distract you, and after a couple of times they'll have a pretty clear idea of your password, especially since so many people choose insecure ones (hmm, did anyone think that maybe some people do that precisely because it's easier to type "rosepetal" than "h4%tfr3q" when you can't see what you've typed?). Now that we all have LCD screens, it's getting harder to sell us the fantasy that someone is parked outside our offices in a van examining the electromagnetic field from our monitor. And of course, the password-stealing spyware inside your PC gets a full view of every keystroke, unobscured by blobs. It's more than slightly ironic that the bad guys can see your password more clearly than you can.

So imagine my delight when I first saw this feature in an admirable free ZIP/RAR program called 7-Zip:

Yesss! Provided of course that there are no spies in the room, you can check the box when opening a password-protected RAR or ZIP file, so that you can see what you're typing in the password box!

Question: why isn't this feature available on every non-military password dialog box in the world?


  1. TrueCrypt has this feature as well (being able to choose to see the password that you are typing) which I love as I make very long passwords for TrueCrypt volumes. Or perhaps I create very long passwords for TrueCrypt volumes because this feature makes it easier to do so? Either way, you make a very good point.

  2. the password box in the wireless connection dialog in Windows 7, now shows passwords by default.

  3. After having had all kinds of imaginable and unimaginable troubles with the asteriks and dots, I finally found this nifty bookmarklet that shows you the password typed in a webpage - [Show passwords] Its bookmarklet #4 in the list on that webpage.