Do you think this is a security risk and if not is it a bad UI decision?

Adam Williamson awilliam at
Sat May 4 19:52:00 UTC 2013

On Sat, 2013-05-04 at 19:23 +0100, Richard W.M. Jones wrote:
> Another opinion.
> It is possible to study such things, and even give caveats and error
> bounds to show uncertainty.

I went looking, but as T.C. Hollingsworth said, it doesn't appear that
either side has produced anything much in the way of empirical research
to support its view. Given that, it would seem most prudent to continue
with what we've done in the past; the onus would seem to be on the
'don't mask passwords' side to make a convincing case for change. I
haven't found anything much beyond the initial pretty small study (62
participants) cited (and conducted) by Nielsen, and that didn't seem to
be widely accepted at the time. It was a study of mobile users, and we
don't design anaconda for cellphones (someone has noted that there's a
significant difference between cellphone and 'regular PC' text entry).
It was also tightly focused on web use, and Nielsen seems to have been
thinking about the case where you enter an existing password for
authentication, rather than the case where you initially set the
password. So it seems dubious to consider it applicable to the case of

I'm also not sure that it's easy to design a study that takes into
account all the factors here. We can easily measure the usability of
various masking approaches, but I think everyone would accept that in
*usability* terms, unmasked passwords are best: I think it's generally
accepted that this is a case of a usability versus security trade-off,
and the questions are a) exactly how much security does masking provide
and b) once we have agreed on the terms (exactly how much more usable
are unmasked passwords? exactly how much more secure are masked
passwords?) where do we decide Fedora should fall?

Measuring the *security* consequences of each approach seems much more
difficult; it'd certainly need to be some kind of large-scale
experiment, if only to make sure the many other factors that affect
password security were evened out. It doesn't seem to be something you
can easily test in a day just by sitting 30 people down in a usability
lab, at least, because the practical risk of shoulder-surfing is a 'real
world' thing you'd have to try and measure somehow. So far as I can
tell, no-one's really tried this yet, all the debate seems to be just
people citing their wild-ass guesses as to how big of a problem shoulder
surfing might be as if they were gospel. And then there's the argument
that, if shoulder surfing isn't much of a problem in the real world at
present, that's *because passwords are usually masked*, which
complicates the question even further.

b) is not something you can measure at all, it's a judgement call. There
will inevitably be an element of subjectivity in any decision made on
this topic, even if we can perfectly measure the usability and security
of each approach under consideration. If we find that, say,
one-character-at-a-time masking is almost as usable as unmasked and
almost as secure as masked, the subjective decision might be an easy
one, but it'd still be subjective.

Nielsen seems to have updated his pages and links over time, so the
dates don't really add up, but I'm _pretty_ sure that is the
write-up of the actual study he mentions in passing in (the note that
started all the fuss; it seems to have been updated in places). That
write-up does not mention password security at all, so it doesn't seem
to have been the focus of the study. Really, his password masking piece
seems to be mostly just opinion; he doesn't cite references for most of
it, and a lot of it seems like if it was based on actual data at all, it
was heavily extrapolated.

To throw some more very inconclusive data on the pile, I'll note that -
IIRC - Android's 'pattern lock' feature initially did not have the
option to disable the display of the pattern as you enter it. This was
added in a later update. It would be interesting to know if that was in
response to user demand, or some kind of empirical data, or just some
coder's arbitrary decision. (Correct me if I'm wrong there, though...)

Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | adamwfedora
