Usability vs Security

Postby damber on Wed Jul 01, 2009 11:32 pm

... um... this one made me gasp a little, not the blog in the link, but the background to it - the statement from "Usability Experts" that Password Masking should be gotten rid of... yes, you heard me... make all passwords you type in visible to anyone looking at your screen. Just so you can 'feel comfortable' that you're typing the right password... apparently, the people who choose simple to remember passwords are really doing so because they can't see them, and if they could see it whilst typing all would be ok apparently... really... #-o wtf...

http://countermeasures.trendmicro.eu/

Maybe if there was a toggle visibility button which gives you the option of 'peeking', maybe, but still.. people choose easy passwords because they a) don't know any better b) couldn't care less or c) can't remember anything more complicated than their date of birth. Nice analogy from the blog post about door locks... such an inconvenience to usability... ;-)

So what would you prefer as a user? Can you think of any way of satisfying both requirements, such as the toggle button I mention above?
a smile is worth a thousand kind words, so smile, it's easy! :-)


CODE: $5
WORKING CODE: $500
PROPERLY DESIGNED & WORKING CODE: Priceless
damber
LTD Admin
Posts: 3138
Joined: Tue Oct 09, 2007 1:48 pm
Location: North Wales, UK

Re: Usability vs Security

Postby Emtucifor on Wed Jul 01, 2009 11:59 pm

When I know the password before I type it, and the input device is familiar and hard to make a mistake (such as my computer keyboard) I don't need to see the letters.

However, if I'm inventing the password on the spot, I might change a bit here and there until I like it so I need to see it. Plus, when creating a password, I have made the same mistake twice in the main input and the confirm input, and then had the wrong password. So for these situations I already go to notepad or the Run prompt and type it there, then copy and paste. So I would like the option to unhide the field.

On the iPhone, they tried to get a mix by showing you just the letter you typed, then after a short delay masking it. But I hate this because it shows for such a short time it doesn't really help me as I'm trying to decide on the new password and see if I typed correctly what I am thinking.

As you think about my answer keep in mind that I type over 100wpm and I can "feel" when I've typed the wrong letter. So I consider myself a skilled and accurate typist, and I still want to see the password the first time I type it. For logins, where I'm typing a password I already know, I don't mind masking.
God cries a little bit every time someone builds a database.
Emtucifor
Guru
Posts: 2835
Joined: Fri May 30, 2008 9:30 pm
Location: Bellingham, WA

Re: Usability vs Security

Postby chrissie1 on Thu Jul 02, 2009 6:41 am

Well I have to say that if you surf the intertubes a lot you get to make lots of username password combinations. It is hard to remember them all and so people choose things that are easy to remember and then still forget half of them when they have to visit the same site next week.

So after a couple of years of this people start using the same username password combination over and over again because that makes it a bit easier. Problem is that any malicious person only has to find that one password to get in. Then they start using password managers which gives the same problem: hackers only need to get into your computer and they don't even need to hack the rest anymore because the system helps them. Then people use openid which has the same problem as before.

Now on to the password thing being visible or not. I think a password can be visible without a problem. Let's not forget that if a person is really malicious and the password is obfuscated on the screen he just has to look at the keyboard and see what you are typing. That's how those ATM bandits do it, they didn't have to record the code on the screen they recorded what your fingers were doing.

In Belgium we all have an e-id which is much better for these kinds of things as long as it doesn't get stolen.

Anyway the perfect solution doesn't exist, just do the best we can. But apparently the banks in Belgium are doing something right. Last year only 230000 euro got stolen from online bank accounts. That's nothing.

Last note: every security system can be broken (just watch MI, MI2 and MI3, soon to come MI4) it's just a matter of ROI.
pink fuzzy slippers
chrissie1
Senior Guru
Posts: 9475
Joined: Wed Oct 10, 2007 7:18 pm
Location: Belgium

Re: Usability vs Security

Postby damber on Thu Jul 02, 2009 10:18 am

Of course no security is flawless - the only really safe machine on the internet is the one that is powered off and unplugged from the wall. With physical access, well, just give up. Just like having locks on your doors and glass in your windows.... it's all about deterrence from the 'easy-pickings' attacks - as you say, ROI. If you can tell what I typed for my password just by looking at the keyboard with your eyes, then you're doing pretty darn well (especially for an old man ;-) as I type pretty quickly - but if you watched the screen, you would pick it up quite easily. Of course, I've stood behind people and watched them type one-fingered-letter-at-a-time and easily seen what their password is, but you have to be quite close if it's in person and they have to type relatively slowly - or you have to watch them several times to focus on a few letters each time. Letting them see the letters on screen as well just seems like you're hanging a key right above your front door lock.

Amusingly, I have seen people unlock their computer after it has locked during a presentation and not tab to the password field correctly, thus typing their password after the username - it was very obvious, and everyone in the room saw it. This is what it would be like all the time if we got away from password masks... and for what, for people who can't remember their passwords anyway, therefore have short, simple ones? It would only make their very easy password even easier to hack.

Having a toggle button solves the 'need to double check I typed it correctly' issue, but gives the user an explicit choice of when to show and for how long - it is a conscious action, that will immediately set them in the frame of mind that they have 'unhidden' something, therefore it is secret and should be re-hidden/treated sensitively.

As for ATM / Card PINs - they normally do that by hiding a small camera (usually fitted to a false card reader device) so they can replay it back and slow it down/repeat. Although some people are very very obvious (usually the ones that say it under their breath when they type too.. another sign to look for), many people will be reasonably quick for a casual observer... (e.g. those that are not really staring at your fingers from over your shoulder or something). I make a lot of effort to obfuscate my PIN entry and do it with two hands above each other and use multiple fingers with dummy pushes... I know, seems a bit paranoid, but the UK is one of the most surveilled countries in the world, and there are plenty of card copying scams in the news, plus it's pretty simple to do and avoids the visual aspect of the problem.

Of course, as they can now sense the electromagnetic discharges from a keypress from a fair distance (http://lasecwww.epfl.ch/keyboard/), no matter what you do, they can still 'see' if they really want (they can also do this to read your screen through the wall too http://www.cl.cam.ac.uk/~mgk25/ih98-tempest.pdf). There's no getting away from it, nothing is really fully secure, it's just a case of whether it is secure enough for what you're trying to protect... passwords to facebook, twitter, etc really don't matter (as long as they're not the same ones for your bank!).
damber
LTD Admin
Posts: 3138
Joined: Tue Oct 09, 2007 1:48 pm
Location: North Wales, UK
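The two masking designs argued over in this thread (damber's explicit, time-limited "peek" toggle, and the iPhone-style "show only the last typed character briefly" that Emtucifor describes) can be written down as a small rendering policy. This is an added example, not code from the forum or from any of the posters; it is DOM-free so the logic can be checked on its own, and the 5 s and 1 s reveal windows are assumed values.

```javascript
// Added example: a DOM-free model of two password-masking policies.
// "peek"     = an explicit toggle that reveals the whole value for a bounded
//              time; a second press re-hides at once (a conscious action).
// "lastChar" = only the most recently typed character shows, briefly.
// Leaving the field (blur) always re-masks under both policies.
const MASK = '\u2022'; // bullet glyph used for hidden characters

const POLICY = {
  peek:     { revealMs: 5000 }, // assumed: a peek auto-re-masks after 5 s
  lastChar: { revealMs: 1000 }, // assumed: last typed char shows for 1 s
};

// state = { value, mode, revealedAt, lastKeyAt, focused }; now is ms.
// Returns exactly the string the field should display at time `now`.
function renderField(state, now) {
  const { value, mode, revealedAt, lastKeyAt, focused } = state;
  const hidden = MASK.repeat(value.length);
  if (!focused) return hidden; // never show a secret in an unfocused field
  if (mode === 'peek') {
    const open = revealedAt !== null && now - revealedAt < POLICY.peek.revealMs;
    return open ? value : hidden;
  }
  if (mode === 'lastChar') {
    if (value.length > 0 && now - lastKeyAt < POLICY.lastChar.revealMs) {
      return MASK.repeat(value.length - 1) + value[value.length - 1];
    }
    return hidden;
  }
  return hidden; // unknown mode: fail closed
}

// Event helpers; each returns a new state rather than mutating the old one.
function newState(mode) {
  return { value: '', mode, revealedAt: null, lastKeyAt: -Infinity, focused: true };
}
function keyTyped(state, ch, now) {
  return { ...state, value: state.value + ch, lastKeyAt: now };
}
function togglePeek(state, now) {
  const open = state.revealedAt !== null && now - state.revealedAt < POLICY.peek.revealMs;
  return { ...state, revealedAt: open ? null : now }; // press again = re-hide
}
function blur(state) {
  return { ...state, focused: false, revealedAt: null };
}
```

Wiring this to a real input is just calling `renderField` on each keystroke, toggle press, blur and timer tick; the state object, not the displayed string, is what gets submitted.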

Re: Usability vs Security

Postby chrissie1 on Thu Jul 02, 2009 11:09 am

damber wrote: (as long as they're not the same ones for your bank!).


<Quickly changing password of bank account> ;-)

I agree with all your points. But I am getting older and I only remember 1 password now if only I could remember my username.

Since we are talking security, last weekend I had another mail from BCC to tell me my VISA was once again being changed because of possible fraud. In the letter they state that it will not have any effect and that it is free of charge. They forget to mention that I lost another hour going to the bank picking it up and setting a new code and showing them who I am. Visa must be the easiest thing in the world to use for fraud but on the other hand easy to use too. Security versus ease of use.
chrissie1
Senior Guru
Posts: 9475
Joined: Wed Oct 10, 2007 7:18 pm
Location: Belgium

Re: Usability vs Security

Postby damber on Thu Jul 02, 2009 2:34 pm

let me guess:

username: chrissie1
password: chrissieisgreat!

??

:-P


ooops, sorry... it should be:

password: thelordoursaviourchrissieisgreat!!!11111!!11!11!1!111

;-)
damber
LTD Admin
Posts: 3138
Joined: Tue Oct 09, 2007 1:48 pm
Location: North Wales, UK