Comments on: Why Masked Passwords Are a Serious Security Hole

By: Francesco

Francesco — Mon, 11 Jul 2011 20:36:01 +0000

@Fabio, it is correct to scramble a password field to protect it from “bad eyes”. Passpack does this in the entry popup. But this is a different thing.

By: Fabio

Fabio — Mon, 11 Jul 2011 20:15:09 +0000

If the masking is implemented in a safe way, the control won’t have the actual password, it will be stored somewhere else and the masked password will be just ‘*’ characters.

By: Oscar

Oscar — Thu, 23 Jun 2011 00:02:46 +0000

Nice post. I wasn’t really aware of PassPack, but it looks like a very nice piece of software. I think I’m going to sign up for an individual account!

By: Why Masked Passwords Are a Serious Security Hole

Why Masked Passwords Are a Serious Security Hole — Wed, 22 Jun 2011 20:00:56 +0000

[...] When I respond that this isn’t possible to implement in a secure way, and that I don’t want to open a security hole in the Passpack experience, people have pointed out to me that other software offers this feature. Unfortunately, several users have left Passpack for this missing “feature”. So I’d like to explore the matter further with you.continue [...]

By: Francesco

Francesco — Wed, 22 Jun 2011 19:11:18 +0000

@Chris, maybe there is a misunderstanding. What you are talking about is different from the subject of this post. Specifically, masking password fields against shoulder surfing makes sense (Passpack adopts this approach with passwords and notes). This post is about something else.

By: Chris

Chris — Wed, 22 Jun 2011 18:44:50 +0000

It’s only to stop those who are peering over your shoulder (who also can’t read your fingers as they type on the keyboard…)

By: Andre P.

Andre P. — Wed, 22 Jun 2011 18:25:28 +0000

I just tried the same technique on a bank site (note: with “https” this time) and while changing the ‘type’ attribute didn’t work, I noticed that the input value was revealed with the “value” attribute. Even easier!

By: Andre P.

Andre P. — Wed, 22 Jun 2011 18:21:24 +0000

I went to facebook.com with IE9, entered a few characters into the username and password fields, then hit F12 to get into the developer tools. I found the DOM node for the password field:

I was able to change the ‘type’ attribute to “text” and the DOM type was changed immediately, revealing the password. Nothing to install, nothing to copy and paste.

By: joequincy

joequincy — Wed, 22 Jun 2011 16:42:14 +0000

Password fields are just masked text fields. Change the Type attribute to text, and you’ve got yourself a readable password field.

I wrote a Greasemonkey script ( http://userscripts.org/scripts/show/71825 ) quite some time ago that added a button to toggle just that after every password field. It’s totally inelegant, but it does the work quickly and easily enough. I absolutely agree with you; passwords masking is a security flaw because it induces a sense that it is secure, and thus promotes insecure practices.

By: austin

austin — Wed, 22 Jun 2011 16:35:54 +0000

if you have netcat you cna just listen on a certain port and set a proxy in your browser to use localhost:that port and the http request, presumably with your pass, will be shown.
also if you have firebug in firefox.

ive never heard of masked passwords but i certainly would NOT support such a silly idea.