[Sigia-l] Obscuring passwords, or not...

jon at spin.ie jon at spin.ie
Tue Sep 30 10:24:41 EDT 2003


> Typically forms use the password input which displays an asterisk or dot 
> as the user enters the password. This is done so that no one can look 
> over their shoulder and discover the user's password.
> 
> Sometimes this is a usability problem: you can't determine whether 
> you've correctly entered your password at a glance.

PGP allows users to turn off passphrase obscuring - on the other hand, when obscuring is turned on it just moves the caret rather than displaying asterisks, so it is even more obscured than is usual.

While this might appear at first glance to sacrifice a degree of security (and the people who use PGP include some paranoid enough to worry that even in the privacy of their own home someone might use Van Eck phreaking to read the screen), it is also true that making it difficult to enter passphrases encourages people to pick very small and very simple passphrases - with a resultant detrimental effect on security.

Offering people the ability to turn off the passphrase obscuring might be worth considering. The one problem with this is that people generally overestimate when such features are safe to use. So any usability advantage will come with a security disadvantage - even if that security risk is nil in most use cases, if it exists in some then it must be considered.

So, how much does this increase usability? Do those usability benefits decline once people are more used to the system? (I've a few passphrases I can't remember but I can type them without even thinking) Will your users understand why they should obscure passphrases if anyone is around - even if it doesn't look like they can see anything, or even in an empty cyber cafe? (it's not rare to have webcams looking at the screens, so illegal activity can be tracked).

Finally, what's the worst that will happen if a passphrase is compromised: a bit of mild embarrassment, serious data loss, financial fraud?
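An added example (not from the post or the list) of the "let users turn off obscuring" idea with the caveat above built in: the field defaults to obscured, a reveal is explicit, and it re-masks on its own when focus is lost, the form is submitted, the tab is hidden, or a short timeout expires. The 10 s timeout and the element ids `passphrase` and `reveal` are assumptions.

```javascript
// Added example: a "reveal passphrase" toggle whose unmasked state is temporary,
// so a user who forgets the field is visible is not exposed indefinitely.
const REVEAL_MS = 10000; // assumption: auto-re-mask 10 s after a reveal

// The policy is a pure state machine (injectable clock) so it can be tested
// without a DOM; the DOM binding below just renders it.
function createMaskPolicy(now = () => Date.now()) {
  let revealedAt = null; // timestamp of the last explicit reveal, or null
  return {
    isRevealed() {
      return revealedAt !== null && now() - revealedAt < REVEAL_MS;
    },
    reveal() { revealedAt = now(); },
    hide() { revealedAt = null; },
    // Any loss of attention (blur, submit, hidden tab) re-masks the field.
    onLoseFocus() { revealedAt = null; },
  };
}

// Browser binding: `input` is the passphrase <input>, `toggle` the button.
function bindPassphraseField(input, toggle, policy) {
  const render = () => {
    const shown = policy.isRevealed();
    input.type = shown ? 'text' : 'password';
    toggle.setAttribute('aria-pressed', String(shown));
  };
  toggle.addEventListener('click', () => {
    if (policy.isRevealed()) policy.hide(); else policy.reveal();
    render();
  });
  input.addEventListener('blur', () => { policy.onLoseFocus(); render(); });
  if (input.form) {
    input.form.addEventListener('submit', () => { policy.hide(); render(); });
  }
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { policy.hide(); render(); }
  });
  setInterval(render, 1000); // pick up timeout expiry without user input
  render();
}

if (typeof document !== 'undefined') {
  bindPassphraseField(document.getElementById('passphrase'),
                      document.getElementById('reveal'),
                      createMaskPolicy());
}
```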
