Rob Kraft's Software Development Blog

Software Development Insights

Archive for June, 2018

How To Protect Against “Man Over The Shoulder” Attacks

Posted by robkraft on June 24, 2018

Replacing the characters we type in a password field with asterisks or dots is so common that we don’t question the value or purpose of it.  Most people don’t realize that the technique serves just one purpose, and that is to protect people from “Man over the shoulder” attacks.


So when do we need this protection?  Only when we are in coffee shops, or airports, or other public places where someone (or a camera) can see our screen and find out what password we are typing.  And possibly also in our work environments when we are sitting with co-workers and one person is logging in to a system or application.  But when you are at home alone, or at your desk alone at work, or out in public in a place where no one can see what you type, hiding the password you type is unnecessary.  In fact, hiding the password we are typing is sometimes worse than unnecessary; it is counter-productive.  How so?  Being unable to see the password we type pushes us toward passwords that are easier to remember and to get right on the first try.  A long, complicated password is more difficult to enter correctly when you cannot confirm what you have typed than a short password that just meets the minimum criteria required by the application, so people are more likely to settle on a simple password when they cannot review what they are typing.

The best resolution to this conundrum is probably to have an option to allow the user to see the password they are typing.  Perhaps a checkbox next to the password field to show the password to the user as they type it.  Or, as we see in some browsers, a little eyeball icon that lets users reveal the password they have typed so far.

If you are concerned that revealing passwords assists hackers and spyware and malicious JavaScript that may be running on your computer to discover your password, that concern is misplaced.  Masking is purely a display choice: a script running in the page can read the field's value whether it is drawn as dots or as text, and a keylogger captures the keystrokes regardless of what is painted on the screen.  Malicious code that is already running on your computer can obtain the password for itself without human intervention in just the same way that the application using the password does.  The one exception is software that captures the screen itself: screen recording, screenshots, remote desktop or screen-sharing sessions, and anything else that sees what you see.  Most tracking and monitoring software does not use this approach, but some does, which is a good reason to keep the field masked by default, reveal it only on the user's explicit request, and mask it again once the user moves on.
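As an added example (not code from the original post), the checkbox/eyeball toggle described above, written against the small subset of the DOM API it needs (`type`, `value`, `setAttribute`, `addEventListener`) so the same functions work on real `<input>`, `<button>` and `<form>` elements in a browser. It also demonstrates the point about in-page script: `readValue` returns the same string whether the field is masked or revealed. The `fakeElement` stand-in and the sample password are constructed here so the example runs under Node without a DOM; they are assumptions, not anything from the page.

```javascript
// Show/hide toggle for a password field. The browser masks the field
// purely by its type attribute; flipping it does not change the value
// the page, or any script in it, can read.
function setRevealed(input, button, revealed) {
  input.type = revealed ? "text" : "password";
  button.setAttribute("aria-pressed", revealed ? "true" : "false");
  button.setAttribute("aria-label", revealed ? "Hide password" : "Show password");
  return input.type;
}

function attachRevealToggle(input, button, form) {
  setRevealed(input, button, false); // default: masked
  button.addEventListener("click", () => {
    setRevealed(input, button, input.type === "password");
  });
  // Re-mask when the user leaves the field or submits the form so the
  // plaintext does not linger on screen (e.g. during a screen-share).
  input.addEventListener("blur", () => setRevealed(input, button, false));
  if (form) {
    form.addEventListener("submit", () => setRevealed(input, button, false));
  }
}

// What script on the page sees, independent of how the field is drawn.
function readValue(input) {
  return input.value;
}

// Constructed stand-in for a DOM element (assumption for running offline);
// in a browser, pass real elements to attachRevealToggle instead.
function fakeElement() {
  const handlers = {};
  return {
    type: "password",
    value: "",
    attrs: {},
    setAttribute(name, v) { this.attrs[name] = v; },
    addEventListener(evt, fn) {
      handlers[evt] = handlers[evt] || [];
      handlers[evt].push(fn);
    },
    dispatch(evt) { (handlers[evt] || []).forEach((fn) => fn()); },
  };
}

function demo() {
  const input = fakeElement();
  const button = fakeElement();
  const form = fakeElement();
  attachRevealToggle(input, button, form);

  input.value = "correct horse battery staple"; // constructed sample password
  const masked = input.type;                    // "password"
  const seenWhileMasked = readValue(input);     // script reads it anyway

  button.dispatch("click");                     // user clicks the eyeball
  const revealed = input.type;                  // "text"
  const seenWhileRevealed = readValue(input);   // identical string

  form.dispatch("submit");                      // re-masked on submit
  return {
    masked,
    revealed,
    afterSubmit: input.type,
    ariaAfterSubmit: button.attrs["aria-pressed"],
    seenWhileMasked,
    seenWhileRevealed,
  };
}

console.log(demo());
```

The toggle is user-initiated and defaults to masked; re-masking on blur and submit limits how long the plaintext is on screen, which is the only channel (screen capture, screen sharing, cameras) where revealing the password makes a difference.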

I recommend we keep masking passwords by default, but every password field should also give the user an option to see the password they have typed.


Posted in Security