My program should display ‘*’ when entering a password to a text box by a user. How to do that?
The only snag is that for security reasons such applications have to be activated by entering a master password in the conventional manner.
Such a password would need to strong, and if the user has no trouble entering it, then he should have no trouble doing so in any other application.
If the user lets his master password be captured, he effectively gives away all his passwords.
One thing he doesn’t cover where it is still effective even if you have someone looking over your shoulder at the time is where you use a password vault program that can mask the passwords in the program but still provides a button next to the field to copy the password to the clipboard. With that setup you can then copy the password from your password vault and paste it into the web page with someone watching everything you do (including watching the keyboard) and they still can’t see your password. Since it is also impossible to mistype the password when you do that there is no problem for you in having the field masked.
So Neilen’s suggestion about offering your visitor the option of whether passwords should be masked or not is definitely a worthwhile one.
Of course any option that you give your visitor for being able to switch the field between masking and not masking the password will require JavaScript to perform the switch. For example http://javascript.about.com/library/blpass1.htm shows how to set up a self labelled password field that will mask the actual password when entered. Slightly modified that code could also provide for the checkbox processing for masking/unmasking the field that Neilsen mentions as a possibly more accessible solution.
What’s wrong with the good old <input type=“password” /> ?
The difference is that the password vault program runs as an application on their computer and there is no access to it from anywhere else. The master password doesn’t have to be particularly secure if physical access to the computer itself is secure.
Where others you don’t trust have physical access to the computer then yes that master password does have to be secure but provided you have entered that before the person arrives to watch you use the computer you can use the passwords stored there to log into various web sites without the watching person seeing you type a password which is the only instance where having the password field on the screen masked serves any purpose whatever.
Losing a password that is only ever entered on your own computer and never leaves that computer is far less likely than losing one that has to be transmitted over the internet and so the password vault method reduces the chances of your having all sites compromised by making it easier to use different hard to guess passwords for each site on the internet. The actual level of security isn’t that significantly different from if you keep the passwords on a written list on your desk (which is the only effective alternative way of using hundreds of different passwords for hundreds of different sites).
The only way a master password on a password vault can be captured without being physically there watching it being typed in is if there is a keylogger installed on the computer and if that applies then all of your passwords are compromised regardless of how you handle them.
That is my worry with any of the authentication systems which you can use to have one password for many sites, if a person’s password is captured/guessed/broken then they loose access to all sites. If they have different passwords for different sites and one gets comprised, they only loose access to that one site.
@albertkao, a couple of related threads where the topic of password masking as been discussed are in this thread and discussed a bit in this [URL=“http://www.sitepoint.com/forums/showthread.php?p=4361891&t=631491”]thread.
There’s nothing wrong with that at all, unless Nielsen has something worth listening to.
Stop Password Masking