Comment by letsdothisagain

2 years ago

I'm honestly seeing little value in asterisks with WFH and the move to passphrases. Feedback is important when you're typing a long phrase with complete precision. Plus shoulder surfing is simply not a thing when my physical security profile now involves a locked front door and a call to the police.

WFH also means Working From my backyard, the coffee shop around the corner, the library, a friend's house, a hotel room, etc.

Even for people who only work at home while working remotely, private homes can see a lot of traffic. I wouldn't assume all screens are kept and used in totally secure environments so we should probably still stick with masked passwords and telling users not to keep passwords written on a post-it note stuck to their monitor.

  • And now employees simply leave their laptop open with the SSH window up while getting their coffee because it's now so annoying to close the lid and correctly type the password.

    >USB Rubber Ducky has entered the chat

  • If they can see the screen wouldn’t they be better off just looking at the keyboard to directly observe what’s being typed?

  • > the coffee shop around the corner

    I would hope people in high leverage job roles would just avoid such behavior.

    • > I would hope people in high leverage job roles would just avoid such behavior.

      I used to hope that as well. Then I met people and lost that hope. It's truly impressive how much stupid shit gets pulled by people that "should know better."

You've never typed a password in while screen sharing?

  • I don't type passwords. My password manager fills them for me, or I paste them.

    • Unlocking the password manager means I need to type a master password in while in a public place. Feels higher risk when it is an unimportant website but potentially gives access to all websites. Still better than the passwords being accessible on disk but having individual passwords would reduce the impact of any password leak.

  • Oh god no, absolutely not. Always stop sharing for the duration of the password entry.

    • What if you're demonstrating a problem with a login screen? And yes, I've had to do exactly that more than once. I wouldn't do it with a particularly sensitive password (online banking etc) but there are enough passwords I use regularly for work purposes where it wouldn't be a significant risk for others to watch me type it in, certainly if the characters aren't revealed at all while typing. Though having password fields be able to detect your screen is being shared automatically and obscure what pixels are relayed would be nice.

    • Sadly I think security systems will have to accommodate the possibility that someone else can see your screen. And hope that they can't see your keyboard.

Are you describing your experience or implying that the industry should change this because you can WFH?

  • The latter. They seemingly meant "I can WFH, so asterisks are meaningless to everyone. F@&# asterisks!"

> I'm honestly seeing little value in asterisks

They're essential! How else would we encourage the average user to use as short and as simple a password as they can get away with?