Lately there has been a lot of discussion about this poor little character, the asterix: *. One example of this is this site. This character has been a very frequent site on every login screen you might encounter. It hides your real password (unless you actually had ******* as a password…) The question is whether this is good or bad practice. In this little post I’ll give you my opinion on it.

The original argumentation was to hide the password from peeking eyes. Look over someone’s shoulder and you know… then, you might look at what someone is typing on the keyboard and know as well. Especially if someone is typing slow. The added value is limited. In fact, security by obscurity isn’t real security. As it turns out, not seeing what you are typing increases the likelyhood of making mistakes. This is frustrating, but also costly. Unlocking accounts, retrieving passwords by e-mail etc. is timeconsuming and therefor pricy. Now we have two sides of the scales, which one is heavier?

In fact, that may not at all be the question. You could argue that the asterix’s make people feel good. They’re not only nice to look at, but also give a (false) sense of security, something people like (and not just after 9/11). The feel-good-factor hasn’t been taken into account in all the discussions I’ve read on the internet. Even if the added value in terms of real security is limited, what about making people feel safe (even if they aren’t. You want safety? Shut down that computer Now!).

Another factor that hasn’t been discussed is the simple fact that if we were to change this habit, it would take a very long time to reach an asterix-free world. There would be a mixed environment for years which might confuse people so much they call on the helpdesk anyway. No savings here. Is it really that bad? Or should people learn to type without looking and improve their skills that way?

Even further, one could (and I do) argue that the password itself isn’t a very good idea. There are better ways of securing stuff from unwanted access. Multifactor authentication, biometrics (although there are strong arguments against that one as well. maybe worth another post one day), smartcards, PKI, etc…. If we’re going to change at all, let’s not just do the superficial and aesthetics…

As you see, I don’t have the answer. do you? I hope you will comment on this post and give me your views on this little subject.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Tags: Security