On Sat, 2013-05-04 at 19:23 +0100, Richard W.M. Jones wrote:
> Another opinion.
>
> It is possible to study such things, and even give caveats and error
> bounds to show uncertainty.

I went looking, but as T.C. Hollingsworth said, it doesn't appear that either side has produced anything much in the way of empirical research to support its view. Given that, it would seem most prudent to continue with what we've done in the past; the onus would seem to be on the 'don't mask passwords' side to make a convincing case for change.

I haven't found anything much beyond the initial pretty small study (62 participants) cited (and conducted) by Nielsen, and that didn't seem to be widely accepted at the time. It was a study of mobile users, and we don't design anaconda for cellphones (someone has noted that there's a significant difference between cellphone and 'regular PC' text entry). It was also tightly focused on web use, and Nielsen seems to have been thinking about the case where you enter an existing password for authentication, rather than the case where you initially set the password. So it seems dubious to consider it applicable to the case of anaconda.

I'm also not sure that it's easy to design a study that takes into account all the factors here. We can easily measure the usability of various masking approaches, but I think everyone would accept that in *usability* terms, unmasked passwords are best: I think it's generally accepted that this is a case of a usability versus security trade-off, and the questions are a) exactly how much security does masking provide and b) once we have agreed on the terms (exactly how much more usable are unmasked passwords? exactly how much more secure are masked passwords?) where do we decide Fedora should fall?
Measuring the *security* consequences of each approach seems much more difficult; it'd certainly need to be some kind of large-scale experiment, if only to make sure the many other factors that affect password security were evened out. It doesn't seem to be something you can easily test in a day just by sitting 30 people down in a usability lab, at least, because the practical risk of shoulder-surfing is a 'real world' thing you'd have to try and measure somehow. So far as I can tell, no-one's really tried this yet; all the debate seems to be just people citing their wild-ass guesses as to how big of a problem shoulder surfing might be as if they were gospel. And then there's the argument that, if shoulder surfing isn't much of a problem in the real world at present, that's *because passwords are usually masked*, which complicates the question even further.

b) is not something you can measure at all; it's a judgement call. There will inevitably be an element of subjectivity in any decision made on this topic, even if we can perfectly measure the usability and security of each approach under consideration. If we find that, say, one-character-at-a-time masking is almost as usable as unmasked and almost as secure as masked, the subjective decision might be an easy one, but it'd still be subjective.

Nielsen seems to have updated his pages and links over time, so the dates don't really add up, but I'm _pretty_ sure that http://www.nngroup.com/articles/mobile-usability-first-findings/ is the write-up of the actual study he mentions in passing in http://www.nngroup.com/articles/stop-password-masking/ (the note that started all the fuss; it seems to have been updated in places). That write-up does not mention password security at all, so it doesn't seem to have been the focus of the study.
Really, his password masking piece seems to be mostly just opinion; he doesn't cite references for most of it, and a lot of it seems like, if it was based on actual data at all, it was heavily extrapolated.

To throw some more very inconclusive data on the pile, I'll note that - IIRC - Android's 'pattern lock' feature initially did not have the option to disable the display of the pattern as you enter it. This was added in a later update. It would be interesting to know if that was in response to user demand, or some kind of empirical data, or just some coder's arbitrary decision. (Correct me if I'm wrong there, though...)

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel