FabSwingers.com
 


Password bug


 

By (user no longer on site) OP     over a year ago

If you get your password wrong the subsequent attempts are displayed in the password box rather than the letters being starred.


 

By (user no longer on site)  over a year ago

I get the same, on a Samsung Galaxy S6


 

By (user no longer on site)  over a year ago

It's the same on an iPhone. I noticed that happening a few years ago also. Or maybe it always has.


 

By *ubiousOatcakeMan  over a year ago

Aberdeenshire

You’ll find that happening more and more often. Unless someone else could be looking at your screen, starred out letters are just an inconvenience. It’s probably a design choice in this instance, so you can be sure you’re typing it correctly.


 

By (user no longer on site)  over a year ago


"You’ll find that happening more and more often. Unless someone else could be looking at your screen, starred out letters are just an inconvenience. It’s probably a design choice in this instance, so you can be sure you’re typing it correctly."

A design choice to show a password in clear text? What fucking idiot of a designer ever thought that would be a good idea????


 

By *ubiousOatcakeMan  over a year ago

Aberdeenshire

Well, as I said, it is only an issue if somebody other than you can see your screen. I think most people would agree that it would be unwise to sign into Fab while anyone else (other than maybe your partner) can see what you are doing.

Think about it. How often are you entering a password with somebody watching what you’re doing? Rarely.

Security experts are recommending defaulting to showing text because people incorrectly entering their passwords creates a lot of unnecessary work. However, generally, where it is removed, you’ll see the option to select it, for those signing in while they’re out in public.

But, I really, really don’t recommend logging into Fab while the general public can look at your screen.


 

By (user no longer on site) OP     over a year ago


"Well, as I said, it is only an issue if somebody other than you can see your screen. I think most people would agree that it would be unwise to sign into Fab while anyone else (other than maybe your partner) can see what you are doing.

Think about it. How often are you entering a password with somebody watching what you’re doing? Rarely.

Security experts are recommending defaulting to showing text because people incorrectly entering their passwords creates a lot of unnecessary work. However, generally, where it is removed, you’ll see the option to select it, for those signing in while they’re out in public.

But, I really, really don’t recommend logging into Fab while the general public can look at your screen."

Can you give me some examples of security experts recommending we stop password masking?


 

By *ubiousOatcakeMan  over a year ago

Aberdeenshire

“I would be happy to see it go.” Schneier on Security https://www.schneier.com/blog/archives/2017/07/password_maskin.html

“Masking passwords doesn't defend against any likely threat, causes user frustration, and drives them to pick poor passwords.” ZDNet http://www.zdnet.com/article/we-need-to-stop-masking-passwords/

“Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.” Nielsen Norman Group https://www.nngroup.com/articles/stop-password-masking/


 

By (user no longer on site)  over a year ago

No, because the second time you enter it you are usually so careful that anyone watching could see the keystrokes anyway!

Plus I agree, fab where your screen can be seen is dangerous!


 

By *urreyloverMan  over a year ago

Guildford

It is not just that it is displayed in free text, it is then also stored in the phone's dictionary in free text (not even hashed like stored passwords). My fab password is unique and after having to re-enter it on fab, it then came up as a quick entry choice for a subsequent dialogue box. The user interface does not recognise it as a password, though the fab server clearly does.


 

By (user no longer on site)  over a year ago


"It is not just that it is displayed in free text, it is then also stored in the phone's dictionary in free text (not even hashed like stored passwords). My fab password is unique and after having to re-enter it on fab, it then came up as a quick entry choice for a subsequent dialogue box. The user interface does not recognise it as a password, though the fab server clearly does."

This ^^^^


 

By *ubiousOatcakeMan  over a year ago

Aberdeenshire


"It is not just that it is displayed in free text, it is then also stored in the phone's dictionary in free text"

Incorrect.


 

By (user no longer on site) OP     over a year ago

To be honest though the biggest issue with fab passwords is that they're not case sensitive.

Try this: if your password contains any uppercase letters, type it in all in lower case


 

By *JandTheBearCouple  over a year ago

Hartlepool


"To be honest though the biggest issue with fab passwords is that they're not case sensitive.

Try this: if your password contains any uppercase letters, type it in all in lower case "

Holy f***, just verified this

The implications of this are mind blowing

1) the passwords are not hashed or 'hashed' in a very non-secure manner

2) if they are not hashed that means they are stored in plaintext and therefore insecure by design

3) do not meet the new GDPR regulations

Oh dear


 

By (user no longer on site) OP     over a year ago


"To be honest though the biggest issue with fab passwords is that they're not case sensitive.

Try this: if your password contains any uppercase letters, type it in all in lower case

Holy f***, just verified this

The implications of this are mind blowing

1) the passwords are not hashed or 'hashed' in a very non-secure manner

2) if they are not hashed that means they are stored in plaintext and therefore insecure by design

3) do not meet the new GDPR regulations

Oh dear "

Been like it for years.


 

By (user no longer on site)  over a year ago


"To be honest though the biggest issue with fab passwords is that they're not case sensitive.

Try this: if your password contains any uppercase letters, type it in all in lower case

Holy f***, just verified this

The implications of this are mind blowing

1) the passwords are not hashed or 'hashed' in a very non-secure manner

2) if they are not hashed that means they are stored in plaintext and therefore insecure by design

3) do not meet the new GDPR regulations

Oh dear "

They could be hashed by converting them to lowercase before hashing and then converting entered passwords to lowercase before checking them.


 

By (user no longer on site) OP     over a year ago


"To be honest though the biggest issue with fab passwords is that they're not case sensitive.

Try this: if your password contains any uppercase letters, type it in all in lower case

Holy f***, just verified this

The implications of this are mind blowing

1) the passwords are not hashed or 'hashed' in a very non-secure manner

2) if they are not hashed that means they are stored in plaintext and therefore insecure by design

3) do not meet the new GDPR regulations

Oh dear

They could be hashed by converting them to lowercase before hashing and then converting entered passwords to lowercase before checking them."

Yes they could be but still a terrible thing as it weakens the passwords you can use enormously


 

By *ubiousOatcakeMan  over a year ago

Aberdeenshire

Yup. I just checked, and converting my password to all lower case means the time it would take to crack it dropped from 3,718,234,074,664,426,000 years to a measly 10,944,496,593,918,416 years.

.

We’re doomed!


 

By *.gerri.xTV/TS  over a year ago

North west

[Removed by poster at 31/03/18 00:23:06]


 

By *.gerri.xTV/TS  over a year ago

North west


"

Can you give me some examples of security experts recommending we stop password masking?"


"“I would be happy to see it go.” Schneier on Security https://www.schneier.com/blog/archives/2017/07/password_maskin.html

“Masking passwords doesn't defend against any likely threat, causes user frustration, and drives them to pick poor passwords.” ZDNet http://www.zdnet.com/article/we-need-to-stop-masking-passwords/

“Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.” Nielsen Norman Group https://www.nngroup.com/articles/stop-password-masking/"

Pwned


 

By *urreyloverMan  over a year ago

Guildford


"It is not just that it is displayed in free text, it is then also stored in the phone's dictionary in free text

Incorrect."

When my password is used nowhere else, it appeared as a personal dictionary entry on my phone after entering it correctly after a log-in error.


 

By (user no longer on site) OP     over a year ago


"

Can you give me some examples of security experts recommending we stop password masking?

“I would be happy to see it go.” Schneier on Security https://www.schneier.com/blog/archives/2017/07/password_maskin.html

“Masking passwords doesn't defend against any likely threat, causes user frustration, and drives them to pick poor passwords.” ZDNet http://www.zdnet.com/article/we-need-to-stop-masking-passwords/

“Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.” Nielsen Norman Group https://www.nngroup.com/articles/stop-password-masking/

Pwned "

Oh yes 1 example and 1 person's opinion must mean we should do it and all security experts agree, yawn


  

By (user no longer on site) OP     over a year ago


"Yup. I just checked, and converting my password to all lower case means the time it would take to crack it dropped from 3,718,234,074,664,426,000 years to a measly 10,944,496,593,918,416 years.

.

We’re doomed!"

That's based on brute forcing whereas a dictionary attack is more likely and this way of storing passwords makes my dictionary much smaller.

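Added example (not part of any post above, and not FabSwingers' code, whose storage scheme the thread does not establish): the lowercase-then-hash scheme suggested in the thread, run next to a case-preserving one, plus a count of how many differently cased spellings collapse onto one stored hash. The sample password, the PBKDF2 parameters and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not a value from the thread


def hash_password(password, *, fold_case, salt=None):
    """Return (salt, digest); fold_case=True lowercases before hashing."""
    salt = salt or os.urandom(16)
    material = password.lower() if fold_case else password
    digest = hashlib.pbkdf2_hmac("sha256", material.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(attempt, salt, digest, *, fold_case):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(attempt, fold_case=fold_case, salt=salt)
    return hmac.compare_digest(candidate, digest)


def case_variants(password):
    """Number of differently cased spellings that fold to the same stored hash."""
    letters = sum(1 for ch in password if ch.lower() != ch.upper())
    return 2 ** letters


if __name__ == "__main__":
    sample = "Tr4ctor-Blue"  # constructed sample password
    for fold in (True, False):
        salt, digest = hash_password(sample, fold_case=fold)
        accepted = verify(sample.lower(), salt, digest, fold_case=fold)
        print(f"fold_case={fold}: all-lowercase attempt accepted = {accepted}")
    print(f"spellings collapsed by folding: {case_variants(sample)}")
```

A login that accepts the all-lowercase spelling is therefore consistent with salted hashing; what folding costs is up to one bit of guessing work per letter, which matters most against wordlists that try case variants.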
