Jakob Nielsen, the web's best-known usability expert, said last month that sites should show most passwords in clear text as users type them rather than masking them. OUT-LAW put his observations to Bruce Schneier, a widely respected IT security expert, who backed Nielsen's view.
"Password masking has annoyed me for years," Schneier told OUT-LAW.COM at the time. "Shoulder surfing is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time."
Schneier shared his observation on his blog. Over 160 comments were posted in response, mostly arguing that he and Nielsen had made a mistake. Schneier has now admitted that he probably made a mistake.
"I was certainly too glib," he wrote on Friday. "Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea."
He repeated his argument that the risks of shoulder surfing are overrated; but he added: "This is not to say that shoulder surfing isn’t a threat. It is. And, as many readers pointed out, password masking is one of the reasons it isn't more of a threat."
Schneier now backs an approach taken by BlackBerry devices and iPhones, which display each character briefly before masking it. "That seems like an excellent compromise," he said.
"So was I wrong?" wrote Schneier. "Maybe. Okay, probably."
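The "compromise" Schneier refers to, showing each character briefly before masking it, is easy to get wrong in a web form if the cleartext is left sitting in the input's value. The following is an added example, not code from the article or from BlackBerry or Apple: the real password is kept in a closure and only a rendered string (all bullets, or bullets plus the last character while the reveal window is open) reaches the display. The field id `pw`, the bullet glyph, the one-second reveal window and the choice to re-mask everything on backspace or blur are all assumptions.

```javascript
// Added example: "show the last typed character briefly, then mask it".
// Assumptions (not from the article): bullet as mask glyph, 1 s reveal window.
const MASK_CHAR = '\u2022';
const REVEAL_MS = 1000;

// Build the display string from the real secret. Iterates code points so a
// non-BMP character (e.g. an emoji) is rendered as one glyph, not two.
function maskForDisplay(secret, revealLast) {
  const chars = Array.from(secret);
  if (chars.length === 0) return '';
  if (!revealLast) return MASK_CHAR.repeat(chars.length);
  return MASK_CHAR.repeat(chars.length - 1) + chars[chars.length - 1];
}

// Field controller. The secret lives only here; the visible element is
// never given the cleartext, so a DOM dump or a screenshot sees bullets.
// `clock` is injectable so the reveal window can be tested deterministically.
function createMaskedField(clock = Date.now) {
  let secret = '';
  let lastKeyAt = -Infinity; // time of the last *typed* character

  return {
    // Append one character and open the reveal window for it.
    type(ch) {
      secret += ch;
      lastKeyAt = clock();
    },
    // Remove the last code point. Assumption: deleting never reveals the
    // new last character, so the window is closed.
    backspace() {
      const chars = Array.from(secret);
      chars.pop();
      secret = chars.join('');
      lastKeyAt = -Infinity;
    },
    // Close the reveal window (call on blur or submit).
    hide() {
      lastKeyAt = -Infinity;
    },
    // What should be drawn right now.
    display() {
      return maskForDisplay(secret, clock() - lastKeyAt < REVEAL_MS);
    },
    // The real value, for submission only.
    value() {
      return secret;
    },
  };
}

// Browser wiring (skipped outside a DOM). Assumes <input id="pw" type="text">;
// keydown is intercepted so the element's own value never holds the secret.
if (typeof document !== 'undefined') {
  const field = createMaskedField();
  const input = document.getElementById('pw');
  const render = () => { input.value = field.display(); };
  input.addEventListener('keydown', (ev) => {
    if (ev.key === 'Backspace') field.backspace();
    else if (ev.key.length === 1 && !ev.ctrlKey && !ev.metaKey) field.type(ev.key);
    else return; // let Tab, Enter, arrows etc. through untouched
    ev.preventDefault();
    render();
    setTimeout(render, REVEAL_MS); // re-mask once the window closes
  });
  input.addEventListener('blur', () => { field.hide(); render(); });
}

module.exports = { maskForDisplay, createMaskedField, MASK_CHAR, REVEAL_MS };
```

The reveal window is exactly the shoulder-surfing exposure: one character at a time, for about a second, which is the trade the article describes. Keeping the secret out of the input's value also means autocomplete, form-history and "copy" act on bullets rather than the password; the form handler has to read `field.value()` explicitly at submit time.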