Unmasking the Security and Usability of Password Masking
We provide empirical insights into the security and usability of password masking and offer recommendations for future use.
Our peer-reviewed study was presented at the 2024 ACM Conference on Computer and Communications Security (CCS)
Main Findings

Most People Chose Long Passwords
Participants mostly chose passwords longer than the minimum required length of 8 characters, with only 21% selecting the shortest option. Only 3% of passwords were longer than 20 characters, suggesting limited use of passwords randomly generated by password managers.
Masking Doesn't Affect Password Entry Timing
There was no consistent pattern of timing differences between masking conditions, suggesting that masking does not significantly affect the time taken to enter passwords.
Entry Habits
Toggle Use Was Rare: A minority of participants used the masking toggle option, particularly during subsequent login attempts.
Character Deletion and Typos: There was no significant impact of masking on character deletions or the types of typos made during password entry.
Methodology
- Survey: The study used a mixed-methods survey to gather participants' perspectives on password masking, including both closed-ended questions for capturing preferences and frequencies, and open-ended questions for detailed views.
- Experiment: The experiment simulated a login workflow on a website to evaluate password entry under five masking conditions: no masking, static masking with or without a toggle, and dynamic masking with or without a toggle.
