8

There is a practice of showing bullets, not characters when a user inputs a password. Is this security through obscurity?

My first thought was that it's not, it's not really a system, we know how it works, one bullet = one character. It's just not showing the password so I don't think the definition of security by obscurity applies here. However, I'm not sure about it.

Martin Maat
  • 18,435
Awerde
  • 327
  • Some systems output a random number of bullets/asterisks (within a short range of course) for each entered character to make it harder for over-lookers to spot the number of characters in the entered password. I don't encounter this anymore, for some reason it got out of style, yet it struck me as a smart thing to do. – Martin Maat Jan 17 '22 at 21:27
  • @MartinMaat I was just thinking alike. Then I thought of my mother and almost immediately I have realised that it could be seen as a misleading and confusing feature. Imagine a layman typing a 10-character password but only half are printed. Cognitively it is disturbing. – Laiv Jan 18 '22 at 15:34
  • Someone could look at your fingers and keyboard... – Basile Starynkevitch Jan 18 '22 at 17:55
  • @Laiv I have never seen this with nothing appearing in response to a key stroke, it was always multiple placeholders per character. And my mother does not need any of this to be confused by her computer. – Martin Maat Jan 18 '22 at 18:21
  • There is nothing wrong with security through obscurity - as long as it isn’t the only security. I know one really big attack target where the “obscurity” stopped attackers for several years. – gnasher729 Jan 18 '22 at 19:42
  • Example: hiding services by changing the standard port address to something different is considered good practice among network administrators... yet, totally security through obscurity! – Martin Maat Jan 18 '22 at 20:20
  • @MartinMaat because it cuts down the amount of everyday attacks performed by bots by 99.9+%. You have to specifically target some system to use port scanning. – user11153 Jan 19 '22 at 18:58
  • @BasileStarynkevitch Apparently you can simply record the sound of someone typing and use statistical analysis to determine their password. – JimmyJames Jan 20 '22 at 22:25

1 Answer

14

Rather than the hand-waving "security via obscurity", I think you're best taking Kerckhoffs's principle:

a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.

where the password is the "key" in this case. Security via obscurity is anything where the security of the system depends on something other than the key being kept secret.

As such, hiding the characters of the password as it is entered is absolutely not security via obscurity, as it is protecting the one bit of the system which must be protected for it not to be security via obscurity. It is designed to protect against one very specific attack vector (shoulder surfers), and does that well.

candied_orange
  • 108,538
  • I would say it protects somewhat, rather than very well. Reading a password from keypresses is harder than from a dialog box, but at the speed that most people use for typing noise strings it is perfectly feasible. – Kilian Foth Jan 17 '22 at 21:42
  • @KilianFoth I didn't say it protects "very well", I said it was a very specific attack vector. – Philip Kendall Jan 17 '22 at 21:45
  • The bullets are not a secret of how the system works. They are part of how the key is kept secret. An opponent knowing that the system uses bullets doesn’t weaken the system's security. – candied_orange Jan 18 '22 at 13:34
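As an added example, not code from the question or the answer, here is a small Python model of the masked field the thread discusses: the echo is built only from bullets, so someone who knows exactly how the masking works (the Kerckhoffs's-principle situation the answer describes) still learns nothing about the characters, and the random-width mode is the "random number of bullets per character" variant Martin Maat mentions in the comments. The `BACKSPACE` key code, the `MaskedEntry` class and the `seed` parameter are constructed for this illustration.

```python
import random
from typing import List, Optional

BULLET = "\u2022"   # the character shown in place of each typed one
BACKSPACE = "\x08"  # constructed key code meaning "delete previous character"


class MaskedEntry:
    """Models a masked password field.

    Typed characters stay in memory; the on-screen echo is bullets only.
    min_width == max_width == 1 is the usual one bullet per character;
    a wider range draws a random run of bullets per character, so the
    echo's length no longer reveals the password's length to an onlooker.
    """

    def __init__(self, min_width: int = 1, max_width: int = 1,
                 seed: Optional[int] = None) -> None:
        if not 1 <= min_width <= max_width:
            raise ValueError("need 1 <= min_width <= max_width")
        self._rng = random.Random(seed)  # seed is only for reproducible demos
        self._min, self._max = min_width, max_width
        self._secret: List[str] = []   # the real key, never echoed
        self._widths: List[int] = []   # bullets drawn for each character

    def feed(self, key: str) -> str:
        """Process one keystroke and return the echo to draw on screen."""
        if key == BACKSPACE:
            # Drop the whole bullet run of the deleted character so the
            # display stays consistent even with random-width masking.
            if self._secret:
                self._secret.pop()
                self._widths.pop()
        else:
            self._secret.append(key)
            self._widths.append(self._rng.randint(self._min, self._max))
        return self.display()

    def display(self) -> str:
        return BULLET * sum(self._widths)

    def secret(self) -> str:
        return "".join(self._secret)


def type_password(keys: str, **kwargs) -> MaskedEntry:
    """Feed a whole key sequence (backspaces included) into a fresh field."""
    entry = MaskedEntry(**kwargs)
    for key in keys:
        entry.feed(key)
    return entry
```

The point of the model is that nothing an observer can see, the bullets or the masking rule itself, depends on which characters were typed; only the key is secret.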