
Jim

Member since: Jun 27th, 2009

Jim's Latest Comments

Blog Activity: Download Squad, 2 comments

Recent Comments:

Password Masking: love it or leave it? (Download Squad)

Jun 27th 2009 9:29PM My apologies. You're correct that you didn't exclusively say they are sent unencrypted when unmasked.

There is an implied statement though in that you specifically mention in the "pro" side of your argument that when people don't see the masked passwords they assume that their password is sent unencrypted. My intent was to add clarity to this. The masked presentation of your password, or lack thereof, has no bearing on whether your password is being transmitted securely.

The masked password creates a false sense of security. Mentioning that it creates a sense of security (by means of pointing out that without it, it makes you feel insecure) should really be followed up with the further explanation of how this is untrue.

Again, my apologies for not being more clear on this matter.

Password Masking: love it or leave it? (Download Squad)

Jun 27th 2009 5:15PM Umm wow. I won't even go into all the things wrong with this article. At the top of my list though is a terrible misconception that must be addressed. Just because the display of your password is masked to your eyes and any eyes looking over your shoulder does NOT mean that it is being encrypted during sending or in memory.

In the case of web applications it is even more common that your password isn't being sent encrypted. Unless great steps are taken, you can pretty much assume that your password will be sent over the wire unencrypted. The only exception to this is secured web pages (SSL) in which all traffic is encrypted unless told otherwise. I've seen more than a few web applications that store your password in their database unencrypted too. You never know how well designed a web site is. This is why I try not to use the same password for any two sites. There are plenty of good external tools for tracking such passwords to assist you with managing them. My personal favorite is Keepass for example.
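The two points the comment above makes, that masking is purely a display property with no effect on what goes over the wire, and that the server must not store the plaintext, can both be shown in a few lines. The following is an added example, not code from the commenter or from Download Squad: it builds the form-encoded body a browser submits for a login form (the field names `user` and `pass` are constructed), checks that the typed password is recoverable from it verbatim whatever the input type was, and then shows the storage-side fix of a salted, slow PBKDF2 hash with constant-time verification. The iteration count is an assumption, not a value from the page.

```python
import hashlib
import hmac
import os
from typing import Optional
from urllib.parse import parse_qs, urlencode


def form_body(username: str, password: str) -> str:
    """Return the application/x-www-form-urlencoded body a browser would
    POST for a login form. Whether the field was <input type="password">
    or type="text" changes nothing here: only the on-screen drawing differs,
    so without TLS around the connection this body travels as plaintext.
    (Field names 'user' and 'pass' are constructed for this example.)"""
    return urlencode({"user": username, "pass": password})


def password_visible_in_body(body: str, password: str) -> bool:
    """True if the plaintext password can be read straight back out of the
    submitted body, i.e. masking added no protection in transit."""
    fields = parse_qs(body)
    return fields.get("pass", [None])[0] == password


# Assumed work factor for the example; tune to your hardware and threat model.
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a storable record: algorithm, iteration count, random salt and
    digest. The plaintext itself never reaches the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in
    constant time so the check leaks nothing about how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample login.
    body = form_body("jim", "correct horse battery")
    print("POST body:", body)
    print("password readable from body:", password_visible_in_body(body, "correct horse battery"))
    record = hash_password("correct horse battery")
    print("stored record:", record)
    print("verify correct:", verify_password(record, "correct horse battery"))
    print("verify wrong:  ", verify_password(record, "Correct horse battery"))
```

The first half is the transport point: the body is identical for a masked and an unmasked field, and only wrapping the connection in TLS changes what an observer on the path sees. The second half is the storage point: a leaked table of records like the one printed does not hand out the passwords themselves, and the random salt means two users with the same password get different records.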