Password masking and PDAs

The current version (*) of:

section 3, says:

> It is the TAG's opinion that if a form field is a password, 
> password masking MUST take place to protect the user from 
> onlookers seeing what is being entered and stop anyone from
> later using the 'back' button to discover passwords.

and indicates a Good Practice:

> User agents MUST use password masking when passwords are 
> displayed in an HTML form.

I think the combination of "It is the TAG's opinion that..."
and "MUST" is a bit of an odd mixture.

More substantially, PDAs which use handwriting recognition
are good examples of devices where password masking is not
a good strategy.  Handwriting recognition is sufficiently
unreliable that the user will want to see the characters
entered to make sure they are correct.  At the same time,
with such devices it is easy to orientate the screen to
avoid shoulder surfing.

Avoiding revelation of the password with the back button
would, however, be an issue on PDAs.

Ed Davies.

* The document doesn't link a permanent URL for its current
version.  The "Previous version:" link is labelled with what
is presumably the current version but actually links to the
previous version.

Received on Saturday, 6 January 2007 15:42:43 UTC