Masked passwords don't work

"Masked" Passwords Don't Work the Way You Think

Masked passwords don't work

"Can TeamPassword mask passwords so that users can't see the password itself?" 

We get this question a lot. And the short answer is: No, we don't. 

And here's why: it doesn't work. At least not the way you think.

Other password managers advertise password masking as a feature; some even charge more for it. Their pitch is that by masking the password, users can use a password but won't be able to see what the password actually is, and therefore the password and the login are protected from unauthorized use. The truth of the matter lies somewhere in between. 

What does masking do?

Masking does visually block the password so that users can't immediately see what it is. This is useful to prevent someone from looking over your shoulder and seeing what the password says. But it doesn't stop a user from finding out what that password is.

Why doesn't masking work?

There are simple ways a knowledgeable user, or a user with half-decent web search skills, can uncover a masked password. In some cases, users can copy and paste the masked password into a text file to do the trick. Or, users can run a javascript function. There are many ways to reveal masked passwords, many of which can be found through a simple web search.

So what does this mean? It's simple; masked passwords are no safer than unmasked passwords from users that want to know what they are.

How can you keep passwords safe?

At TeamPassword, we do mask passwords as the default view so that users and non-users can't immediately see the password. That makes sense. But any user can unmask the password and see what it is.

However, TeamPassword doesn't believe in selling a false sense of security. Instead, we think it's better to maintain good password hygiene by resetting passwords regularly. That's the best way to keep your passwords safe.

Don't want a team member to access a login? Don't share it with them. Want to know who has used which login? Check the activity log. Don't want a team member who has left the company to access accounts they had access to? Change the passwords on those accounts after they leave. 

Password management is critical to keep you, your business, employees, and customers safe from cyberattacks, especially if you have a remote workforce.

Masked passwords may make you feel safe, but that false sense of security may make you vulnerable because you are less likely to practice good password hygiene. 

Don't be suckered into paying more for a feature that doesn't work. Check the logs, update your passwords, and be sensible about who has access to what.

Don't know how? Ask us; TeamPassword is happy to help!


Long cta
Request a demo cta