
    "Masked" Passwords Don't Work the Way You Think

    March 4, 2022 · 4 min read

    Password Management

    "Does TeamPassword mask passwords so that users can't see the password itself?" 

    We get this question a lot. And the short answer is: No, we don't. 

    And here's why: it doesn't work. At least not the way you think.

    Masked or Hidden passwords give the illusion of security without any real security benefit.

    Here are a few ways a user can get around it.

    1. If the sign-in form has a Show Password box or the eye icon, the user can reveal the password once entered.

    2. Even if the password manager automatically logs the user into the website when they click the credential, the user can turn on their browser's "Offer to save this password" feature and capture the ostensibly hidden password. Then, they can view the password in the browser's password manager with a few clicks.

    3. The user can inspect the page's code and manually reveal the password.

    This is true for 1Password, LastPass, Bitwarden, and anyone else that offers the ability to hide passwords within their vault. Once a password leaves our environment (i.e., is entered into a sign-in form to log in), we can't control it.

    Other password managers advertise password masking as a feature; some even charge more for it. Their pitch is that by masking the password, users can use a password but won't be able to see what the password actually is, and therefore the password and the login are protected from unauthorized use. The truth of the matter lies somewhere in between. 


      What does masking passwords do?

      Masking does visually block the password so that users can't immediately see what it is. This is useful to prevent someone from looking over your shoulder and seeing what the password says. But it doesn't stop a user from finding out what that password is.

      Why doesn't masking passwords work?

      There are simple ways a knowledgeable user, or a user with half-decent web search skills, can uncover a masked password. In some cases, users can copy and paste the masked password into a text file to do the trick. Or users can run a JavaScript function. There are many ways to reveal masked passwords, many of which can be found through a simple web search.

      So what does this mean? It's simple: masked passwords are no safer than unmasked passwords against users who want to know what they are.

      How can you keep passwords safe?

      At TeamPassword, we do mask passwords as the default view so that users and non-users can't immediately see the password. That makes sense. But any user can unmask the password and see what it is.

      However, TeamPassword doesn't believe in selling a false sense of security. Instead, we think it's better to maintain good password hygiene by resetting passwords regularly. That's the best way to keep your passwords safe.

      Don't want a team member to access a login? Don't share it with them. Want to know who has used which login? Check the activity log. Don't want a team member who has left the company to access accounts they had access to? Change the passwords on those accounts after they leave. 
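The offboarding check described above, as an added example (not TeamPassword's code): given an activity log and the set of departed users, it lists the credentials that still need changing because a departed user received them since the last rotation. The log format, action names and sample entries are constructed assumptions; autofill counts as exposure because masking in the vault does not keep the value from the user.

```python
from datetime import datetime

# Constructed sample data. The log format and field names are assumptions,
# not TeamPassword's actual activity-log export.
ACTIVITY_LOG = """\
2022-02-01T09:12:00 alice viewed aws-root
2022-02-03T14:30:00 bob viewed aws-root
2022-02-10T08:00:00 admin rotated aws-root
2022-02-11T10:05:00 bob autofilled mailchimp
2022-02-15T16:45:00 alice viewed mailchimp
2022-02-22T09:30:00 carol viewed stripe
"""

# Any event that hands the secret to the user's browser counts as exposure,
# whether or not the vault displayed it masked.
EXPOSING_ACTIONS = {"viewed", "copied", "autofilled"}


def parse_log(text):
    """Yield (timestamp, user, action, credential) tuples from log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, cred = line.split()
        yield datetime.fromisoformat(ts), user, action, cred


def credentials_to_rotate(log_text, departed):
    """Return {credential: sorted users} for secrets a departed user
    received since that credential's last rotation."""
    exposed = {}  # credential -> departed users exposed since last rotation
    for ts, user, action, cred in sorted(parse_log(log_text)):
        if action == "rotated":
            exposed.pop(cred, None)  # new secret: earlier exposure is moot
        elif action in EXPOSING_ACTIONS and user in departed:
            exposed.setdefault(cred, set()).add(user)
    return {cred: sorted(users) for cred, users in exposed.items()}


if __name__ == "__main__":
    todo = credentials_to_rotate(ACTIVITY_LOG, {"bob", "carol"})
    for cred, users in todo.items():
        print(f"rotate {cred}: exposed to {', '.join(users)}")
```
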

      Password management is critical to keep you, your business, employees, and customers safe from cyberattacks, especially if you have a remote workforce.

      Masked passwords may make you feel safe, but that false sense of security may make you vulnerable because you are less likely to practice good password hygiene. 

      Don't be suckered into paying more for a feature that doesn't work. Check the logs, update your passwords, and be sensible about who has access to what.

      Don't know how? Ask us; TeamPassword is happy to help!
