Does having passwords show up as dots provide protection against anything other than over the shoulder looking?

I had to change one of my passwords this morning. That means typing in the new one twice, presumably so that I don’t make a typo the first time and then not know what the typo was. Why might that be a potential problem? Because whenever I type a password in, it inevitably shows up as a row of dots rather than what I’m actually typing. Clearly that is supposed to be a security feature. But how useful is that feature? Other than someone looking over my shoulder while I’m inputting the password, does it prevent any other kind of password hacking? I assume that if there’s a keystroke logger on my computer, or if someone is using some kind of decryption, or any other kind of electronic password hacking technique, that the dots on the screen aren’t going to have any benefit compared to the passwords appearing on my screen as they actually are. Is that a correct assumption?

The nominal threat is called “Tempest”. Basically, everything that shows on your screen has a signal from the computer to your screen. That signal can theoretically be detected and decoded.

It’s primarily to prevent shoulder surfing, yes.

EM snooping is a thing, but it’s not a concern specific to passwords and the dots are not a countermeasure (sufficient shielding is required).

The only protection is from shoulder surfing while providing visual feedback that you actually hit a key. Lotus Notes used to display hieroglyphics as you entered the password where you couldn’t even guess the password length from it.

Back in the 1970s I used a system called PLATO which masked typed passwords in a similar way, but for each character that you typed it would display a random number of X’s, between 1 and 3 X’s for each key press. This would prevent a shoulder surfer from seeing the length of the password. I don’t know why that never caught on. It seems a pretty simple and useful modification.
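The two masking schemes described in the posts above (the Lotus Notes glyph echo and PLATO's random run of X's), modelled as an added example that is not code from either system; the glyph alphabet, the hash-of-prefix construction and the per-user salt are assumptions, not Notes' actual algorithm. The last function checks what an observer of the echo learns about the password length under each scheme:

```python
import hashlib
import secrets

# Constructed stand-in for a glyph alphabet (the real Notes glyphs are not known here).
GLYPHS = "@#%&*+=~^?"


def mask_fixed_dots(typed: str) -> str:
    """One dot per keystroke: hides the characters but echoes the exact length."""
    return "\u2022" * len(typed)


def mask_random_run(typed: str, rng=secrets.randbelow) -> str:
    """PLATO-style echo: each keystroke prints 1 to 3 X's, so the echo length
    no longer reveals the password length (rng is injectable for testing)."""
    return "".join("X" * (1 + rng(3)) for _ in typed)


def mask_prefix_glyphs(typed: str, user_salt: str = "") -> str:
    """Deterministic feedback (assumed design, not Notes' real algorithm):
    each position shows a glyph, repeated 1-3 times, derived from a hash of the
    prefix typed so far plus a per-user salt. Retyping the same password draws
    the same picture, so a typo is visible without showing any character, and
    a different salt gives a different user a different picture for the same text."""
    out = []
    for i in range(1, len(typed) + 1):
        digest = hashlib.sha256((user_salt + "\x00" + typed[:i]).encode()).digest()
        out.append(GLYPHS[digest[0] % len(GLYPHS)] * (1 + digest[1] % 3))
    return "".join(out)


def echo_reveals_length(mask_fn, password: str, trials: int = 200) -> bool:
    """True when an observer who sees the echo learns the exact password length,
    i.e. the echo length always equals len(password)."""
    return {len(mask_fn(password)) for _ in range(trials)} == {len(password)}
```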

A compromised system can also be sending screenshots to the hacker’s system as a sort of remote over the shoulder snooping. It would also protect against that sort of (rare) vulnerability.

Yeah, that’s not been a threat since the CRT days.

I find my phone keyboard will remember and suggest autocompletion of passwords that are entered visibly, but not those that are entered obscured. Obviously a keyboard app suggesting your password is a security risk.

My mind wanted to drift along the “screen reading” line but any software that can do that can much more easily capture key strikes.

One alternate way to enter password-like stuff is to display some things on the screen and you have to click on things a certain way. Capturing both the screen and simultaneous mouse stuff is a bit harder. I don’t recall seeing a mixed up on-screen keyboard used this way in a while. It would take forever to hunt-and-click a password, esp. one that requires using the shift key.

It is really frustrating when the site doesn’t have a show-password thing. I’m just not that good of a typist (and less so Mrs. FtG) so we sometimes get into account locked to 24 hours or some such mode.

It has been a looong time since I had to enter a password where an over-the-shoulder thing would have been a threat.

Also, with cell phone cameras so good, people pretending to be on a phone while you enter a password/code are a big problem.

There’s nothing magical about the dots, as everyone else said. In the Windows era (I mean before everything moved to the web and phones), there were simple and useful apps that would reveal the text inside those fields for you, which was very useful for forgotten passwords etc.

These days, the tech industry is trying to move away from passwords altogether towards passkeys.

That term has multiple meanings, at least according to one of the systems I use, for electronic prescribing. The system uses “two factor authentication”, which is actually five factor authentication, and a pain in the butt to use. I have to first log in to my electronic medical records, which involves both a password and a 6 digit code generated on a 2 factor authentication app. Then I need a different password, as well as a passkey (which is also a password, just not the same one as the “password”), and another 6 digit code from the authentication app. All with those annoying little dots.

My god, how have your patients not died of old age while you were fighting all that? :joy:

Still does, though it’s IBM Notes these days.

Ooh, I loved the hieroglyphics. As you type the password, you could see if it was correct even if you didn’t see the letters, since the same glyphs showed up each time. Question: if I typed the letter E and it shows me an eagle glyph, would you also get an eagle, or something else? Or did it change for each user?

Ahem.

Abstract. Electromagnetic eavesdropping of computer displays – first demonstrated to the general public by van Eck in 1985 – is not restricted to cathode-ray tubes.

The bigger threat than shoulder surfing is screen sharing, either during a demo or while getting remote support. In my job, at least a few times a week I’m either typing in a password or someone else is while we’re sharing a screen. The dots mask that.

(At least they do on a laptop/desktop. On most phones, you can briefly see the character before it changes to a dot. But screen sharing is less common on mobile devices).

I wish they would give me the option to dispense with this nonsense. Alone in my apartment behind a locked door, I’m not too worried about someone peeking at my screen.

Many, but by no means all, password boxes do just that. For the exact reason you say. When shoulder-surfing is impossible, the masking effort is just gratuitous user-pissing-off.

Also, with the popularity of wireless keyboards, you can sniff the keyboard traffic itself. For example:

Of course, the dots don’t help this case. But on the other hand, you can have an on-screen keyboard with randomized character placement that solves that problem–even if you could sniff the mouse traffic, you couldn’t reverse that to a password sequence. So which method is better depends on whether you consider your screen or keyboard/mouse to be less secure.

My fury is entirely reserved for the various sites and apps (cough TurboTax cough) that won’t let you paste a password.

Hint to moronic web developers: This is 2025. Those of us with a clue use a password manager that generates and stores 20 or 50 character gibberish passwords on demand. You refusing to allow me to use my manager to create or enter my password into your site reduces me to using the kind of password my fingers can type: “Passw0rd!” or the moral equivalent. My generator likes this one at the moment: 8SazK4$fE$5fQbW%$Mv%qY8B72teF9rfkmXPk%h8. Good f***ing luck I’m gonna type that correctly twice.

Knock that no-paste shit off. You are actively harming your own, and my, security. Not helping.