The Reason Passwords Appear As Dots On Text Fields

I’ve often been confused by the idea behind password fields displaying dots instead of the actual characters as you type them. This design choice seems to contradict user-friendliness, as users can’t see the results of their keystrokes, potentially leading to errors in password entry. Although some websites use a second field to verify passwords, this doesn’t eliminate the risk of copying and pasting the same typo twice.

This feature made sense in the past when computers were commonly used in public spaces, but nowadays, most people input passwords in private settings. Is it still necessary to shield passwords from onlookers, or could someone be remotely monitoring your screen? The situation becomes more perplexing considering the increased complexity of password requirements. When you’re far more likely to mistype a password than have someone spy over your shoulder, the utility of this security measure becomes questionable.

So, I’m curious: does this method offer substantial security during password transmission, or is it primarily a safeguard against shoulder-surfing? Is it even needed in the world of password managers and passkeys?

It’s not needed, but we should keep it. Let’s talk about it.

What Are The Dots When Typing Your Password?

Dot placeholders seen while typing passwords are known as “masking.”

These dots aim to conceal the password with each typed letter. Each dot represents a character, but that’s the only information revealed about the password.

Stops Shoulder Spying

Hiding passwords behind these dots prevents onlookers from seeing them, especially useful in public spaces or when someone is nearby during login.

Even if there isn’t someone physically close, security cameras in public areas can pose a risk, making this feature helpful in these few cases.

It Doesn’t Protect Anything Else

Besides safeguarding against over-the-shoulder observers, the dots don’t provide additional protection.

If your computer is infected with malware, the dots offer no help.

Although the characters are hidden from the user, the browser and computer still see the actual text so they can log the user in.

One thing I’ve learned over the years is that you can go into the source code of the webpage and remove these dots, which is useful when a website lacks a “show password” option. Being able to remove these dots with a few keystrokes really puts into perspective how little protection they give.

Operating systems are getting better about secure textbox areas like the password fields. The macOS operating system blocks other applications from reading your keystrokes when you’re entering something into a secure field such as a password. While it won’t stop most malware, it’s a step in the right direction.

See my post on better securing yourself: “15 Rules for Better Computer and Internet Security”.

Other Ways To Know The Password?

While the dots on the screen prevent others from glimpsing a password, they don’t halt other methods of password acquisition.

For instance, if someone is peering over a shoulder, they could easily observe the keyboard during typing to discern the password.

Someone can even go spy-like and use the sound of the keys being hit on the keyboard to figure out the password.

The dots in the password field primarily protect against “over-the-shoulder” scenarios. Their continued use might be more about habit; society has been conditioned to recognize dot placeholders as indicators for password entry. Avoiding the mishap of entering a password in the username field, which isn’t always hashed or encrypted, is crucial.

Therefore, the primary purpose of these dots is to signal the correct field for password entry. They serve as a reassuring cue that this is the designated spot for entering passwords.

Use A Password Manager

The most effective strategy for securing passwords is utilizing a password manager.

This tool saves all passwords and stores them in an encrypted vault, which is then secured using a master password.

We have a video on how to get started with a password manager here.

If you don’t trust the password manager because of “keeping all your eggs in one basket,” then we have a solution here.

If password managers are not your thing, then a password book is the next best thing. Just make sure to use random passwords for every account.

For optimal security, a password manager is the top choice. It only fills in the password when the URL matches its records. Additionally, it auto-fills the password, preventing others from hearing or seeing the typing of the password.
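The URL check described above, sketched as an added example (not code from this site or from any particular password manager). It assumes a manager that fills only on an exact HTTPS origin match; the vault entries, page addresses and function name are constructed for the illustration.

```javascript
// Added illustration: exact-origin matching before autofill.
// Vault entries and the function name are constructed for this example.
const vault = [
  { origin: "https://accounts.example.com", username: "alice", password: "constructed-secret-1" },
  { origin: "https://bank.example", username: "alice01", password: "constructed-secret-2" },
];

// Return the saved entry for the page, or null if nothing should be filled.
function findAutofillEntry(pageUrl, entries = vault) {
  let page;
  try {
    page = new URL(pageUrl); // normalises case, default ports and IDN hosts
  } catch {
    return null; // unparseable address: never fill
  }
  if (page.protocol !== "https:") return null; // no fill over plain HTTP
  // URL.origin is scheme + host + port. It ignores the path, the query and
  // any "user@" prefix, so "https://bank.example@evil.test/" is evil.test.
  return entries.find((e) => new URL(e.origin).origin === page.origin) || null;
}

// Constructed page addresses: the real site and several near misses.
const samples = [
  "https://bank.example/login",            // exact match
  "https://BANK.example:443/login?next=/", // same origin after normalising
  "http://bank.example/login",             // downgraded to HTTP
  "https://bank.example.evil.test/login",  // saved name used as a subdomain
  "https://bank.example@evil.test/login",  // saved name used as a userinfo prefix
  "https://b\u0430nk.example/login",       // Cyrillic "a" lookalike
  "https://example.com/login",             // parent of accounts.example.com
];
for (const url of samples) {
  console.log(findAutofillEntry(url) ? "fill  " : "refuse", url);
}
```

A person reading the address bar can be fooled by every one of the refused addresses; the comparison above cannot, which is why a manager that declines to fill is itself a warning sign.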

Just make sure to write down the master password and other important information. We have a post here that goes over the password manager emergency sheet that you should set up.
