I am right now writing a primer on web security for a blog and doing my research on passwords I came across The Telegraph’s article Almost 16 million use same password for every website, study finds is actually full of cool figures and I was very tempted to use some quotes like:

The average internet user is asked for a password by 23 websites a month.

The research found 46 per cent of British internet users, 15.6 million, have the same password for most web-based accounts and five per cent, or 1.7 million, use the same password for every single website.

According to the Telegraph, the study was done by CPP:

This could lead to money being stolen from bank accounts, fraudulent purchases via online shops or identity theft, according to life assistance company CPP.

What puzzled me is that there is no link to be found on the CPP site. Their last press release is from November and a site search for password doesn’t yield any results.

The Telegraph does not list the source of the figures or where to see the original survey – actually this would mean the article would get deleted from Wikipedia!

It gets really interesting when you do a Google search for the same survery. You then find an article on based on data of chinaview.cn that reveals just how many people were asked in the survey:

More worrying was that of 1,661 Britons questioned, nearly 40 per cent of adults admitted that at least one other person knows their passwords, ranging from children, colleagues and friends. With phishing and smishing attacks, as well as malicious software attacks, on the rise, consumers and Internet users need to be more careful with their personal data.

I am all for scaling, but using 1661 people and multiplying that up to 16 million is a bit of stretch of the imagination, don’t you think? Seeing that the survey is from September also gives me the idea that there was a slow news day to cover. This is another annoyance as you cannot research what other news sites have said at that time as they delete content after 31 days. So much for “cool links never change”.

That said, I am happy that mainstream media is at least covering the topic of bad passwords. We can do a lot in security, but if end users still consider “password” or “letmein” a good idea as a password we are doomed.

I would love to see the CPP survey, and I’d also love to have a way to comment on The Telegraph. Alas…

Update As reported by marksteward on Twitter the Telegraph already reported about the survey in September – mentioning the 1661 number and there is a report on the CPP site talking about the survey in more detail – thanks!

Jakob Nielsen just posted on alertbox that we should stop password masking (you know, showing asterisks or dots instead of showing the password while the user types it in.

His argument is the following:

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

Which makes me wonder when was the last time that Mr.Nielsen left his house to communicate with the real world. As a frequent traveller I am constantly seeing people logging into web sites in hotel lobbies (when they check in for their flight for example and enter their bonus miles account details), in Internet Cafes or when they use their laptop in a public space. While it is harder to spot the keyboard (especially with fast typers) there is no problem whatsover looking over their shoulder or – using my 10x optical zoom camera – even spot what they enter on the screen from across the room.

However, password masking is not a 100% security measure but anyone working in security promising you a 100% security is nobody you should trust anyways.

I do agree though that password masking can be very annoying on a mobile device, as is entering any form (my favourite bugbear is Opera Mini Uppercasing the first word I enter in any text field – no this is my user name, not a sentence).

As I am changing my passwords every few weeks I do get confused from time to time, too, which is why I have written myself a GreaseMonkey script that adds a link to any password field that allows me to toggle its display:

This, in my book, should be a standard feature of browsers (or a convention we should start to follow when we design forms) – not showing sensitive information as readable text on a screen just because we don’t think anyone would ever watch us.

Let’s also not forget that browsers deal with an input field with the type of password differently than with one that is text. For starters browsers do not collect previously entered information and offer them as options to autofill the field – something that would be terribly dangerous for passwords.

• The top 13 software development quotes have some gems in them with my fave probably being “Nine people can’t make a baby in a month.” – Fred Brooks
• EveningArwen on Etsy has a very dishy Star Trek inspired corset for sale that should get geek heartbeats quicken.
• Sophos has a good list of passwords used by a worm to brute-force access to servers and Modern Life is Rubbish has a top 10 most common passwords list. This makes me happy and very very scared at the same time
• Andrew Woods is confused about the spatial nature of the UK and its semantics and I got the Yahoo Geo team to tackle this – blog post to come
• Todd Hoff has a good piece on How to achieve scalability by doing essential work up-front based on what was done at Flickr
• I so want a cookie monster cup cake
• The work the New York Times is doing is exciting me more and more. Their Times Open idea is spot on and it was fun meeting them at the hackdays in London.