IT Guy Question: Dots on screen when typing passwords

[Tidewater]

I have a question that has been bugging me for a while and was hoping some smart IT guy could explain things to me.
When I type passwords for some sites, what appears on the screen is a series of dots where the characters should be.
My question is, does this provide some form of security as the password is transmitted or does the dot thing only provide security to prevent someone from looking over my shoulder as I am typing? I work at home or in a hotel room when on the road. 99.9% of the time I am typing my passwords there is no one in the room to see what I am typing. I do not work at a Starbucks or public library with folks looking over my shoulder.
Given the increasing complexity of passwords (must have upper and lower case, numbers and special characters, must include emojis and zodiac signs, etc.), it is increasingly important for me to see what the computer thinks I have typed (what I think I have typed is irrelevant). Some web pages give you the option of seeing what you have typed to check it is correct (most do not). A password that has been typed 95% correctly the computer considers 0% correct. I am about 10,000 times more likely to have typed a character wrong than I am to have someone looking over my shoulder to capture my password.

If this affords some sort of security for transmital of the password, I understand. If the "dots in place of characters" system is only designed to stop someone from looking over my shoulder, then it really ticks me off because nobody is looking over my shoulder.

So, IT folks, which is it?

 

[Bamaro]

It just shows you that you have keyed in a character, no additional security.

 

[TIDE-HSV]

I think all of them show the letter or character briefly, but that requires looking up. And more and more dialog boxes have a "show" command over in the lower right hand corner, which will display the password. Last, there's the option of having a password manager or the browser save the password...

 

[BamaNation]

It's really just to obscure the pw in case someone was sitting beside you as you type.

My random passwords look something like this: F48sl.=-R9se924}0s;#483;a8dF*jpmzbbr$

Below is based on some info I have posted before ... (you probably already know this but it's for anyone that doesn't or may be using a single or just a few passwords they can remember):

The best way is to have every password be UNIQUE for EVERY login you have. You do this by getting a password manager. Passwords are created as being nothing I could EVER remember. I remember the pw to my computer and the pw to my pw manager... and that's it. EVERY single one of my 1000 logins has a random, unique, long password.

I have used LastPass and 1password, among others. These two are very good password managers that will actually help identify if (a) your password is weak, (b) if you’re password has been found in a hack, and (c) if you have used a password more than once.

Having a password manager creates a UNIQUE password for each site you are registered with. NEVER use the same password on more than one site! Some password managers will even help you change the password INSIDE the web page you are logging into or registering through the password manager.

Using a top-level password manager (like http://1password.com) also integrates with the haveibeenpwned site to let you know if any of your emails or passwords are in a hacked dataset.

Watch the “how to” videos on whatever manager you choose!

The following links outline the tools and processes available for you to change all of your passwords IMMEDIATELY!

1. List of good password managers
2. How passwords are cracked and what to not use
3. Get organized: How to change all your passwords in 5 weeks (You’ll want to do much of this ASAP!!! and not wait 5 weeks) but this is a very good process to read about.

 

[Tidewater]

Apple products will show the character as typed for a second. That is better than nothing.

Some of the stuff I do won't allow a password entered by a password manager. It automatically rejects them, presumably to prevent users from using a password manager (because if the laptop gets stolen or compromised, the password is leaked).

I'm just not sure why "dots in lieu of characters" is the default, and especially why the "click here to show the characters" is not an option in every case.

 

[Tidewater]

IT is maybe the only field in society where the service provider gets to tell the customer, "I don't care what you want. Here is what you're going to get." Any other field that would get you fired as a service provider. In IT, it is just the way things are done.

IT guys in a company are like pre-historic shaman priests, they say, "Give me 10% of what you grow, and I will make the rains come." Nobody bothered to try and figure out how the shaman made the rains come, they just decided it was better to hedge one's bets and give them the 10%. Today, IT guys tell companies, "Give me 10% of your profits(or whatever) and I will make electrons flow." Then they proceed to tinker with every IT system that works properly until it no longer works.

 

[crimsonaudio]

Apple products will show the character as typed for a second. That is better than nothing.

If you have the admin pw you can use the kechain access utility to view any stored pw.

 

[BamaNation]

Even though I'm a technologist in the sense that I appreciate the amazing progress that IT and other tech has brought us, what it can do, how quickly it changes, etc. and have a PhD in Computer Information Systems / Process Innovation, I'm a big believer in "Never Trust Technology."

I'm not talking about "don't trust Facebook, etc" ... I'm talking about never RELY on tech to always work, always do what you want it to do, always be useful / usable.

There's a major theory of technology adoption called TAM (Technology Acceptance Model) which, simplified, says that actual system usage is impacted by perceived usefulness and perceived ease of use. Is it useful and is it easy to use? If so, more people are likely to use and accept it. Pretty simple concept. Really hard to get a lot of IT folks and engineers to implement.

In my System Analysis and Design course we spend a huge amount of time on trying to understand what USERS want and need and how to design that. It's not always easy (or possible) but it is important.

 

[Tidewater]

If you have the admin pw you can use the kechain access utility to view any stored pw.

A lot of the stuff I do will not allow me to use a stored password. The systems will automatically reject any stored password

Even though I'm a technologist in the sense that I appreciate the amazing progress that IT and other tech has brought us, what it can do, how quickly it changes, etc. and have a PhD in Computer Information Systems / Process Innovation, I'm a big believer in "Never Trust Technology."

I'm not talking about "don't trust Facebook, etc" ... I'm talking about never RELY on tech to always work, always do what you want it to do, always be useful / usable.

There's a major theory of technology adoption called TAM (Technology Acceptance Model) which, simplified, says that actual system usage is impacted by perceived usefulness and perceived ease of use. Is it useful and is it easy to use? If so, more people are likely to use and accept it. Pretty simple concept. Really hard to get a lot of IT folks and engineers to implement.

In my System Analysis and Design course we spend a huge amount of time on trying to understand what USERS want and need and how to design that. It's not always easy (or possible) but it is important.

Thanks.
I appreciate your comments. I agree on TAM.
I had a job in the military in which IT guys sat down right next to users and said, "What do you want this program to do?" Then the IT guys wrote some code, presented the program to a user (a Ranger Sergeant Major, so he was a computer user, but not a computer scientist). The sergeant major told the writer what he liked and what he did not like. The code-writer went away, wrote some more code, and came back to the user and showed him what he had changed. This process repeated for a few iterations, and each time, the product better answered the needs of the user. It was a great experience watching that process.

That said, it seems software writers have little fear that their modifications will cause catastrophic results, even after they have done so. A patch gets pushed out to users. It makes the web browser .003% faster. But now, the email server no longer functions. The IT guy's insouciant response is, "That's not my problem. Call the help desk."
The silly analogy I use is this: I buy a Ford. Serviceable car. It does what I want it to do. Ford pushes out a patch that gives my radio 3 feet more range. I did not ask for 3 more feet of radio range, but whatever. The problem is, the patch also made my wheels square. When I call to complain about my square wheels, Ford says, "But I gave you 3 additional feet of radio range." I tell them, "I did not want or ask for 3 feet increased radio range, but I do insist on round wheels. You never explained to me that if I installed this patch, my wheels would turn square. You just did it."
Ford says, "Not my problem. Call the help desk."
If a car company did that, I'd find a different car company. Software designers do stuff that that all the time, however, with seeming impunity.
I realize it is a system of systems. Any change will react differently in Windows, Mac, Linux, etc. And different users have different versions of all of those OSs. I just wish folks would slow down a bit and test what they are doing before publishing changes.

Alright, I'm off my soapbox. I love my computers, bottom line.

 

[TIDE-HSV]

Microsoft has started, with their major update process, rolling them out in stages. There's a major one, version 2004 of Windows 10, being rolled out now. Basically, what they're doing is extending the beta testing phase, using unwilling users. On the plus side, MS used to be a real bully about updates, eventually just installing them, whether you wanted them or not. Now they let you delay indefinitely (without using the metered connection loophole). I delay while I monitor what's going on with the public, what complaints are being lodged. After those die down, I then update. Of course, security updates get installed promptly...

 

[crimsonaudio]

A lot of the stuff I do will not allow me to use a stored password. The systems will automatically reject any stored password

Sure, but you can still see what it was to re-type it instead of having to remember dozens of unique pws.

 

[Tug Tide]

A friend recommended this system to me:
Use a set sequence of numbers and characters, with the the last 4 letters (reversed) of the site name every other spot. That keeps your passwords unique for each site you visit and you only have remember the initial sequence:

For example: 12!34
Tidefans= snaf
PW= 1s2n!a3f4

Facebook=koob
PW= 1k2o!o3b4

 

[TIDE-HSV]

A friend recommended this system to me:
Use a set sequence of numbers and characters, with the the last 4 letters (reversed) of the site name every other spot. That keeps your passwords unique for each site you visit and you only have remember the initial sequence:

For example: 12!34
Tidefans= snaf
PW= 1s2n!a3f4

Facebook=koob
PW= 1k2o!o3b4

I use a similar system...

 

[AUDub]

I use a similar system...

I've adopted this one.

 

[Tidewater]

I've adopted this one.

What I would prefer would be a fingerprint or an iris scan.
To my knowledge, I have never left home without my right index finger or my eyeball. Maybe, but I doubt it.

 

[TIDE-HSV]

What I would prefer would be a fingerprint or an iris scan.
To my knowledge, I have never left home without my right index finger or my eyeball. Maybe, but I doubt it.

That's available. MS has Windows Hello. If I install it, my webcam recognizes my face. My Galaxy phone begs me to let it scan my iris. I have another dumb problem. Windows Explorer periodically grabs 100% of my CPU, freezing my computer. I can't find the cause...