A blog of all section with no images

Latest News

Tuesday, 09 March 2010
If you received a similar message in your Yahoo! email account, highlight it and click on the "Spam" button. The message is as below: When you click on the message, your browser will be redirected to the site URL http: // www[.]u63[.]org / Yahoo.html. PLEASE DO NOT ENTER YOUR LOGON CREDENTIALS HERE, AS IT IS NOT THE GENUINE YAHOO PAGE!

Latest News

Wednesday, 09 September 2009
If you think you mistyped a password into a password field in your browser, a simple JavaScript trick can help you find out by unmasking the password.

In Masking passwords: Why it's not a good idea, Michael Kassner discussed what Dr. Jakob Nielsen had to say about it from a usability perspective. I get Nielsen's newsletters, and the man knows more about usability testing than any two other people I've encountered put together. Considering that in many ways interface design is security design, applying the principles Dr. Nielsen discusses to making the secure way to use a piece of software the easy way could be a great boon to many software developers.

In June this year, however, Dr. Nielsen published an article in his Alertbox newsletter titled Stop Password Masking. The summary at the top of the article reads:

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures."

I was (predictably) concerned with how people would take the advice he offered. The truth of the matter is that masking passwords is an essential security feature in many circumstances, such as any time I use my laptop to log into a Web site at a coffee shop where random strangers might shoulder-surf to see my passwords, or any time I do so where there may be cameras overhead that can record what appears on the screen, such as an airport waiting area or library. Even sitting in your cubicle at work, where you might type passwords more times per day than you do anywhere else in the course of a week, can be an important place for password masking.

On the other hand, there are times it can be nice to see your password, and where you can be reasonably certain nobody else is going to see it on your screen. For those times, it would be nice to have a way to unmask a password. A snippet of JavaScript is here to save the day:

    var els = document.getElementsByTagName('input');
    for (var x = 0; x < els.length; x++) {
        if (els[x].type.toLowerCase() == 'password') {
            els[x].type = 'text';
        }
    }

If you put javascript: at the beginning of that, and delete all the newlines so that it becomes a one-liner, you can delete the text in your browser's address bar and paste the JavaScript snippet in the address bar instead, then hit the Enter key. This will cause masked passwords to be revealed.

If you expect to need to use this often, you can create a bookmark button in your Firefox Bookmarks Toolbar easily enough. Start by creating a new bookmark--any bookmark will do, though you may want to choose one for a page without a favicon. Then:
- Right-click on the new bookmark button and select Properties. The title bar for the bookmark's Properties dialog will still show the name of the bookmark's original Webpage while you make edits, but don't worry about that.
- Change the text in the Name field to Unmask (or whatever else you want it to say).
- Change the text in the Location field the same way you would for the browser address bar, as described above.
- Clear the Keyword and Description fields, and fill them with whatever you like (or nothing at all).
- Click the Save Changes button.

Voila. Any time you want to see the password text you type into a masked password field, now, you can just click the Unmask bookmark button in your Bookmark Toolbar. In Firefox, you can also just drag and drop this link to your Bookmark Toolbar to get the same effect, if you like: Unmask

You are, unfortunately, on your own for figuring out how to do any of this in other browsers.

Finally, if you are a Web developer and you think it is a good idea to give your site's visitors the ability to unmask passwords when they try to log in, you can always create an Unmask Password link using the above JavaScript snippet. I recommend thinking long and hard about that before making the option available, however. In an article like this, I can make people aware that there is a danger to security that is addressed by masked password fields, thus leaving it up to the user to make an informed decision. Many visitors to your site on the Internet may not be aware of the risks of unmasking passwords, however, and dumping a lot of text on users explaining the dangers so they can make an informed decision can more than counteract any usability gains from making it possible to unmask passwords with a simple mouse click. Whatever you do, just don't force your users to live with unmasked passwords.

As a final warning, keep in mind that when you walk away from your computer with your password on the screen, the fact that it is masked may not stop someone else from getting your password using something like this JavaScript trick. Most software security techniques, no matter how useful in a networked world, are not proof against physical access to the machine.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Source from http://www.zdnetasia.com/techguide/security/0,39044901,62057540,00.htm?scid=nl_z_tgis
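As an added example (not code from Chad Perrin's article or from this site), the following JavaScript shows the two things the article describes in runnable form: the step of turning the multi-line snippet into a one-line javascript: bookmarklet, and a developer-side reveal toggle that defaults to masked, remembers which fields it unmasked, and re-masks them on a timer so a password is not left on an unattended screen. It assumes fields are anything with a type property, so the constructed sample objects stand in for real <input> elements; in a browser you would pass Array.from(document.getElementsByTagName('input')). The helper names (toBookmarklet, unmaskAll, createRevealToggle) are this example's own.

```javascript
// Added example, not code from Chad Perrin's article: the bookmarklet step he
// describes, plus a reveal toggle a site owner could offer that defaults to
// masked and re-masks itself after a timeout. Fields are duck-typed: anything
// with a `type` property works, so real <input> elements or the constructed
// stand-ins below can be passed in.

// Turn a multi-line snippet into the one-liner javascript: URL the article
// says to paste into the address bar or save as a bookmark.
function toBookmarklet(source) {
  const oneLiner = source
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .join(' ');
  return 'javascript:' + oneLiner;
}

function isPasswordField(el) {
  return String(el.type).toLowerCase() === 'password';
}

// The article's loop, returning how many fields were switched to text.
function unmaskAll(inputs) {
  let changed = 0;
  for (const el of inputs) {
    if (isPasswordField(el)) {
      el.type = 'text';
      changed += 1;
    }
  }
  return changed;
}

// A developer-side reveal control. It remembers which fields it unmasked so it
// can restore them, and re-masks on a timer so a password is not left on an
// unattended screen (the risk the article closes with). Timer functions can be
// injected for testing.
function createRevealToggle(inputs, options = {}) {
  const autoMaskMs = options.autoMaskMs === undefined ? 10000 : options.autoMaskMs;
  const setTimer = options.setTimer || setTimeout;
  const clearTimer = options.clearTimer || clearTimeout;
  const tracked = inputs.filter(isPasswordField);
  let revealed = false;
  let timer = null;

  function mask() {
    for (const el of tracked) el.type = 'password';
    revealed = false;
    if (timer !== null) {
      clearTimer(timer);
      timer = null;
    }
  }

  function reveal() {
    for (const el of tracked) el.type = 'text';
    revealed = true;
    if (timer !== null) clearTimer(timer);
    timer = setTimer(mask, autoMaskMs);
  }

  return {
    mask,
    reveal,
    toggle() {
      if (revealed) mask(); else reveal();
      return revealed;
    },
    isRevealed: () => revealed,
    trackedCount: () => tracked.length,
  };
}

// The article's snippet as multi-line source, to feed to toBookmarklet().
const SAMPLE_SNIPPET = [
  "var els = document.getElementsByTagName('input');",
  'for (var x = 0; x < els.length; x++) {',
  "  if (els[x].type.toLowerCase() == 'password') { els[x].type = 'text'; }",
  '}',
].join('\n');

// Constructed stand-ins for three <input> elements on a login form.
function demo() {
  const fields = [
    { name: 'user', type: 'text' },
    { name: 'pw', type: 'password' },
    { name: 'pw2', type: 'PASSWORD' },
  ];
  const toggle = createRevealToggle(fields, { autoMaskMs: 50 });
  toggle.toggle();
  const whileRevealed = fields.map((f) => f.type).join(',');
  toggle.mask(); // explicit re-mask, as a form's submit handler would do
  return {
    bookmarklet: toBookmarklet(SAMPLE_SNIPPET),
    whileRevealed,
    afterMask: fields.map((f) => f.type).join(','),
  };
}

console.log(demo());
```

The toggle only ever touches fields that started out as password fields, so a plain text field such as the username is never switched to type password by the re-mask. Note that current browsers strip the javascript: prefix from text pasted into the address bar, so saving the one-liner as a bookmark, as the article describes for Firefox, is the reliable way to run it.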

Latest News

Tuesday, 18 August 2009
By Michael Kassner, Special to ZDNet Asia
Tuesday, August 18, 2009 11:38 AM

Do you know whether your computers are actively using IPv6 or not? Better check, as the bad guys probably already know.

Microsoft began enabling the IPv6 protocol by default with the release of Vista. That policy continued with Windows Server 2008 and will with Windows 7. Apple, Linux, and Solaris are also shipping their latest distributions with IPv6 enabled.

Before continuing, I need to explain something. We all understand that IPv6 is important. I even mustered enough courage, with the gracious help of Joe Klein, director of IPv6 security at Command Information, to write several articles about it. So that's no longer on my radar.

What's on my radar
I'm not sure why, but computers are now shipping with IPv6 enabled. My guess would be that most OS developers figured IPv6 networks would be more predominant by now. Or that there's no downside to enabling IPv6, so why wait. I do know of one Microsoft service that requires IPv6. It's called Windows Meeting Space. It uses the peer-to-peer framework and IPv6 to set up ad hoc networks automatically.

What numbers are we talking about
The number of computers running IPv6 is staggering. Carolyn Duffy Marsan in a NetworkWorld article quoted Joe Klein as saying: "We're probably talking about 300 million systems that have IPv6 enabled by default. We see this as a big risk." What I'm wondering is how many of the people using the 300 million computers realize IPv6 is enabled or know what it means?

What's being exploited
In a concurrent article, Marsan asked experts what they considered the most serious issues of running a dual stack comprised of IPv6 and IPv4. Here's what they said:
- Rogue IPv6 traffic: Attackers realize that most network administrators aren't monitoring IPv6 traffic, or they can't, because existing firewalls, IDS, or network management tools aren't IPv6-aware. Therefore, an attacker can send malicious traffic to any computer running IPv6 and it will get through.
- IPv6 tunneling: Protocols such as Teredo and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) encapsulate IPv6 packets inside IPv4 packets. The morphed packets can easily pass through IPv4 firewalls and network address translation (NAT) equipment, defeating perimeter defenses purposed to sense and drop IPv6 packets.
- Rogue IPv6 equipment: Because IPv6 uses auto-configuration, an attacker can gain considerable control over computers running IPv6, simply by placing a rogue device capable of issuing IPv6 IP addresses on the network under attack. To make matters worse, the device could have router attributes, forcing all traffic to transit through it and allowing attackers to snoop, modify, or drop traffic at their whim.
- Built-in ICMP and multicast: Unlike IPv4, IPv6 requires ICMP and multicast traffic. That fact will significantly change how administrators approach network security. Right now, blocking ICMP and multicast traffic on IPv4 networks is the accepted practice. That will no longer work, and complicated filtering of ICMP and multicast packets will be required to maintain some semblance of security.

Leave IPv6 enabled or not
Whether to leave IPv6 "enabled or not" is about as clear as mud. There's the yes camp and there's the no camp, with the whole gray area in between littered with other opinions. I thought I'd let the experts introduced in Marsan's article present their views:

Tim LeMaster, director of systems engineering for Juniper's federal group, said: "If you're not prepared for IPv6, then the prudent thing to do is not to allow it into your network," LeMaster says. "But you shouldn't be blocking all IPv6 traffic for the next five years. You should only block it until you have a policy and understand the threats."

Lisa Donnan, vice president of advanced technology solutions at Command Information, has a different viewpoint: "We don't recommend that you block IPv6 traffic. We are recommending that you do an audit and find out how many IPv6 devices and applications are on your network. If you have IPv6 traffic on your network, then you've got to plan, train, and implement IPv6."

Sheila Frankel, computer scientist in the Computer Security Division of the National Institute of Standards and Technology (NIST), expressed a middle-ground viewpoint: "Companies need to acquire a minimal level of expertise in IPv6, which will help protect them against threats. The other thing they should do is to take their outward-facing servers, those that are external to the corporation's firewalls, and enable IPv6 on them. That way, customers from Asia with IPv6 addresses will be able to reach these servers and their own people will acquire expertise in IPv6. This will be a first step in the process." "IPv6 is coming. The best way is to face it head on and to decide you're going to do it in the most secure manner possible."

As soon as I started receiving computers with IPv6 enabled, I turned the protocol off. My rationale was: why take a chance when it's not necessary? Apparently, my choice is paying off, as my clients' computers aren't vulnerable to these new exploit vectors. That works for me, for the time being at least. I don't pretend to think my choice will work for everyone. From the above opinions, the only thing I do know for sure is that getting up to speed on IPv6 is important, as that knowledge will help you determine what's in your network's and computer systems' best interest.

How to disable IPv6
Thankfully, disabling IPv6 is quite easy. I've provided links to Web sites that explain the process for several of the operating systems, if you're so inclined:
- Disable IPv6 in Linux
- Disable IPv6 in Windows Vista
- Disable IPv6 in Mac OS X

Final thoughts
This is definitely a thorny subject and full of surprises, just like every new and untested technological change. I can accept that. What's hard to accept is that security once again appears not to be a main consideration. I hope it's just a temporary oversight.

Michael Kassner has been involved with IT for over 30 years, and is currently a systems administrator for an international corporation and security consultant with MKassner Net.

Source from http://www.zdnetasia.com/techguide/security/0,39044901,62056959,00.htm?scid=nl_z_tgis
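As an added example that is not part of Michael Kassner's article, the following JavaScript performs the kind of audit Lisa Donnan recommends: it runs over firewall or flow log lines and flags the dual-stack traffic the article's list describes (native IPv6, Teredo on its UDP port 3544, protocol-41 tunnels such as ISATAP and 6to4, and ICMPv6 router advertisements, which is where a rogue router would show up). The key=value log format, the field names (src, dst, proto, sport, dport, type) and the sample lines are all constructed for this example and would need to be mapped onto a real firewall's export; the function names are this example's own.

```javascript
// Added example, not code from Michael Kassner's article: audit a flow log for
// the dual-stack traffic his list describes, so you know what IPv6 is on the
// wire before deciding whether to block it. The key=value log format and the
// sample lines are constructed; the field names are assumptions to map onto
// your own firewall export.

const PROTO_UDP = 17;
const PROTO_IPV6_IN_IPV4 = 41;           // 6in4 encapsulation used by ISATAP and 6to4
const PROTO_ICMPV6 = 58;
const TEREDO_UDP_PORT = 3544;            // Teredo server port (RFC 4380)
const ICMPV6_ROUTER_ADVERTISEMENT = 134;

// Constructed sample lines. `type=` is the ICMPv6 message type and only appears
// on ICMPv6 records.
const SAMPLE_LOG = [
  '2009-08-18T10:01:02Z src=192.0.2.10 dst=198.51.100.5 proto=6 sport=51234 dport=80',
  '2009-08-18T10:01:05Z src=192.0.2.11 dst=203.0.113.9 proto=17 sport=60000 dport=3544',
  '2009-08-18T10:01:09Z src=192.0.2.12 dst=203.0.113.44 proto=41',
  '2009-08-18T10:01:12Z src=fe80::1 dst=ff02::1 proto=58 type=134',
  '2009-08-18T10:01:15Z src=2001:db8::10 dst=2001:db8::1 proto=6 sport=40000 dport=443',
  '2009-08-18T10:01:20Z src=192.0.2.13 dst=192.0.2.1 proto=17 sport=53000 dport=53',
].join('\n');

// Parse one "timestamp key=value key=value ..." line; numeric values become numbers.
function parseFlow(line) {
  const tokens = line.trim().split(/\s+/);
  const flow = { timestamp: tokens[0] };
  for (const token of tokens.slice(1)) {
    const eq = token.indexOf('=');
    if (eq === -1) continue;
    const value = token.slice(eq + 1);
    flow[token.slice(0, eq)] = /^\d+$/.test(value) ? Number(value) : value;
  }
  return flow;
}

function isIPv6(address) {
  return typeof address === 'string' && address.includes(':');
}

// Map a flow onto the categories from the article's list.
function classifyFlow(flow) {
  if (flow.proto === PROTO_IPV6_IN_IPV4) return 'tunnel-proto41';
  if (flow.proto === PROTO_UDP &&
      (flow.sport === TEREDO_UDP_PORT || flow.dport === TEREDO_UDP_PORT)) {
    return 'tunnel-teredo';
  }
  if (isIPv6(flow.src) || isIPv6(flow.dst)) {
    if (flow.proto === PROTO_ICMPV6 && flow.type === ICMPV6_ROUTER_ADVERTISEMENT) {
      return 'ipv6-router-advertisement';
    }
    return 'ipv6-native';
  }
  return 'ipv4';
}

// Summarise a whole log: per-category counts, every source that spoke IPv6 in
// some form, and every source that sent router advertisements. Legitimate
// routers advertise too, so compare raSources against your known routers
// rather than treating every entry as rogue.
function auditLog(text) {
  const counts = {};
  const ipv6Sources = new Set();
  const raSources = new Set();
  for (const line of text.split('\n')) {
    if (line.trim() === '') continue;
    const flow = parseFlow(line);
    const category = classifyFlow(flow);
    counts[category] = (counts[category] || 0) + 1;
    if (category !== 'ipv4') ipv6Sources.add(flow.src);
    if (category === 'ipv6-router-advertisement') raSources.add(flow.src);
  }
  return {
    counts,
    ipv6Sources: Array.from(ipv6Sources).sort(),
    raSources: Array.from(raSources).sort(),
  };
}

console.log(JSON.stringify(auditLog(SAMPLE_LOG), null, 2));
```

On the sample log, auditLog reports two plain IPv4 flows, one Teredo flow, one protocol-41 tunnel, one native IPv6 connection and one router advertisement, and lists the four sources involved. The tunnel checks matter most on a network that believes it has "no IPv6": an IPv4-only firewall sees the Teredo and protocol-41 packets as ordinary UDP and an unusual IP protocol respectively, which is exactly the blind spot the article's second bullet describes.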

Latest News

Thursday, 21 May 2009
By Victoria Ho, ZDNet Asia
Wednesday, May 20, 2009 06:37 PM
Open source software (OSS) is not impenetrable, and will likely be an increasing target of hackers if it grows in adoption, said a security expert.
Speaking at a briefing Wednesday, Rohit Dhamankar, director of security research, DVLabs at TippingPoint, said computer criminals tend to work for profit gain and will attack widely-deployed software to gain access to more terminals easily.
But he noted that OSS is a harder target to attack, because of the speed at which bugs get patched. The visibility of code and mass participative nature of open source development helps bugs get discovered faster.
And since zero-day attacks are the most commonly used method, closing holes faster thwarts the spread of such malware, said Dhamankar. Zero-day malware attacks vulnerabilities that are yet to be patched by the manufacturer.
Low Chee Juee, technical consultant, systems engineering (pre-sales) at Symantec Singapore, told ZDNet Asia it all comes down to how widely adopted a particular piece of software is.
"Regardless of whether the targeted technology is OSS, perpetrators tend to focus their efforts on targets that will give them greater bang for their buck," said Low in an e-mail interview.
Low added that OSS may not necessarily be more secure compared to closed source choices, because of ownership. The vendor selling proprietary software is directly responsible for product quality and hence has a vested interest in ensuring timely product fixes, he said.
"Commercial software benefits from dedicated IT staff who are invested in ensuring product quality, as well as ongoing feature enhancements and maintenance," noted Low.
Low offered the examples of closed source and open source Web browsers, as well as a contrast between the smaller browser companies and larger software houses.
According to Symantec data, 99 vulnerability exploits were found in open source Mozilla Firefox, compared to 47 in Microsoft Internet Explorer. Firefox's market share has been growing steadily over the past year.
However, Low said that the bigger vendors, Microsoft and Apple, have been notably slower to patch vulnerabilities found compared to smaller, independent Opera and open source Firefox. The window of exposure for Apple Safari was 9 days and Internet Explorer 7 days.
Firefox's window was less than a day, and Opera's was one day. "This may be due to the possibility that vendors whose main product is a Web browser do not have to spread their security response efforts across multiple, disparate products, and can instead focus on the browser.
"Comparably, major operating system vendors typically have to coordinate security response efforts across a larger number of unpatched vulnerabilities affecting a more diverse product portfolio and organization," he said.
This notion of mass participation within the OSS development community helping to ensure bugs are squashed quickly is not new.
It has been an idea espoused by both open source fans and technology vendors.
A Gartner report from last year also detailed that OSS has "fewer vulnerabilities" than closed source counterparts, and attributed this to visibility into the code.
But an Ovum analyst said earlier this year that companies shouldn't assume OSS is more secure than proprietary software, but that the two are "on par" from a security standpoint.
He explained that it is not possible to say every application is safe, among the 300,000 projects in the OSS universe.
Sourced from http://www.zdnetasia.com/news/security/0,39044215,62054223,00.htm?scid=nl_z_ntnd