科技回声

Why Masked Passwords Are a Serious Security Hole

21 points by freejoe76, almost 14 years ago

7 comments

SwellJoe, almost 14 years ago
It's hard to lose customers due to customer ignorance, but the alternative of giving them what they want (despite it being bad for them) is probably worse. At least, I don't know that I'd be comfortable doing so.

We run into it quite a bit, because our products are *extremely* complex, have numerous security-sensitive contact points in the system, and we've made some choices that do not match those of our competitors, often due to security concerns. Our refusal to treat chroot as a security tool is perhaps our most common source of "why don't you support this?" questions, and despite years of explaining our position, referencing numerous resources on the subject, providing examples of the futility of it, etc. doesn't make the question go away.

I think the best you can do is try to educate whenever the question comes up. It gets frustrating to answer the same question over and over again for years, especially if it's answered in the FAQ or documentation, but you pretty much just have to do it.
giberson, almost 14 years ago
Could someone detail the process of "sharing a masked password", or at least how it would theoretically be implemented as a feature? I'm not quite sure I get the scenario. Is the masked password to access passpack user account? Or is it to access some site passpack is managing a password for?
jbwyme, almost 14 years ago
Who shares masked passwords? I thought they were just there to keep someone over your shoulder from reading it.
gmac, almost 14 years ago
Um, OK. Or you could just go to Preferences > Security > Saved Passwords (Firefox), or fire up Keychain Access (for Safari/Mac), or ... ?
rdl, almost 14 years ago
Passpack is one of the more interesting security applications in the cloud -- they actually do client side encryption properly (I work out of the same office as them and talked with their lead developer a few times).
brown9-2, almost 14 years ago
If a third party is able to run arbitrary JavaScript in your browser / on a login page, isn't it already game over?
nvictor, almost 14 years ago
how about we don't install any bookmarklet? i don't have any, and i aggressively hate toolbar extensions, being a refugee from the old IE monopoly time.

or how about browsers letting us know whether a bookmarklet is doing something suspicious?