Hi, Leo. After clicking Forgot Password and the characters to check if
you’re human, and such, when there’s an option to send your password to your
alternate address, are the asterisks equivalent to your email?
I was changing my password and when I tried to log in I realized you can only
fit six characters. What’s with that? Anyway, so when I chose the alternate
address, it had this many asterisks ****** instead of ********. Does it not
include full stops, hyphens, and underscores?
In this excerpt from Answercast #15, I look at various scenarios used by
software developers to hide your security information from hackers.
Do the asterisks match my password?
No. It’s an interesting security measure.
So, here’s the problem: if someone is watching you, the number of asterisks
(if it matches the length of your password or matches the length of your email
address) could give an attacker a bit of information.
It could tell them that, “Oh, this guy’s password is eight characters long.” Or
“This guy’s email address is 12 characters long.” That’s an additional bit of
information that an attacker could then use to narrow down an attack or an
attempt to get access to that account.
Hide password length
So, what a lot of email providers, and a lot of security interfaces, do is
this: regardless of the length of your password, they always show a fixed
number of characters, six asterisks or eight asterisks or something like that.
That way, it’s clear that the number of characters in your password is
completely unrelated to what’s shown on the screen, so that information is
not divulged.
Showing partial emails
Same thing. When Hotmail (in a case like this) is displaying your email
address, they’re displaying just enough of it so you know that it’s the email
address you think it is. But they’re obfuscating the length so that somebody
else (for example, a hacker with access to your account) wouldn’t necessarily
be able to infer what the email address was.
They would only see a couple of letters and a random number of asterisks.
With that information, they wouldn’t even be able to tell how long the email
That’s what these sites are doing. It’s not something to typically worry
about. I just wanted to explain it to people who get a little confused from
time to time when the number of asterisks doesn’t match the number of
characters that they expect.
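The two masking styles discussed above, "one asterisk per character" versus a fixed number of asterisks, as an added Python illustration. This is example code written for this page, not Ask Leo!'s or Hotmail's own implementation; the MASK_LEN value, the sample passwords and the sample addresses are constructed for the example, and the `mask_reveals_length` check simply asks whether the asterisk count changes with the input.

```python
# Fixed number of asterisks shown for every masked value, whatever its real
# length (constructed value for this example; a real site picks its own).
MASK_LEN = 6


def mask_password_naive(password: str) -> str:
    """One asterisk per character: the display reveals the password's length."""
    return "*" * len(password)


def mask_password_fixed(password: str) -> str:
    """Always MASK_LEN asterisks: the display says nothing about the length."""
    return "*" * MASK_LEN


def _split_email(email: str):
    """Split 'local@domain.tld' into its parts; reject strings with no '@'."""
    if "@" not in email:
        raise ValueError("not an email address: %r" % email)
    local, _, domain = email.partition("@")
    head, _, tld = domain.rpartition(".")
    return local, head, tld


def mask_email_naive(email: str) -> str:
    """Show the first two characters of the local part, one asterisk per hidden
    character, and the full domain. The asterisk count leaks the length."""
    local, _, domain = email.partition("@")
    if not domain:
        raise ValueError("not an email address: %r" % email)
    return local[:2] + "*" * (len(local) - 2) + "@" + domain


def mask_email_fixed(email: str) -> str:
    """Show just enough to recognise the address (two characters of the local
    part, the first of the domain, and the top-level domain) with a fixed
    number of asterisks in between, so nothing about the length is shown."""
    local, head, tld = _split_email(email)
    stars = "*" * MASK_LEN
    return "%s%s@%s%s.%s" % (local[:2], stars, head[:1], stars, tld)


def mask_reveals_length(mask, values) -> bool:
    """True if inputs of different lengths produce different asterisk counts,
    i.e. an onlooker could infer something about the original's length."""
    counts = {mask(v).count("*") for v in values}
    return len(counts) > 1


# Constructed sample inputs of clearly different lengths.
PASSWORDS = ["hunter2", "correct horse battery"]
EMAILS = ["leo@example.com", "someone.longer-name_here@example.com"]

if __name__ == "__main__":
    for name, mask, samples in [
        ("password, naive", mask_password_naive, PASSWORDS),
        ("password, fixed", mask_password_fixed, PASSWORDS),
        ("email, naive", mask_email_naive, EMAILS),
        ("email, fixed", mask_email_fixed, EMAILS),
    ]:
        shown = ", ".join(mask(s) for s in samples)
        print("%-16s leaks length=%-5s %s"
              % (name, mask_reveals_length(mask, samples), shown))
```

Running it prints both masks side by side: the naive forms grow with the input, while the fixed forms of a 7-character and a 21-character password, or of a short and a long address, are indistinguishable, which is exactly why the asterisk count on the reset page does not match the length the reader expected.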