
Why are there only six asterisks in the password field when my password has more characters?


Hi, Leo. After clicking Forgot Password and the characters to check if
you’re human, and such, when there’s an option to send your password to your
alternate address, are the asterisks equivalent to your email?

I was changing my password and when I tried to login I realized you can only
fit six characters. What’s with that? Anyway, so when I chose the alternate
address, it had this many asterisks ****** instead of ********. Does it not
include full stops, hyphens, and underscores?

In this excerpt from Answercast #15, I look at various techniques software developers use to hide your security information from hackers.


Do the asterisks match my password?

No. It’s an interesting security measure.

So, here’s the problem: if someone is watching you, and the number of asterisks
matches the length of your password or the length of your email address, that
gives an attacker a bit of information.

It could tell them that, “Oh, this guy’s password is eight characters long.” Or
“This guy’s email address is 12 characters long.” That’s an additional bit of
information that an attacker could then use to narrow down an attack or an
attempt to get access to that account.

Hide password length

So, what a lot of email providers, and a lot of security interfaces, do is
that, regardless of the length of your password, they always show a fixed
number of characters: six asterisks, or eight asterisks, or something like that.

That way, it’s clear that the length of your password is completely unrelated
to what’s shown on the screen, so the display doesn’t divulge that
information.

Showing partial emails

Same thing. When Hotmail (in a case like this) is displaying your email
address, they’re displaying just enough of it so you know that it’s the email
address you think it is. But they’re obfuscating the length so that somebody
else (for example, a hacker with access to your account) wouldn’t necessarily
be able to infer what the email address was.

They would only see a couple of letters and a random number of asterisks.
With that information, they wouldn’t even be able to tell how long the email
address was.
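As an added illustration of the two displays described above (this is example code written for this page, not the code of Ask Leo!, Hotmail, or any other provider), here is how a login page could mask a password with a fixed number of asterisks and show just the beginning of an email address with a length-independent number of asterisks. The mask widths, the optional random width, and the sample addresses are constructed assumptions.

```python
import random
from typing import Callable, Iterable, Optional

# Assumed display widths; real sites pick their own. Nothing here is tied to a real account.
PASSWORD_MASK_WIDTH = 6
EMAIL_MASK_WIDTH = 6


def mask_password(password: str, width: int = PASSWORD_MASK_WIDTH) -> str:
    """Return a fixed-width run of asterisks, so the display says nothing about length."""
    if not password:
        return ""  # nothing typed yet: show nothing
    return "*" * width


def mask_email(address: str, visible: int = 2, width: int = EMAIL_MASK_WIDTH,
               rng: Optional[random.Random] = None) -> str:
    """Show just enough of the address to be recognisable and hide everything else.

    The asterisk count is either a fixed width or (if an rng is supplied) a random
    count, so it never equals the number of hidden characters. Dots, hyphens and
    underscores in the hidden part make no difference to what is shown.
    """
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email address")
    stars = width if rng is None else rng.randint(4, 10)
    # Never reveal the whole local part, even when it is very short.
    shown = local[:min(visible, max(len(local) - 1, 0))]
    masked_local = shown + "*" * stars
    # Keep the first character and the top-level domain (public anyway); mask the rest.
    dom_name, dot, tld = domain.rpartition(".")
    if dot:
        masked_domain = dom_name[:1] + "*" * stars + dot + tld
    else:
        masked_domain = domain[:1] + "*" * stars
    return masked_local + "@" + masked_domain


def no_length_leak(mask_fn: Callable[[str], str], samples: Iterable[str]) -> bool:
    """True when every sample masks to the same on-screen length.

    This is the property the article describes: an onlooker cannot recover the
    input length from the number of characters displayed.
    """
    return len({len(mask_fn(s)) for s in samples}) == 1


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for pw in ["cat", "correct horse battery staple"]:
        print(repr(pw), "->", mask_password(pw))
    for addr in ["john.doe@example.com", "j.smith-jones_123@hotmail.com"]:
        print(addr, "->", mask_email(addr))
    print("password display leaks length:",
          not no_length_leak(mask_password, ["a", "abcdefgh", "x" * 40]))
```

The same length-hiding property is what makes the asker's observation unsurprising: a long address with full stops and hyphens and a short plain address both come out as two letters followed by the same run of asterisks.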

That’s what these sites are doing. It’s not something to typically worry
about. I just wanted to explain it to people who get a little confused from
time to time when the number of asterisks doesn’t match the number of
characters that they expect.


1 thought on “Why are there only six asterisks in the password field when my password has more characters?”

  1. Perhaps the most extreme example of this was CompuServe (when it had an “ASCII access” mode) — they didn’t echo the password at all, period, as asterisks or otherwise! You typed it in “blind”.

    Talk about returning zero information!     :)

