Helping people with computers... one answer at a time.

The number of asterisks that are hiding a password, an email address, or secret question might not represent the size of the answer.

Hi, Leo. After clicking Forgot Password and the characters to check if you're human, and such, when there's an option to send your password to your alternate address, are the asterisks equivalent to your email?

I was changing my password and when I tried to login I realized you can only fit six characters. What's with that? Anyway, so when I chose the alternate address, it had this many asterisks ****** instead of ********. Does it not include full stops, hyphens, and underscores?

In this excerpt from Answercast #15, I look at various scenarios used by software developers to hide your security information from hackers.

Do the asterisks match my password?

No. It's an interesting security measure.

So, here's the problem: if someone is watching you, the number of asterisks (if it matches the length of your password or matches the length of your email address) could give an attacker a bit of information.

It could tell them that, "Oh, this guy's password is eight characters long." Or "This guy's email address is 12 characters long." That's an additional bit of information that an attacker could then use to narrow down an attack or an attempt to get access to that account.

Hide password length

So, what a lot of email providers, and a lot of security interfaces, do is that... regardless of the length of your password... they always show six characters: six asterisks or eight asterisks or something like that.

That way, it's clear that the length of the number of your password is completely unrelated to what's shown on the screen, so as not to divulge that information.

Showing partial emails

Same thing. When Hotmail (in a case like this) is displaying your email address, they're displaying just enough of it so you know that it's the email address you think it is. But they're obfuscating the length so that somebody else (for example, a hacker with access to your account) wouldn't necessarily be able to infer what the email address was.

They would only see a couple of letters and a random number of asterisks. With that information, they wouldn't even be able to tell how long the email address was.

That's what these sites are doing. It's not something to typically worry about. I just wanted to explain it to people who get a little confused from time to time when the number of asterisks doesn't match the number of characters that they expect.

Article C5307 - May 7, 2012 « »

Share this article with your friends:

Share this article on Facebook Tweet this article Email a link to this article
Leo Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.

Not what you needed?

1 Comment
Glenn P.
May 8, 2012 10:32 AM

Perhaps the most extreme example of this was CompuServe (when it had an "ASCII acess" mode) -- they didn't echo the password at all, period, as asterisks or otherwise! You typed it in "blind".

Talk about returning zero information!     :)

Comments on this entry are closed.

If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.

If you don't find your answer, head out to http://askleo.com/ask to ask your question.