The number of asterisks hiding a password, an email address, or a secret question might not represent the length of the hidden value.
Hi, Leo. After clicking Forgot Password and the characters to check if you're human, and such, when there's an option to send your password to your alternate address, are the asterisks equivalent to your email?
I was changing my password and when I tried to login I realized you can only fit six characters. What's with that? Anyway, so when I chose the alternate address, it had this many asterisks ****** instead of ********. Does it not include full stops, hyphens, and underscores?
In this excerpt from Answercast #15, I look at various scenarios used by software developers to hide your security information from hackers.
No. It's an interesting security measure.
So, here's the problem: if someone is watching you, the number of asterisks (if it matches the length of your password or matches the length of your email address) could give an attacker a bit of information.
It could tell them that, "Oh, this guy's password is eight characters long." Or "This guy's email address is 12 characters long." That's an additional bit of information that an attacker could then use to narrow down an attack or an attempt to get access to that account.
So, what a lot of email providers, and a lot of security interfaces, do is, regardless of the length of your password, always show a fixed number of characters: six asterisks, or eight asterisks, or something like that.
That way, it's clear that the length of your password is completely unrelated to what's shown on the screen, so as not to divulge that information.
Same thing. When Hotmail (in a case like this) is displaying your email address, they're displaying just enough of it so you know that it's the email address you think it is. But they're obfuscating the length so that somebody else (for example, a hacker with access to your account) wouldn't necessarily be able to infer what the email address was.
They would only see a couple of letters and a random number of asterisks. With that information, they wouldn't even be able to tell how long the email address was.
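To make the difference concrete, here is an added example (my own code, not anything from Ask Leo or from Hotmail) contrasting the two display styles for both the password field and the alternate email address. The addresses are constructed samples; `naive_mask`, `fixed_mask`, `random_mask`, `mask_password` and `inferred_local_length` are hypothetical names chosen for the illustration, and the asterisk counts (six, or four to ten) are assumptions rather than any provider's real setting.

```python
import random

# Constructed sample addresses (not taken from the original page).
SAMPLE_ADDRESSES = ["bob@example.org", "someone.longer@example.com"]


def naive_mask(address: str) -> str:
    """Leaky display: one asterisk per hidden character of the local part.

    Anyone glancing at the screen can read the exact length of the part
    before the '@' straight off the asterisks.
    """
    local, _, domain = address.partition("@")
    return local[:2] + "*" * (len(local) - 2) + "@" + domain


def fixed_mask(address: str, shown: int = 2, stars: int = 6) -> str:
    """Length-hiding display: a constant run of asterisks regardless of input.

    The first `shown` characters of the local part stay visible so the user
    can recognise the address; both the rest of the local part and the
    domain are replaced by a fixed number of asterisks, so the displayed
    string has the same length for every address.
    """
    local, _, domain = address.partition("@")
    return local[:shown] + "*" * stars + "@" + domain[:1] + "*" * stars


def random_mask(address: str, rng: random.Random,
                shown: int = 2, lo: int = 4, hi: int = 10) -> str:
    """Variant that draws a fresh random run of asterisks on each render.

    `rng` is injected so callers (and tests) control the randomness; with a
    real provider this would be a per-render random source.
    """
    local, _, domain = address.partition("@")
    return (local[:shown] + "*" * rng.randint(lo, hi)
            + "@" + domain[:1] + "*" * rng.randint(lo, hi))


def mask_password(secret: str, stars: int = 6) -> str:
    """Password-field display: the secret itself is never consulted, so the
    number of asterisks carries no information about its length."""
    del secret  # deliberately unused
    return "*" * stars


def inferred_local_length(masked: str) -> int:
    """What an onlooker learns from a displayed mask: the number of
    characters shown before '@'. For the naive mask this equals the real
    local-part length; for the fixed mask it is a constant."""
    return len(masked.split("@", 1)[0])


if __name__ == "__main__":
    rng = random.Random(1)
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:28} naive={naive_mask(addr):28} "
              f"fixed={fixed_mask(addr):16} random={random_mask(addr, rng)}")
    print("password display:", mask_password("hunter2"), mask_password("a much longer passphrase"))
```

Running the block shows that the naive mask for `someone.longer@example.com` is visibly longer than the one for `bob@example.org`, while the fixed and password masks come out identical in length for every input; the random variant changes from one render to the next, so a single glance gives no stable length at all.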
That's what these sites are doing. It's not something to typically worry about. I just wanted to explain it to people who get a little confused from time to time when the number of asterisks doesn't match the number of characters that they expect.