While loading Windows 8 Server into a VM, I noticed a symbol that looked like a fermata at the end of the password field when I started typing in a password. Well, of course, my first inclination is, “what the heck is that?” And, of course, I just kept going. I noticed it again when the login screen came up and decided to click on it. It looks like the fermata is actually supposed to be an eye… clicking on it revealed my password. Cool! I think…
In looking through some of the new Windows 8 Group Policy, it looks like Microsoft is calling this feature “password reveal.” Ok… I can see where this could be useful; but, I can also see where in some environments it is a really bad idea to have this turned on. Honestly, I don’t want to know what my users are using for passwords. From an auditing standpoint, it is better for me to not know their passwords. Besides, we have password policies and can hopefully, through training, steer our users toward creating good, secure passwords.
In the event you’re on the fence with this new feature like I am, there is a Group Policy setting that disables it. In the GPMC for Windows 8, go to Computer Configuration > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button. Set the policy to “Enabled” and say goodbye to the password reveal fermatas/eyes!
The setting is also available in User Configuration > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button, if you just want to disable the feature for a subset of your users. Just be aware that using it on the User side won’t disable the feature on the logon screen.
Another fair word of warning: the policy specifically cites Windows 8 Consumer Preview and Internet Explorer 10 as products affected by this policy. I’ve already tried a few different third-party applications and they did not have the password reveal fermata/eye in them. In the event Microsoft makes this feature available to developers, it could start showing up in other applications. If it does, I’ll re-visit this setting and see if third-party apps are compliant with the Group Policy setting.
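To confirm on a given machine that the policy described above actually applied, here is an added PowerShell check (not part of the original post). It assumes the policy is backed by the DisablePasswordReveal DWORD under Software\Policies\Microsoft\Windows\CredUI, in HKLM for Computer Configuration and HKCU for User Configuration; the function name Get-PasswordRevealPolicy is hypothetical.

```powershell
# Added example: report whether "Do not display the password reveal button"
# is in effect for the computer and for the current user.
# Assumption (not from the post): the policy is stored as the DWORD
# DisablePasswordReveal under Software\Policies\Microsoft\Windows\CredUI.

function Get-PasswordRevealPolicy {
    [CmdletBinding()]
    param()

    $subKey = 'Software\Policies\Microsoft\Windows\CredUI'
    $name   = 'DisablePasswordReveal'

    # Computer Configuration writes to HKLM, User Configuration to HKCU.
    $scopes = [ordered]@{
        Computer = "HKLM:\$subKey"
        User     = "HKCU:\$subKey"
    }

    foreach ($scope in $scopes.GetEnumerator()) {
        # A missing key or value means the policy is Not Configured, not an error.
        $item  = Get-ItemProperty -Path $scope.Value -Name $name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.$name } else { $null }
        $state = if ($null -eq $value) { 'NotConfigured' } elseif ($value -eq 1) { 'Enabled' } else { 'Disabled' }

        [pscustomobject]@{
            Scope              = $scope.Key
            Path               = $scope.Value
            Value              = $value
            Policy             = $state
            RevealButtonHidden = ($value -eq 1)
        }
    }
}

$results  = Get-PasswordRevealPolicy
$results | Format-Table -AutoSize

$computer = $results | Where-Object Scope -eq 'Computer'
$user     = $results | Where-Object Scope -eq 'User'

if (-not $computer.RevealButtonHidden) {
    if ($user.RevealButtonHidden) {
        # Matches the caveat above: the user-side setting does not cover the logon screen.
        Write-Warning 'Only the User Configuration policy is set; the logon screen is not covered.'
    } else {
        Write-Warning 'Password reveal policy is not enabled for this computer or user.'
    }
}
```

The HKCU result reflects the account running the script, so run it in the session of the user you are auditing rather than from a separate administrator account.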