The problem is that El Goog has almost no existing customer support service. If your account is compromised and or disabled by Google itself, there is no place to seek help. The only place you could ask for help would be the Google support forum, which is actually run by users, no one hangs around there that can do administrative level work. The next issue is that G+ has automated real name identification system and account an suspension system based on several automated features, currently due there is almost no way to appeal an account suspension due to a non-existing customer support system. To test this system try changing your name (preferably on a throwaway account) multiple times, you'd find out that it would automatically suspend access to your account once that passes a certain threshold. The biggest issue is that once someone creates a G+ account, all their existing Google content comes under that account, thus a suspension of the G+ account means goodbye to gmail, YouTube, blogger, Calendar and so on.. all content is disabled and it's almost impossible to get it back (unless you are a celebrity or your story gets published in media).

The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device. And.... best of all it can be adapted to work on even physical keyboards. Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

As I said before, if you read the PDF, he claims he started on this project cause the masked password entry was way too robust by default to exploit. I didn't feel that was the case as my own observation is different from what he claimed. The rest of what he did was excellent, not saying anything about that, I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

Can you show a screen of the iOS you run and password entry? I'd rather he showed these videos but it doesn't fit his article.

I'm sorry you feel that way. Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?). Also It's already been claimed this is iOS 4.3.x above. No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

I'm sorry are you the person behind this video? Yes, I do like to pull an article apart to see the validity of the claims. As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that. Yes, I admit the keyboard thing was an err on my part, as I was reading his PDF I realized this was about non-simple passcode entry. As far as the password showing up, it doesn't happen on mine (and as others said doesn't happen on their iPad's as well). The letters that show up are huge, it's very very easy to read it off, and they stick around for quite a bit, I could take two screenshots of a given passcode letter before it becomes a mask. I do like what he made, it's cool. But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon

Come over to here. We are having the same conversation in two branches. I'm on 4.3.3, default settings with non-simple password entry as I said before.

No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

Yes, I tested it all out, there was no need for this extensive demonstration, as the assertion that password masking is completely hidden by default is incorrect (which is why they did the 2nd method). Their video's password entry does not work as it does on default on my iPad. On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

Ah, let me point out what came out bogus to me when I read the PDF.

The person claims this on page 3:

We have long realized the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rate to find an application that fails to mask passwords on screen. Even the iDevices (which we examine below) mask passwords by default. We take the fact that password masking is so ubiquitous as the obvious acknowledgement of the shoulder surfing as a viable attack method.

Wait... This is where I have a problem, they claim that iOS masks the passwords by default and thus they have to use this other compelx method of capturing what keys are pressed. My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over they keyboard.

The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

I'm a strong believer in having people use their real names in social networks, this I find is useful in weeding out a lot of strange interactions online. Having to use your real name and or easily identifiable account seem to make people post more cautiously than they would anonymously.

Having said that, I still feel the current enforcement of Google+'s real name policy and data deletion is not up to par with any type of decent policies I would expect Google to come up with. As this is a test phase, I hope this would be ironed out. Even a strike system ( like France's 3 strike or ISP's 6 strike) would be more agreeable instead of the current implementation.

I would suggest people test Google+ with Google accounts that do not contain a lot of sensitive or valuable data.