Wild Apricot Blog


Should Websites Show Your Passwords in Plain Text?

You know how, when you type your password into a website form, it shows a line of asterisks or bullets instead of the characters you’re typing? Usability expert Jakob Nielsen says it’s time to stop masking passwords, and show them on screen in plain text.

If you haven’t already done so, you’ll want to check out Jakob Nielsen’s latest AlertBox article to get the full details — but here’s his summary:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

Usability is about the interaction of humans and technology, reducing users’ confusion about what to do on a website and trying to minimize the chance of human error: helping users to succeed in their online tasks. From that perspective, yes, showing passwords in plain text makes sense.

But there’s another aspect to usability, more to do with human emotions than with the physical and mental processes of interacting with a website. And the more I thought about all this, the more I wondered — did Jakob Nielsen miss the mark on this one?

UK business analyst Simon Thomas (Oak Innovations) responded on Twitter with a comment that closely matched my first reaction:

Tweet from @sijt: @rjleaman I think he did. Users expect it so would perceive a lack of security, even if there isn't. Perception is everything in ui.

Since the earliest days of computers, passwords have been masked to keep them safe from the curious eyes of “shoulder surfers” and passers-by. But your password isn’t fully protected from snoopers by hiding it on screen, Nielsen points out, as a “truly skilled criminal” can simply watch your keystrokes. And in any case, he says, there’s usually nobody there with you when you log in:

It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

I’m not sure he’s got that last bit right. In the corporate world, perhaps, a private office may be the norm — but look around you and count all the open laptops the next time you’re in a coffee shop, on public transit, or in a dentist’s waiting room. With the proliferation of free public wifi “hot spots” and mobile devices, it seems to me that our web use is becoming ever more public, not less so, and thus ever more vulnerable to prying eyes.

True, password masking doesn’t come close to guaranteeing security — but Spike Wyatt (ScrawlBug), a freelance writer who worked in IT for more than a decade, sums it up better than I can.

Spike writes:

Masking passwords is elementary security. While it’s true that the bigger advantage is the user’s increased feeling of security, it’s basic common sense not to show private information in clear text.

Any computer criminal worth their salt can crack a password, given time. I just believe it’s better to make it as difficult as possible, using as many methods as is sensible, rather than offering up free access in unmasked letters on a glowing screen that can be read from across the room. Just like the ‘privacy zone’ around an ATM: it’s not perfect, but every little helps.

Jakob Nielsen does suggest a compromise: add an extra checkbox to web forms, so users could opt in to password masking if they wanted — perhaps with masking enabled as the default for sensitive applications like online banking. But then, an extra checkbox would add one more visual element to clutter a web page, and one more small task to the login process. I wonder, too, if password masking is indeed a bad idea, why we should use it for high-security sites...
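Here is what that compromise looks like in practice, as an added example that is not code from this post or from Nielsen’s article: a “show password” checkbox that defaults to masked, re-masks the field as soon as focus leaves it on sensitive forms, and re-masks on submit everywhere. The names maskingPolicy, wirePasswordToggle, fakeElement and simulate are assumptions made for this example, and fakeElement is a constructed stand-in for a DOM element so the code runs outside a browser.

```javascript
// Added example: an opt-in "show password" toggle that defaults to masked.
// Not code from the Wild Apricot post or from Nielsen's article; the names
// maskingPolicy, wirePasswordToggle, fakeElement and simulate are assumptions.

// Masking is always the default. On sensitive forms (banking, admin logins)
// the field is re-masked as soon as focus leaves it; on every form it is
// re-masked when the form is submitted so plaintext never lingers on screen.
function maskingPolicy(options) {
  const sensitive = Boolean(options && options.sensitive);
  return { defaultType: 'password', remaskOnBlur: sensitive, remaskOnSubmit: true };
}

// Connect a password input, its "show password" checkbox and the form.
// Only `type`, `checked` and `addEventListener` are used, so real DOM
// elements and the constructed stand-in below both work.
function wirePasswordToggle(input, checkbox, form, policy) {
  const mask = () => { checkbox.checked = false; input.type = policy.defaultType; };
  mask();                                     // enforce the masked default on load
  checkbox.addEventListener('change', () => {
    input.type = checkbox.checked ? 'text' : 'password';
  });
  if (policy.remaskOnBlur) input.addEventListener('blur', mask);
  if (policy.remaskOnSubmit && form) form.addEventListener('submit', mask);
  return input;
}

// Constructed stand-in for a DOM element so the example runs under Node:
// records listeners and lets the caller fire them with `dispatch`.
function fakeElement(initial) {
  const listeners = {};
  return Object.assign({
    addEventListener(name, fn) { (listeners[name] = listeners[name] || []).push(fn); },
    dispatch(name) { (listeners[name] || []).forEach((fn) => fn()); },
  }, initial);
}

// Walk one login through the policy and return the field type after each step.
function simulate(policy, steps) {
  const input = fakeElement({ type: 'text' });       // deliberately wrong start...
  const checkbox = fakeElement({ checked: true });   // ...to show the default wins
  const form = fakeElement({});
  wirePasswordToggle(input, checkbox, form, policy);
  const seen = [input.type];
  for (const step of steps) {
    if (step === 'show') { checkbox.checked = true; checkbox.dispatch('change'); }
    else if (step === 'hide') { checkbox.checked = false; checkbox.dispatch('change'); }
    else if (step === 'blur') input.dispatch('blur');
    else if (step === 'submit') form.dispatch('submit');
    seen.push(input.type);
  }
  return seen;
}

// Sensitive form: the moment focus leaves the field it is masked again.
function sensitiveFlow() {
  return simulate(maskingPolicy({ sensitive: true }), ['show', 'blur', 'show', 'submit']);
}

// Ordinary form: the user's choice sticks until the form is submitted.
function ordinaryFlow() {
  return simulate(maskingPolicy({ sensitive: false }), ['show', 'blur', 'submit']);
}

console.log('sensitive:', sensitiveFlow());
console.log('ordinary: ', ordinaryFlow());
```

The point of the policy object is that the decision Nielsen leaves to the site (mask by default for banking, let the user choose elsewhere) lives in one place rather than being scattered across form handlers, and the re-mask on blur means a screen left unattended in a coffee shop shows bullets, not the password, even if the user ticked the box a moment earlier.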

And here’s yet another wrinkle: Nielsen says that masking encourages people to choose simple, easy-to-remember passwords, or to copy-and-paste their passwords from a desktop text file — risky practices that no one would recommend. No wonder that a Twitter search on password masking and run-round of the blogs show wide-ranging opinions on the issue, with some of the arguments quite strongly worded!

What’s your opinion?

Is it time for the Web to unmask passwords and make it easier to log in to a website? Does password masking serve a useful purpose, or do more harm than good? How would you change the standard website login process?

Published Sunday, 28 June 2009 at 4:07 PM

Comments

  • JRA said:

    I like it when a website (and my OS for that matter) gives me the option for privacy or for usability... Rather than the cookie cutter, everyone should "be safe because we know better" approach.

    Sunday, 28 June 2009 at 11:16 AM
  • Jay Moonah (Noisy Apricot) said:

    I think Nielsen _might_ have had a point 5 years ago, but these days so many people log in to services in public locations, either on their own machines or on shared systems, that I think now is completely the wrong time for this kind of change... although I do agree with JRA that it's nice to have the option, but I think the default has to be masked, if only because people are so socialized now to accept it as the norm.

    Monday, 29 June 2009 at 1:03 PM
  • Aaron Hawryluk said:

    Jay - I agree. Working at the Sun, I picked up a lot of passwords looking over shoulders at those lovely non-masked old Mac password fields. And people in the newsroom would log in to stuff with their interviewees sitting right there, etc. Whether Nielsen agrees or not, someone picking up your password by looking over your shoulder is a real security risk.

    Which brings me to another point... for a self-styled "usability expert", Nielsen doesn't get listened to very often. I've been ignoring 80% of what he says for years, and so has pretty much everyone I know in the industry.

    Monday, 29 June 2009 at 2:53 PM
  • DFA said:

    Nielsen should stick to Web and UI stuff. This issue goes far beyond his sphere of knowledge and (dubious, as per Aaron) influence.

    Monday, 29 June 2009 at 3:21 PM