You know how, when you type your password into a website form, it
shows a line of asterisks or bullets instead of the characters you’re
typing? Usability expert Jakob Nielsen says it’s time to stop masking passwords, and show them on screen in plain text.
If you haven’t already done so, you’ll want to check out Jakob Nielsen’s latest AlertBox article to get the full details — but here’s his summary:
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.
Usability is about the interaction of humans and technology,
reducing users’ confusion about what to do on a website and trying to
minimize the chance of human error: helping users to succeed in their
online tasks. From that perspective, yes, showing passwords in plain
text makes sense.
But there’s another aspect to usability, more to do with human
emotions than with the physical and mental processes of interacting
with a website. And the more I thought about all this, the more I
wondered — did Jakob Nielsen miss the mark on this one?
UK business analyst Simon Thomas (Oak Innovations) responded on Twitter with a comment that closely matched my first reaction:
Since the earliest days of computers, passwords have been masked, to
keep passwords safe from the curious eyes of “shoulder surfers” and
passers-by. But your password isn’t fully protected from snoopers by
hiding it on screen, Nielsen points out, as a “truly skilled criminal”
can simply watch your keystrokes. And in any case, he says, there’s
usually nobody there with you when you login:
It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
I’m not sure he’s got that last bit right. In the corporate world,
perhaps, a private office may be the norm — but look around you and
count all the open laptops, the next time you’re in a coffee shop, on
public transit, or in a dentist’s waiting room. With the proliferation
of free public wifi “hot spots” and mobile devices, it seems to me that
our web use is becoming ever more public, not less so, and thus ever
more vulnerable to prying eyes.
True, password masking doesn’t come close to guaranteeing security — but Spike Wyatt (ScrawlBug), a freelance writer who worked in IT for more than a decade, sums it up better than I can.
Masking passwords is elementary security. While it’s true that
the bigger advantage is the user’s increased feeling of security, it’s
basic common sense not to show private information in clear text.
Any computer criminal worth their salt can crack a password,
given time. I just believe it’s better to make it as difficult as
possible, using as many methods as is sensible, rather than offering up
free access in unmasked letters on a glowing screen that can be read
from across the room. Just like the ‘privacy zone’ around an ATM: it’s
not perfect, but every little helps.
Jakob Nielsen does suggest a compromise: add an extra checkbox to
web forms, so users could opt in to password masking if they wanted — perhaps
with masking enabled as the default for sensitive applications like online
banking. But then, an extra checkbox would add one more visual element to clutter a
web page, and one more small task to the login process. I wonder, too, if password masking is indeed a bad idea, why we should use it for high-security sites...
And here’s yet another wrinkle: Nielsen says that masking encourages
people to choose simple, easy-to-remember passwords, or to
copy-and-paste their passwords from a desktop text file — risky
practices that no one would recommend. No wonder that a Twitter search on password masking and run-round of the blogs show wide-ranging opinions on the issue, with some of the arguments quite strongly worded!
What’s your opinion?
Is it time for the Web to unmask passwords and make it easier to
login to a website? Does password masking serve a usful purpose, or do
more harm than good? How would you change the standard website login