Wild Apricot Blog


Should Websites Show Your Passwords in Plain Text?

Lori Halley 28 June 2009 4 comments

You know how, when you type your password into a website form, it shows a line of asterisks or bullets instead of the characters you’re typing? Usability expert Jakob Nielsen says it’s time to stop masking passwords, and show them on screen in plain text.

If you haven’t already done so, you’ll want to check out Jakob Nielsen’s latest AlertBox article to get the full details — but here’s his summary:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

Usability is about the interaction of humans and technology, reducing users’ confusion about what to do on a website and trying to minimize the chance of human error: helping users to succeed in their online tasks. From that perspective, yes, showing passwords in plain text makes sense.

But there’s another aspect to usability, more to do with human emotions than with the physical and mental processes of interacting with a website. And the more I thought about all this, the more I wondered — did Jakob Nielsen miss the mark on this one?

UK business analyst Simon Thomas (Oak Innovations) responded on Twitter with a comment that closely matched my first reaction:

[Tweet from @sijt] @rjleaman I think he did. Users expect it so would perceive a lack of security, even if there isn't. Perception is everything in ui.

Since the earliest days of computers, passwords have been masked, to keep passwords safe from the curious eyes of “shoulder surfers” and passers-by. But your password isn’t fully protected from snoopers by hiding it on screen, Nielsen points out, as a “truly skilled criminal” can simply watch your keystrokes. And in any case, he says, there’s usually nobody there with you when you login:

It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

I’m not sure he’s got that last bit right. In the corporate world, perhaps, a private office may be the norm — but look around you and count all the open laptops, the next time you’re in a coffee shop, on public transit, or in a dentist’s waiting room. With the proliferation of free public wifi “hot spots” and mobile devices, it seems to me that our web use is becoming ever more public, not less so, and thus ever more vulnerable to prying eyes.

True, password masking doesn’t come close to guaranteeing security — but Spike Wyatt (ScrawlBug), a freelance writer who worked in IT for more than a decade, sums it up better than I can.

Spike writes:

Masking passwords is elementary security. While it’s true that the bigger advantage is the user’s increased feeling of security, it’s basic common sense not to show private information in clear text.

Any computer criminal worth their salt can crack a password, given time. I just believe it’s better to make it as difficult as possible, using as many methods as is sensible, rather than offering up free access in unmasked letters on a glowing screen that can be read from across the room. Just like the ‘privacy zone’ around an ATM: it’s not perfect, but every little helps.

Jakob Nielsen does suggest a compromise: add an extra checkbox to web forms, so users could opt in to password masking if they wanted — perhaps with masking enabled as the default for sensitive applications like online banking. But then, an extra checkbox would add one more visual element to clutter a web page, and one more small task to the login process. I wonder, too, if password masking is indeed a bad idea, why we should use it for high-security sites...
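Here is what that compromise looks like in practice, written from the cautious side: masked by default, an opt-in checkbox to reveal, and automatic re-masking on blur, on submit and after a timeout. This is an added example, not code from the post or from Wild Apricot; the element ids `login`, `pw` and `show-pw`, the `data-sensitive` attribute and the 10-second window are assumptions.

```javascript
// Added example, not code from the blog post or Wild Apricot. The controller is
// kept free of DOM calls so the masking policy can be tested on its own;
// setType(t) is a callback that sets the <input> type ("password" or "text").
function createRevealController(setType, sensitive, revealTimeoutMs) {
  let revealed = false;
  let timer = null;
  const apply = () => setType(revealed ? "text" : "password");
  const mask = () => {
    if (timer !== null) { clearTimeout(timer); timer = null; }
    revealed = false;
    apply();
  };
  const ctl = {
    canReveal: !sensitive,             // sensitive pages (e.g. banking) never unmask
    onToggle(checked) {
      if (sensitive || !checked) { mask(); return; }
      revealed = true;
      timer = setTimeout(mask, revealTimeoutMs); // don't leave it on screen indefinitely
      apply();
    },
    onBlur: mask,                      // leaving the field re-masks it
    onSubmit: mask,                    // never submit with the password still visible
    isRevealed: () => revealed,
  };
  apply();                             // masked from the start
  return ctl;
}

// DOM wiring. Assumed (hypothetical) markup:
//   <form id="login" data-sensitive="false">
//     <input id="pw" type="password"> <input id="show-pw" type="checkbox">
//   </form>
function attachRevealToggle(form, pwField, checkbox, revealTimeoutMs) {
  const sensitive = form.dataset.sensitive === "true";
  // The checkbox always mirrors the real field state, so a timeout or blur also unticks it.
  const ctl = createRevealController((t) => {
    pwField.type = t;
    checkbox.checked = t === "text";
  }, sensitive, revealTimeoutMs);
  checkbox.disabled = !ctl.canReveal;  // no opt-out on sensitive pages
  checkbox.addEventListener("change", () => ctl.onToggle(checkbox.checked));
  pwField.addEventListener("blur", ctl.onBlur);
  form.addEventListener("submit", ctl.onSubmit);
  return ctl;
}

if (typeof document !== "undefined") {
  attachRevealToggle(document.getElementById("login"), document.getElementById("pw"),
                     document.getElementById("show-pw"), 10000);
}
```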

And here’s yet another wrinkle: Nielsen says that masking encourages people to choose simple, easy-to-remember passwords, or to copy-and-paste their passwords from a desktop text file — risky practices that no one would recommend. No wonder that a Twitter search on password masking and run-round of the blogs show wide-ranging opinions on the issue, with some of the arguments quite strongly worded!

What’s your opinion?

Is it time for the Web to unmask passwords and make it easier to login to a website? Does password masking serve a useful purpose, or do more harm than good? How would you change the standard website login process?


Posted by Lori Halley [Engaging Apricot]

Published Sunday, 28 June 2009 at 4:07 PM


  • JRA said:

    Sunday, 28 June 2009 at 11:16 AM

    I like it when a website (and my OS for that matter) gives me the option for privacy or for usability... Rather than the cookie cutter, everyone should "be safe because we know better" approach.

  • Jay Moonah (Noisy Apricot) said:

    Monday, 29 June 2009 at 1:03 PM

    I think Nielsen _might_ have had a point 5 years ago, but these days so many people login to services in public locations either on their own machines or on shared systems, I think now is completely the wrong time for this kind of change... although I do agree with JRA that it's nice to have the option, but I think the default has to be masked, if only because people are so socialized now to accept it as the norm.

  • Aaron Hawryluk said:

    Monday, 29 June 2009 at 2:53 PM

    Jay - I agree. Working at the Sun, I picked up a lot of passwords looking over shoulders at those lovely non-masked old Mac password fields. And people in the newsroom would log in to stuff with their interviewees sitting right there, etc. Whether Nielsen agrees or not, someone picking up your password by looking over your shoulder is a real security risk.

    Which brings me to another point... for a self-styled "usability expert", Nielsen doesn't get listened to very often. I've been ignoring 80% of what he says for years, and so has pretty much everyone I know in the industry.

  • DFA said:

    Monday, 29 June 2009 at 3:21 PM

    Nielsen should stick to Web and UI stuff. This issue goes far beyond his sphere of knowledge and (dubious, as per Aaron) influence.
