Password Masking: The Debate Goes On
Article by George Norman
On 08 Jul 2009
You might remember that about a week back Jakob Nielsen, one of the world’s leading experts on web usability, announced that the practice of password masking is detrimental to the overall user experience and to security as well. As Nielsen put it, turning characters into bullets in the password field discourages the user from logging in, encourages the user to pick overly simple passwords, and is incredibly annoying when you make a mistake and have to retype the whole thing because you can’t see where the error is.

Jakob Nielsen also proposed that offering a checkbox would be a good idea for those situations when you really need to conceal your passwords, like when you are in an internet café or working in an open-plan office environment. Just tick the checkbox and your password is concealed. When there’s no one around and you feel safe about revealing your password, uncheck the box.


As you would imagine, Jakob Nielsen’s words spurred much controversy among security experts, such as Sophos’ Senior Technology Consultant Graham Cluley and Trend Micro’s Advanced Threat Researcher Ben April. They argued against Nielsen’s proposal, saying that dropping the practice of password masking would not be a good idea security-wise, would put you in socially awkward situations at times, and would send a bad message to the regular user. Graham Cluley also pointed out an essential flaw in Jakob Nielsen’s thinking: it is not the web page that masks passwords, it is the browser that does so.

At the time, the only one to support Jakob Nielsen was internationally renowned security technologist and author Bruce Schneier. He agreed that since you are alone most of the time when you use the computer, masking passwords is really nothing more than a nuisance, and revealing them would prevent the user from making any mistakes. There are times when someone close to you will try to sneak a peek at your password, but shoulder surfing is not very common, added Schneier.

Now it seems that Bruce Schneier is taking back his words of support for dropping password masking: “So was I wrong? Maybe. Okay, probably. Password masking definitely improves security; many readers pointed out that they regularly use their computer in crowded environments, and rely on password masking to protect their passwords. On the other hand, password masking reduces accuracy and makes it less likely that users will choose secure and hard-to-remember passwords. I will concede that the password masking trade-off is more beneficial than I thought in my snap reaction, but also that the answer is not nearly as obvious as we have historically assumed.”

Previous articles on the subject:
Time to Drop Password Masking Expert Says
Security Experts Argue over Dropping Password Masking Proposal

Tags: Password, Password masking, Security, Usability
About the author: George Norman
George is a news editor.