Time to Drop Password Masking Expert Says

Article by George Norman (Cybersecurity Editor)

on 29 Jun 2009

Every time you want to access your email account, instant messaging client, even log into your operating system, you have to provide a user name and a password. While the username is clearly visible, the password is always displayed as a long list of * characters. Replacing characters with bullets is a practice called password masking, and has been around for quite some time now. According to Jakob Nielsen, one of the world’s leading experts on web usability, it is about time this practice is dropped.

Jakob Nielsen argues that the practice of hiding characters behind bullets, as is the case with passwords, is in fact hurting web usability. The user enters his password, and the only feedback he receives is a row of bullets – which personally I find terribly annoying as I never know where I misspelled my password and consequently have to delete it all and start from scratch, making the login process a terrible bother. Besides being annoying, password masking is not even that secure, says Nielsen.

“It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply. Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users' shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers,” says Nielsen.

The practice of password masking has two direct effects on the end user. First, he is more prone to make errors while typing in the password simply because he can’t see what he is typing – making the user feel less confident, as Nielsen put it, and think twice about logging in. Second, the user will be tempted either to use overly simple passwords or to copy/paste the password from a locally stored file – both practices are very wrong, security-wise.

“Users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet café,” added Nielsen. “It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win. In most cases, however, users will appreciate getting clear-text feedback as they enter passwords. Your business will increase, and security will even improve a tiny bit as well.”
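The checkbox Nielsen describes is straightforward to implement. The following is an added example written for this page, not code from the article or from Nielsen: a "mask my password" checkbox wired to a password field, starting unchecked (clear text) on an ordinary site and checked (masked) when the caller flags the page as high-risk. The `FakeElement` stand-in, the `highRisk` option and the re-masking on blur are assumptions of this example so it can run outside a browser; in a real page you would pass the actual DOM elements.

```javascript
// Added example (not from the article or from Nielsen's post): a "mask my password"
// checkbox wired to a password field. The default follows the advice quoted above:
// clear text for ordinary sites, masked by default when the page is flagged high-risk.

// Minimal stand-in for a DOM element so the logic runs in Node without a browser.
// In a real page, pass the real elements (document.querySelector('#password') etc.).
class FakeElement {
  constructor(props) {
    this.type = 'text';
    this.value = '';
    this.checked = false;
    Object.assign(this, props || {});
    this.listeners = {};
  }
  addEventListener(name, fn) {
    if (!this.listeners[name]) this.listeners[name] = [];
    this.listeners[name].push(fn);
  }
  dispatchEvent(name) {
    (this.listeners[name] || []).forEach((fn) => fn());
  }
}

// Masking only changes how the field is rendered; the submitted value is unchanged.
function applyMaskState(passwordInput, masked) {
  passwordInput.type = masked ? 'password' : 'text';
  return passwordInput.type;
}

// Wire the checkbox to the field and return a small controller for callers.
// highRisk (assumed option): true for e.g. bank logins, where the box starts checked.
function wireMaskToggle(passwordInput, maskCheckbox, options) {
  const highRisk = Boolean(options && options.highRisk);
  maskCheckbox.checked = highRisk;
  applyMaskState(passwordInput, maskCheckbox.checked);

  maskCheckbox.addEventListener('change', () => {
    applyMaskState(passwordInput, maskCheckbox.checked);
  });

  // Defensive choice of this example (not in the article): when the field loses focus,
  // go back to masked so a revealed password is not left on screen in a shared space.
  passwordInput.addEventListener('blur', () => {
    maskCheckbox.checked = true;
    applyMaskState(passwordInput, true);
  });

  return {
    isMasked: () => passwordInput.type === 'password',
    // What the form would send: identical whether or not the text is shown.
    submittedValue: () => passwordInput.value,
  };
}

// Walk through the states for a low-risk and a high-risk page; returns the observed
// rendering types so the behaviour can be checked without a browser.
function demo() {
  // Sample values below are constructed for the demo.
  const lowRisk = new FakeElement({ type: 'password', value: 'correct horse' });
  const lowRiskBox = new FakeElement();
  const low = wireMaskToggle(lowRisk, lowRiskBox, { highRisk: false });
  const lowStates = [lowRisk.type];          // 'text': clear text by default
  lowRiskBox.checked = true;
  lowRiskBox.dispatchEvent('change');
  lowStates.push(lowRisk.type);              // 'password': user opted to mask
  lowRisk.dispatchEvent('blur');
  lowStates.push(lowRisk.type);              // 'password': stays masked on blur

  const bank = new FakeElement({ type: 'password', value: 'tr0ub4dor' });
  const bankBox = new FakeElement();
  const high = wireMaskToggle(bank, bankBox, { highRisk: true });
  const bankStates = [bank.type];            // 'password': masked by default
  bankBox.checked = false;
  bankBox.dispatchEvent('change');
  bankStates.push(bank.type);                // 'text': user chose to reveal
  bank.dispatchEvent('blur');
  bankStates.push(bank.type);                // 'password': re-masked on blur

  return {
    lowStates,
    bankStates,
    lowValue: low.submittedValue(),
    bankValue: high.submittedValue(),
    lowMasked: low.isMasked(),
  };
}
```

The point worth noticing is in `applyMaskState`: toggling between `password` and `text` only affects rendering, so the value sent on submit is the same either way. The shoulder-surfing risk Nielsen mentions is what the default-masked setting and the blur handler address; neither changes what the server receives.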

For the Firefox user who does not want to mask his password, there is a simple solution: the Show Passwords add-on. What this add-on does is eliminate those annoying * symbols and let you see exactly what you are typing into the password field. And if at any time you feel the need to once again mask your password, Show Passwords can be easily turned on and off by clicking on the icon placed in the Firefox Status Bar.

If you would like to get Show Passwords, a download location is available here.
