Password Masking: Annoying, Unproductive, and Unsecure
Two of the oldest blogs have hit on one of my oldest Internet pet peeves: the idiotic masking of passwords on web forms, wherein one has to blindly type what are often long strings, seeing only a row of asterisks.
It’s time to show most passwords in clear text as users type them. Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:
- Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
- The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.
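The policy Nielsen argues for (clear text by default, masking available on request) is a few lines of client-side code. The following is an added example, not code from the original post or from Nielsen; it assumes an `<input>` for the password, a `<button>` next to it, and the enclosing `<form>`. It works on real DOM nodes in a browser, and the `fakeElement` stand-ins at the bottom are constructed only so it runs outside one. Note the security-relevant caveat the toggle makes visible: switching `type` changes only how the field is rendered, never what the form submits, and the field is re-masked on submit so the clear-text password does not stay on screen after the user is done.

```javascript
// Added example: a "show password" toggle implementing clear-text-by-default.
// Assumed markup: an <input> for the password, a sibling <button>, and the
// enclosing <form>. Duck-typed on the element fields it touches, so it runs
// against DOM nodes in a browser and against the constructed stand-ins below.

// Render the field masked or in clear text. Returns true when clear text is
// now showing. Only the rendering changes; input.value and what the form
// submits are identical either way.
function setPasswordVisible(input, button, visible) {
  input.type = visible ? 'text' : 'password';
  button.textContent = visible ? 'Hide password' : 'Show password';
  button.setAttribute('aria-pressed', String(visible));
  return visible;
}

// Flip between the two states; returns the new visibility.
function togglePasswordVisibility(input, button) {
  return setPasswordVisible(input, button, input.type === 'password');
}

// Wire up the field, its toggle button and the form. showByDefault = true is
// Nielsen's recommendation; pass false to keep the conventional masked default.
// On submit the field is re-masked so clear text is not left on screen.
function attachPasswordToggle(input, button, form, showByDefault = true) {
  setPasswordVisible(input, button, showByDefault);
  button.addEventListener('click', () => togglePasswordVisibility(input, button));
  form.addEventListener('submit', () => setPasswordVisible(input, button, false));
  return { input, button, form };
}

// Constructed stand-in for a DOM element (not a real node) so the example can
// run in Node: tracks attributes and lets tests fire 'click' / 'submit'.
function fakeElement(props = {}) {
  const listeners = {};
  const el = {
    attrs: {},
    setAttribute(name, value) { el.attrs[name] = value; },
    getAttribute(name) { return el.attrs[name]; },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn()); },
  };
  return Object.assign(el, props);
}

// Walk through the states with constructed elements and a constructed value.
function demo() {
  const input = fakeElement({ type: 'password', value: 'correct horse battery staple' });
  const button = fakeElement({ textContent: '' });
  const form = fakeElement();
  attachPasswordToggle(input, button, form);
  const afterAttach = input.type;  // 'text': shown by default
  button.dispatch('click');
  const afterClick = input.type;   // 'password': user chose to mask
  button.dispatch('click');        // back to clear text
  form.dispatch('submit');
  const afterSubmit = input.type;  // 'password': re-masked on submit
  return {
    afterAttach,
    afterClick,
    afterSubmit,
    pressed: button.getAttribute('aria-pressed'),
    value: input.value,            // unchanged throughout
  };
}

console.log(demo());
```

In a browser the wiring is one call, e.g. `attachPasswordToggle(document.querySelector('#password'), document.querySelector('#password-toggle'), document.querySelector('form'))` (selectors assumed). The `aria-pressed` attribute keeps the toggle state announced to screen readers, which matters because the whole point of the change is feedback to the user.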
Via Jason Kottke, who responds, “Sing it, brother.”
Nielsen also gets a word in about “Reset” buttons on forms, another annoying anachronism.