Password Masking: Annoying, Unproductive, and Unsecure

Two of the oldest blogs have hit on one of my oldest Internet pet peeves: the idiotic masking of passwords on webforms, wherein one has to type often-long strings blindly, seeing only a string of asterisks.

Jakob Nielsen:

It’s time to show most passwords in clear text as users type them. Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

[…]

When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Via Jason Kottke, who responds, “Sing it, brother.”

Nielsen also gets a word in about “Reset” buttons on forms, another annoying anachronism.

James Joyner
James Joyner is Professor and Department Head of Security Studies at Marine Corps University's Command and Staff College. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. Boyd says:

    I’ve never understood why so few applications, both web and standalone, give the user the option to choose whether or not to make the password visible.

  2. William d'Inger says:

    Those are the words of someone too lazy to concern himself with security. In my opinion, even showing a mask is too much information if it indicates the number of characters in the password. Don’t buy that hokum about it being less secure than displaying the actual password.

  3. ptfe says:

    This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

    That’s quite the assertion he’s making. I’d be shocked if people are actually “discouraged” by password masking (and note that he doesn’t stoop to providing anything more than a conjecture on this point). Does he honestly think that a non-negligible number of people are so flabbergasted by technology that, when faced with the prospect that their login may not work the first time because of the possibility of mis-typing their password and never seeing the mistake, they just can’t bear to try to enter a site? If that’s all it takes for him to give up, I’d say it’s a personal problem that requires some serious professional help.

  4. LaurenceB says:

    I’ve never understood why so few applications, both web and standalone, give the user the option to choose whether or not to make the password visible.

    I agree. But it’s even easier than that.

    Since the masking is a function of the browser, all that is needed is an option in the browser’s preferences that a user could check or un-check to enable or disable masking on all password forms.

    Voila! Everyone’s happy!

  5. Michael says:

    Meanwhile, those of us using 21st century technology have password managers, usually built right into the browser.

    Those are the words of someone too lazy to concern himself with security.

    Exactly, this is the kind of person that inspired the creation of Vista’s “Cancel or Allow” dialog, because he couldn’t be bothered to read the warning about an attachment being a known virus that would destroy his computer before he pressed “Ok”. He’s also the kind of person that will disable that dialog and complain when a known virus destroys his computer.

    Since the masking is a function of the browser, all that is needed is an option in the browser’s preferences that a user could check or un-check to enable or disable masking on all password forms.

    Firefox + Web Developer Toolbar has this option for me. I wouldn’t be surprised if there were a more basic Firefox extension that did just this.

  6. Michael says:

    Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed.

    Maybe this is true for him, but certainly not for me. I often have people looking over my shoulder when I need to log into a site. I make sure they are not looking at my screen or keyboard when I type my password (which I can type without looking at either), and I always look away when someone else is typing theirs.

  7. Somebody says:

    Yeah, I’m sorry but I’m going to have to disagree with JJ here. There are tons of people using laptops in public places, and if this was the norm, you can bet that there would be a lot more people around snooping for passwords. It’s about 10x easier to read a password off the screen than to figure out the keys pressed. I also don’t really buy this crap about people’s confidence, but then again I’m a pretty good typist.

    In short, though, we need more Internet security, not less.

  8. Somebody says:

    Also, my opinion is that people pick easy passwords because they are easy to remember, not because they are easy to type. As the other posters said, it’s people who are lazy about security.

  9. hln says:

    “Somebody” and Michael are absolutely correct. If you’re using a computer in public and logging in somewhere that you’re using a password (most places), it needs to be masked.

    The risks are obviously ranged – logging into your bank or a SaaS app like SalesForce is different than leaving a comment on a blog.

    Still, you may use the same password on both, so it’s best to be safe.

    Users, it may be a pain in the rear, but those sites that offer masking are doing it right.

  10. Boyd says:

    Users, it may be a pain in the rear, but those sites that offer masking are doing it right.

    If they offered it, I’d agree. Unfortunately, they force it, in all situations.

    And as for using passwords in public places, if you’re logging into your online bank account while sitting at a Starbucks, you’ve got bigger things to worry about than masking your password. “Security for Dummies” comes to mind.

  11. JKB says:

    And who is going to be blamed/sued when the password is compromised? The irritation caused to a few security dangerous people is not enough to cause a site to take the liability risk. But as stated above, there is really no reason the “mask password” field definition on a form couldn’t be subverted by an add-on the user puts to his browser thus assuming the risk for himself.

    Of course, either way, at some point a lot of internet idiots will unmask their passwords, a big compromise will happen, and Congress will be moved to impose liability on the site operators to save the fools from themselves.

  12. Michael says:

    And as for using passwords in public places, if you’re logging into your online bank account while sitting at a Starbucks, you’ve got bigger things to worry about than masking your password.

    Like what? SSL prevents anybody snooping the wireless from seeing the password or any part of my online banking conversation.

  13. Matthew Stinson says:

    Amen! Great point about how masking encourages the same passwords. Also, password masking is even more annoying on mobile phones. Keying in a password is one thing, but punching it in with a mobile keypad … gah, it’s horrible, especially for strong passwords.

  14. Michael says:

    Great point about how masking encourages the same passwords.

    Show me some empirical evidence that this is even true. Heck, show me anecdotal evidence. Of all the reasons I can think of for using the same password, input masking is not one of them.

  15. kvc says:

    This is more of the protecting me from things that I do not see or hear when they go bump in the night. It is similar to the nutritional fact sheet on a bottled water. Wonder why water is $2.00 a pint. Personally I get new passwords every day because I have to reset them when I can’t remember the old one from day to day.

  16. Michael says:

    Personally I get new passwords every day because I have to reset them when I can’t remember the old one from day to day.

    Get a password manager then, you’ll only need to remember one password. Take it with you on a USB drive or mobile phone and you can use it anywhere.