
Password Masking: love it or leave it?

Password masking - the practice of replacing the characters a user types into a password entry field with bullets - has been widespread on the web for a long time. Jakob Nielsen recently wrote a thought-provoking post suggesting masking is hurting more than it helps, and that it's only being kept around out of habit. I'll try to make the case for and against masking here, and let Download Squad readers weigh in on the subject.

Down With Masking:

Masking ruins the user experience. When users can't see what they're typing, they're likely to make mistakes and second-guess themselves. Did I forget my password, or did I just make a typo? After enough login failures, they'll either stop using your site or call support. As a result, users try to get around the problems of masking by entering a simple, insecure password, or by copying and pasting their passwords in. Why are we continuing a practice that undermines user security and adds uncertainty to the user experience? Masking has got to go.

Masking Forever:

Masking doesn't make users feel insecure; it makes them feel more secure. It was instituted for a reason: to keep someone who might be reading over your shoulder from reading your password. Maybe this has become less of a concern over the years, but masking has picked up some new, equally important uses, too. What if you're screensharing with a coworker or recording a screencast that happens to include your site's login process? Users have come to expect masking. When they run into the rare site that doesn't use it, they get nervous that their password might be sent unencrypted. Part of good design is giving users what they expect, so keep giving them password masking.

So, readers, what do you think? Take the poll, and let me know in the comments if you've got better arguments for or against.
