Filed under: Design, Security, Web
Password Masking: love it or leave it?
Password masking - the practice of replacing the characters a user types into a password entry field with bullets - has been widespread on the web for a long time. Jakob Nielsen recently wrote a thought-provoking post suggesting that masking hurts more than it helps, and that it's only being kept around out of habit. I'll try to make the case for and against masking here, and let Download Squad readers weigh in on the subject.
Down With Masking:
Masking ruins the user experience. When users can't see what they're typing, they're likely to make mistakes and second-guess themselves. Did I forget my password, or did I just make a typo? After enough login failures, they'll either stop using your site or call support. As a result, users try to get around the problems of masking by entering a simple, insecure password, or by copying and pasting their passwords in. Why are we continuing a practice that undermines user security and adds uncertainty to the user experience? Masking has got to go.
Masking Forever:
Masking doesn't make users feel insecure; it makes them feel more secure. It was instituted for a reason: to keep someone reading over your shoulder from reading your password. Maybe that has become less of a concern over the years, but masking has picked up some new, equally important uses, too. What if you're screensharing with a coworker, or recording a screencast that happens to include your site's login process? Users have come to expect masking. When they run into the rare site that doesn't use it, they get nervous that their password might be sent unencrypted. (Masking is a display property only and says nothing about whether the form is submitted over SSL, but that is what users perceive.) Part of good design is giving users what they expect, so keep giving them password masking.
So, readers, what do you think? Take the poll, and let me know in the comments if you've got better arguments for or against.

Reader Comments (Page 1 of 2)
Seoman said 3:42PM on 6-27-2009
Love it? Of course I don't love it. But the alternative is worse.
Personally, I think that it might be nice to allow passwords to be unmasked (with a checkbox or something) in low risk situations, but I would never want it to be the default. And it'd be nice to have other authentication mechanisms more thoroughly explored too.
Reply
Alex Tayra said 3:45PM on 6-27-2009
uber-easy solution: http://i41.tinypic.com/50o239.png
Reply
Mysterius said 7:53PM on 6-27-2009
I second making the option to turn off masking standard.
thecompkid said 3:48PM on 6-27-2009
Once I was on a public computer with a ton of people around and I stumbled upon a form on some website that DIDN'T mask my password when I typed it in. Luckily, I only got a couple of characters into my password and I deleted everything pretty quickly, but it was quite a shock.
I've never seen password masking as inconvenient, I've never even met anyone who sees it as inconvenient. Seriously, how difficult is it to memorize how to type your password?
Reply
Ryan Adams said 4:00PM on 6-27-2009
Better idea: make it optional. Most sites already offer the option to "remember my user id", why not offer an option to "mask password"?
Some situations (like public libraries, crowded offices, etc.) warrant password masking, others (single person at home) have no need for it.
Even better idea: Make password inputs show only the last typed character. Many cell phones, pdas, and other devices already include this functionality. The letter you type is visible until x seconds go by, or you type another letter. JavaScript would make this a piece of cake.
Reply
mooglinux said 4:13PM on 6-27-2009
There is no argument for calling it an inconvenience. Masking should be done away with, as should any sort of visual indication of your password.
Unix and Linux do it right: type it in, no mask, no characters, nothing. Then no one can even tell how many characters are in the password.
Learn to type your own frakking password!
Reply
Jash Sayani said 4:25PM on 6-27-2009
Taking out Masking is the lamest thing I have ever heard. If you make a god damn typo, then re-type the bloody password or stop using computers. What if you are seated near a friend/co-worker and want to log in? And there are millions of people who would look over shoulders to see the password. And I know hundreds of people who would stop using the site if they don't use masking.
So, to cut it short, spend time in something productive rather than coming up with the LAMEST ideas....
Reply
Malteserr said 4:41PM on 6-27-2009
WTF? Is this even up for debate? I'm sorry, but I'm one of those people who like to visit their hotmail/gmail account at public libraries, at friends' houses etc and masking is definitely good. I wouldn't want someone else to be able to even guess my password, let alone see it.
Reply
Ben! said 4:42PM on 6-27-2009
Anybody who selected the "I wouldn't notice one way or the other" is clearly lying.
Reply
go4bust said 5:00PM on 6-27-2009
When I connect remotely to assist people on their computers they are REALLY happy about the masking :-)
Reply
quanta said 5:04PM on 6-27-2009
I would vote "Love it", although I must admit the option can be useful in select circumstances. For example, I was pretty happy that Windows Vista's Wi-Fi dialog gave the option to unmask your encryption passphrase. This password tends to be lengthy, obtuse and so infrequently entered it's just a better user experience to see what you are typing.
What we really need is some standards on what passwords are acceptable, i.e. some systems have a minimum character limit, some have a maximum, some allow special characters, some make them mandatory, etc. This will better facilitate and encourage password retention and compliance.
Reply
Jim said 5:19PM on 6-27-2009
Umm wow. I won't even go into all the things wrong with this article. At the top of my list though is a terrible misconception that must be addressed. Just because the display of your password is masked to your eyes and any eyes looking over your shoulder does NOT mean that it is being encrypted during sending or in memory.
In the case of web applications it is even more common that your password isn't being sent encrypted. Unless great steps are taken, you can pretty much assume that your password will be sent over the wire unencrypted. The only exception to this is secured web pages (SSL) in which all traffic is encrypted unless told otherwise. I've seen more than a few web applications that store your password in their database unencrypted too. You never know how well designed a web site is. This is why I try not to use the same password for any two sites. There are plenty of good external tools for tracking such passwords to assist you with managing them. My personal favorite is Keepass for example.
Reply
Jay Hathaway said 7:24PM on 6-27-2009
I never said that masking meant it was being sent encrypted, just that when it's unmasked, users see that something is out of the ordinary and wonder whether it's being sent in plaintext.
Jim said 9:29PM on 6-27-2009
My apologies. You're correct that you didn't exclusively say they are sent unencrypted when unmasked.
There is an implied statement though in that you specifically mention in the "pro" side of your argument that when people don't see the masked passwords they assume that their password is sent unencrypted. My intent was to add clarity to this. The masked presentation of your password, or lack thereof, has no bearing on whether your password is being transmitted securely.
The masked password creates a false sense of security. Mentioning that it creates a sense of security (by means of pointing out that without it, it makes you feel insecure) should really be followed up with the further explanation of how this is untrue.
Again, my apologies for not being more clear on this matter.
Erik said 5:30PM on 6-27-2009
Or just use lastpass (www.lastpass.com) and mistyped passwords will be a thing of the past.
-E
Reply
Sexy Music said 6:34PM on 6-27-2009
Well, I like the fact that there possibly could be an option of unmasking, although I would not like it to appear all of the time. For example, if I am in a public place, or around other people, I would not want my password to be visible to them.
sexy music - http://www.sexualsong.com
Reply
lman said 6:34PM on 6-27-2009
I have an idea:
Why don't they put a checkbox to unmask the field for those who are alone in front of a computer?
I voted "I love it" btw, I work in IT and sometimes I have to use my username and password in front of other employees and I don't want them knowing it.
Reply
chris joseph said 6:50PM on 6-27-2009
Jakob Nielsen raised some interesting, and even a few truly valid points when trying to sell his seminal tome on usability in web design nearly a decade ago, but I honestly don't believe this is worth the attention anyone is giving it.
This is what password reminder or reset links are for. The masking is a security feature. Do you want bank ATMs to put your PIN on the screen as you type it in? I didn't think so.
Reply
der_tuxman said 8:59PM on 6-27-2009
Masking sucks. I got a Greasemonkey script disabling it.
Reply
FUCKtheFCC said 9:10PM on 6-27-2009
If you don't have someone looking over your shoulder then there is a Firefox extension called Unhide Passwords. The best compromise is on the N810 - it shows each character as you type for half a second and then masks it.
Reply
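Several commenters above sketch the same two designs: an "unmask" checkbox (Seoman, Ryan Adams, lman) and a field that shows only the most recently typed character and then masks it after a moment (Ryan Adams, and the N810 behaviour described in the last comment). The block below is an editor-added JavaScript example of both, not code from the post or from any commenter. The 500 ms reveal window, the element ids `pw-visible`, `pw-hidden` and `pw-show`, and the `beforeinput`-based wiring are assumptions; the controller logic is pure and runs under Node without a browser.

```javascript
// Editor-added example, not from the original post or its commenters.
// Masking policies from the comments as a testable controller:
//   - fully masked (the default)
//   - an "unmask" checkbox that reveals the whole password
//   - reveal only the most recent character, then mask it after revealMs
// The real password lives only in JS state and in a hidden input that is
// submitted; the visible text field never holds anything but the display string.

const BULLET = '\u2022';

class MaskController {
  // revealMs (assumed 500 ms, as described for the N810) and an injectable clock for tests
  constructor({ revealMs = 500, now = () => Date.now() } = {}) {
    this.revealMs = revealMs;
    this.now = now;
    this.secret = '';
    this.unmasked = false;
    this.lastKeyAt = -Infinity;   // no character has been typed yet
  }

  // Append typed (or pasted) text; appending is the only edit we allow
  type(text) {
    if (!text) return;
    this.secret += text;
    this.lastKeyAt = this.now();
  }

  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.lastKeyAt = -Infinity;   // nothing new to reveal after a deletion
  }

  setUnmasked(on) { this.unmasked = Boolean(on); }

  // What the user sees right now
  display() {
    if (this.unmasked) return this.secret;
    const n = this.secret.length;
    if (n === 0) return '';
    const recent = this.now() - this.lastKeyAt < this.revealMs;
    return recent ? BULLET.repeat(n - 1) + this.secret[n - 1] : BULLET.repeat(n);
  }

  // What the form submits; the display string never goes to the server
  value() { return this.secret; }
}

// Wire a controller to: a visible <input type="text"> with no name attribute,
// a hidden <input type="hidden" name="password"> that is actually submitted,
// and a "show password" checkbox. Element ids below are assumptions.
function attach(ctrl, visible, hidden, checkbox) {
  const render = () => {
    visible.value = ctrl.display();
    hidden.value = ctrl.value();
  };
  visible.setAttribute('autocomplete', 'off');
  visible.setAttribute('spellcheck', 'false');
  visible.addEventListener('beforeinput', (e) => {
    e.preventDefault();                      // we own the field's contents
    if (e.inputType === 'deleteContentBackward') {
      ctrl.backspace();
    } else if (e.inputType.startsWith('insert')) {
      const text = e.data ?? (e.dataTransfer ? e.dataTransfer.getData('text') : '');
      ctrl.type(text);
    }
    render();
    setTimeout(render, ctrl.revealMs + 10);  // re-mask once the reveal window ends
  });
  checkbox.addEventListener('change', () => {
    ctrl.setUnmasked(checkbox.checked);
    render();
  });
  render();
}

if (typeof document !== 'undefined') {
  const visible = document.getElementById('pw-visible');
  const hidden = document.getElementById('pw-hidden');
  const checkbox = document.getElementById('pw-show');
  if (visible && hidden && checkbox) attach(new MaskController(), visible, hidden, checkbox);
}
```

Two design points worth noting. The visible field deliberately has no `name`, so the bullet string can never be submitted by accident, and the checkbox toggles only what is rendered, not where the secret lives. The trade-off is that a password manager keyed on `type="password"` will not recognise the visible field, so sites that want both this behaviour and LastPass/KeePass autofill have to choose. And, as Jim's comment says, none of this has any bearing on whether the password crosses the wire encrypted; only serving the form and its submission over SSL does that.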