Password masking unnecessary, counterproductive?


Web usability campaigner Jakob Nielsen says it's time to let users see their passwords as they type them.

10 Responses to “Password masking unnecessary, counterproductive?”

  1. Evelyn Ledesma says:

    I have found myself in password hell from time to time and unmasking would be helpful to me. I am usually alone when I type in passwords and the option to unmask makes lots of sense in my case.

  2. Mike Scher says:

    “The only thing wrong with password authentication is that it uses passwords.”

    Issues with password usability versus security are as old as passwords. Watching large organization after large organization try to take on the balancing act finally convinced me that passwords were good only for items of the lowest security interest. In 2004, I finally wrote an article on the subject. Thank you for ultimately asking the big question: Are passwords really a good answer to the tougher security questions?

    The 2004 article:

    http://www.usenix.org/publications/login/2004-12/pdfs/ohno.pdf

  3. PJT says:

    Getting rid of password masking is a horrible idea. I’m surprised you aired such nonsense on future tense. It’s like hosting an advocate for reintroducing cars without the inconvenience of seatbelts. Insane. Why not invite someone from the local identity thieves’ guild to go on air suggesting that we stop encrypting transmitted passwords while we’re at it? Wouldn’t that be more convenient for handheld users also? Too bad they can easily be read in transit, as easily as they can and would be read “over the shoulders” if your guest’s recommendation were followed.

  4. blank says:

    99.9% of passwords are bs. Just some way for a company/webpage to make a list of email addresses. There are so many webpages that I do not 1) read articles on, 2) contribute opinions to, or 3) download freeware from

    because they want you to create yet another username and password.

    I used some imaginary email address to post this, hope it works, sorry joeblow at yahoo dot com

  5. Don says:

    I understand the issue that Mr. Nielsen is attempting to solve. However, it is the wrong solution. As a UI expert, Mr. Nielsen should know that people follow a normal pattern of behavior. That is the reason that most confirmation messages fail to prevent the action that they are attempting to force the user to pause and think about. If the field is plain-text by default, it is unlikely that the user would toggle the masked attribute. Conversely, if the field is masked, the user will typically toggle it to plain-text as his/her normal behavior when in the office or home.

    Until there is a ubiquitous two-factor authentication (something you have and something you know) solution (e.g. Yubico’s YubiKey and OpenID), the masked password fields are the best solution for protecting user authentication information.

  6. Chris says:

    I would even go farther than Don for better security: I think good access security is something you have (i.e., RSA dongle with a changing key), something you know (password), and something you are (i.e., biometrics). But that wasn’t Jon’s original question.

    I think that password unmasking should be allowed, but it should be a browser option (default: masked) and an HTML or web server option (on the server side).

    If one wants to turn off masking in the browser, that’s fine, but make a big stink about it while still allowing the user to do it.

    On the server side, one could allow site or page administrators to force the password to be masked, overriding the browser settings, either in a Web server setting or in the HTML code to set up the form. Or, barring that, the admins could also tell people that to access their secure site, they need to have password masking on (such as what’s done with turning off or on JavaScript). Some groups, such as banks or government sites, might force masking to be on for their own safety. While damages from sniped passwords might be isolated to one user’s account, the trouble a bank might have to go through to make things right would cost much more in time and energy and hassle than allowing a user to see his or her password.
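The policy Chris sketches (masked by default, a user-controlled toggle, and a server-side attribute that forces masking regardless of browser preference) as an added example, not code from the thread; the `data-force-mask` attribute and the `#show-password` control are assumed names:

```javascript
// Added example: a password field that starts masked, lets the user toggle it
// to plain text, and honours a server-set data-force-mask="true" attribute
// that the form author can use to forbid unmasking (the override described above).

const MaskPolicy = {
  // Returns true when the field may be displayed as plain text.
  canUnmask(field, browserAllowsUnmask = true) {
    // Server-side override: the HTML author marks the input with data-force-mask="true".
    if (field.dataset && field.dataset.forceMask === "true") return false;
    // Browser-level preference (assumed default: masking on, toggling allowed).
    return browserAllowsUnmask;
  },
};

// Wire a "show password" checkbox to a password input.
// `field` and `toggle` may be real DOM elements or plain objects exposing the
// same properties, so the policy can be exercised without a browser.
function attachMaskToggle(field, toggle, browserAllowsUnmask = true) {
  field.type = "password"; // always start masked
  const allowed = MaskPolicy.canUnmask(field, browserAllowsUnmask);
  toggle.checked = false;
  toggle.disabled = !allowed; // grey out the control when the server forces masking
  const onChange = () => {
    field.type = toggle.checked && allowed ? "text" : "password";
  };
  if (typeof toggle.addEventListener === "function") {
    toggle.addEventListener("change", onChange);
  }
  return onChange; // returned so non-DOM callers can drive the toggle directly
}

// In a browser, attach to the page's password field if the assumed markup exists.
if (typeof document !== "undefined") {
  const pw = document.querySelector('input[type="password"]');
  const show = document.querySelector("#show-password");
  if (pw && show) attachMaskToggle(pw, show);
}
```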

  7. deb says:

    Masking of passwords is an ISF requirement – it is a security framework requirement for software developers. While I respect Jakob, it is ridiculous to condone violating ISF requirements.

  8. Privacy Advocate says:

    If someone can see your screen (or if you are presenting with a projector) then you don’t want your password to a site to be seen. Let’s be honest, most of our passwords are the same or pretty close, and you give a room full of people access to your password.

    Remembering to change the settings back so they are masked is another thing I don’t want to have to remember.

    Also, companies and education sites not forcing so many password changes are more of a hazard to security as people will want to write them down just to keep things straight…

    P.S. The email I entered is also fake.

  9. lori Ogbuji says:

    Anyone who has children who share their computers knows that masked passwords are still a necessary thing. My children don’t need to know my iTunes password, the passcode to watch adult content on the cable box, or the password to simply log on to my account on my computer. I have a nephew who could watch your fingers glide over the keys and figure out the code, even if it was masked. Admittedly, it would be nice to turn them off in certain situations.

  10. I am not (that I know of) related to Mr. Jakob Nielsen, and while I sometimes think he is extreme in some of his views, I have to slap my head and say, “Duh!” on the issue of letting people “unmask” their password input if they choose. And it should be a choice, with the default set to it being masked.

    But I have been frustrated on several occasions where I lose where I am and have to erase and start over, or have the caps lock on, or some other glitch causes me problems that could be avoided or solved easily if I could see what I (or the computer) was doing.

    A far greater risk to security is low-quality passwords, or people using the same username and password on every site they visit. I have tested this idea on a site where we have users create accounts and I can assure you that most people ARE doing this. Lucky for them we are ethical.