
Stop Password Masking - dcminter
http://www.useit.com/alertbox/passwords.html
======
wyday
Usually this guy's observations are spot on, but this is just wrong. For
instance, every time I give a presentation I usually have to login to a secure
site. I'm almost always plugged into an overhead projector while I'm logging
in.

So, not only is this guy suggesting websites change their technology, he's
also suggesting users modify their behavior to be more secure.

Not going to happen.

~~~
Deestan
> For instance, every time I give a presentation I usually have to login to a
> secure site.

To be fair, he _did_ suggest that password masking was toggled by a checkbox
that was ON by default.

~~~
dinkumthinkum
It's just too easy to screw that up and despite the argument proffered there
is no real benefit. If typing on mobile devices is hard, it doesn't seem that
what we need to do is post our credit card numbers online.

~~~
teej
I used to work as phone support for a webapp targeted at Real Estate Agents.
60% of our web + phone support requests were related to passwords. A third of
those requests were errors due to misspellings.

An option to reveal the text of the password field would have a drastic effect
on these support requests. It would lower calls and call times on these
issues. Even if this 15-minute change only saved 30 minutes of support time a
-year- this would be a net win.

You might not screw up passwords, but plenty of people do. I'm not suggesting
to have it permanently visible, just the option to make it visible. This
enables people with password issues to debug their own issues before resorting
to a password reset or contacting support.

------
Deestan
At least when _setting_ or _changing_ passwords, I would like an option to
display them in clear text.

Slightly on-topic: I find it silly for a shopping website to display your
complete credit card information in plain letters on screen, while masking
your login password. The credit card info can be misused to empty your bank
account, while the login password can be misused to ... what? Send obscene
support requests and muck about with your digital shopping cart?

~~~
apgwoz
> Send obscene support requests and muck about with your digital shopping
> cart?

That, and if your credit card is stored on their servers, which your statement
implies, it'd be easy for me to buy stuff on behalf of you. Right now, I'm
buying you a new 72 inch Plasma screen which you can't afford. Have fun
returning it!

Of course, I could send that plasma to myself, but it'd be stupid of me to do
so, since I'd be giving away my whereabouts.

~~~
Deestan
> if your credit card is stored on their servers, which your statement implies

No, I did not intend to imply that.

The places where I do most of my shopping, I have to (or prefer to, in the case
of Amazon) enter credit card information on a per-purchase basis.

~~~
apgwoz
I considered for a moment the possibility that you were referring to entering
your credit card numbers without masking, and probably should have deduced
that given the context.

------
shabda
This is very unconventional advice. But this is Jakob Nielsen talking on
usability. What he says is generally backed by very extensive testing and way
more usability experience than any of us on news.YC have.

You might not agree to unmask all passwords, but why not this:

> It's therefore worth offering them a checkbox to have their passwords
> masked; for high-risk applications, such as bank accounts, you might even
> check this box by default.

This is spot on as well.

> Password masking has proven to be a particularly nasty usability problem in
> our testing of mobile devices, where typing is difficult and typos are
> common

And on a mobile device, people snooping would be uncommon as well, so why mask
passwords on mobile sites?

So please think hard on this, before you dismiss this as stupid or untenable.

~~~
oddgodd
>So please think hard on this, before you dismiss this as stupid or untenable.

I have. This is stupid and untenable.

Problem one: Right now if I encountered a login form that didn't mask the
password I would probably attribute this to incompetence, not usability. I
don't think I'm the only one.

Problem two: Right now all login forms work the same. The top field is the
username and under that is the password field. This would break that
consistency by adding the "show (or hide) password" behavior. In his
description he even suggests that some sites default to a different behavior
based on some notion of degree of security. Now logging in with someone
looking on becomes quite a bit more nerve-wracking because you need to figure
out if the password field will disclose your password. This is less usable.

Now, where I think this may be useful is if it is added as part of the
"invalid password" behavior. Offer to give the user help only if they need it.
Provide them a button to show the password they entered, and allow them to try
again underneath it to fix any typos or verify that they correctly entered the
password they were thinking of. This helps the user without changing the way
the login form operates in the default case where a correct password is
entered (a password that's probably in the user's muscle memory because they
use it for everything). I know I've actually seen this done somewhere,
although I can't remember where.

Mobile is a bit different. I’m completely behind the times in using a mobile
device to access the web, but I know that my terribly slow phone running its
gimped browser (netfront, I think?) on its tiny screen quite a few years ago
provided the option to display masked fields in the editor window it would
switch to whenever filling out an input field. This seems like a better
solution to this problem to me (and was almost a necessity on that device
since it didn’t have a proper keyboard).

~~~
jonb
I'm 100% in agreement with you here.

Mac OS X's Keychain Access has "show this password", and iPhone does masking
but still shows you the last character you just typed for about a second.

I think these are both good compromises.

------
dejan
My God, do you even know who "this guy" is? Stop and give it a thought a bit.

He is right about the point, straight on. I've been thinking about
implementing it on our web app at aleveo.com like that. Let me elaborate.

We all know that having a simple and usable register/login form increases
signups. Leaving that aside, I've been kicking everything out of our forms
until only the really necessary remains. Among those things is the repeat
password/email field, username (enough with those) etc. However, what if caps
is on, or the keyboard layout is other and so on: the person will signup for
your service, but next time he wants to login, if he is having issues with the
form, you're done. He'll blame you, as he thinks he knows what he types as a
password.

It is essentially wrong not to see what you are typing. If you noticed,
Mr.Nielsen didn't go into implementation. He said that the concept is legacy.
A good implementation would be having a checkbox next to the password field
"[] show text" or similar, default unchecked.

An older person would definitely appreciate that, but it is not only for
them, as it happens to me too (24 year old) to make mistakes until I figure out
what I am really typing in (first keystroke swallowed, typing mistake, caps,
wrong layout, etc).

~~~
ErrantX
He might well be an expert in UI but certainly is no expert in security - so I
think he is broaching fields he is not qualified in :)

Regardless just because he is a well respected individual does not make all
his ideas "the right way".

I think people are misreading what he said and making knee-jerk reactions.
But, for example...:

> password masking doesn't even protect fully against snoopers.

Seems an irrelevant point - he doesn't weigh the security tradeoff against the
supposedly improved usability. I would argue that password masking is the #1
deterrent for _casual_ password stealers. Plus reading fast typed keys is a
skill needing to be acquired. A determined thief will always find a way to get
your password. The masking is to deter the casual criminals (or just your
co-workers etc!!)

> It's just you, sitting all alone in your office, suffering reduced usability
> to protect against a non-issue

For a UI designer/engineer I think this shows a whole lot of ignorance about
how people use computers... does he really imagine most people use their
computer this way? really?

One important point he misses is that password boxes leap out at you BY being
masked. This is an important UI concept because the user knows they are
logging into something "secure". It is also the expected behaviour (for better
or for worse); not _just_ a convention but an ingrained expectation! UI
designers hardly ever break expectations like that in my experience ;)

In terms of not seeing what you're typing: he should know a vast majority of
people watch their fingers as they type. Knowing you made a mistake is a
fairly natural process (yes, we have tested this).

He DOES have a very very good point about mobiles - this is a perfect example
of where masking shouldn't be employed. And I suspect this is the main point he
is making. But extending it to every format? No, that IS silly.

:)

------
fb
This guy must have been joking. The fact that HE always types his passwords
alone in his office does not mean that any sane person would like a
possibility that anyone ever has a chance to see his password. Apparently,
some people are not always alone...

~~~
Edinburger
Yes, good luck to anyone in (a) an open-plan office or (b) an office with
security cameras.

~~~
mooism2
Are the security cameras trained on the screen or the keyboard?

~~~
eli
Would you know?

~~~
tezza
And would you know if they just recorded the keys your fingers pressed?

I think Jakob is really onto something here.

~~~
pygy
They could record the sound of the keypresses too. They may be impossible to
discriminate subjectively, but they all have a distinct signature...

~~~
mgj
Yep, see: <http://www.cs.berkeley.edu/~zf/papers/keyboard-ccs05.pdf>

------
cubix
He is sure right about the reset button though. I can't be the only one who
has entered a dozen or more fields only to lose it all with an inadvertent
reset rather than submit.

Also, how about the iPhone compromise? It displays the last character you
typed for only an instant.

~~~
Hexstream
"I can't be the only one who has entered a dozen or more fields only to lose
it all with an inadvertent reset rather than submit."

The solution is obvious to me. If javascript is enabled, allow the user to
undo a reset.

If javascript is disabled, don't show a reset button or make it harder to
click accidentally somehow (make it smaller or a link or more out of the way).

------
mark-t
I'm not willing to concede his point yet, but even if he's right, this should
be implemented by the browser, not the website. And if you consider taking his
advice, I suggest masking the password as soon as the input field loses focus.

------
chaosmachine
Combine this with the "remember password" feature of most browsers, and you
have a real problem.

~~~
slig
Browsers have to store the cleartext password and you can see them all here:

Firefox > Preferences > Security > "Saved Passwords" -> "Show Password"

~~~
chaosmachine
Of course, but it's highly unlikely you'd accidentally expose that page to
someone. I was thinking more along the lines of letting your friend use your
computer to check gmail, and whoops, there's your password already in the box.

~~~
mcaloney
Of course, but if I let my friend use my computer to check gmail, he or she
could go to Firefox -> Preferences -> Security -> Saved Passwords and see all
of my passwords anyway. By letting somebody use my computer, I'm implicitly
trusting them to not misuse anything they might find.

~~~
chaosmachine
The problem is it's no longer avoidable. A friend is unlikely to want to snoop
on your saved password list, but can not avoid it when your password is
already in the box, and they have to delete it to type their own in.

Anyway, the simple fix is to not show saved passwords in plain text.

------
blhack
One of the most annoying offenders of this is the windows wireless
configuration utility.

It refuses to let you see the WEP key that you are typing, but insists that
you type it twice.

If it were something like "what is your favorite flavor of popsicles" and not
"type this random 58 character string of hex", then that might be acceptable,
but it isn't. Really, who is going to be standing over your shoulder and
memorize that?

/drives me insane

//iwconfig ath0 essid "blueberry struedel" key $foo ftw

~~~
jodrellblank
"Windows"? "WEP"?

 _Current_ Windows (Vista) allows you to tick a box and see the WPA key as you
type it (once) (it's masked by default).

------
lucastx
I think it would be good if browsers came with an option to mask or don't mask
passwords. But I don't know if it would work, since the users who would find
and change that option would be the heavy users, that have almost no trouble
with passwords.

If only that option could be easily shown and asked for by simple users: a
little icon within password boxes showing if it's masked or not, and a hotkey
/ click on the icon to toggle it on/off.

~~~
dinkumthinkum
Even if you could make it easy to find such an option, you'd just be giving
the users the loaded gun to shoot themselves with.

~~~
fcr
Well that's actually their responsibility...

However they would appreciate the feature if they can't manage to make their
password work (e.g. caps lock, different keyboard layout, etc.)

~~~
jsonscripter
I was once typing in my password on a box I forgot I had converted to Dvorak.
I was almost panicking because I was _so sure_ I was entering the password
correctly.

------
dinkumthinkum
This is totally ridiculous. So whenever my colleagues or students are working
with me on something and I have login to my email or whatever system I need to
get to, it's not bad enough that I have to feel uncomfortable that they can
see my keyboard while I type my password but they can just look at it on the
screen. I guess this is what happens when you actually let "usability experts"
design your systems.

As for this "checkbox," how many users will unwittingly have their online
identity stolen because regular users aren't thinking about whether they need
to select some checkbox before they type in their password. Also, that seems
more annoying than more usable.

As someone else mentioned, this makes "remember password" totally unworkable;
though personally I don't like that feature either.

There is a difficulty in mobile devices but that is because typing on such
devices is not really great in terms of usability.

The other thing is that I don't think there is much evidence that this is
really a problem. The only "barrier" problem that people have observed is
having to create an account in the first place, but that is a separate issue.

~~~
mooism2
Yes, hidden by default would be better, even when the password is only
protecting photos of my cat.

------
abrahamvegh
Somewhat valid points... but for the most part not.

And although I'll probably be shot down for this:

The iPhone OS's method of displaying the last masked character briefly before
masking it is probably the best way to handle masking.

------
matthardcastle
I look forward to the day when an option other than passwords becomes viable.
Have you ever looked at a typical user's password? Run john the ripper over
your users' password field and prepare to be frightened. If you don't store
them hashed just take a look at them.

The fact is we need a better option both for security and usability.

------
DanielStraight
Bad argument #1: Masking doesn't help since someone can just watch the
keyboard or use some extremely complicated and expensive analysis to determine
what you are typing.

Response: This is like saying locking your door doesn't help because someone
can just get a bulldozer and push it in. Sure, it's true, but you aren't
locking your door to make your home impenetrable. You're locking your door
to prevent casual unauthorized entry. You don't want someone to just wander in
while you're away and take things without having to do any work at all. And
you don't want someone to just barge in without knocking (well you might, but
it's a case for locking your door). Similarly, you aren't masking passwords to
make it impossible for anyone to ever know your password. You're masking
passwords so you can log in to your email in front of your friends without
them getting tempted to use the information they gleaned.

Also, I can type faster than most people are probably able to read a keyboard
(and my passwords are not words which makes them even harder to figure out),
but there is likely no one on earth who can type faster than people can read.

\---

Bad argument #2: It's ok to unmask some passwords because the information
isn't critical.

Response: Take the example of looking at pictures of your cat. Where are these
pictures? Let's suppose they're on Flickr. Actually, it doesn't matter much.
Now, does Flickr (or this other website) just allow you to view pictures? No,
it also allows you to post pictures (I wouldn't want someone posting their
porn pics under my account), chat with friends (DEFINITELY don't want to be
impersonated there), and even CHANGE YOUR PASSWORD thereby stealing your
account. If you're just talking about password protecting a directory on your
computer with cat pictures, sure show the password... but anything this
trivial wouldn't be password protected anyway. Simply put, if it's important
enough to have a password, it's important enough to have that password masked.
Otherwise, why have it at all?

\---

Excellent point: Since users DO use the same password for multiple things, you
don't even know or control what credentials you are giving away. You may very
well give away someone's bank PIN.

------
gutch
My concern is that not using a standard HTML password field will break the
'remember password' functionality built into browsers.

When you log in to a site, all the major browsers automatically ask you if you
want to save your password. But if you display the password in plain text then
the browser doesn't detect it as a password... and it doesn't offer to save it
for you.

So what is that likely to result in?

• Users getting annoyed at your site, and thus lost business
• Users writing down their password somewhere else, resulting in a loss of
security

These outcomes are exactly the opposite of what Jakob Nielsen is trying to
achieve!

------
dugmartin
Just put a "show password" checkbox next to it and use javascript to change
the input field type from password to text.

~~~
benhoyt
Yeah, that'd probably be a one-liner JavaScript. Something like:

    <input type="password" id="pwd">
    <input type="checkbox" onclick="document.getElementById('pwd').type='text';"> Show password

But you'd want a bit more to toggle it. Still, maybe a slightly better way --
and a way to address the security issue at the same time -- would be to show
the password when you hover over the field with your mouse. Is there a way to
do this easily with JS?

~~~
dugmartin
You can do it in jQuery very easily. Give your password field the id of
"hover-password" and add the following jQuery snippet:

    $(function() {
      // Reveal while the mouse is over the field, re-mask when it leaves.
      $("#hover-password").hover(
        function() {
          this.type = "text";
        },
        function() {
          this.type = "password";
        }
      );
    });
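The snippets above work because changing an input's `type` only changes how the browser renders the value, not what the form submits, and because the field starts life as `type="password"`, so the browser still treats it as a password field for its "remember password" feature (gutch's concern). Combining that with mark-t's suggestion to re-mask as soon as the field loses focus, here is an added example, not code from this thread or from Nielsen's article: a plain-JavaScript control that keeps masking as the default, re-masks on blur and on form submit, and can optionally re-mask after a timeout. The element ids `pwd`, `show-pwd` and `login`, the function name `attachPasswordReveal`, and the `makeFakeElement` stand-in used to run it outside a browser are all assumptions of this example.

```javascript
// Added example: a show/hide password control with safe defaults.
// Element-like objects are assumed to expose `type`, `value`, `checked`
// and `addEventListener`, as real DOM elements do.

function attachPasswordReveal(field, checkbox, form, opts) {
  const options = Object.assign({ revealTimeoutMs: 0 }, opts || {});
  let timer = null;

  function setMasked(masked) {
    // Toggling `type` changes only how the value is rendered on screen; the
    // submitted value and the browser's saved-password association are
    // untouched, so a toggle does not break "remember password".
    field.type = masked ? "password" : "text";
    checkbox.checked = !masked;
    if (masked && timer !== null) {
      clearTimeout(timer);
      timer = null;
    }
  }

  // Default state is masked, whatever the markup or a stale checkbox says.
  setMasked(true);

  // Reveal only on an explicit request, and only for a bounded time if a
  // timeout was configured.
  checkbox.addEventListener("change", function () {
    setMasked(!checkbox.checked);
    if (checkbox.checked && options.revealTimeoutMs > 0) {
      timer = setTimeout(function () { setMasked(true); }, options.revealTimeoutMs);
    }
  });

  // Re-mask as soon as attention leaves the field (mark-t's suggestion), so a
  // revealed password is not left on screen while the user walks away.
  field.addEventListener("blur", function () { setMasked(true); });

  // Re-mask before the form is sent, so the value is not visible while the
  // next page loads.
  if (form) {
    form.addEventListener("submit", function () { setMasked(true); });
  }

  return {
    setMasked: setMasked,
    isMasked: function () { return field.type === "password"; },
  };
}

// Minimal stand-in for a DOM element, constructed for this example so the
// control can be exercised outside a browser.
function makeFakeElement(initial) {
  const listeners = {};
  return Object.assign({
    addEventListener: function (name, fn) {
      (listeners[name] = listeners[name] || []).push(fn);
    },
    // Fire every handler registered for `name` (no event object needed here).
    dispatch: function (name) {
      (listeners[name] || []).forEach(function (fn) { fn(); });
    },
  }, initial);
}

// Browser wiring, assuming this hypothetical markup is on the page:
//   <form id="login">
//     <input type="password" id="pwd">
//     <label><input type="checkbox" id="show-pwd"> Show password</label>
//   </form>
if (typeof document !== "undefined") {
  attachPasswordReveal(
    document.getElementById("pwd"),
    document.getElementById("show-pwd"),
    document.getElementById("login"),
    { revealTimeoutMs: 10000 }
  );
}
```

In a browser the wiring block at the bottom is all that is needed; the checkbox can start checked or unchecked in the HTML because the control forces the masked state on attach. Unlike the hover version, nothing is revealed by accident: the user has to act, and the reveal is undone by blur, submit, or the timeout.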

------
subbu
This will solve another issue related to passwords. Password confirmation.
Displaying password in clear text removes the need for password confirmation
field. This could be a worthwhile experiment.

~~~
ErrantX
That doesn't seem a sensible move to me. Clear text pass boxes with NO password
confirmation removes the error checking from the machine to the user. We all
know users are extremely error prone and bug ridden.

Why take the risk? :)

------
falldowngoboom
Summary: We have no data about this problem, nor our proposed solution.

"In most cases, however, users will appreciate getting clear-text feedback as
they enter passwords."

If Nielsen had a mockup or something that we could all clearly see was a huge
improvement, then sure, let's do it. A UI change this drastic should have an
order of magnitude gain to it. Otherwise, move on to bigger fish.

------
callahad
Sadly, my employer is going the opposite direction and planning to implement
"strong user names" and mask both fields. This is in response to users with
access to sensitive information leaving passwords written down near their
workstations.

Clearly the answer is another password.

------
Tichy
Isn't there also a thing that password form fields can't be read by
Javascript?

~~~
reconbot
Nope, they can be - it's how things like SuperGenPass work. (Highly
recommended btw)

------
khandekars
Disagree. Even bullets shouldn't be displayed while the user types the
password. Why should a security camera in an office know that the user's
password length is ten, twelve or twenty nine characters?

~~~
mooism2
If you have a well chosen password and it is that long, knowing how long your
password is won't be enough for the office snoop to crack the password. I'd be
more worried about the camera watching which keys I'm pressing.

On the other hand, if I start typing my password too soon after the login box
appears on my laptop, it eats the first character. I would never have worked
out why I was finding it so hard to login if the password box did not display
bullets. (See also dodgy keyboards.)

~~~
khandekars
Dodgy keyboard is a good point; makes for a compelling case in favour of
bullets.

------
mgrouchy
Unfortunately usability doesn't necessarily coincide with security. If you
have to choose between the two, security always wins.

~~~
fcr
I have to disagree. Who wins between usability and security depends on the
application you're using/building.

Rarely is there one good solution to fit all problems.

~~~
mgrouchy
While this is true, in the general case, if your application is required to be
secure, it's not a choice.

Don't get me wrong, usability is very important, but if your application has
to be secure (and not having someone look at your password over your shoulder
is a requirement), then how can you choose usability over security?

~~~
fcr
_not having someone look at your password over your shoulder is a requirement_

What I say is that sometimes this is not a requirement even if the website
offers a login feature.

I guess that for my online mail client I would prefer to have a masked
password field.

Now for my account at an online rss reader I actually don't care that much
because there is nothing to protect (at least in my opinion) and no value for
someone to steal and remember my password. Maybe however I still want to be
protected against someone on the web who happens to have the same name as I do
and wants to steal my account... However the probability for this guy to be
over my shoulder is quite low.

Maybe this is all a question of personal interest. Some users will prefer
usability over security while others will prefer the opposite no matter the
application. If this is the case then I would vote for having the option to
toggle between one and the other...

~~~
mgrouchy
I think being able to mask and unmask your password with a checkbox is
certainly viable (as long as the masking is the default). The problem lies not
with users like you who have different passwords for different applications,
the problem lies with users who have the same password for all applications.

That being said, that is probably beyond the scope of what the author is
trying to address but is still always something to consider.

~~~
fcr
Fair enough. I agree that the website may expose a "global" password as you
and another person said.

I guess I'll design my future login boxes with security enabled by default and
unmask option for the responsible user who would need it...

------
jcapote
I noticed that heysan didn't mask the password on their login page when using
my nintendo dsi, incompetence or usability?

------
ciudilo
This guy is just completely detached from real world...

------
ErrantX
_The more uncertain users feel about typing passwords, the more likely they
are to (a) employ overly simple passwords and/or (b) copy-paste passwords from
a file on their computer. Both behaviors lead to a true loss of security_

And his solution is to present passwords in clear text?

Hmmm. That seems to be a mixed metaphor of a message: let's prompt people to
make a more secure password (arguably not going to have much effect) but then
display it in clear text.

To me that seems a _true_ loss of security :)

EDIT: ignoring his point (b) because that is completely irrelevant - clear
text password boxes are no more or less secure than copy/pasting the password.
BUT you're not giving the user the choice - every user has that bit less
security, not just those copy/pasting.

