Slashdot Mirror


Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

5 of 849 comments

  1. Re:Not to fanboi all over the place... by IANAAC · · Score: 5, Informative

    Around long before the iPhone, but it was a nice try to attribute that to the iPhone.

  2. Re:Another two words by clone53421 · · Score: 3, Informative

    Oh really? Even if your browser won't just show them to me, I can still get them easily if I have physical access to your browser and I am able to successfully guess which sites you frequent:

    javascript:for(var a=document.getElementsByTagName("input"),i=0;i<a.length;i++)if(a[i].type=="password")void(a[i].type="text");

    I'm not flaming Firefox for showing the passwords. What I am saying is simple... if your browser does save passwords, secure either the browser (Firefox has a master password) or the computer (via an account password, and don't leave the desktop logged in). The asterisks are a secure enough method of obscuring your password from someone looking over your shoulder, but they are not a secure method of obscuring your password from someone who's actually sitting at the computer keyboard.

    --
    Alexander Peter Kristopeit bought his basement from his mommy for one dollar.

  3. Re:Making my point with humor by Gordonjcp · · Score: 3, Informative

    Lotus Notes had (has?) a login dialog that addressed this by showing a random number of X's for each character rather than a 1-to-1 mapping.
    ... and bloody awful it was too. What the hell was the point of showing the dots at all? At least with one dot per character you've got visual feedback of how many characters you've typed. Seeing six dots in the password field when you've only typed three characters is confusing and jarring.

  4. Re:You could always let the user choose by speculatrix · · Score: 5, Informative

    S60 had been doing this before the iPhone/iPod Touch was even a rumour within Apple.

  5. Re:Microsoft wep key by iPhr0stByt3 · · Score: 5, Informative

    If you mistype the password to a wireless network, the AP won't even tell you it's wrong. That is because the AP will hopefully act as if it was correct in order to significantly slow down brute-force password attempts. Windows will try to get a DHCP address and eventually come up with "limited or no connectivity". Therefore, using a double-check might save a few minutes if you can correct your typo immediately. I'm not saying that I prefer this. I'd personally rather have just one box and type it carefully, but that is a valid and good reason for this behavior.