Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

Two words

[RollingThunder]

Shoulder surfing.

Seriously, is this guy is supposed to be an expert?

This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

Re:Two words

[tomhudson]

I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

Think about your bank card, your PIN, etc.

FTFA:

It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

Re:Two words

[amicusNYCL]

Oh, c'mon.

So, password masking doesn't even protect fully against snoopers.

No, it doesn't protect fully, but it does protect from everyone who can't see the keyboard when you type. In other words, it protects against every shoulder-surfing scenario except when the person is looking directly at the keyboard when you type. And even then, if you're typing fast enough or the keys are close enough together you won't be able to guess the password by watching the keyboard. Hell, I'm sitting right in front of the keyboard and I still can't look through my hands to see which keys my fingertips are actually pressing. So, password masking does protect from shoulder-surfing. It might not protect against people looking directly at your keyboard, but that might be because it's designed specifically to protect against people looking at the goddamn monitor.

More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

OK, so this is a great usability solution for websites that only get accessed by people sitting alone in their offices without the possibility of a co-worker standing there as they log in. For all other sites that people might access in an internet cafe, or at the airport, or in a coffee shop, or wherever else, I guess it doesn't apply at all.

Re:Two words

[radtea]

Retarded doesn't begin to cover this.

The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

How about a compromise?

[Verteiron]

Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

Re:Um, here's a thought.

[Yetihehe]

It's possible, the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on page - just press down arrow and voila!

One word for Nielsen: Projector

[tcsh(1)]

Ever logged in to a computer connected to an LCD projector?

Indeed lack of imagination

[guruevi]

1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

2) How many times have you typed in your password while somebody was looking at your screen eg. to show somebody something on a protected website. This happens a lot to tech people as we have to authenticate to solve an issue while somebody is standing next to me waiting for me to fix it.

3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (eg. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.

4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

Ever typed a long WPA key into an iPhone?

The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.

Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

Two more words for Nielsen: Security Cameras

[hoosbane]

Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.

Re:Making my point with humor

[doti]

That's because knowing the number of characters in a password greatly eases the password guessing.

The masking is indeed a bad idea. Your unix login prompt does the right thing.

Re:hunter2

[vidarh]

If Stephen Hawking says something about physics, do you require a citation from him? Nielson is recognized as one of the leading experts in his field.

No, but if Stephen Hawking made a claim that flew in the face of established conventions in - say - psychology, I would expect a citation. Nielsen is a usability expert, not a security expert, and GP questioned his claim about the security aspect.

Re:hunter2

[adamstew]

If Stephen Hawking says something about physics, do you require a citation from him? Nielson is recognized as one of the leading experts in his field.

Yes! I would! I would want to see the research that lead him to his conclusion in physics. Or, more specifically, I would want another physicist to look at his research and give his validation to say that it's sound.

You could always let the user choose

[marcus]

In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.

Re:Making my point with humor

[lindseyp]

What's even better than that is when the password input window *does* have focus, and the IM window steals it just as you start to type it in.

focus-stealing windows should be banned.