Slashdot Mirror


Nielsen Recommends Not Masking Passwords

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"

3 of 849 comments

  1. Re:Two words by rtfa-troll · · Score: 5, Interesting

    Sure, being the RTFA troll, I read the article. But that still doesn't convince me. The keyboard press is a brief instant on a device which is easy to place more or less out of line of sight. A visible password on a screen is present for a long time and there are a number of interesting ways to capture this. Whilst keyboards are not perfect I think that some protection is worthwhile. One thing is for sure. Nobody is going to remember to turn this on when they are in public and your password only needs to be captured once.

    One thing that might be a possible compromise is the system the mail client on my Nokia phone uses. The most recent character entered in the password is displayed for a short time. I can see each individual character, but the entire password is not exposed. I worry on the subway, but since it's a personal device it's easier to make this difficult to see.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  2. Re:You could always let the user choose by Rei · · Score: 5, Interesting

    For what it's worth, I've had a password compromised before by someone looking over my shoulder at what *keys* I typed. I'd rather not make it even easier for people by letting them just look at the screen, thanks. As you note, you never know whether your environment is secure. In my case, back in TAMS, I had a "friend" who was chatting with me as an excuse to stand close enough / above me to see the keyboard; he then set up a porn site on my university account as a prank.

    Strangely enough, the last I heard from him, he was becoming a Mormon missionary...

    --
    I tore these out of your symbol, and they turned into paper.
  3. Re:Making my point with humor by gdshaw · · Score: 5, Interesting

    Actually, the comment is (perhaps unintentionally) insightful. According to the current (25th June 2009) draft of the HTML 5 spec:

    "The user agent should obscure the value so that people other than the user cannot see it."
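
The compromise described in the first comment, showing only the most recently entered character for a short time, can be modelled as a small state machine. This is an added example, not code from the thread or from any phone's mail client; the class name `PeekMaskedField`, the one-second timeout and the sample input are assumptions.

```javascript
// Added example: "peek" masking. At most one character is ever in cleartext,
// and only until the timeout expires, the next key is typed, or focus leaves.
const BULLET = "\u2022";
const REVEAL_MS = 1000; // assumed value; the comment only says "a short time"

class PeekMaskedField {
  constructor(revealMs = REVEAL_MS) {
    this.chars = [];        // entered characters, one array slot each
    this.revealMs = revealMs;
    this.revealIndex = -1;  // index of the one character allowed to show
    this.revealUntil = 0;   // timestamp (ms) after which it is masked again
  }
  // Record one typed character; `now` is a millisecond timestamp.
  type(ch, now) {
    this.chars.push(ch);
    this.revealIndex = this.chars.length - 1; // previous char is masked at once
    this.revealUntil = now + this.revealMs;
  }
  // Deleting must never re-expose an earlier character.
  backspace() {
    this.chars.pop();
    this.revealIndex = -1;
  }
  // Hide immediately when the field loses focus.
  blur() {
    this.revealIndex = -1;
  }
  // What the screen shows at time `now`.
  render(now) {
    const showing = this.revealIndex >= 0 && now < this.revealUntil;
    return this.chars
      .map((c, i) => (showing && i === this.revealIndex ? c : BULLET))
      .join("");
  }
}

// Number of cleartext characters a single screen capture would contain.
function exposedCount(frame) {
  return Array.from(frame).filter((c) => c !== BULLET).length;
}

// Constructed sample: render one frame per keystroke, 200 ms apart.
function framesFor(sample, field = new PeekMaskedField()) {
  return Array.from(sample).map((ch, i) => {
    field.type(ch, i * 200);
    return field.render(i * 200 + 50);
  });
}
```

Any one frame holds a single cleartext character, but an observer who sees every frame still recovers the whole value, which is the exposure the commenter describes worrying about on the subway.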