
Password Masking: Do the Usability Issues Outweigh the Security Concerns?


Oh come on... let me in!

Jakob Nielsen has officially come out against password masking, arguing that (in most cases at least) the usability issues it creates outweigh the overstated security issues.

Since passwords (especially when masked) are a personal pet peeve, my first reaction was "YES!" But after thinking about it a while, and discussing it with colleagues, there appear to be at least two problems with presenting passwords in clear type.

First, it's not the convention. Nielsen touches on this issue, but says it doesn't matter because it's not a convention people look for and it's not going to cause confusion. Though I agree to a point, I think it might turn some users off. They'll see their password in clear text and think, "Wow, these guys don't care about security. Can I trust them with my personal information and credit card number?"

Second, people tend to use the same password (or small set of passwords) for many websites and applications. Even though security may not be a concern in one application, it may be very important in another. So maybe it doesn't matter that someone sees my password for one website, but if I've been foolish enough to use the same password for my online banking, that most definitely does matter!

I really want to agree with Jakob Nielsen on this. But for now at least, the idea of presenting passwords in clear text makes me a bit nervous.

Comments
Apple has been doing something like this forever. They have a checkbox that shows your password when logging into wireless or whatnot. Further, the iPod Touch shows the last character you've typed into a password field. Neither of these provides perfect security (then again neither does masking your password), but they do provide a level of confidence and security while maintaining usable password boxes.
# Posted By KentC | 6/24/09 12:33 PM
Allowing users to make the password visible may be a good idea; the recommendation to make passwords visible by default and have a checkbox to mask it is not, neither from a security nor from a usability perspective. Read my thoughts at http://www.atmedia.net/KlausRusch/blog/2009/06/dis...
# Posted By Klaus Johannes Rusch | 6/25/09 2:23 AM
Klaus,
I agree, that's probably the best compromise for now. Thanks for the link to your article.
Michael
# Posted By Michael S | 6/25/09 9:12 AM
Agreed, that's the solution I was suggesting. Masked by default, then unmasked at check. Provides the best of both worlds, with unmasked passwords available at home, but giving you the ability to mask it everywhere else.
# Posted By KentC | 6/25/09 9:59 AM