Password masking – the debate begins (Reflections on Jakob Nielsen)

By Matt Cornock

Jakob Nielsen is a highly regarded usability expert. His recent Alertbox article (I’m sure he wouldn’t want to call it a blog post), entitled Stop Password Masking, is certainly going to cause a stir in the web community. He proposes that masked passwords (when you type in a password field on the web it only shows bullets or asterisks) are essentially not user-friendly. I for one do not see the web community suddenly abandoning masked password fields. There’s a familiarity with them; they’re like PINs on ATM cash machines.

According to Nielsen, masked passwords have limited security value: “Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed.” There are legitimate cases where masked passwords are essential; Nielsen suggests Internet cafés and online banking as two examples. I’d like to add to that mix: whenever you’re doing a presentation and showing a locked site, and also when using screencasts or remote desktops. His suggested work-around is a checkbox that toggles masking on or off. For me this extra layer of user interaction, though it solves the unmasked problem, would probably worsen the user experience: it’s something extra to think about.
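As an added illustration (not code from Nielsen’s article or this post), here is how such a toggle can be wired so that the safe state is the default: the field is only unmasked while the box is ticked and the field has focus, and it re-masks itself on blur, which covers the presentation, screencast and remote-desktop cases mentioned above. The element and function names are this example’s own assumptions.

```javascript
// Added example: a "show password" toggle that defaults to masked and re-masks
// automatically, so a forgotten checkbox cannot leave the password on screen.

// Pure decision function: the password is shown as text only while the user has
// both ticked the checkbox and is actively focused in the field.
function passwordFieldType(showChecked, fieldFocused) {
  return showChecked && fieldFocused ? "text" : "password";
}

// Attach the behaviour to an <input> and its "show password" checkbox.
// Only `type`, `checked` and addEventListener are used, so the same function
// works on real DOM elements in a browser or on plain stubs in a test.
function attachPasswordToggle(input, checkbox) {
  let focused = false;
  const sync = () => {
    input.type = passwordFieldType(checkbox.checked, focused);
  };
  input.addEventListener("focus", () => { focused = true; sync(); });
  input.addEventListener("blur", () => {
    focused = false;
    checkbox.checked = false; // next visit to the field starts masked again
    sync();
  });
  checkbox.addEventListener("change", sync);
  sync(); // start in the masked state regardless of the checkbox's initial value
  return sync;
}

// Browser usage (assumed element ids): uncomment in a page with these elements.
// attachPasswordToggle(document.getElementById("password"),
//                      document.getElementById("show-password"));
```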

There’s a psychological side to this argument as well. Nielsen talks about “Users mak[ing] more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident.” Or worse, they use basic passwords so they can remember them easily, creating poor security. However, having something like a password kept visibly ‘secret’ on screen is a comforting experience and gives the impression of security (even if the backend isn’t secure). We’ll see what the community makes of this; however, I wouldn’t be predicting a big change – at least not until our PINs are displayed on ATM screens. What’s wrong with “legacy” when it works?
