
June 2009 Archives

June 25, 2009

Better yet, make password masking optional

Jakob Nielsen just called for password masking to die:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures. It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

He claims that miscreants can still steal your password just by watching the keyboard instead of the screen, and that mistyped passwords will reduce business because of user frustration. I don't agree that either of these is a worthy argument: first, it's a lot harder to watch someone's keystrokes than it is to read off letters accumulating in an on-screen field; and second, I would guess that the amount of lost business due to user frustration over password fields is very negligible. Plus I'm willing to bet you'd lose more users if you didn't obscure your passwords because they would think your site was lacking in good security.

I do agree with one of his suggestions later in the posting, which Jeff Atwood has proposed before: adding a checkbox to the form (or dialog box) so the user can control whether the password field is masked or revealed. This setting could even be applied globally in application preferences, applied by web site, or even applied by network connection. If you're on the home network, don't mask; if you're at work, mask; if you're on an unrecognized network, and therefore probably in public, mask.

June 22, 2009

Boston CFUG meeting tomorrow night at Adobe's offices

For those of you in the Boston area: want to hear about the next version of ColdFusion and the new IDE, code-named Bolt? Then you'll want to make sure to attend tomorrow night's Boston CFUG meeting at Adobe's offices in Newton, with speakers Adam Lehman and Tim Buntel.

Adam will be giving us the scoop on the upcoming version of ColdFusion as well as the new IDE codenamed Bolt. Tim Buntel will show us some of the features in Flex 4 and Flash Builder designed specifically with ColdFusion developers in mind.

Brian and I are planning for food and giveaways that are even better than usual, too!

RSVP Today! http://www.eventbrite.com/event/356084057

June 19, 2009

Importing SSL certs to Railo's keystore programmatically

Lately I've been working on a site where we have to gather some network information from our customers, including the domain name/IP of their LDAP server, and an LDAP username and password. We want the ability to tell them right away whether the credentials they've typed in are valid, so we offer a test right there on the page. This isn't too hard: just pass the credentials back to the server via AJAX, run them through CFLDAP, and return the result to the customer. What's harder is handling connections when the LDAP server only allows SSL-protected transactions and uses a self-signed certificate. To enable your server to recognize the custom certificate, you'll need to add it to the list of trusted certs in your server's keystore.
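A sketch of that keystore step, added here as an example and not taken from the original post: it is written in Java, since Railo runs on the JVM, and it goes one step beyond the text by importing a self-signed certificate only when its SHA-256 fingerprint matches a value obtained out of band. The class and method names, the alias, the temporary path and the demo password are all assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class PinnedTrustImport {

    // SHA-256 fingerprint of the DER-encoded certificate, as lowercase hex.
    static String sha256Hex(X509Certificate cert) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Adds the certificate to the keystore file only when its fingerprint matches the pin.
    static boolean importIfPinned(X509Certificate cert, String pinnedHex, Path storePath,
                                  char[] storePass, String alias) throws Exception {
        if (!sha256Hex(cert).equalsIgnoreCase(pinnedHex.replace(":", ""))) {
            return false; // unknown certificate: leave the trust store untouched
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) { ks.load(in, storePass); }
        } else {
            ks.load(null, storePass); // start from an empty store
        }
        ks.setCertificateEntry(alias, cert); // trusted-certificate entry, no private key
        try (OutputStream out = Files.newOutputStream(storePath)) { ks.store(out, storePass); }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a self-signed root from the JVM's default trust store
        // stands in for the customer's LDAP certificate, so the demo needs no network.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509Certificate cert =
            ((X509TrustManager) tmf.getTrustManagers()[0]).getAcceptedIssuers()[0];

        Path store = Files.createTempDirectory("pin-demo").resolve("truststore.ks");
        char[] pass = "changeit".toCharArray();       // demo password only
        String goodPin = sha256Hex(cert);             // in practice: supplied out of band
        String badPin = goodPin.replaceAll(".", "0"); // constructed non-matching pin
        System.out.println("mismatch imported: " + importIfPinned(cert, badPin, store, pass, "customer-ldap"));
        System.out.println("match imported:    " + importIfPinned(cert, goodPin, store, pass, "customer-ldap"));
    }
}
```

Point the path at the trust store your server's JVM actually loads. A JVM that has already built its default SSL context does not see new entries until that context is rebuilt or the server restarts.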


June 3, 2009

Boston CFUG's June meeting: Adam Lehman and Tim Buntel

We've scheduled a great meeting for June 23rd that you will not want to miss. Adam Lehman, ColdFusion's Product Manager, and Tim Buntel, Flex Product Manager, will be back to host this year's Adobe User Group Tour which will include discussion of the next versions of ColdFusion and Flex/Flash Builder. This meeting will include a number of giveaways and we will be providing good food and drinks.

Date and Time: June 23, 2009 from 6:00pm - 9:00pm

Address:
Adobe Systems
275 Grove St
Newton, MA 02466

RSVP: http://www.eventbrite.com/event/356084057