« Boston CFUG meeting tomorrow night at Adobe's offices | Main | Three methods for password reveal »

Better yet, make password masking optional

Jakob Nielsen just called for password masking to die:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures. It's time to show most passwords in clear text as users type them. Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.

He claims that miscreants can still steal your password just by watching the keyboard instead of the screen, and that mistyped passwords will reduce business because of user frustration. I don't agree that either of these are worthy arguments: first, it's a lot harder to watch someone's keystrokes than it is to read off letters accumulating in an on-screen field; and second, I would guess that the amount of lost business due to user frustration over password fields is very neglible. Plus I'm willing to bet you'd lose more users if you didn't obscure your passwords because they would think your site was lacking in good security.

I do agree with one of his suggestions later in the posting, which Jeff Atwood has proposed before: adding a checkbox to the form (or dialog box) so the user can control whether the password field is masked or revealed. This setting could even be applied globally in application preferences, applied by web site, or even applied by network connection. If you're on the home network, don't mask; if you're at work, mask; if you're on an unrecognized network, and therefore probably in public, mask.

Comments (3)

I tried putting your code on one of my sites. The servers have an odd way of becoming completely unresponsive after navigating to /clickheat/ (I assume the index.cfm).

Are there some installation instructions I need to use before trying to integrate this to my site?

Really wanted to point out I'm just happy that i happened on the web page.

Really wanted to point out I'm just happy that i happened on the web page.