Usability authority Jakob Nielsen recently published a new article suggesting that developers “abandon legacy design” and stop masking password fields with bullets or asterisks, because of “reduced usability to protect against a non-issue.”
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website.
This is wrong on so many levels. Have you ever set your laptop up in a public place, such as a café, a library, or an airport? How often is there someone else in the room when you use a computer? Have you ever had your laptop hooked up to a projector? In Nielsen’s private world, there are only people typing away at computers isolated by four walls. In the real world, people, intentionally or not, “shoulder surf.”
The argument that “a truly skilled criminal can simply look at the keyboard” is about as logical as saying that you don’t need a key for your car or house, because a truly skilled criminal will break in anyway. Password masking protects against more casual (or even accidental) snoopers. It’s not easy at all to get someone’s password by watching them type, unless they are a very slow “hunt and peck” typist.
When you press a key, it’s only for a second. Blink. You missed it. What key did I just press? If you remove the masking feature on password fields (a feature the upcoming HTML 5 standard requires), your password is shown in full for much longer.
A checkbox to toggle the functionality on and off, as Nielsen recommends, breaks a more important design and usability principle that I believe Nielsen stands behind: that you should present as few options as possible to the user.
Slashdot has plenty to say on the matter:
I’ve never been impressed by the argument that ‘I can’t think why we need this (standard) security measure, so let’s drop it.’ It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?
If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it’s dusk outside. Give me a dSLR and a decent set of long distance lenses and I’ll prove you wrong.
To a usability expert, expectations are your friends. You trust them. You believe in them.
To a security expert, expectations are your enemies. You distrust them. You try to figure out what they’re hiding from you.
Of course, everyone agrees that what is expected and what happens *should* be the same, but I think here the security guys have the more legitimate concern. Mr. Nielsen doesn’t even consider the possibility that his expectations might be violated. He assumes they are benign as long as they are “usually” right.
In any computing environment, security trumps usability. Password masking is such a minor usability issue, and one that can be overcome with just a little bit of education on the matter. It’s not worth creating a security risk because one segment of the population can’t do something as simple as typing a password properly.