Nielsen Wants Your Passwords to Be Visible to the World

Usability authority Jakob Nielsen recently published a new article suggesting that developers “abandon legacy design” and stop masking password fields with bullets or asterisks, because of “reduced usability to protect against a non-issue.”

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website.

This is wrong on so many levels. Have you ever set your laptop up in a public place, such as a café, a library, an airport? How often is there someone else in the room when you use a computer? Have you ever had your laptop hooked up to a projector? In Nielsen’s private world, there are only people typing away at computers isolated by four walls. In the real world, people, intentionally or not, “shoulder surf.”

The argument that “a truly skilled criminal can simply look at the keyboard” is about as logical as saying that you don’t need a key for your car or house, because a truly skilled criminal will break in anyway. Password masking protects against more casual (or even accidental) snoopers. It’s not easy at all to get someone’s password by watching them type, unless they are a very slow “hunt and peck” typist.

When you press a key, it’s only for a second. Blink. You missed it. What key did I just press? If you remove the masking feature on password fields (a feature the upcoming HTML 5 standard requires), your password is shown in full for much longer than a keystroke.

A checkbox to toggle the functionality on and off, as Nielsen recommends, breaks a more important design and usability principle that I believe Nielsen stands behind: that you should present as few options as possible to the user.

Slashdot has plenty to say on the matter:

I’ve never been impressed by the argument that ‘I can’t think why we need this (standard) security measure, so let’s drop it.’ It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?

If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it’s dusk outside. Give me a dSLR and a decent set of long distance lenses and I’ll prove you wrong.

To a usability expert, expectations are your friends. You trust them. You believe in them.

To a security expert, expectations are your enemies. You distrust them. You try to figure out what they’re hiding from you.

Of course, everyone agrees that what is expected and what happens *should* be the same, but I think here the security guys have the more legitimate concern. Mr. Nielsen doesn’t even consider the possibility that his expectations might be violated. He assumes they are benign as long as they are “usually” right.

In any computing environment, security trumps usability. Password masking is such a minor usability issue, and one that can be overcome with just a little bit of education on the matter. It’s not worth creating a security risk because one segment of the population can’t do something as simple as typing a password properly.

  • Blaine Moore

    I have a plugin that allows me to display a password if I want – but I'd much prefer it stay hidden by default!

  • Steve Yakoban

    Nielsen has way too much attention with his usability rants. Sure usability is important, but even with every usability feature enabled, some people (unfortunately) are disabled so much that they still can't use the web. So somewhere you have to find a balance between reasonable usability and extremism. He's an extremist because he makes a lot of money being one – he's really not virtuous as he would want you to believe.

  • Saurab

    LOL, many times we access our websites sitting beside our friends. Though they don't watch what we type on our keyboard, making the password visible makes it a lot easier for them to get our passwords, which we might be using on other websites also.

  • Klaus Johannes Rusch

    Having an option in the browser to reveal passwords might help in some cases. Revealing passwords by default is a bad idea.

  • Murf

    A word in defense of the disabled… Unlike you 'perfect beings' I am dyslexic and often have much frustrating difficulty logging in with 'blobbed-out' passwords… I know my passwords but so many times the letters get typed in the wrong order and sometimes I get locked out because the system thinks I am a hacker! How much better to have the option (at least, no need to make it default) of being able to see what you type, and correct any mistakes before hitting the enter key! Please think of those less able than yourselves…

    • redwall_hp

      You make a valid point.

      I think that the creation of the option shouldn't be something shoved off onto web developers though. It should be an option in the browser or operating system. Something like a toggle in the settings to not mask the passwords.

      Thanks for commenting. It's always nice to hear another perspective, instead of it just being me ranting. :)

      EDIT: If you use Firefox, there are a few addons that can remove the blobs/asterisks from password forms as you type.