Should we stop masking passwords?

June 28, 2009

A few days ago, Jakob Nielsen posted an article in which he recommended displaying passwords in plain text instead of masking them. You should read the article if you haven’t already. I’ve read some of the reactions on the Internet, and people are clearly passionate about this topic. Here are a few of my thoughts on the problem.

People often mistype passwords

If you have ever performed usability testing, you know this is true. A simple login can sometimes take users 30 seconds or more, and that is frustrating. However, I think the problem goes far beyond simple mistyping.

Password managers

I believe we all agree that password masking is necessary on public or shared computers. For non-shared computers there is a really simple solution: the password managers that are an integral part of browsers. Think of it this way: how many times do you actually type your password on a home computer?

People are paranoid

Are plain-text passwords what users would expect? How would the average user react to typing a password in plain text? People feel uncomfortable, even paranoid, when entering sensitive data, and that includes passwords. Offices are often shared with one or more colleagues, so looking over a shoulder is very common. Whatever the actual risk, masking passwords at least gives the feeling of privacy.

Optional masking

As one solution, Jakob suggested adding a checkbox that turns masking on and off. Too many options could make the authentication process painful for users. Imagine that some websites mask the password and others don’t. Some have optional masking. Some keep the last typed character visible for a second. Some use a combination of these. A real mess, if you ask me.

iPhone solution

The iPhone has an interesting solution (or attempt at a solution) to this problem. It keeps the last typed character visible for a short time and then converts it to a bullet. This may help you while typing, but it doesn’t resolve the shoulder-surfing problem.

Some other solutions?

Fortunately or unfortunately, password masking is still here. But perhaps we can think in another direction. What if the current authentication concept (username and password) is simply too old? I don’t know what the future of authentication will be. Maybe it will evolve towards concepts like OpenID, biometrics, or some kind of certificates. Maybe we won’t wait long for a new concept to become the standard.

So I am not sure we really have a problem here.

What are your thoughts on this one?

I discuss these topics on twitter too. In case you feel nostalgic, my RSS feed is still working.

19 Comments

  • Brian Boatright (June 28, 2009)

    At this point I think it would cause more problems if it were not masked. Imagine going to a public PC or even a friend’s and logging into one of your accounts and starting to type into the password field and it is not masked. Most likely by the time you are done typing the password will be completely entered and now exposed. Granted there could be someone watching your keystrokes or key logging, but in most cases the mask at least gives you the feeling of security, as you point out.

    I don’t agree with Jakob on the password field, but he has another article on the Reset button which I mostly agree with: http://www.useit.com/alertbox/20000416.html The exception is the cancel button. It’s true most people don’t use it, but on a number of profile or other edit forms I think it is expected to have a Submit/Update as well as a Cancel button. I think keeping the button locations in the same order is most important. I keep Submit/Update on the left and Cancel on the right.

  • Harry (June 28, 2009)

    I wonder, if the password is not masked, would it be easier for a hacker to inject some JavaScript to track keypresses and steal passwords? There are quite a few webapps available like ClickTale that can be used to track keypresses using JavaScript in this way.

  • Nenad Banovic (June 29, 2009)

    My personal opinion is that passwords should stay masked for all public services (publicly accessed), and for home services/users they can be without a mask.

    One more thing… the "iPhone’s masking solution" is not iPhone’s only; it has been in use in Windows Mobile since long before Apple’s iPhone.

    That solution is maybe the best to use everywhere…

  • Bruno (June 29, 2009)

    Just one correction: the "iPhone solution" has been used in cell phones for years before the iPhone’s creation. (Try to type a password in any Java MIDlet and you will see.)

  • Dan (June 29, 2009)

    Wow! You think masked passwords cause difficulty. You try and log onto a SCO UNIX box! It doesn’t even show you bullets. It doesn’t even flash the cursor to let you know it’s acknowledging the characters!

    The current norm of masking passwords with bullets is just fine. People are starting to use things like 1Password to manage their passwords, but this worries me. I’ve worked in IT support for years and found a 3rd certainty to add to the old "death and taxes" adage… That is: people will forget passwords. We recently migrated to Google Apps for our corporate email and the most common support call we’ve had, by a long way, is forgotten passwords. After a few weeks we got another bunch of lost password calls. People had been relying on their browser to remember their passwords while not having the common sense to know what they were themselves.

    The laymen don’t understand that utilities like 1Password and even browsers’ ability to save passwords are purely to stop you having to type them each time… not to remember them for you!

  • Jin (June 29, 2009)

    Jakob’s proposal sounds nice on paper, as usual. But in reality, it causes more problems than it solves.

    At least several times a day, when I enter my password, there’s a coworker staring at my monitor too. I prefer to have my password masked.

  • Janko (June 29, 2009)

    Brian, Dan, Jin: Of course, it’s just not practical without masking.

    Harry: I think that you just can’t stop good hackers. You know, the evil ones ;)

    Nenad, Bruno: I didn’t know there was an implementation earlier than the iPhone, thanks for the information!

  • Nenad Banovic (June 30, 2009)

    theregister.co.uk >> Masked passwords must go: http://www.theregister.co.uk/2009/06/30/masked_passwords_usability

  • stormy (June 30, 2009)

    Nice post. We have just developed a jQuery plugin which gives text fields the behavior of an iPhone-styled password field. Check it out: http://www.mysrc.de/allgemein/jquery-mypass-password-hiding-iphone-style/

  • DerHorst (July 1, 2009)

    I have followed this blog for a long time and I have always liked ‘the way Janko does it’!

    But this time I am a bit disappointed.

    I am pretty sure that Janko (of course!) and this Jakob Nielsen guy beat me in just about everything they do and maybe even in a few things I do, but when I read this blog entry from Mr. Nielsen I just get the following thoughts:

    "Did this Nielsen guy ever use the Internet a bit?
    It’s really a sad thing that he does this only alone in his dark room and/or in a lonely office."

    Stopping masking passwords is one of the craziest things I have ever read…

    In my opinion the only possibility would be to add a text link behind the password field that unmasks it.
    (Maybe even only for a few seconds.)
    But yeah, that would be a real mess.
    A way could be that browsers get this ability by default.

    Ways to simplify the log-in process are available: fingerprint scanners work and are available as USB devices or even built in (some laptops).
    In large companies there are often ID cards for entering the area/building or paying in the canteen; with a card reader (often built into the keyboard) they could be used for identification.

    But these things should do nothing else than enter the saved username/mail address/ID number and password into the system, so that the "normal" password log-in is available as a backup when card reading fails.

    Please excuse me if my thoughts were a bit hard, don’t beat me with a stick, but this was the first thing I had in mind.

  • Janko (July 1, 2009)

    stormy: Nice one, thanks for sharing!

    DerHorst: Please don’t apologize for sharing your opinion :) I really appreciate the work of Jakob Nielsen and enjoy reading his articles even if he is wrong. But that doesn’t mean that I agree with everything he wrote. In this case, of course, I disagree with his opinion. Only, my intention wasn’t to criticize his idea directly but rather to examine how different concepts affect this problem and try to explain why password masking should still be here.

  • Dan (July 8, 2009)

    I just wrote a blog post about my thoughts on this.

    http://minute44.com/archives/674

  • Daemon (July 8, 2009)

    There are numerous reasons why passwords should stay masked, but one of them is EXTREMELY important: most users today have many user accounts for many sites. This leads every user, not just power users, to start creating passwords that follow some logic, passwords that are easily constructed for each new site that we need to register on.

    For example, my system could be: my nickname + name of site + numbers 123, making my passwords look like this:

    daemon-facebook-123
    daemon-twitter-123

    This in turn means that even if ONE of those passwords gets seen over my shoulder, all of my data is compromised.

    Concluding: I want my passwords to stay secure ALWAYS. The usability gain is too small to compensate for the possibility that all of my passwords get "broken".

  • Mark (July 11, 2009)

    @Bruno & Janko: I caught that right away. I have a UTStarcom phone that pre-dates the iPhone, and it does that when I log into Yahoo.

  • Montana Flynn (July 14, 2009)

    OpenID FTW

  • Anz (July 25, 2009)

    How about giving a small icon near the password field to switch between plain or masked field? Will that make more confusion or is it good?

  • Paulius Uza (August 3, 2009)

    I think someone forgot to mention this:

    – Security cameras in the room
    – Screen grabber applications
    – User made print-screens or videos

    For me personally – the password field should stay masked, or the site should use OpenID

  • Ivan Minic (August 5, 2009)

    Remain masked until a better way of authorising is widely available.

  • Rick (November 5, 2009)

    Mr. Nielsen makes a compelling case. I also agree with your points re: user expectation and PW auto-fill.

    I find it comforting, in those instances that I actually have to type (or double-click the username box), when I am given a short, gentle reminder that the ‘inconvenience’ is in fact for *my* benefit.

    The check-box/choice option he describes would seem to be an acceptable solution. Perhaps with a link (mouse-over/notification box) to some sort of explanation.