A few days ago, Jakob Nielsen posted an article in which he recommended displaying passwords in plain text instead of masking them. You should read the article if you haven’t already. I’ve read some of the reactions on the Internet, and I think people are very passionate about this topic. Here are a few of my thoughts on this problem.
People often mistype passwords
If you have ever performed usability testing, you will know this is true. Sometimes it can take users 30 seconds or more to complete a simple login! And that can be frustrating. However, I think this goes far beyond simple mistyping.
I believe we all agree that password masking is necessary for public/shared computers. But there is a really simple solution for non-shared computers: the password managers that are an integral part of browsers. Just think about it: how many times do you actually type your password on a home computer?
People are paranoid
Are plain-text passwords what users would expect? How would the average user behave when typing a plain-text password? People feel uncomfortable, even paranoid, when entering sensitive data, and that includes passwords. Offices are often shared with one or more employees, so looking over a shoulder is a very common occurrence. No matter how reasonable it actually is, masking passwords at least gives the feeling of privacy.
As one of the solutions, Jakob suggested adding a checkbox that can turn masking on/off. Having too many options could make the authentication process painful for users. Imagine that some websites mask passwords and others don’t. Some even have optional masking. Some keep the last typed key visible for a second. Some use a combination of those. A real mess if you ask me.
The iPhone has an interesting solution (or attempted solution) to this problem. It keeps the last typed character visible for a short time and then converts it to a bullet. It might help you while typing, but it doesn’t resolve the “shoulder surfing” problem, which is still present.
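To make the three behaviours discussed above concrete (always masked, a user toggle, and the iPhone-style brief reveal of the last typed character), here is an added example that is not from the original post or from any real browser or iPhone code. It models a masked field as a small state machine with an injectable clock; the class name, method names and the 1000 ms reveal window are assumptions.

```javascript
// Added example: a model of a masked password field.  The real secret is
// kept separately from the string that gets rendered, so the rendered
// string never has to double as the value that is submitted.

const BULLET = "\u2022";
const REVEAL_MS = 1000; // assumed reveal window for the last typed character

class MaskedField {
  constructor(now = () => Date.now()) {
    this.secret = "";         // actual password, never rendered directly
    this.masked = true;       // false when the "show password" box is ticked
    this.revealLast = false;  // iPhone-style transient reveal enabled?
    this.lastKeyAt = -Infinity;
    this.now = now;           // injectable clock so the timing is testable
  }

  type(ch) {
    this.secret += ch;
    this.lastKeyAt = this.now();
  }

  // Deleting a character reveals nothing: the new last character was
  // typed earlier, so it is not shown again.
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.lastKeyAt = -Infinity;
  }

  toggleMask() { this.masked = !this.masked; }

  // What the UI should render right now.
  display() {
    const n = this.secret.length;
    if (!this.masked) return this.secret;
    if (n === 0) return "";
    const fresh = this.now() - this.lastKeyAt < REVEAL_MS;
    if (this.revealLast && fresh) {
      return BULLET.repeat(n - 1) + this.secret[n - 1];
    }
    return BULLET.repeat(n);
  }

  // The value to submit is always the real secret, whatever is displayed.
  value() { return this.secret; }
}
```

Note that even with `revealLast` on, every character is briefly exposed on screen at the moment it is typed, which is exactly why the approach helps with typos but not with shoulder surfing.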
Some other solutions?
Unfortunately, and fortunately, password masking is still here. But perhaps we can think in another direction. What if the current authentication concept (username and password) is just too old? I don’t know what the future of authentication will be. Maybe it will evolve toward concepts like OpenID or biometric technology, or will be based on some kind of certificates. Maybe we won’t have to wait long for some new concept to become a standard.
So, I am not sure whether we really have a problem here.
What are your thoughts on this one?