Editor's note, 07/07/2009: Bruce Schneier
has changed his mind. He now says that he was "probably wrong" to
support Jakob Nielsen's view. See our more
recent story.
Usability expert Jakob Nielsen and security expert Bruce
Schneier have both said that websites should stop blanking out
passwords as users type them in. They say that the practice
inconveniences users with no security benefit at all.
Most websites that require passwords allow a user to see the
login name as it is typed in but replace each character of the password, as it is typed,
with a dot or asterisk so that the password cannot be read off the screen,
whether by another person nearby or by the user.
"It's time to show most passwords in clear text as users type
them," said Nielsen in a post on his website. "Providing feedback
and visualizing the system's status have always been among the most
basic usability principles. Showing undifferentiated bullets while
users enter complex codes definitely fails to comply."
Nielsen is the web's most famous usability guru and campaigns
for content and websites to conform to technical standards in order
to be usable and accessible for all users, including disabled users
using assistive technologies.
One of technology's most renowned security experts echoed
Nielsen's concerns, and backed up Nielsen's assertion that password
masking does nothing to improve security.
"Password masking has annoyed me for years," Schneier told
OUT-LAW.COM. "Shoulder surfing is largely a phantom problem, and
people know to be alert when others are nearby, but mistyping a
long password happens all the time."
Nielsen said that research had shown that password masking
causes problems for users. "Password masking has proven to be a
particularly nasty usability problem in our testing of mobile
devices, where typing is difficult and typos are common. But the
problem exists for desktop users as well," he said.
Nielsen said that preventing users from seeing the passwords
they type in causes two problems. "Users make more errors when they
can't see what they're typing while filling in a form. They
therefore feel less confident. This double degradation of the user
experience means that people are more likely to give up and never
log in to your site at all, leading to lost business," he said.
"The more uncertain users feel about typing passwords, the more
likely they are to (a) employ overly simple passwords and/or (b)
copy-paste passwords from a file on their computer. Both behaviors
lead to a true loss of security," he said.
Schneier agreed that masking passwords was likely to result in a
weakening of security. "I'm sure people choose shorter and easier
to type passwords when their typing is masked, resulting in less
security overall," he said.
Nielsen said that sites usually blank out type-in passwords out
of force of habit rather than reason. "Password masking has become
common for no reasons other than (a) it's easy to do, and (b) it
was the default in the web's early days," he said.
Nielsen acknowledged that shoulder surfing is a risk in some
environments, such as internet cafés. "It's therefore worth
offering them a checkbox to have their passwords masked; for
high-risk applications, such as bank accounts, you might even check
this box by default," he suggested. "In cases where there's a
tension between security and usability, sometimes security should
win."
Editor's note, 06/07/2009: We have had
a lot of feedback from people who disagreed with this
advice.
One reader noted: "The iPhone has a good method for entering
passwords, it shows the last character you typed then replaces it
by * when you type the next character. Doesn't cut down on the
risk of shoulder surfing but means they would have to be watching
you the whole time."
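The two mechanisms described above, Nielsen's opt-in checkbox for masking and the reader's "show only the character just typed" behaviour, as an added JavaScript example that is not part of the OUT-LAW article or the views it quotes. The class and function names, and the element selectors at the bottom, are assumptions made for the illustration:

```javascript
// Added example (not from the OUT-LAW article, Nielsen, Schneier or the
// reader quoted above). Models the password-display policies discussed on
// the page as a small browser-independent state machine:
//   - full masking (every character replaced by a bullet),
//   - "reveal last character" masking, as the reader describes on iPhone
//     (the character just typed stays visible until the next keystroke or
//     until the caller times it out),
//   - the opt-in "show password" toggle Nielsen proposes, off by default.
// Names (MaskedPasswordModel, wireShowPasswordToggle) are assumptions.

const BULLET = '\u2022';

class MaskedPasswordModel {
  constructor({ revealLast = false } = {}) {
    this.chars = [];          // real password, kept as code points
    this.revealLast = revealLast;
    this.showPlain = false;   // the user's "show password" choice
    this.lastVisible = false; // is the most recent character still revealed?
  }

  // Append one typed character (a single code point).
  type(ch) {
    this.chars.push(ch);
    this.lastVisible = true;
  }

  // Delete the last character; nothing is revealed after a deletion,
  // since the character now at the end was typed earlier.
  backspace() {
    this.chars.pop();
    this.lastVisible = false;
  }

  // Called by the UI when the reveal window expires.
  hideLast() {
    this.lastVisible = false;
  }

  setShowPlain(on) {
    this.showPlain = Boolean(on);
  }

  value() {
    return this.chars.join('');
  }

  // What the field should render. Counting code points rather than
  // UTF-16 units keeps one bullet per visible character.
  display() {
    if (this.showPlain) return this.value();
    const n = this.chars.length;
    if (this.revealLast && this.lastVisible && n > 0) {
      return BULLET.repeat(n - 1) + this.chars[n - 1];
    }
    return BULLET.repeat(n);
  }
}

// Browser wiring for the opt-in toggle. Switching the input's type keeps
// the browser's own password semantics (credential manager, no spell-check
// or autocorrect); re-implementing masking in a text input would lose them.
function wireShowPasswordToggle(input, checkbox) {
  checkbox.addEventListener('change', () => {
    input.type = checkbox.checked ? 'text' : 'password';
  });
}

// Only runs in a browser; assumed markup: a password input and a
// checkbox with id "show-password" next to it.
if (typeof document !== 'undefined') {
  const input = document.querySelector('input[type=password]');
  const checkbox = document.querySelector('#show-password');
  if (input && checkbox) wireShowPasswordToggle(input, checkbox);
}
```

The model is what a field that reveals the last character has to keep: the real value lives in script state, and `hideLast()` is called from a timer (for example `setTimeout(() => model.hideLast(), 1000)`) after each keystroke. That is also the caveat: a browser's own `<input type="password">` gives a desktop site no way to show just the last character, so implementing it means a plain text input with masking done by script, which forfeits the browser's password handling; the type-switching toggle keeps it, and defaulting the checkbox to masked matches Nielsen's advice for high-risk sites.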
Disclaimer: We hope you find OUT-LAW's content useful. It is prepared by the lawyers at Pinsent Masons. Please remember, though, that it is intended as general information only. It is not legal advice. If that is what you are seeking, please contact us. See also: our full disclaimer.