Why it’s a **** idea not to mask passwords

Web usability guru Jakob Nielsen has challenged websites to stop masking passwords as internet users type them in to login.

Nielsen claims that web surfers make mistakes when all they can see are asterisks rather than the characters of their password, and this results in a bad usability experience. Masking passwords makes websites unfriendly, Nielsen says, and ultimately means lost business and users choosing overly simple passwords.

Jakob Nielsen’s opinion is supported by security expert Bruce Schneier who says on his blog that shoulder-surfing (where someone watches as you type your password) isn’t very common, and that entering passwords in cleartext greatly reduces errors.

Login with your username and password

I’m afraid that wise as these two gents are, I have to disagree with them.

Imagine you’re logging in at an internet cafe – would you want your password to be visible to the person sitting in the row behind you? It turns out that Nielsen has thought of that scenario:

"[Offer users] a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win," he suggests.

Then there is the work environment, where people on your IT team know the all-powerful system passwords that grant God-like power to change all kinds of things on the company's computers.

When an IT guy comes to visit my desk and needs to log in to fix whatever I’ve broken on my PC, should the system password be visible to me and to the other inhabitants of Sophos HQ? I bet I’m not the only one sitting in a completely open-plan building, where anybody could be passing by and looking over my shoulder.

Graham's desk, complete with attractive tinsel and festive balloons

Or what happens when I am at a friend’s house and I want to quickly log in to my web email account to forward him something I have been discussing with him? Sure, he’s my friend and I trust that he’s not going to misbehave – but I really don’t think I should be sharing my password with him.

Equally I don’t want to be put in the awkward social position of going to the extra effort of ticking a box to obscure my password from him. Much better that I had no option to see the password at all!

But the biggest mistake that Nielsen and Schneier seem to have made is assuming it’s the websites that mask passwords. It isn’t: a webpage’s HTML merely marks a field as a password field, and it is browsers like Firefox and Internet Explorer, interpreting that HTML, that choose how to obscure the field’s contents.

If there were an option to display password input fields as cleartext rather than asterisks, it should be set in the user’s browser, not decided by individual websites. Even then, I can’t imagine many situations in which it wouldn’t actually be more of an inconvenience (asking friends and colleagues to turn around, or to wear a bucket over their head for the next ten seconds) than the masking of passwords we have at the moment.

Update: Clu-blog reader John got in touch to say, “You do realise, of course, your desk is as camp as Graham Norton presenting Eurovision. What’s with the balloons and tinsel?”

The explanation is that the photo was taken on my tenth anniversary at Sophos. 🙂