The End of the Asterisk?

Jakob Nielsen’s Alertbox today proclaims that we should Stop Masking Passwords. He claims the usability costs are too high, especially on mobile devices where typos are more common.

I was skeptical, but he has some great points, the most important being that the greatest security risks when you are entering a password are really electronic—someone snooping your password through an unsecure connection. Someone watching your screen can just as easily watch your keyboard to see what keys you tap. But most of the time this is irrelevant, since you are at home and not really being stalked by an over-the-shoulder snooper.

And to cover the occasional Internet kiosk scenario, he suggests providing a checkbox that will let users decide whether they want to mask their password. I like it! Virtual equivalent of cupping your hand around the keypad at an ATM.

Now that I think about it, I have recently noticed that when I type a password on my mobile phone, it briefly shows the last character I typed before replacing it with an asterisk. (Is that an Opera Mobile feature?) That seems to be a concession to some of Nielsen’s points regarding mobile password entry. But I wonder whether it really makes sense either. If it’s visible to you briefly, then it’s visible to a snooper briefly too. But what are the chances that someone can see that teeny tiny text you are taptapping on your phone anyway???

So I guess he’s convinced me! Death to the Asterisk!

posted by Ted Boren on Wednesday, Jun 24, 2009
tagged with passwords, security, usability, mobile
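
The checkbox idea from the post, sketched as an added example (not code from this post or from Nielsen's article): the field starts masked, a ticked box reveals it, and it is re-masked before submit. The element ids are hypothetical.

```javascript
// Added example: "show password" checkbox for a login form.
// The element ids used at the bottom are hypothetical.

/**
 * Wire a checkbox to a password field.
 * field    - the <input type="password"> element
 * checkbox - the <input type="checkbox"> that unmasks it
 * form     - the enclosing <form>
 * Returns a remask() function for callers that need to force masking.
 */
function attachMaskToggle(field, checkbox, form) {
  function apply() {
    // Masked is the default; only a ticked box reveals the text.
    field.type = checkbox.checked ? 'text' : 'password';
  }

  function remask() {
    checkbox.checked = false;
    apply();
  }

  // Start masked even if the browser restored a ticked box on reload.
  remask();

  checkbox.addEventListener('change', apply);

  // Re-mask before the form is submitted: a field submitted as
  // type="text" can be saved in the browser's form history, and the
  // password would stay readable on screen while the request is pending.
  form.addEventListener('submit', remask);

  return remask;
}

// Browser usage (skipped when run outside a page).
if (typeof document !== 'undefined') {
  const form = document.getElementById('login-form');        // hypothetical id
  const field = document.getElementById('password');         // hypothetical id
  const checkbox = document.getElementById('show-password'); // hypothetical id
  if (form && field && checkbox) {
    const remask = attachMaskToggle(field, checkbox, form);
    // Also hide the password when the tab goes to the background.
    document.addEventListener('visibilitychange', () => {
      if (document.hidden) remask();
    });
  }
}
```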


7 comments

The last character feature you’re talking about occurs on iPhones also. I love that I can see the last character. As long as only one char is visible I feel protected.

comment by Jamis Charles about an hour later

No! It’s just plain silly to force web authors to provide functionality that could and should be provided by web browsers. Forms are THE biggest usability issue on the web, so Jakob suggests alleviating one minor usability issue by introducing yet another checkbox that is certainly going to confuse MORE people than the asterisks.

If this is such a big issue, the browsers should provide the user an option to mask passwords or not. Even a context menu option (View Password) would work.

But let’s not suggest that web authors should try to account for something that is potentially a minor problem for a few folks with fat thumbs. User preferences in web sites are for sissies!

comment by Jared 1 hour later

I agree; this should be a browser/OS setting, not an extra checkbox on web forms. Inevitably, at some point, you’ll have your browser up on a projector or Go To Meeting and accidentally reveal a password because you forgot to check the box before typing. That kind of setting needs to be on a global, not a per-form, basis.

A (possibly) better solution would be to offer to unmask the password for that login instance if you typed it wrong the first time. So you’d get a standard “Your password was wrong” message, with a link/toggle to unmask your password. But I imagine most people would just quickly retype the password and ignore the invitation.

Personally, I find that masked passwords feel more secure than unmasked; I see those asterisks and am comforted—even if it’s just a placebo. I wonder how many people would freak out if, suddenly, all password fields on the web suddenly unmasked. My guess: the vast majority.

comment by Jared Christensen 3 hours later

All good points. Thanks for sharing guys. The downside of course is waiting for browsers to catch up. Bottom line is that there is no need for this “feature.” At best it is Jared’s placebo :-) But you’re right—lots of people would probably freak out if it disappeared, although it would disappear only as quickly as it was adopted as a standard, which I would guess would be slow.

@jared I like your thought about maybe only showing the option if the user has trouble. That would immediately reveal an all-caps or unshifted letter problem, and keep it out of the user’s face until there was proof of a problem.

comment by Ted Boren 3 hours later

There’s a “show password” checkbox in the Mac OS X dialog box for connecting to a wireless network, when a password is required…

comment by Samuel 6 hours later

The whole argument about how people that could see it on your screen could just see your keyboard is a little silly. Most people type so fast these days, someone trying to watch me type my password would have little luck seeing what I typed.

I run into situations every day like giving demos or presentations on a projected screen where showing my password in plain text would be a total fail.

The showing of the last character on a phone makes sense because of the context.

This is for sure an issue that should be handled by browsers… if even handled at all.

comment by Josh Bryant 13 hours later

The iPhone has a pretty good workaround for this. When you type in a password, the last character you typed in is visible, and all previous characters become asterisks.

It works pretty well in my opinion, someone over your shoulder wouldn’t be able to see the whole password if they were just glancing and you can also tell if you typed in a letter wrong.

comment by Chris Rebstock about a day later
