The End of the Asterisk?

Jakob Nielsen’s Alertbox today proclaims that we should Stop Masking Passwords. He claims the usability costs are too high, especially on mobile devices where typos are more common.

I was skeptical, but he has some great points, the most important being that the greatest security risks when you are entering a password are really electronic—someone snooping your password through an unsecure connection. Someone watching your screen can just as easily watch your keyboard to see what keys you tap. But most of the time this is irrelevant, since you are at home and not really being stalked by an over-the-shoulder snooper.

And to cover the occasional Internet kiosk scenario, he suggests providing a checkbox that will let users decide whether they want to mask their password. I like it! Virtual equivalent of cupping your hand around the keypad at an ATM.

Now that I think about it, I have recently noticed that when I type a password on my mobile phone, it briefly shows the last character I typed before replacing it with an asterisk. (Is that an Opera Mobile feature?) That seems to be a concession to some of Nielsen’s points regarding mobile password entry. But I wonder whether it really makes sense either. If it’s visible to you briefly, then it’s visible to a snooper briefly too. But what are the chances that someone can see that teeny tiny text you are taptapping on your phone anyway???

So I guess he’s convinced me! Death to the Asterisk!

posted by Ted Boren on Wednesday, Jun 24, 2009
tagged with passwords, security, usability, mobile