Don’t Stop Password Masking
There are a few websites I visit for insight into design and usability trends: A List Apart, Alertbox, Sitepoint, Web Design from Scratch, and Signals vs Noise. I generally find these sites very useful, and I respect the opinions of the writers there. However, sometimes people are just plain wrong.
The offender today is Jakob Nielsen, who writes for Alertbox. He published an article back in July about password masking, and why we should do away with it:
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
In essence, he is saying we should do away with those dots or asterisks which appear when we type in our passwords. What a bad idea.

The only place I believe this may be valid is a private office. Anywhere else, it is a bad idea. Schools, internet cafés, open-plan offices and public kiosks are just a few examples of places where people type in passwords and where other people seeing the screen is commonplace.
Password masking doesn’t protect against malicious criminals who want to hack your bank account. It protects from casual hacking – where people you know look over your shoulder and grab your password to have a bit of fun with you. With password masking, this isn’t a problem. Without it, we are all opening ourselves up.
Perhaps there is a solution to help Jakob see his password on the screen: a browser extension which toggles the visibility of your password on websites. Simple. He can use it, and the rest of us can keep living our lives as if nothing ever happened.
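A sketch of what such a toggle could look like, as an added example that is not part of the original post or any existing extension: masking stays the default, and a revealed field re-masks itself on a timeout or when it loses focus. The function names, the five-second timeout and the Alt+F8 shortcut are assumptions made for illustration.

```javascript
// Added example, not from the original post. Names, the 5 s timeout and the
// Alt+F8 shortcut are assumptions chosen for illustration.

// `field` is anything with a writable `type` property (an <input> in a browser).
function createRevealToggle(field, opts = {}) {
  const timeoutMs = opts.timeoutMs ?? 5000;
  const setTimer = opts.setTimer ?? ((fn, ms) => setTimeout(fn, ms));
  const clearTimer = opts.clearTimer ?? ((id) => clearTimeout(id));
  let timer = null;

  // Masked is the resting state: every path back to it cancels the timer.
  function mask() {
    if (timer !== null) { clearTimer(timer); timer = null; }
    field.type = "password";
  }

  // Show the characters, but only until the timeout fires.
  function reveal() {
    if (timer !== null) clearTimer(timer);
    field.type = "text";
    timer = setTimer(mask, timeoutMs);
  }

  function toggle() {
    if (field.type === "password") reveal(); else mask();
    return field.type;
  }

  return { mask, reveal, toggle };
}

// Wire every password field on a page: Alt+F8 toggles, losing focus re-masks.
function attachToPage(doc) {
  const toggles = [];
  for (const input of doc.querySelectorAll('input[type="password"]')) {
    const t = createRevealToggle(input);
    input.addEventListener("blur", t.mask);
    input.addEventListener("keydown", (e) => {
      if (e.altKey && e.key === "F8") { e.preventDefault(); t.toggle(); }
    });
    toggles.push(t);
  }
  return toggles;
}

// In a browser (for example as an extension content script) this runs on load.
if (typeof document !== "undefined") attachToPage(document);
```

The timeout and blur handlers are the point: a field left revealed on a shared screen is exactly the shoulder-surfing case masking exists for.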
(Just a note: I still respect Jakob Nielsen – I think most of his articles are great. It’s just this one thing I have a problem with. Even others agree with my point of view.)