Comments on: Thoughts on password masking.

By: Steve D

Steve D — Tue, 21 Jul 2009 08:23:16 +0000

Cheers for the link, Chris is a very level headed guy by the sounds of things, and that is a pretty good solution to the problem. I’d love to see a website do an A/B test, where on one version the login is as normal, and then without character masking.

By: Dan

Dan — Mon, 20 Jul 2009 16:41:43 +0000

Thanks for your comments, dude. Yeah it's true that, even when you're alone in a room, having your password revealed can have a profound effect on your feeling of security. I did find an article a few days ago that gave two interesting solutions that, in my opinion work very well. You can read those here.

By: Steve D

Steve D — Mon, 20 Jul 2009 15:34:09 +0000

I completely agree with you Dan. To be honest this kind of opinion is where web folk forget about what the users need or want, and pander unnecessarily to accessibility issues rather than what is the sensible solution.

Whilst I agree that customs and general practice should be challenged wherever necessary, there is a point where common sense needs to prevail. I have, on one or two occasions had my password “unmasked” by an app, and that bothered me and made me more tense about using the site than anything else.

I think it’s also somewhat churlish to suggest that password masking is a net only thing. The most obvious use of this practice is at an ATM machine, something that has been standard since they were introduced. Like on a computer, many times no-one will be watching, but it’s nice to know your code is covered from any other stray prying eyes. This is the convention that was carried onto the web because it made sense, so it isn’t a case of challenging a “status quo” as Paul mentions in his podcast. Imagine if all of a sudden the banks said they were dropping masked PIN numbers (or giving it as an option) because it would reduce mistakes and make customers feel more confident putting their details in!