- minute forty-four -


Thoughts on password masking.

I’ve seen a couple of blog posts in the last few weeks on the subject of password masking. Jakob Nielsen’s post entitled Stop Password Masking makes a case for dropping the accepted standard that sees password fields blanked out by a line of bullets or asterisks. Nielsen claims that the security benefits are small at best and the impact on accessibility and usability is huge.

Let me say right off the bat, I couldn’t disagree more! Not only do I think Nielsen is wrong, I find the post to be one of the most obtuse articles I’ve ever seen. What made me write this article, though, isn’t Nielsen’s view. I was compelled to write this after listening to this week’s edition of BoagWorld. In the podcast, Paul and Marcus, whose views I usually very much agree with, seem to accept the notion of removing password masking with open arms. When I heard what was being said I could barely keep my jaw from hitting the floor.

“Why is it that as human beings we have a tendency to accept the status quo? Even if we think something is a bad idea we often fail to speak up because it has always been that way and ‘surely there must be a good reason’.” – Paul Boag

Of course Nielsen and, by his agreement, Boag don’t talk about just removing masking from all web sites and apps en masse. They do recognise that apps such as online banking, and indeed anything that will be used on a public computer, will benefit from password masking, but the proposed solution seems not only totally counter-intuitive but also as though it will have a big negative impact on the usability of the site/app.

“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.” – Jakob Nielsen

The problem with this solution is that it will only truly be effective with tech-savvy or web-savvy users who know what they are looking at. Average Joe, in the situation where the password is masked, probably won’t notice the “unmask” check-box, and even if they do they may not understand the security implications. By the same token, in the event that the password is unmasked they won’t take the time to think about the security of the situation and will be left open to people looking over their shoulder. While on that topic…

“Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.” – Jakob Nielsen

So what he’s suggesting is that rather than having password entry spied on only by skilled snoopers, why discriminate? Let’s make sure that all snoopers, regardless of skill, can spy on our passwords just by looking at the screen! Really? Of course, what Nielsen is getting at is that the security benefits of masking can be fairly small, and I do kind of agree; a skilled crim can indeed just look at your key presses. But he is very much putting a spin on that to benefit his own points about the usability impacts of masking.

  • Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I find both of those points weak at best. Users can make more errors when they can’t see what they’re typing, but by the same token, because of the masking they will be more aware of this. My experience in IT support has shown me that people make several attempts at entering their password before giving up or calling support. This means that log-on failures can mainly be attributed to two things: the user has forgotten their password, or they have Caps Lock turned on. Now, for the latter you may think “Well, unmasking would reveal that error”, but in my experience the user won’t notice the capitals. If they’ve not noticed it when they were entering their username, an unmasked password won’t reveal the error to them any better. The true solution to the Caps Lock problem is a tool tip that notifies the user that Caps Lock is on and that it may cause their password to be entered incorrectly.
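The Caps Lock tool tip argued for above, together with the masked-by-default “unmask” check-box quoted from Nielsen earlier, is easy to implement without weakening the default. The following is an added example written for this page, not code from the original post or from any site it mentions. The element names (`capslock-warning`, `show-password`), the function names and the fallback heuristic for browsers without `getModifierState` are this example’s own assumptions; the detection logic is kept in pure functions so it can be exercised outside a browser.

```javascript
// Caps Lock warning and optional unmask toggle for a password field.
// Added example; names and layout are assumptions, not the post's own code.

// Returns true when the keystroke described by `evt` indicates Caps Lock is on.
// `evt` is a KeyboardEvent or any object with `key`, `shiftKey` and
// (optionally) `getModifierState`. When getModifierState is missing, a
// heuristic is used: an uppercase letter typed without Shift, or a lowercase
// letter typed with Shift, both imply Caps Lock. Non-letter keys tell us nothing.
function capsLockActive(evt) {
  if (typeof evt.getModifierState === 'function') {
    return evt.getModifierState('CapsLock') === true;
  }
  const key = evt.key;
  if (typeof key !== 'string' || key.length !== 1 || !/[a-zA-Z]/.test(key)) {
    return false; // nothing to infer from digits, punctuation or control keys
  }
  const typedUpper = key === key.toUpperCase();
  return typedUpper !== Boolean(evt.shiftKey);
}

// Text to show beside the field, or null when no warning applies. The warning
// is delivered as a message, so the masking of the field itself is untouched.
function capsLockMessage(evt) {
  return capsLockActive(evt)
    ? 'Caps Lock is on. Your password may not be entered correctly.'
    : null;
}

// Input type for the field given the state of the "show password" check-box.
// Masked is the default; the user must actively opt out.
function inputTypeFor(showPassword) {
  return showPassword ? 'text' : 'password';
}

// Wires the warning to a password input and a sibling element used as the
// tooltip. The warning is re-evaluated on every key event and hidden on blur
// so a stale message is not left on screen.
function wireCapsLockWarning(input, tooltip) {
  const update = (evt) => {
    const msg = capsLockMessage(evt);
    tooltip.textContent = msg || '';
    tooltip.hidden = msg === null;
  };
  input.addEventListener('keydown', update);
  input.addEventListener('keyup', update);
  input.addEventListener('blur', () => { tooltip.hidden = true; });
}

// Wires an "unmask" check-box (unchecked by default) to the same input.
function wireMaskToggle(input, checkbox) {
  checkbox.addEventListener('change', () => {
    input.type = inputTypeFor(checkbox.checked);
  });
}

// Browser entry point; skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  const input = document.querySelector('input[type="password"]');
  const tooltip = document.getElementById('capslock-warning'); // assumed id
  const toggle = document.getElementById('show-password');     // assumed id
  if (input && tooltip) wireCapsLockWarning(input, tooltip);
  if (input && toggle) wireMaskToggle(input, toggle);
}
```

The tooltip element should start out with the `hidden` attribute and sit next to the field so that screen readers and sighted users both get the hint; the check-box, if offered at all, starts unchecked so the masked state remains the default the article argues for.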

The second point is loaded. It is up to the developer to police overly simple passwords and educate users on the benefits of a secure password. As for copy-paste passwords; this is clutching at straws. In my many years in tech support I have never come across a user who does this. I think all but the most security ignorant will see the potential issues with doing this.

I’m all for the progression of usability on the web, but what this seems like is change for change’s sake. I think the perceived usability problems with traditional masked passwords are incredibly small. Too small, in fact, to risk the plethora of issues of creating a triple standard where some passwords are masked, others aren’t and others give you a choice. It’s a clear-cut case of ‘if it ain’t broke, don’t fix it.’ Masked passwords have been the norm for decades. People expect it. Moreover, having their password displayed on screen will destroy a user’s sense of security while using the app, even if they are using it on their own computer.

3 comments

  1. Steve D - July 20, 2009 4:34 pm

    I completely agree with you Dan. To be honest this kind of opinion is where web folk forget about what the users need or want, and pander unnecessarily to accessibility issues rather than what is the sensible solution.

    Whilst I agree that customs and general practice should be challenged wherever necessary, there is a point where common sense needs to prevail. I have, on one or two occasions had my password “unmasked” by an app, and that bothered me and made me more tense about using the site than anything else.

    I think it’s also somewhat churlish to suggest that password masking is a net only thing. The most obvious use of this practice is at an ATM machine, something that has been standard since they were introduced. Like on a computer, many times no-one will be watching, but it’s nice to know your code is covered from any other stray prying eyes. This is the convention that was carried onto the web because it made sense, so it isn’t a case of challenging a “status quo” as Paul mentions in his podcast. Imagine if all of a sudden the banks said they were dropping masked PIN numbers (or giving it as an option) because it would reduce mistakes and make customers feel more confident putting their details in!

  2. Dan - July 20, 2009 5:41 pm

    Thanks for your comments, dude. Yeah it’s true that, even when you’re alone in a room, having your password revealed can have a profound effect on your feeling of security. I did find an article a few days ago that gave two interesting solutions that, in my opinion work very well. You can read those here.

  3. Steve D - July 21, 2009 9:23 am

    Cheers for the link. Chris is a very level-headed guy by the sounds of things, and that is a pretty good solution to the problem. I’d love to see a website do an A/B test, where on one version the login is as normal, and then without character masking.
