Thoughts on password masking.
I’ve seen a couple of blog posts in the last few weeks on the subject of password masking. Jakob Nielsen’s post entitled Stop Password Masking makes a case for dropping the accepted standard that sees password fields blanked out by a line of bullets or asterisks. Nielsen claims that the security benefits are small at best and the impact on accessibility and usability is huge.
Let me say right off the bat, I couldn’t disagree more! Not only do I think Nielsen is wrong, I find the post to be one of the most obtuse articles I’ve ever seen. What made me write this article, though, isn’t Nielsen’s view. I was compelled to write this after listening to this week’s edition of BoagWorld. In the podcast, Paul and Marcus, whose views I usually very much agree with, seem to accept the notion of removing password masking with open arms. When I heard what was being said I could barely keep my jaw from hitting the floor.
“Why is it that as human beings we have a tendency to accept the status quo? Even if we think something is a bad idea we often fail to speak up because it has always been that way and ‘surely there must be a good reason’.” – Paul Boag
Of course Nielsen and, by his agreement, Boag don’t talk about just removing masking from all web sites and apps en masse. They do recognise that apps such as online banking, and indeed anything that will be used on a public computer, will benefit from password masking, but the proposed solution seems not only totally counter-intuitive but also as though it will have a big negative impact on the usability of the site/app.
“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.” – Jakob Nielsen
The problem with this solution is that it will only truly be effective with tech-savvy or web-savvy users who know what they are looking at. Average Joe, in the situation where the password is masked, probably won’t notice the “unmask” check-box, and even if they do they may not understand the security implications. By the same token, in the event that the password is unmasked they won’t take the time to think about the security of the situation and will be left open to people looking over their shoulder. While on that topic…
“Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.” – Jakob Nielsen
So what he’s suggesting is that rather than having the password entry spied on by skilled snoopers, why discriminate? Let’s make sure that all snoopers, regardless of skill, can spy on our passwords just by looking at the screen! Really? Of course, what Nielsen is getting at is that the security benefits of masking can be fairly small, and I do kind of agree; a skilled crim can indeed just look at your key presses. But he is very much putting a spin on that to benefit his own points about the usability impacts of masking.
- Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
- The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.
I find both of those points weak at best. Users can make more errors when they can’t see what they’re typing, but by the same token, because of the masking they will be more aware of this. My experience in IT support has shown me that people make several attempts at entering their password before giving up or calling support. This means that the log-on failures can be mainly attributed to two things: the user has forgotten their password, or they have caps lock turned on. Now, for the latter you may think “Well, unmasking would reveal that error”, but in my experience the user won’t notice the capitals. If they’ve not noticed it when they were entering their username, an unmasked password won’t reveal the error to them any better. The true solution to the caps lock problem is a tool tip that notifies the user that caps lock is on and that it may cause their password to be entered incorrectly.
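As an added example (not code from the original post), here is how the caps lock tool tip proposed above can be built in the browser while the field stays masked. It assumes a modern browser that supports KeyboardEvent.getModifierState() and a hypothetical tip element with the id capslock-tip, and falls back to a key-case heuristic where that API is missing.

```javascript
// Added example (not from the original post): a caps-lock warning for a
// masked password field, the alternative to unmasking argued for above.
// Assumes KeyboardEvent.getModifierState() in modern browsers; the DOM
// wiring at the bottom is skipped when no document exists (e.g. under Node).

// Decide whether a keystroke indicates caps lock is on. Pure function so it
// can be tested without a browser: `ev` needs only `key` and `shiftKey`,
// plus optionally `getModifierState`.
function capsLockEngaged(ev) {
  // Preferred: the browser reports the modifier state directly.
  if (typeof ev.getModifierState === 'function') {
    return ev.getModifierState('CapsLock') === true;
  }
  // Fallback heuristic for older engines: an uppercase letter typed without
  // Shift (or a lowercase one with Shift) means caps lock is engaged.
  const k = ev.key;
  if (typeof k !== 'string' || k.length !== 1 || !/[a-z]/i.test(k)) {
    return false; // digits and punctuation say nothing about caps lock
  }
  const isUpper = k === k.toUpperCase();
  return isUpper !== Boolean(ev.shiftKey);
}

// Warning text for the tool tip, or '' when no warning applies.
function capsLockMessage(ev) {
  return capsLockEngaged(ev)
    ? 'Caps Lock is on: your password may be entered incorrectly.'
    : '';
}

// Wire the warning to a password field; the field itself stays masked.
function attachCapsLockWarning(passwordInput, tipElement) {
  const update = (ev) => {
    const msg = capsLockMessage(ev);
    tipElement.textContent = msg;
    tipElement.hidden = msg === '';
  };
  passwordInput.addEventListener('keydown', update);
  passwordInput.addEventListener('keyup', update);
  passwordInput.addEventListener('blur', () => { tipElement.hidden = true; });
}

if (typeof document !== 'undefined') {
  const pw = document.querySelector('input[type=password]');
  const tip = document.getElementById('capslock-tip'); // hypothetical element id
  if (pw && tip) attachCapsLockWarning(pw, tip);
}
```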
The second point is loaded. It is up to the developer to police overly simple passwords and educate users on the benefits of a secure password. As for copy-paste passwords: this is clutching at straws. In my many years in tech support I have never come across a user who does this. I think all but the most security-ignorant will see the potential issues with doing this.
I’m all for the progression of usability on the web, but what this seems like is change for change’s sake. I think the perceived usability problems with traditional masked passwords are incredibly small. Too small, in fact, to risk the plethora of issues of creating a triple standard where some passwords are masked, others aren’t and others give you a choice. It’s a clear-cut case of ‘if it ain’t broke, don’t fix it.’ Masked passwords have been the norm for decades. People expect them. Moreover, having their password displayed on screen will destroy a user’s sense of security while using the app, even if they are using it on their own computer.