When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:
* Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)
* The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.
(Link: Jakob Nielsen – Stop Password Masking)
June 24, 2009

I would argue that Nielsen’s recommendation actually lowers security and usability for most users: http://www.atmedia.net/KlausRusch/blog/2009/06/disagreeing-with-jakob-nielsen-on.html
I don’t agree with the summary. I agree that the usability of masked passwords is low, but we can’t just unmask them.
Jakob Nielsen states that most of the time no-one looks over your shoulder. That’s right – but what about the times that someone does? He says that the “culprit” can see what you click on the keyboard – that’s right, but most of the time the one looking over the shoulder is not a criminal – merely a work colleague or a friend, and they are looking not because they search for my passwords, but just because they are there and something happens on screen. I don’t want my work colleagues to see my passwords.
Another usability thing: let’s say that you log in to a site with an unmasked password. As you type it and see the letters – don’t you feel insecure? If the site doesn’t take the effort to hide the letters now – why would it encrypt it on the net? By masking the letters, the site says to the user: “I’m aware this is a password and I’ll keep it a secret for you.”