Should Passwords Be Masked in Online Forms?

by Patrick Altoft on June 26, 2009

Jakob Nielsen’s latest Alertbox raises an interesting and controversial question: should passwords be masked in online forms?

Nielsen argues that usability suffers when passwords are just a series of bullets and that it causes sites to lose business due to customers struggling to log in.

When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:

Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Personally I’m quite happy with the idea that passwords are visible in plain text, although I agree with the requirement to have a checkbox for when I’m in a public place. The big issue for me is that a large proportion of web users don’t really understand these things and are likely to assume that passwords visible in plain text are somehow less secure than passwords that are converted to bullets.

There are huge numbers of people who don’t understand the Internet, ranging from the dozens of people every month who search for www.direct.gov.uk/taxdisc and then email me thinking I’m the DVLA, to the people who complain to our clients that their ecommerce forms are publicly displaying their credit card number when it’s just their browser’s auto-complete function.

What do you think?

Patrick Altoft is Director of Search at Leeds based digital & SEO agency Branded3. Patrick also runs Blogstorm.


Carps 26 Jun 2009 at 10:21 am

When I first read that story I totally agreed – especially on mobile interfaces where typing is so damn awkward, but now I’m not so sure on reflection.

Fundamentally, 90% of people use one password for *everything* – from their email to their online bank account. While there’s a definite usability lag in not being able to see what you’re typing, I think the dangers of someone getting their hands on your entire digital life probably trumps that in terms of importance.

Joff 26 Jun 2009 at 10:58 am

In my experience, users associate a masked password with a sense of security. Regardless of what (if any) encryption is going on behind the scenes, if a password is plainly visible then I believe more users would feel uneasy about using the form than those that are less confident about entering in a password that is masked.

An alternative technique could be to do something similar to password entry when using mobile web browsers: display the character as it’s typed, but just for a second or two and then mask it. Enough time for the user to register that they’ve entered the correct/incorrect character and amend, if necessary.
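The scheme Joff describes (show each character briefly, then mask it), combined with the "show password" checkbox mentioned in the post, modelled as a small DOM-free state object. This is an added example, not code from the post or its commenters; the 1.5 second reveal window and the injectable clock are assumptions made so the behaviour can be tested.

```javascript
// Added example: state model for a password field that reveals only the
// most recently typed character, and only for a short window.
const MASK_CHAR = "\u2022"; // bullet, as conventional password fields use

class TransientMaskField {
  // revealMs: how long the last typed character stays visible (assumed 1.5 s).
  // now: clock function, injectable so the timing can be tested deterministically.
  constructor({ revealMs = 1500, now = () => Date.now() } = {}) {
    this.revealMs = revealMs;
    this.now = now;
    this.value = "";            // the real password; never shown unless unmasked
    this.lastTypedAt = -Infinity;
    this.showPlain = false;     // state of the "show password" checkbox
  }

  typeChar(ch) {
    this.value += ch;
    this.lastTypedAt = this.now();
  }

  backspace() {
    // Deleting reveals nothing: the remaining characters stay masked.
    this.value = Array.from(this.value).slice(0, -1).join("");
    this.lastTypedAt = -Infinity;
  }

  setShowPlain(on) {
    this.showPlain = on;
  }

  // What the field renders. Array.from keeps multi-code-unit characters intact.
  display() {
    if (this.showPlain) return this.value;
    const chars = Array.from(this.value);
    const masked = chars.map(() => MASK_CHAR);
    if (chars.length > 0 && this.now() - this.lastTypedAt < this.revealMs) {
      masked[masked.length - 1] = chars[chars.length - 1];
    }
    return masked.join("");
  }

  // What is actually submitted. Masking is a display concern only: the real
  // value still travels to the server, which is why masking does nothing
  // against anyone able to read the request itself.
  submitValue() {
    return this.value;
  }
}
```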

Rick 26 Jun 2009 at 11:29 am

I’m not sure where I sit with this one. In the middle I think, as I do feel that if users were to see the password etc. that they may find it easier to log in, but on the other hand, through personal experience, I find that showing the user what their password is while they are typing it makes them feel insecure and feel that it may be less legit.

Patrick Altoft 26 Jun 2009 at 11:56 am

@Joff my iPhone does that – just displays it for long enough so you can see if you hit the wrong key.

pamidstate 26 Jun 2009 at 2:58 pm

At first my thought is “Argh” – yes, the only one to be worried about is the guy looking over my shoulder… all data still goes through the pipes, whether we can see what we are typing or not.

Then as I am reading through the comments, I remember watching a keynote (but sorry, I can’t remember where or when) as the presenter showed a one hour long, non-technical way of ‘hacking’ people and accounts. He showed a whole bunch of images and some video, basically just paying attention to what was on the target’s conference badge, parking hang tag, and snooping over a shoulder to see what programs were running in the desktop tray (lower right corner of Windows). Amazing how much you could tell, just by observing.

So, will someone be able to snoop your easily readable password over your shoulder? You bet!

Michael 29 Jun 2009 at 4:03 pm

I usually go with Nielsen’s suggestions, but this time I’d say it heavily depends on your audience and the device they’re using. Your point about users feeling that a plain-text password is somehow less secure is a good one – I think most users just don’t get it if there is an (additional) checkbox saying “mask my password”. Users are just used to the password masking – but I think it’ll be worth changing to plaintext passwords on new devices such as smart phones – because there isn’t a standard yet. But then each website would have to detect the browser first and deliver different password fields … which can be quite a pain in the neck.
