Wednesday, June 24, 2009

Should we stop masking passwords?

Yesterday, the usability guru Jakob Nielsen wrote an interesting article for his Alertbox: Stop Password Masking.
Summary:
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.
In the article, he argues that masking the user's password, which has been standard practice for some decades, is basically worthless and creates usability and security problems (users choosing easy passwords or copy-pasting them).

He mentions briefly that you could have a checkbox for this, and that for some sites (banks, etc.) it might be checked by default.

There are several issues with this:
  • Who are you to decide which sites are important enough to have their passwords masked?
  • Who are you to decide that on behalf of the user?
  • Why do you have to make this a tradeoff, when the code that does the trick is this one-liner?
<input type="checkbox" checked onclick="document.getElementById('pwd').type = this.checked ? 'password' : 'text'"/> Hide password

Give me a reason not to make this the standard design for all password boxes or make it part of a helper script in the browser (i.e. display that checkbox when hovering the password box).
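The helper-script idea above, as an added example that is not code from the original post: it attaches a checked-by-default "Hide password" checkbox to every password field and re-masks the field before the form is submitted, so the value is never sent from a plain text input, which browsers may keep in form history. The function names addMaskToggle and addMaskToggles are hypothetical, and the checkbox is always visible rather than shown on hover.

```javascript
// Added example: generalizes the one-liner to every password field on a page.
// addMaskToggle / addMaskToggles are hypothetical names, not from the article.
function addMaskToggle(doc, field) {
  const box = doc.createElement('input');
  box.type = 'checkbox';
  box.checked = true; // masked by default, as in the one-liner

  const label = doc.createElement('label');
  label.appendChild(box);
  label.appendChild(doc.createTextNode('Hide password'));
  field.parentNode.insertBefore(label, field.nextSibling);

  // Single place that keeps the field type and the checkbox in sync.
  const setMasked = (masked) => {
    field.type = masked ? 'password' : 'text';
    box.checked = masked;
  };

  // The user decides: unchecking reveals the text, checking masks it again.
  box.addEventListener('change', () => setMasked(box.checked));

  // Always re-mask before submit so the value leaves the page from a
  // password field, not from a text field the browser may remember.
  if (field.form) {
    field.form.addEventListener('submit', () => setMasked(true));
  }
  return { box, setMasked };
}

// Attach a toggle to each password field; returns one handle per field.
function addMaskToggles(doc) {
  const fields = doc.querySelectorAll('input[type="password"]');
  return Array.from(fields, (field) => addMaskToggle(doc, field));
}

// In a browser, run once the page has loaded. Skipped outside a browser.
if (typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => addMaskToggles(document));
}
```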