So, not only is this guy suggesting websites change their technology, he's also suggesting users modify their behavior to be more secure.

Not going to happen.

To be fair, he did suggest that password masking was toggled by a checkbox that was ON by default.

An option to reveal the text of the password field would have a drastic effect on these support requests. It would lower calls and call times on these issues. Even if this 15-minute change only saved 30 minutes of support time a -year- this would be a net win.

You might not screw up passwords, but plenty of people do. I'm not suggesting to have it permanently visible, just the option to make it visible. This enables people with password issues to debug their own issues before resorting to a password reset or contacting support.

Typos happen even to those who can type well. And I can remember my password, but sometimes it's a matter of figuring out which password to remember. If the one I expected to work doesn't, it just be that I unknowingly mistyped it, not that it was the wrong password.

Slightly on-topic: I find it silly for a shopping website to display your complete credit card information in plain letters on screen, while masking your login password. The credit card info can be misused to empty your bank account, while the login password can be misused to ... what? Send obscene support requests and muck about with your digital shopping cart?

That, and if your credit card is stored on their servers, which your statement implies, it'd be easy for me to buy stuff on behalf of you. Right now, I'm buying you a new 72 inch Plasma screen which you can't afford. Have fun returning it!

Of course, I could send that plasma to myself, but it'd be stupid of me to do so, since I'd be giving away my where abouts.

No, I did not intend to imply that.

The places where I do most my shopping, I have to (or prefer to, in the case of Amazon) enter credit card information on a per-purchase basis.

You might not agree to unmask all passwords but why not this

> It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.

This is spot on as well.

> Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common

And on a mobile device, people snooping would be uncommon as well, so why mask passwords on mobile sites?

So please think hard on this, before you dissmiss this as stupid or untenable.

I have. This is stupid and untenable.

Problem one: Right now if I encountered a login form that didn't mask the password I would probably attribute this to incompetence, not usability. I don't think I'm the only one.

Problem two: Right now all login forms work the same. The top field is the username and under that is the password field. This would break that consistency by adding the "show (or hide) password" behavior. In his description he even suggests that some sites default to a different behavior based on some notion of degree of security. Now logging in with someone looking on becomes quite a bit more nerve-wracking because you need to figure out if the password field will disclose your password. This is less usable.

Now, where I think this may be useful is if it is added as part of the "invalid password" behavior. Offer to give the user help only if they need it. Provide them a button to show the password they entered, and allow them to try again underneath it to fix any typos or verify that they correctly entered the password they were thinking of. This helps the user without changing the way the login form operates in the default case where a correct password is entered (a password that's probably in the user's muscle memory because they use it for everything). I know I've actually seen this done somewhere, although I can't remember where.

Mobile is a bit different. I’m completely behind the times in using a mobile device to access the web, but I know that my terribly slow phone running its gimped browser (netfront, I think?) on its tiny screen quite a few years ago provided the option to display masked fields in the editor window it would switch to whenever filling out an input field. This seems like a better solution to this problem to me (and was almost a necessity on that device since it didn’t have a proper keyboard).

Mac OS X's Keychain Access has "show this password", and iPhone does masking but still shows you the last character you just typed for about a second.

I think these are both good compromises.

That I think is the problem with the original message - the problem IS sort of there but the solution is just too readical for it :P

He is right about the point, straight on. I've been thinking about implementing it on our web app at aleveo.com like that. Let me elaborate.

We all know that having a simple and usable register/login form increases signups. Let that aside, I've kicking out everything of our forms until really only the necessary. Among those things is the repeat password/email field, username (enough with those) etc. However, what if caps is on, or the keyboard layout is other and so on, the person will signup for your service, but next time he wants to login, if he is having issues with the form, you're done. He'll blame you, as he think he knows what he types as a password.

It is essentially wrong not to see what you are typing. If you noticed, Mr.Nielsen didn't go into implementation. He said that the concept is legacy. A good implementation would be having a checkbox next to the password field "[] show text" or similar, default unchecked.

An older person would definitively appreciate that, but it is not only for them, as it happens to me too (24 year old) to mistake until I figure out what I am really typing in (first keystroke swallowed, typing mistake, caps, wrong layout, etc)

Regardless just because he is a well respected individual does not make all his ideas "the right way".

I think people are misreading what he said and making knee jerk reactions. But, for exampl...:

> password masking doesn't even protect fully against snoopers.

Seems an irrelevant point - he doesnt weigh the security tradeoff against the supposedly improved usability. I would argue that password masking is the #1 deterrent for casual password stealers. Plus reading fast typed keys is a skill needing to be acquired. A determined thief will always find a way to get your password. The masking is deter the casual criminals (or just your co-workers etc!!)

> It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue

For a UI designer/engineer I think this shows a whole lot of ignorance about how people use computers... does he really imagine most people use their computer this way? really?

One important point he misses is that password boxes leap out at you BY being masked. This is an important UI concept because the user knows they are logging into something "secure". It is also the expected behaviour (for better or for worse); not just a convention but an ingrained expectation! UI designers hardly ever break expectations like that in my experience ;)

In terms of not seeing what your typing: he should know a vast majority of people watch their fingers as they type. Knowing you made a mistake is a fairly natural process (yes, we have tested this).

He DOES have a very very good point about mobiles - this is a perfect example of where masking shouldnt be employed. And I suspect this is the main point he is making. But extending it to every format? No, that IS silly.

:)

I think Jakob is really onto something here.

"More importantly, there's usually nobody looking over your shoulder when you log in to a website."

I agree with this statement entirely, but wonder if in a mobile setting, like with an iPhone if this isn't a bad idea. There have been many times where I tried to look over at someones iPhone to see what they were doing and simply couldn't see. I'm talking as close as 2 feet away.

And since I know how annoying it can be to type passwords on my iPod Touch, I could see the value of this--but only on devices with very small screens, and WITHOUT any sort of auto-fill from the browser. Of course, it should be an opt-in sort of setting. No vendor should decide your fate when it comes to security decisions like this.

Also, how about the iPhone compromise? It displays the last character you typed for only an instant.

The solution is obvious to me. If javascript is enabled, allow the user to undo a reset.

If javascript is disabled, don't show a reset button or make it harder to click accidentally somehow (make it smaller or a link or more out of the way).

Firefox > Preferences > Secutiry > "Saved Passwords" -> "Show Password"

Anyway, the simple fix is to not show saved passwords in plain text.

It refuses to let you see the WEP key that you are typing, but insists that you type it twice.

If it were something like "what is your favorite flavor of popsicls" and not "type this random 58 character sting of hex", then that might be acceptable, but it isn't. Really, who is going to be standing over your shoulder and memorize that?

/drives me insane

//iwconfig ath0 essid "blueberry struedel" key $foo ftw

Current Windows (Vista) allows you to tick a box and see the WPA key as you type it (once) (it's masked by default).

If only that option could be easily showed and asked for simple users: a little icon within password boxes showing if it's masked or not, and a hotkey / click on the icon to toggle it on/off.

You can read the input value with Javascript, so if you add an 'unmask password' button, then that button should effectively replace the input type=password with an input type=password and populate it with the values previously stored in the password element.

There are a number of ways to do this, but switching out elements was the easiest for me -- of course, browsers have come a long way since that implementation. YMMV.

However they would appreciate the feature if they can't manage to make their password work (e.g. caps lock, different keyboard layout, etc.)

As for this "checkbox," how many users will unwittingly have their online identity stolen because regular users aren't thinking about whether they need to select some checkbox before they type in their passsword. Also, that seems more annoying than more usable.

As someone else mentioend, this makes "remember password" totally unworkable; though personally I don't like that feature either.

There is a difficulty in mobile devices but that is because typing on such devices is not really great in terms of usability.

The other thing is that I don't think there is much evidence that this is really a problem. The only "barrier" problem that people have observed is having to create an account in the first place, but that is a separate issue.

And although I'll probably be shot down for this:

The iPhone OS's method of displaying the last masked character briefly before masking it is probably the best way to handle masking.

The fact is we need a better option both for security and usability.

Response: This is like saying locking your door doesn't help because someone can just get a bulldozer and push it in. Sure, it's true, but you aren't locking your door to make your home impenetratable. You're locking your door to prevent casual unauthorized entry. You don't want someone to just wander in while you're away and take things without having to do any work at all. And you don't want someone to just barge in without knocking (well you might, but it's a case for locking your door). Similarly, you aren't masking passwords to make it impossible for anyone to ever know your password. You're masking passwords so you can log in to your email in front of your friends without them getting tempted to use the information they gleaned.

Also, I can type faster than most people are probably able to read a keyboard (and my passwords are not words which makes them even harder to figure out), but there is likely no one on earth who can type faster than people can read.

---

Bad argument #2: It's ok to unmask some passwords because the information isn't critical.

Response: Take the example of looking at pictures of your cat. Where are these pictures? Let's suppose they're on Flickr. Actually, it doesn't matter much. Now, does Flickr (or this other website) just allow you to view pictures? No, it also allows you to post pictures (I wouldn't want someone posting their porn pics under my account), chat with friends (DEFINITELY don't want to be impersonated there), and even CHANGE YOUR PASSWORD thereby stealing your account. If you're just talking about password protecting a directory on your computer with cat pictures, sure show the password... but anything this trivial wouldn't be password protected anyway. Simply put, if it's important enough to have a password, it's important enough to have that password masked. Otherwise, why have it at all?

---

Excellent point: Since users DO use the same password for multiple things, you don't even know or control what credentials you are giving away. You may very well give away someone's bank PIN.

When you log in to a site, all the major browsers automatically ask you if you want to save your password. But if you display the password in plain text then the browser doesn't detect it as a password... and it doesn't offer to save it for you.

So what is that likely to result in? • Users getting annoyed at your site, and thus lost business • Users writing down their password somewhere else, resulting in a loss of security

These outcomes are exactly the opposite of what Jakob Nielsen is trying to achieve!

  onclick="getElementById('pwd').type='text';"

  $(function() {
    $("#hover-password").hover(
      function() {
        this.type = "text";
      },
      function() {
        this.type = "password";
      }
    );
  });

Why take the risk? :)

"In most cases, however, users will appreciate getting clear-text feedback as they enter passwords."

If Nielsen had a mockup or something that we could all clearly see was a huge improvement, then sure, let's do it. A UI change this drastic should have an order of magnitude gain to it. Otherwise, move on to bigger fish.

Clearly the answer is another password.

On the other hand, if I start typing my password too soon after the login box appears on my laptop, it eats the first character. I would never have worked out why I was finding it so hard to login if the password box did not display bullets. (See also dodgy keyboards.)

If you cover your hand, the problem space is still small enough to guess just based on where you are covering and how long for.

Only systems that do not use passwords are viable if you are being closely scrutinized. e.g. entering only selected characters from your passphrase.

Rarely there is one good solution to fit all problems.

Don't get me wrong, usability is very important, but if your application has to be secure(and not having someone look at your password over your shoulder is a requirement), then how can you choose usability over security?

What I say is that sometimes this is not a requirement even if the website offers a login feature.

I guess that for my online mail client I would prefer to have a masked password field.

Now for my account at an online rss reader I actually don't care that much because there is nothing to protect (at least in my opinion) and no value for someone to steal and remember my password. Maybe however I still want to be protected against someone on the web who happens to have the same name as I do and wants to steal my account... However the probability for this guy to be over my shoulder is quite low.

Maybe this is all a question of personal interest. Some users will prefer usability over security while others will prefer the opposite no matter the application. If this is the case then I would vote for having the option to toggle between one and the other...

So in essence if you leave a password field open then your potentially exposing the "global" password of your user to anyone walking past. That seems an even bigger consideration than just exposing the pass to your site. Your taking away any security the user expects when typing a password in :)

That being said, that is probably beyond the scope of what the author is trying to address but is still always something to consider.

I guess I'll design my future login boxes with security enabled by default and unmask option for the responsible user who would need it...

Consider systems that require long passwords, and even go as far as to scan them against a dictionary, ensuring that the p/w must be a jumble. Users will always subvert such a hard-to-use system by writing down the password, completely undermining the whole thing.

My netbook doesn't have hard CAPS and NUMLOCK lights, I need to look at the display's status bar to see it. When I log on, the status bar isn't shown. I can't tell if my keyboard is in numeric mode, so I can't tell if I'm typing my password. This frequently becomes very frustrating -- and this isn't hypothetical, it happens to me all the time.

And his solution is to present passwords in clear text?

Hmmm. That seems to be a mix metaphor of a message: lets prompt people to make a more secure password (arguably not going to have much effect) but then display it in clear text.

To me that seems a true loss of security :)

EDIT: ignoring his point (b) because that is completely irrelevant - clear text password boxes are no more or less secure than copy/pasting the password. BUT your not giving the user the choice - every user has that bit less security, not just those copy/pasting.