Wednesday, June 24, 2009

Nielsen says to stop password masking

Jakob Nielsen says that we should Stop Password Masking in his latest Alertbox article. His argument is simple -- we are very, very rarely in a situation where we're typing in a password while someone is looking over our shoulder. It's extremely common for us to be typing in a password when we're alone. So why not show our passwords as we type? And, he suggests, have a checkbox to mask the password for those rare situations when someone actually is watching us type.

This reminds me of a situation I ran into a few years ago. A server product I was supporting got complaints from customers because we were showing passwords in property files. A central aspect of security for the server was file system security, so there was no issue with an unauthorized person being able to open the property file and see the password (if they could do that, they wouldn't need the password, the entire system would be vulnerable). So the issue was solely around looking-over-the-shoulder scenarios where someone would need to open the property file with someone watching. There was a clear usability degradation from occluding the password in the file, so we asked customers to give us examples of situations where this looking over the shoulder would be a problem. Their response? It doesn't matter! Passwords should always be occluded! Just in case!

We masked the passwords in the property file.

So I have a lot of sympathy for Nielsen's position. But I'm not completely convinced. For example, the one fairly common scenario I can think of where masking is needed is when screen sharing during a web conference. I'm on web conferences all the time, and I'd estimate that there are at least a couple times a week where someone types in a password while screen sharing. And note that Nielsen says that some passwords (like for bank accounts) should perhaps be occluded by default, but there's nothing special about passwords when screen sharing. In other words, during design we can't anticipate whether this is a password that is likely to be used during a web conference. If users have to click a "mask" checkbox before typing a password in a web conference, lots of people will forget... potentially exposing their password to not ONE person looking over their shoulder, but scores of people on a web conference. That seems like a very real concern.

But in terms of baby steps, I like the idea of having a checkbox to mask passwords that is always checked by default. If you're surprised when your first password attempt fails, you can uncheck it and make sure you're typing it in correctly.

22 comments:

Jeff Harris said...

Interesting, I think it depends on the context. I know lots of people who would freak out if they saw their password being shown to them for a banking website.

Perhaps a compromise would be to offer users a choice, perhaps a link to switch a plain text input to a "secure" password field.

Terry Bleizeffer said...

Yeah, that's the idea behind the checkbox that masks the password. I think there are 3 scenarios:

1. password field + masking checkbox (unchecked by default)
2. password field + masking checkbox (checked by default)
3. masked password field (no checkbox, always masked)

I don't think a 4th scenario of "unmasked password field (no checkbox, always unmasked)" is viable.

Unlike Nielsen, I think scenario #1 is not viable either, because of screen sharing.

But I really like #2 over #3.

Georg Tavonius said...

As I read Nielsen's article, I found that concept (to always show the password) very disturbing. I'm working in an open-plan office and there is always someone who runs along behind my desk. So I would be one of the guys who would freak out if my password would be shown in plain text all the time.

But having a checkbox that is checked by default and would by unchecking make the password field visible is a good thing. And the OSs show already that it can work.

Anonymous said...

The checkbox option sounds viable but I doubt there will be a change anymore.

BTW, it's Nielsen if you want to correct your tag. (If there was a pun or something with the misspelling I must have missed it.)

Theresa Ramsey said...

Another technique would be to show the character briefly, then mask it. iPhone uses this style, though since it's a personal device, it's not the same as projecting or web conference.

Perfect Retouching said...

I agree with the suggestion that a fourth scenario of an unmasked password field (no checkbox, always unmasked) is not a viable or recommended option. Similarly, I disagree with Nielsen's opinion that scenario 1 (password field + masking checkbox unchecked by default) is viable. In my opinion, screen sharing makes this option risky and therefore it should not be used. The most secure and recommended options are either scenario 2 (password field + masking checkbox checked by default) or scenario 3 (masked password field with no checkbox, always masked).
