Jakob Nielsen says that we should Stop Password Masking in his latest AlertBox article. His argument is simple -- we are very, very rarely in a situation where we're typing in a password while someone is looking over our shoulder. It's extremely common for us to be typing in a password when we're alone. So why not show our passwords as we type? And, he suggests, have a checkbox to mask the password for those rare situations when someone actually is watching us type.
This reminds me of a situation I ran into a few years ago. A server product I was supporting got complaints from customers because we were showing passwords in property files. A central aspect of security for the server was file system security, so there was no issue with an unauthorized person being able to open the property file and see the password (if they could do that, they wouldn't need the password, the entire system would be vulnerable). So the issue was solely around looking-over-the-shoulder scenarios where someone would need to open the property file with someone watching. There was a clear usability degradation from occluding the password in the file, so we asked customers to give us examples of situations where this looking over the shoulder would be a problem. Their response? It doesn't matter! Passwords should always be occluded! Just in case!
We masked the passwords in the property file.
So I have a lot of sympathy for Nielsen's position. But I'm not completely convinced. For example, the one fairly common scenario I can think of where masking is needed is when screen sharing during a web conference. I'm on web conferences all the time, and I'd estimate that there are at least a couple of times a week where someone types in a password while screen sharing. And note that Nielsen says that some passwords (like for bank accounts) should perhaps be occluded by default, but there's nothing special about passwords when screen sharing. In other words, during design we can't anticipate whether this is a password that is likely to be used during a web conference. If users have to click a "mask" checkbox before typing a password in a web conference, lots of people will forget... potentially exposing their password to not ONE person looking over their shoulder, but scores of people on a web conference. That seems like a very real concern.
But in terms of baby steps, I like the idea of having a checkbox to mask passwords that is always checked by default. If you're surprised when your first password attempt fails, you can uncheck it and make sure you're typing it in correctly.
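Here is what that masked-by-default checkbox looks like in a browser, as an added example (it is not code from the post or from Nielsen's article). The field starts masked, the checkbox lets the user reveal it to check their typing, and, as an extra hardening the post does not propose, the field re-masks itself whenever it loses focus, so a box left unchecked does not keep exposing the password on a shared screen. The element ids `password` and `mask-toggle` are assumed; the state object is kept separate from the DOM wiring so the behaviour can be exercised without a browser.

```javascript
// Added example, not from the original post. Assumed markup:
//   <input id="password" type="password">
//   <label><input id="mask-toggle" type="checkbox" checked> Mask password</label>

// Pure state model: "masked" is the default and is restored on blur.
function createMaskState() {
  let masked = true; // checkbox is checked by default, so the field starts occluded
  return {
    isMasked: () => masked,
    // Checkbox change handler: checked means masked.
    setMasked(checked) {
      masked = Boolean(checked);
      return masked;
    },
    // Added hardening: any loss of focus forces masking back on, so a field
    // left revealed is not still readable when the user moves on (or shares
    // their screen later).
    onBlur() {
      masked = true;
      return masked;
    },
    // The input type the field should currently have.
    inputType: () => (masked ? 'password' : 'text'),
  };
}

// DOM wiring. Takes the two elements so it can be driven by fakes in tests.
function wirePasswordField(input, checkbox, state = createMaskState()) {
  const render = () => {
    input.type = state.inputType();
    checkbox.checked = state.isMasked();
  };
  checkbox.addEventListener('change', () => {
    state.setMasked(checkbox.checked);
    render();
  });
  input.addEventListener('blur', () => {
    state.onBlur();
    render();
  });
  render(); // apply the masked default immediately, even if the markup differs
  return state;
}

// Only wire up real elements when running in a browser.
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');      // assumed id
  const checkbox = document.getElementById('mask-toggle'); // assumed id
  if (input && checkbox) wirePasswordField(input, checkbox);
}
```

Keeping the "masked" decision in one small object means a later change (for example, re-masking after a timeout instead of on blur) touches one function rather than every event handler.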
Wednesday, June 24, 2009