26 June 2009

Don't Stop Password Masking

I was surprised to see the latest advice Stop Password Masking from Jakob Nielsen.

Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the Web's early days.

Jakob Nielsen has raised many usability topics in his Alertbox, but he is not always correct. Although I used to read his column with an open, somewhat sceptical, mind, I gave up some time ago*.

No, password masking isn't just some legacy design artefact. Like other design choices relating to user identification and authentication, it has a significant impact on user trust and on data privacy, confidentiality and integrity. It is wrong to suggest that masking should be removed by default. By all means inform users of the risks and let them choose to display the characters being typed, but don't make that the default setting. More and more web sites are being accessed away from home, and being observed by other people or by surveillance equipment is commonplace almost everywhere.

Let's clean up the Web's cobwebs and remove stuff that's there only because it's always been there.

On e-commerce sites, the need to log in can often be removed completely, or made non-compulsory. Too often security controls are applied for other reasons, such as to generate information for sales and marketing reports, rather than to ease the purchasing process. For more critical data, the use of authentication mechanisms other than static passwords should be considered.

* I stopped reading Alertbox after Jakob Nielsen became very defensive about his training material only being available on DVD and not VHS tape, as many people had requested. His argument was that DVD players were so cheap, people should upgrade. Yet at the time, he was promoting the idea that web sites would render in all browsers—including old legacy ones.

Update 7th July 2009: Password Masking Update.

Posted on: 26 June 2009 at 08:43 hrs


Comments


I saw that article from Jakob. He was not thinking that day. I tweeted a few times after posting my own article about it, and got a bunch of people tweeting me reasons why he is so wrong on this. Some things that happen in the lab don't always go the way you plan in real life.
1 Added by Rob Posted on 27 June 2009 at 01:21 hrs
Agreed -- Nielsen is off his trolley on this one. Password masking is necessary - especially when your screen is easily visible by others (say, at a kiosk or library).

The only really necessary innovation that I have seen with regard to password masking came along with iPhone OS 2.0. When you type in a password field, the character you type is visible for a second or two before being masked. When using a keyboard with no tactile button sensation, this is a welcome innovation.
2 Added by Brien Posted on 03 August 2009 at 20:22 hrs
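The post argues that a field should be masked by default, with the user able to opt in to seeing the characters, and Brien's comment describes the iPhone behaviour of briefly revealing only the most recently typed character. The following is an added example (not code from this site) of the masking logic behind such a field, written as a plain state object so it can run outside a browser; the `revealLastMs` timeout, the fake clock and the `blur()` re-masking rule are my own assumptions.

```javascript
// Masking policy for a password field: masked by default, user may opt in
// to showing everything, and the last typed character may be shown briefly.
const MASK_CHAR = '\u2022'; // bullet used for each hidden character

class PasswordMaskState {
  // `now` is injectable so the timing can be exercised deterministically.
  constructor({ revealLastMs = 1500, now = () => Date.now() } = {}) {
    this.revealLastMs = revealLastMs;
    this.now = now;
    this.value = '';
    this.showAll = false;       // masked by default, as the post argues
    this.lastKeyAt = -Infinity; // time of the last keystroke
  }

  type(ch) {
    this.value += ch;
    this.lastKeyAt = this.now();
  }

  backspace() {
    this.value = this.value.slice(0, -1);
    this.lastKeyAt = -Infinity; // nothing new to reveal after a deletion
  }

  // The user's explicit choice to display the characters being typed.
  toggleShow() { this.showAll = !this.showAll; }

  // Assumed rule: when the field or window loses focus, return to the
  // masked state so an opted-in reveal does not persist unattended.
  blur() {
    this.showAll = false;
    this.lastKeyAt = -Infinity;
  }

  // What the field should render right now.
  display() {
    if (this.showAll) return this.value;
    const n = this.value.length;
    if (n === 0) return '';
    const recent = this.now() - this.lastKeyAt < this.revealLastMs;
    if (!recent) return MASK_CHAR.repeat(n);
    return MASK_CHAR.repeat(n - 1) + this.value[n - 1];
  }
}

// Constructed demo with a fake clock: type two characters, let time pass.
let clock = 0;
const demo = new PasswordMaskState({ now: () => clock });
demo.type('a'); demo.type('b');
console.log(demo.display()); // last character still visible
clock = 2000;
console.log(demo.display()); // fully masked again
```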
http://www.clerkendweller.com/2009/6/26/Dont-Stop-Password-Masking
© 2009-2010 clerkendweller.com