Just because Jakob says it doesn’t make it right (or smart)

in Accessibility, Computers, Security, Usability, Website

In Jakob Nielsen’s June 23, 2009 Alertbox post entitled “Stop Password Masking”, Mr. Nielsen makes the argument that it’s time to stop masking passwords (showing stars or bullets instead of the actual keystrokes) in web forms.  He argues two main points as to why this “archaic” practice should be discontinued:

  1. Password masking causes users to make more errors during entry, thus making users less confident which then leads to lost business, and,
  2. If users are uncertain as to whether or not they’ll be able to properly enter passwords into masked input boxes they will either resort to keeping their passwords in a text file to copy & paste or “employ overly simple passwords.”

While I can see where he’s coming from here, I don’t know if I’ve ever heard of any website losing customers/business in my 12 years of being a website designer/IT professional because its users were lacking in confidence because their passwords were masked.  For him to validly make that claim I’d like to see him back that up with some real world metrics from companies who have masked login systems.   On the other hand, I will give limited credence to his second argument – that people may use overly simple passwords or keep their passwords in a text file.

However… masked passwords aren’t the only (or, in my opinion, the primary) reason why people use overly simplistic passwords or store passwords in text files on their computers.  In fact, I can give you an example of the latter that I know happens frequently.  Some of my World of Warcraft friends are very concerned about keyloggers (which are somewhat pervasive in fake WoW addons) – specifically those who haven’t bothered to buy the Blizzard Authenticator or use the Blizzard Authenticator iPhone app.  So, as a surrogate for that higher level of security, they instead store their passwords in a text file on their desktop and copy/paste their password into the password prompt each time they log in.

While that method does avoid getting their password caught by a keylogger, it opens them up to accidentally pasting their password into in-game chat or private messages.  Obviously not a very smart, or secure, method anyway.

To illustrate the other part of Mr. Nielsen’s second point I can give you a real world example of people who have overly simplistic passwords: our parents’ generation.  While I’m not saying my parents have overly simplistic passwords (thankfully my parents have been smart enough to not share them with me when I’m doing tech support for them), I know of many people who are my father’s age – in their 60s and 70s – whose passwords are the names of their cats or their kids or their spouses simply because they’re easy to remember.  Also, because they don’t worry about security as much as younger, erm, more aware folks do.

A great example of why removing password masking is a bad idea stems from one of the great features of web browsers that we sometimes take for granted these days: local login info storage.  A quick example: Timmy is at his office and walks away from his computer to get a cup of coffee.  Timmy forgets to lock his workstation.  Mark is on his way to a meeting and forgets exactly which conference room his meeting is in.  As Mark is walking through the office, he walks by Timmy’s desk and notices that his workstation is unlocked.  Mark figures since no one is around and the workstation is unlocked he can use the computer briefly to check his e-mail and find out which conference room his meeting is in.

When Mark opens up the web browser on Timmy’s workstation, it takes him directly to Timmy’s homepage – Gmail.com.  Timmy stores his username and password for Gmail.com in his web browser.  Because the password box for Gmail.com is now unmasked (in Mr. Nielsen’s world), Mark has now inadvertently seen Timmy’s username AND password.  Immediately, Timmy has opened himself up to all kinds of potential harm and privacy issues.  If Mark is a malicious guy and Timmy doesn’t use different passwords for other services, Mark may potentially have access to Timmy’s online banking, credit cards, investment accounts, and other avenues of identity theft.

While the argument could easily be made that even with obfuscated password fields Mark could still access Timmy’s e-mail account and read his mail/change his password in the same situation, he would still only have access to that one account after the password was changed.  Without seeing Timmy’s password, he wouldn’t know what password he was using or if he used it for all of his accounts.

In closing, for once I’ll have to go against what Jakob Nielsen says and firmly stand against the removal of password masking in web- and software-based forms.  It’s just not safe.  The potential for identity theft is higher without obfuscation.

For further reading on this topic, have a look at one of the best responses to Mr. Nielsen’s Alertbox post, which came from Kyle Weems at CSSquirrel.  He also posted a hilarious comic to go with his response.  Both are totally worth reading.

4 Comments

  1. I agree with you on this, although I think a better example of keeping password masking would be the over-the-shoulder looker. The person who might be walking around an office pretending to deliver a box or something and watching the screens of people and seeing the passwords that they enter far more easily than it would be to try to catch what they type upon the keyboard.

  2. I actually avoided that particular example because it’s the common example and it’s extremely easy to defeat that one (look over your shoulder, scrunch closer to your monitor, ask people nearby to turn around, etc.).

    I decided to go with two more obscure examples because they’re less obvious.

  3. Any example has holes, sadly. But there’s usually a reason an example is a common one, because it happens often enough. Regardless of what the example is, there are still plenty of people that don’t always think about their security, and sometimes will view things like a password as an un-needed burden. This type of stuff is there for their protection.

    What is even more impressive, there are some sites (such as my bank’s website) that use masking for the username to give extra security.

  4. My complaint isn’t the masking, it’s sites that only allow 3 attempts but have heavily restricted what you can use for a password, so you end up using a password so far from what you usually use (system hopefully and not the same password everywhere) that you’re locked out each and every time. I still can’t figure out why there is any type of restriction on what I can use in a password outside of length. You think you are making my password stronger for me, but you’re just reducing the number of options possible and therefore making my password weaker…