I’m not going to write another 1,000 word dissertation like I did from last week, but here’s a few great quotes from the article, which was titled, “Building Respect for Usability Expertise.”

The first malady here is that content owners are relying on their own opinions and preferences. The primary cure is to point out that these subject-matter experts are completely unrepresentative of the target audience on almost every possible dimension

If I had a dollar for every time I’ve heard “Well, you’re not a subject-matter expert so you don’t understand how this data should be displayed…” I’d be able to buy everyone on my team lunch at McDonalds for two days.  I can recall an incident just a few months ago where that exact phrase was spouted at me, in front of my boss, by a client on site.  I was taken aback by the comment at the time but decide to simply let it slide and let the client do their own thing instead of rocking the boat.  Just gotta do that sometimes when contracting for the Fed.  Here’s another great quote from the article:

It’s true that “there’s always evidence to support any opinion,” but that doesn’t mean you should ignore data. After all, some data is clearly better than others.The main facts about how people read on the Web are extremely well established, and literally hundreds of studies have reproduced our original findings over the past 12 years.

The same is true for all of our usability guidelines: most have been confirmed by other independent studies. Anyone who bothers to run a study will discover the same thing, because there are no usability secrets — it’s simply a matter of looking.

Still, while most usability evidence strongly aligns, there are deviant results to be found. People who don’t know any better will stumble across such findings in a Web search and proclaim that “the experts disagree.” However true, this is not a license to ignore usability data and follow any random path.

Instead, you should weigh the evidence. On one scale, you have hundreds of studies from experts across industries and countries; they all agree on the big picture, and often document their findings with substantial reports. On the other scale, you have a few deviant postings (plus many guesses, but as previously discussed, you should disregard pundits who don’t test their theories with real people). This simple weighing exercise usually tips the scales in favor of the consensus.

I tell you, when Jakob Nielsen gets it right, he hits the nail right on the head.  This is the kind of stuff I wait on baited breaths to read more of from him.

Anyhow, enough of my babbling.  Head on over to UseIt.com now and read the article for yourself.  And hey, by the way, do you use Twitter?  If you do, you can follow me @mexijew!

1. Password masking causes users to make more errors during entry, thus making users less confident which then leads to lost business, and,
2. If users are uncertain as to whether or not they’ll be able to properly enter passwords into masked input boxes they will either resort to keeping their passwords in a text file to copy & paste or “employ overly simple passwords.”

While I can see where he’s coming from here, I don’t know if I’ve ever heard of any website losing customers/business in my 12 years of being a website designer/IT professional because its users were lacking in confidence because their passwords were masked.  For him to validly make that claim I’d like to see him back that up with some real world metrics from companies who have masked login systems.   On the other hand, I will give limited credence to his second argument – that people may use overly simple passwords or keep their passwords in a text file.

However… masked passwords aren’t the only (or primary in my opinion) reason why people use overly simplistic passwords or store passwords in text files on their computers.  In fact, I can give you an example of the latter that I know happens frequently.  Some of my World of Warcraft friends are very concerned about keyloggers (which are somewhat pervasive in fake WoW addons) – specifically those who haven’t bothered to buy the Blizzard Authenticator’s or use the Blizzard Authenticator iPhone app.  So, as a surrogate for that higher level of security, they instead store their passwords in a text file on their desktop and copy/paste their password into the password prompt each time they login to that.

While that method does avoid getting their password caught by a keylogger, it opens them up to accidentally pasting their password into in-game chat or private messages.  Obviously not a very smart, or secure, method anyway.

To illustrate the other part of Mr. Nielsen’s second point I can give you a real world example of people who have overly simplistic passwords: our parents generation.  While I’m not saying my parents have overly simplistic passwords (thankfully my parents have been smart enough to not share them with me when I’m doing tech support for them), I know of many people who are my father’s age – in their 60′s and 70′s – whose passwords are the name of their cats or their kids or their spouses simply because it’s easy to remember.  Also, because they don’t worry about security as much as younger, erm, more aware folks do.

A great example of why removing password masking is a bad idea stems from one of the great features of web browsers that we sometimes take for granted these days: local login info storage.  A quick example: Timmy is at his office and walks away from his computer to get a cup of coffee.  Timmy forgets to lock his workstation.  Mark is on his way to a meeting and forgets exactly which conference room his meeting is in.  As Mark is walking through the office, he walks by Timmy’s desk and notices that his workstation is unlocked.  Mark figures since no one is around and the workstation is unlocked he can use the computer briefly to check his e-mail and find out which conference room his meeting is in.

When Mark opens up the web browser on Timmy’s workstation, it takes him directly to Timmy’s homepage – Gmail.com.  Timmy stores his username and password for Gmail.com on his web browser.  Because the password box for Gmail.com is now unmasked (in Mr.Nielsen’s world), Mark has now inadvertently seen Timmy’s username AND password.  Immediately, Timmy has now opened himself up for all kind of potential harm and privacy issues.  If Mark is a malicious guy and Timmy doesn’t use different passwords for other services, Mark may potentially have access to Timmy’s online banking, credit cards, investment accounts, and other avenues of identity theft.

While the argument could easily be made that even with obfuscated password fields Mark could still access Timmy’s e-mail account and read his mail/change his password in the same situation, he would still only have access to that one account after the password was changed.  Without seeing Timmy’s password, he wouldn’t know what password he was using or if he used it for all of his accounts.

In closing, for once I’ll have to go against what Jakob Nielsen says and firmly stand against the removal of password masking in web- and software-based forms.  It’s just not safe.  The potential for identity theft is higher without obfuscation.

For further reading on this topic, have a look at one of the best responses to Mr. Nielsen’s Alertbox post, which came from Kyle Weems at CSSquirrel.  He also posted a hilarious comic to go with his response.  Both are totally worth reading.