
Should Passwords Be Masked in Online Forms?

DVLA’s phone number: 0300 790 6801

Jakob Nielsen’s latest Alertbox raises an interesting and controversial question: should passwords be masked in online forms?

Nielsen argues that usability suffers when passwords are just a series of bullets and that it causes sites to lose business due to customers struggling to log in.

When you make it hard for users to enter passwords you create two problems — one of which actually lowers security:

Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business. (Or, in the case of intranets, increased support calls.)

The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

Personally I’m quite happy with the idea of passwords being visible in plain text, although I agree with the requirement for a checkbox to mask them for when I’m in a public place. The big issue for me is that a large proportion of web users don’t really understand how the web works and are likely to assume that passwords visible in plain text are somehow less secure than passwords that are converted to bullets.

There are huge numbers of people who don’t understand the Internet, ranging from the dozens of people every month who search for www.direct.gov.uk/taxdisc and then email me thinking I’m the DVLA, to the people who complain to our clients that their ecommerce forms are publicly displaying their credit card number when it’s just their browser’s auto-complete function.

What do you think?

BY Patrick Altoft AT 10:03am ON Friday, 26 June 2009

Patrick Altoft is Director of Search at Branded3 and has worked in the SEO industry for over 10 years. With experience across some of the world’s largest brands as well as startup businesses, Patrick is well known in the industry and speaks regularly at the major SEO conferences and events. Follow Patrick on Twitter or Google+

Comments

  • http://www.itsafamilything.co.uk Carps

    When I first read that story I totally agreed – especially on mobile interfaces where typing is so damn awkward, but now I’m not so sure on reflection.

    Fundamentally, 90% of people use one password for *everything* – from their email to their online bank account. While there’s a definite usability lag in not being able to see what you’re typing, I think the dangers of someone getting their hands on your entire digital life probably trumps that in terms of importance.

  • http://blog.jofftastic.co.uk Joff

    In my experience, users associate a masked password with a sense of security. Regardless of what (if any) encryption is going on behind the scenes, if a password is plainly visible then I believe more users would feel uneasy about using the form than those that are less confident about entering in a password that is masked.

    An alternative technique could be to do something similar to password entry when using mobile web browsers: display the character as it’s typed, but just for a second or two and then mask it. Enough time for the user to register that they’ve entered the correct/incorrect character and amend, if necessary.

  • Rick

    I’m not sure where I sit with this one. In the middle I think, as I do feel that if users were to see the password etc. that they may find it easier to log in, but on the other hand, through personal experience, I find that showing the user what their password is while they are typing it makes them feel insecure and feel that it may be less legit.

  • http://www.blogstorm.co.uk Patrick Altoft

    @Joff my iPhone does that – just displays it for long enough so you can see if you hit the wrong key.

  • http://www.pamidstate.com/ pamidstate

    At first my thought is “Argh” – yes, the only one to be worried about is the guy looking over my shoulder… all data still goes through the pipes, whether we can see what we are typing or not.

    Then as I am reading through the comments, I remember watching a keynote (but sorry, I can’t remember where or when) as the presenter showed a one hour long, non-technical way of ‘hacking’ people and accounts. He showed a whole bunch of images and some video, basically just paying attention to what was on the target’s conference badge, parking hang tag, and snooping over a shoulder to see what programs were running in the desktop tray (lower right corner of Windows). Amazing how much you could tell, just by observing.

    So, will someone be able to snoop your easily readable password over your shoulder? You bet!

  • Michael

    I usually go with Nielsen’s suggestions, but this time I’d say it heavily depends on your audience and the device they’re using. Your point about users feeling that a plain-text password is somehow less secure is a good one – I think most users just don’t get it if there is an (additional) checkbox saying “mask my password”. Users are just used to the password masking – but I think it’ll be worth changing to plaintext passwords on new devices such as smart phones – ’cause there isn’t a standard yet. But then each website would have to detect the browser first and deliver different password fields … which can be quite a pain in the neck.
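The thread describes three display policies for a password field: fully masked, a “show password” checkbox, and the mobile behaviour Joff and Patrick mention, where the last character is visible for a second or two and then turns into a bullet. The snippet below is an added example, not code from the post or from Branded3, modelling those policies as a pure function of the real value, the chosen mode, and the time since the last keystroke. The names (createPasswordField, render, submitValue) and the 1500 ms reveal window are assumptions; wiring it to a DOM input is left to the reader. The point it makes is pamidstate’s: however the field is drawn, the value that is submitted is the same, so masking only ever defends against someone watching the screen.

```javascript
// Added example (hypothetical API, not the post's or the site's code):
// a password-field model whose display is derived from, but never alters,
// the real value. The clock is injectable so the reveal timer can be tested.
const MASK_CHAR = '\u2022'; // the bullet browsers draw for type="password"
const MODES = ['masked', 'reveal-last', 'plain'];

function createPasswordField({ revealMs = 1500, now = () => Date.now() } = {}) {
  let value = '';            // the real secret, kept out of the display layer
  let lastKeyAt = -Infinity; // timestamp of the most recent edit
  let mode = 'masked';       // default to what users expect from a password box

  return {
    // Switch policy, e.g. when a "show password" checkbox is toggled.
    setMode(next) {
      if (!MODES.includes(next)) throw new Error('unknown display mode: ' + next);
      mode = next;
    },
    type(ch) { value += ch; lastKeyAt = now(); },
    backspace() { value = value.slice(0, -1); lastKeyAt = now(); },

    // What the user sees. In 'reveal-last' mode at most one character is ever
    // exposed, and only while the reveal window since the last keystroke is open.
    render() {
      if (value.length === 0) return '';
      if (mode === 'plain') return value;
      const masked = MASK_CHAR.repeat(value.length);
      if (mode === 'reveal-last' && now() - lastKeyAt < revealMs) {
        return masked.slice(0, -1) + value[value.length - 1];
      }
      return masked;
    },

    // What the form submits: always the real value, whatever render() showed.
    submitValue() { return value; },
  };
}

// Stand-alone demonstration with a fake clock (constructed input).
if (typeof require !== 'undefined' && require.main === module) {
  let t = 0;
  const field = createPasswordField({ revealMs: 1000, now: () => t });
  field.setMode('reveal-last');
  field.type('s'); field.type('3');
  console.log(field.render());     // bullet + '3' while the window is open
  t = 2000;
  console.log(field.render());     // two bullets once it has closed
  console.log(field.submitValue()); // 's3' regardless of display
}
```

In a real page the equivalent of setMode('plain') is flipping the input’s type attribute between password and text; the reveal-last policy is what mobile keyboards implement natively and is awkward to reproduce on the desktop, which is the browser-detection problem Michael raises.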