Jakob Nielsen Argues for Abandoning Password Masking on Websites

Jakob Nielsen makes the case against password masking — the convention of displaying asterisks or some other symbol instead of the actual characters typed in password entry boxes. Nielsen notes that password masking was originally implemented as a security measure, but questions just how much security it adds under the conditions most of us use the web,

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

Nielsen suggests adding a  check box so users could decide whether or not to have their passwords masked so, for example, users in genuinely public situations such as at a public web terminal could still choose to have their passwords masked.

Nielsen argues this is one case where going against convention would be beneficial, but I wonder if he’s done any user-testing of this. My suspicion is that the overwhelming majority of users will assume there is something wrong with a website when the password isn’t masked and thereby likely cause even more confusion.

The standard on mobile devices of not masking the current character but masking previous characters is a good compromise and is becoming so widespread it may eventually break down that convention, but for now its hard to imagine a site abandoning password masking wouldn’t create more confusion and anxiety in its users than the problem it would allegedly solve.

Post Revisions:

Leave a Reply