Usually this guy's observations are spot on, but this is just wrong. For instance, every time I give a presentation I usually have to log in to a secure site. I'm almost always plugged into an overhead projector while I'm logging in.
So, not only is this guy suggesting websites change their technology, he's also suggesting users modify their behavior to be more secure.
I liked the part where he neglected to mention any possible benefit of the current arrangement or the fact that many of us have no problem with actually being required to type well and remember stuff.
At least when setting or changing passwords, I would like an option to display them in clear text.
Slightly on-topic: I find it silly for a shopping website to display your complete credit card information in plain letters on screen, while masking your login password. The credit card info can be misused to empty your bank account, while the login password can be misused to ... what? Send obscene support requests and muck about with your digital shopping cart?
> Send obscene support requests and muck about with your digital shopping cart?
That, and if your credit card is stored on their servers, which your statement implies, it'd be easy for me to buy stuff on behalf of you. Right now, I'm buying you a new 72-inch plasma screen which you can't afford. Have fun returning it!
Of course, I could send that plasma to myself, but it'd be stupid of me to do so, since I'd be giving away my whereabouts.
This is very unconventional advice. But this is Jakob Nielsen talking on usability. What he says is generally backed by very extensive testing and way more usability experience than any of us on news.YC have.
You might not agree to unmasking all passwords, but why not this:
> It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.
This is spot on as well.
> Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common
And on a mobile device, people snooping would be uncommon as well, so why mask passwords on mobile sites?
So please think hard on this, before you dismiss this as stupid or untenable.
>So please think hard on this, before you dismiss this as stupid or untenable.
I have. This is stupid and untenable.
Problem one: Right now if I encountered a login form that didn't mask the password I would probably attribute this to incompetence, not usability. I don't think I'm the only one.
Problem two: Right now all login forms work the same. The top field is the username and under that is the password field. This would break that consistency by adding the "show (or hide) password" behavior. In his description he even suggests that some sites default to a different behavior based on some notion of degree of security. Now logging in with someone looking on becomes quite a bit more nerve-wracking because you need to figure out if the password field will disclose your password. This is less usable.
Now, where I think this may be useful is if it is added as part of the "invalid password" behavior. Offer to give the user help only if they need it. Provide them a button to show the password they entered, and allow them to try again underneath it to fix any typos or verify that they correctly entered the password they were thinking of. This helps the user without changing the way the login form operates in the default case where a correct password is entered (a password that's probably in the user's muscle memory because they use it for everything). I know I've actually seen this done somewhere, although I can't remember where.
Mobile is a bit different. I’m completely behind the times in using a mobile device to access the web, but I know that my terribly slow phone running its gimped browser (netfront, I think?) on its tiny screen quite a few years ago provided the option to display masked fields in the editor window it would switch to whenever filling out an input field. This seems like a better solution to this problem to me (and was almost a necessity on that device since it didn’t have a proper keyboard).
My God, do you even know who "this guy" is? Stop and give it a thought a bit.
He is right about the point, straight on. I've been thinking about implementing it on our web app at aleveo.com like that.
Let me elaborate.
We all know that having a simple and usable register/login form increases signups. Leaving that aside, I've been kicking everything out of our forms until only what's really necessary is left. Among those things are the repeat password/email field, the username (enough with those), etc. However, if Caps Lock is on, or the keyboard layout is different, and so on, the person will sign up for your service, but the next time he wants to log in, if he is having issues with the form, you're done. He'll blame you, as he thinks he knows what he types as a password.
It is essentially wrong not to see what you are typing.
If you noticed, Mr. Nielsen didn't go into implementation. He said that the concept is legacy. A good implementation would be having a checkbox next to the password field "[] show text" or similar, default unchecked.
An older person would definitely appreciate that, but it is not only for them, as it happens to me too (24 years old) to make mistakes until I figure out what I am really typing (first keystroke swallowed, typing mistake, caps, wrong layout, etc.)
He might well be an expert in UI but certainly is no expert in security - so I think he is broaching fields he is not qualified in :)
Regardless just because he is a well respected individual does not make all his ideas "the right way".
I think people are misreading what he said and making knee-jerk reactions. But, for example:
> password masking doesn't even protect fully against snoopers.
Seems an irrelevant point - he doesn't weigh the security tradeoff against the supposedly improved usability. I would argue that password masking is the #1 deterrent for casual password stealers. Plus reading fast-typed keys is a skill needing to be acquired. A determined thief will always find a way to get your password. The masking is to deter the casual criminals (or just your co-workers etc!!)
> It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue
For a UI designer/engineer I think this shows a whole lot of ignorance about how people use computers... does he really imagine most people use their computer this way? really?
One important point he misses is that password boxes leap out at you BY being masked. This is an important UI concept because the user knows they are logging into something "secure". It is also the expected behaviour (for better or for worse); not just a convention but an ingrained expectation! UI designers hardly ever break expectations like that in my experience ;)
In terms of not seeing what you're typing: he should know a vast majority of people watch their fingers as they type. Knowing you made a mistake is a fairly natural process (yes, we have tested this).
He DOES have a very very good point about mobiles - this is a perfect example of where masking shouldn't be employed. And I suspect this is the main point he is making. But extending it to every format? No, that IS silly.
This guy must have been joking.
The fact that HE always types his passwords alone in his office does not mean that any sane person would like a possibility that anyone ever has a chance to see his password. Apparently, some people are not always alone...
I agree with this statement entirely, but wonder if in a mobile setting, like with an iPhone, this isn't a bad idea. There have been many times where I tried to look over at someone's iPhone to see what they were doing and simply couldn't see. I'm talking as close as 2 feet away.
And since I know how annoying it can be to type passwords on my iPod Touch, I could see the value of this--but only on devices with very small screens, and WITHOUT any sort of auto-fill from the browser. Of course, it should be an opt-in sort of setting. No vendor should decide your fate when it comes to security decisions like this.
He is sure right about the reset button though. I can't be the only one who has entered a dozen or more fields only to lose it all with an inadvertent reset rather than submit.
Also, how about the iPhone compromise? It displays the last character you typed for only an instant.
"I can't be the only one who has entered a dozen or more fields only to lose it all with an inadvertent reset rather than submit."
The solution is obvious to me. If javascript is enabled, allow the user to undo a reset.
If javascript is disabled, don't show a reset button or make it harder to click accidentally somehow (make it smaller or a link or more out of the way).
I'm not willing to concede his point yet, but even if he's right, this should be implemented by the browser, not the website. And if you consider taking his advice, I suggest masking the password as soon as the input field loses focus.
Actually, no. This is the primary problem with this idea. Browsers use <input type="password"> as the tip-off to know there is a password to remember here. If the input field isn't a "password" type, the browser won't remember the password for you.
One of the most annoying offenders of this is the windows wireless configuration utility.
It refuses to let you see the WEP key that you are typing, but insists that you type it twice.
If it were something like "what is your favorite flavor of popsicles" and not "type this random 58 character string of hex", then that might be acceptable, but it isn't. Really, who is going to be standing over your shoulder and memorize that?
I think it would be good if browsers came with an option to mask or don't mask passwords. But I don't know if it would work, since the users who would find and change that option would be the heavy users, that have almost no trouble with passwords.
If only that option could be easily shown and asked for simple users: a little icon within password boxes showing if it's masked or not, and a hotkey / click on the icon to toggle it on/off.
It's fairly easy to do actually, if you're willing to accept the cheat I've used in the past.
You can read the input value with JavaScript, so if you add an 'unmask password' button, then that button should effectively replace the input type=password with an input type=text and populate it with the value previously stored in the password element.
There are a number of ways to do this, but switching out elements was the easiest for me -- of course, browsers have come a long way since that implementation. YMMV.
This is totally ridiculous. So whenever my colleagues or students are working with me on something and I have to log in to my email or whatever system I need to get to, it's not bad enough that I have to feel uncomfortable that they can see my keyboard while I type my password, but they can just look at it on the screen. I guess this is what happens when you actually let "usability experts" design your systems.
As for this "checkbox," how many users will unwittingly have their online identity stolen because regular users aren't thinking about whether they need to select some checkbox before they type in their password. Also, that seems more annoying than more usable.
As someone else mentioned, this makes "remember password" totally unworkable; though personally I don't like that feature either.
There is a difficulty in mobile devices but that is because typing on such devices is not really great in terms of usability.
The other thing is that I don't think there is much evidence that this is really a problem. The only "barrier" problem that people have observed is having to create an account in the first place, but that is a separate issue.
I look forward to the day when an option other than passwords becomes viable. Have you ever looked at a typical user's password? Run John the Ripper over your users' password field and prepare to be frightened. If you don't store them hashed, just take a look at them.
The fact is we need a better option both for security and usability.
Bad argument #1: Masking doesn't help since someone can just watch the keyboard or use some extremely complicated and expensive analysis to determine what you are typing.
Response: This is like saying locking your door doesn't help because someone can just get a bulldozer and push it in. Sure, it's true, but you aren't locking your door to make your home impenetrable. You're locking your door to prevent casual unauthorized entry. You don't want someone to just wander in while you're away and take things without having to do any work at all. And you don't want someone to just barge in without knocking (well you might, but it's a case for locking your door). Similarly, you aren't masking passwords to make it impossible for anyone to ever know your password. You're masking passwords so you can log in to your email in front of your friends without them getting tempted to use the information they gleaned.
Also, I can type faster than most people are probably able to read a keyboard (and my passwords are not words which makes them even harder to figure out), but there is likely no one on earth who can type faster than people can read.
---
Bad argument #2: It's ok to unmask some passwords because the information isn't critical.
Response: Take the example of looking at pictures of your cat. Where are these pictures? Let's suppose they're on Flickr. Actually, it doesn't matter much. Now, does Flickr (or this other website) just allow you to view pictures? No, it also allows you to post pictures (I wouldn't want someone posting their porn pics under my account), chat with friends (DEFINITELY don't want to be impersonated there), and even CHANGE YOUR PASSWORD thereby stealing your account. If you're just talking about password protecting a directory on your computer with cat pictures, sure show the password... but anything this trivial wouldn't be password protected anyway. Simply put, if it's important enough to have a password, it's important enough to have that password masked. Otherwise, why have it at all?
---
Excellent point: Since users DO use the same password for multiple things, you don't even know or control what credentials you are giving away. You may very well give away someone's bank PIN.
My concern is that not using a standard HTML password field will break the 'remember password' functionality built into browsers.
When you log in to a site, all the major browsers automatically ask you if you want to save your password. But if you display the password in plain text then the browser doesn't detect it as a password... and it doesn't offer to save it for you.
So what is that likely to result in?
• Users getting annoyed at your site, and thus lost business
• Users writing down their password somewhere else, resulting in a loss of security
These outcomes are exactly the opposite of what Jakob Nielsen is trying to achieve!
Yeah, that'd probably be a one-liner JavaScript. Something like:
onclick="document.getElementById('pwd').type='text';"
But you'd want a bit more to toggle it. Still, maybe a slightly better way -- and a way to address the security issue at the same time -- would be to show the password when you hover over the field with your mouse. Is there a way to do this easily with JS?
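The toggle sketched in the last few comments (swap the element, flip the type attribute, reveal on hover, re-mask as soon as the field loses focus, and the earlier idea of offering the reveal only after a rejected login), as an added example that is not code from the thread. It keeps the original <input type="password"> element and only flips its type, so the browser still treats the field as a password for autofill and the "save password?" prompt, which is the objection raised about "remember password". The element-swap trick existed because old Internet Explorer refused to change an input's type after creation; current browsers allow it. FakeInput is a constructed stand-in for a DOM element so the logic can be exercised outside a browser; in a page you would pass the real element.

```javascript
// Added example (not from the thread): show/hide control for a password field.
// The element keeps type="password" by default and is re-masked on blur and on
// mouse-leave, so an unmasked password is never left sitting on screen.
function attachPasswordReveal(input, options = {}) {
  const { revealOnHover = false, revealAfterFailure = false } = options;
  let failed = false;   // set by the login handler after a rejected attempt
  let revealed = false;

  function setRevealed(on) {
    revealed = on;
    // Flipping the attribute keeps the same element, name and value, so the
    // browser's password manager still recognises the field.
    input.type = on ? 'text' : 'password';
  }
  // With revealAfterFailure the reveal is offered only once a login has failed,
  // so the default (correct password, muscle memory) path never changes.
  function canReveal() { return !revealAfterFailure || failed; }
  function toggle() { if (canReveal()) setRevealed(!revealed); return revealed; }

  input.addEventListener('blur', () => setRevealed(false));
  if (revealOnHover) {
    input.addEventListener('mouseenter', () => { if (canReveal()) setRevealed(true); });
    input.addEventListener('mouseleave', () => setRevealed(false));
  }
  return {
    toggle,
    mask: () => setRevealed(false),
    noteFailedLogin: () => { failed = true; },
    isRevealed: () => revealed,
  };
}

// Constructed stand-in for an <input> element: just enough DOM surface for the demo.
class FakeInput {
  constructor() { this.type = 'password'; this.value = ''; this.listeners = {}; }
  addEventListener(name, fn) {
    (this.listeners[name] = this.listeners[name] || []).push(fn);
  }
  dispatch(name) { (this.listeners[name] || []).forEach(fn => fn()); }
}

// Walk through the states a user would see; returns the sequence for inspection.
function demo() {
  const pwd = new FakeInput();
  const ctl = attachPasswordReveal(pwd, { revealOnHover: true, revealAfterFailure: true });
  const steps = [];
  steps.push(ctl.toggle());                          // false: no failed login yet
  pwd.dispatch('mouseenter'); steps.push(pwd.type);  // 'password': hover also gated
  ctl.noteFailedLogin();
  steps.push(ctl.toggle());                          // true: reveal now allowed
  steps.push(pwd.type);                              // 'text'
  pwd.dispatch('blur'); steps.push(pwd.type);        // 'password': re-masked on blur
  pwd.dispatch('mouseenter'); steps.push(pwd.type);  // 'text'
  pwd.dispatch('mouseleave'); steps.push(pwd.type);  // 'password'
  return steps;
}

console.log(JSON.stringify(demo()));
```

The hover variant is the riskiest of the three: a stray mouse movement unmasks the field with no deliberate click, so if it is used at all it should be combined with the mouse-leave and blur handlers above rather than on its own.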
This will solve another issue related to passwords. Password confirmation. Displaying password in clear text removes the need for password confirmation field. This could be a worthwhile experiment.
That doesn't seem a sensible move to me. Clear-text password boxes with NO password confirmation move the error checking from the machine to the user. We all know users are extremely error-prone and bug-ridden.
Summary: We have no data about this problem, nor our proposed solution.
"In most cases, however, users will appreciate getting clear-text feedback as they enter passwords."
If Nielsen had a mockup or something that we could all clearly see was a huge improvement, then sure, let's do it. A UI change this drastic should have an order of magnitude gain to it. Otherwise, move on to bigger fish.
Sadly, my employer is going the opposite direction and planning to implement "strong user names" and mask both fields. This is in response to users with access to sensitive information leaving passwords written down near their workstations.
wyday|16 years ago
Not going to happen.
Deestan|16 years ago
To be fair, he did suggest that password masking was toggled by a checkbox that was ON by default.
slig|16 years ago
Firefox > Preferences > Security > "Saved Passwords" -> "Show Password"
blhack|16 years ago
/drives me insane
//iwconfig ath0 essid "blueberry struedel" key $foo ftw
jodrellblank|16 years ago
Current Windows (Vista) allows you to tick a box and see the WPA key as you type it (once) (it's masked by default).
abrahamvegh|16 years ago
And although I'll probably be shot down for this:
The iPhone OS's method of displaying the last masked character briefly before masking it is probably the best way to handle masking.
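The "show the last typed character briefly" scheme that this comment and the earlier "iPhone compromise" comment describe, as an added example that is not code from the thread or from any vendor. The point worth seeing in code is that the real value never reaches the display path: only a rendered string is shown, at most one character is ever in the clear, the window is bounded, and a backspace re-masks immediately rather than exposing the character that has just become last. The clock is injectable so the timing can be checked deterministically; the fake clock in demo() is constructed for that purpose.

```javascript
// Added example (not from the thread): a mask that reveals only the most
// recently typed character, for a bounded time, and keeps the secret itself
// separate from what is rendered.
class LastCharMask {
  constructor(revealMs = 1000, now = () => Date.now()) {
    this.revealMs = revealMs;
    this.now = now;          // injectable clock; real code uses Date.now()
    this.chars = [];         // the real secret, never rendered as a whole
    this.revealUntil = 0;    // timestamp until which the last char is visible
  }

  append(ch) {
    this.chars.push(ch);
    this.revealUntil = this.now() + this.revealMs;
  }

  backspace() {
    this.chars.pop();
    // Deleting must not expose the character that is now last: mask at once.
    this.revealUntil = 0;
  }

  // What the field renders: bullets, plus the last character while the window is open.
  display() {
    const n = this.chars.length;
    if (n === 0) return '';
    const showLast = this.now() < this.revealUntil;
    return '\u2022'.repeat(showLast ? n - 1 : n) + (showLast ? this.chars[n - 1] : '');
  }

  // Used only when submitting the form; never written into the visible field.
  value() { return this.chars.join(''); }
}

// Constructed fake clock so the reveal window can be advanced by hand.
function demo() {
  let t = 0;
  const m = new LastCharMask(1000, () => t);
  const frames = [];
  m.append('s'); frames.push(m.display());   // 's'
  m.append('3'); frames.push(m.display());   // '\u20223'
  t += 1500;     frames.push(m.display());   // '\u2022\u2022'   window expired
  m.append('!'); frames.push(m.display());   // '\u2022\u2022!'
  m.backspace(); frames.push(m.display());   // '\u2022\u2022'   '3' is not re-revealed
  return { frames, value: m.value() };       // value 's3'
}

console.log(JSON.stringify(demo()));
```

The trade is explicit: someone watching the screen continuously still sees every character in turn, one at a time, so the window should be short and the scheme is a poor fit wherever the screen is shared or projected, which is exactly the situation the first comment in this thread describes.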
ErrantX|16 years ago
Why take the risk? :)
callahad|16 years ago
Clearly the answer is another password.