24 June 2009

Password masking

Some dude has a post arguing that password masking in web forms (showing only asterisks or bullets in the password field, rather than what you're typing) is a relic of early browsers and should be discarded in favor of cleartext password boxes. The claim is that not being able to see what you're typing makes it hard to notice typos and contributes to a bad user experience.

I think the point is interesting, but the suggestion freaks me out. It's true that people frequently use bad design for no reason other than convention, and I agree that over-the-shoulder password stealing is a mostly imaginary threat. Nonetheless, I have a built-in reaction to seeing my password in cleartext that's similar to walking outside naked. This is a string that we've typed millions of times, but never actually seen appear onscreen! Whenever I accidentally see my password (typing in the wrong field, typing before an ssh connection has returned with the prompt, etc.) I get the urge to cover up as quickly as possible, even if I'm sitting in my office by myself!
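As an added example that is not part of the original post: the compromise most sites have since settled on is a masked-by-default field with an explicit "show password" control, which answers the typo complaint without putting the password on screen unless the user asks for it, and re-masks it as soon as focus leaves the field. The field and checkbox names (`pw`, `show`) and the plain-object stand-in for an `<input>` element are assumptions of this example, not anything the post describes.

```javascript
// Added example, not code from the original post: a "show password" toggle,
// the usual middle ground between always-masked and always-cleartext fields.
// The field stays masked by default (type="password"), the user opts in to
// cleartext, and the page re-masks it on blur or submit so a briefly
// revealed password is not left on screen. The functions only touch the
// `type` property, so they work on a real <input> or, for testing, on a
// plain object shaped like one (an assumption of this example).

const BULLET = '\u2022'; // the U+2022 bullet most browsers draw in masked fields

// Render the masked view of a value, one bullet per code point, the way the
// browser does for type="password". Array.from splits on code points, so an
// emoji or other astral character gets one bullet rather than two.
function maskPassword(value) {
  return BULLET.repeat(Array.from(value).length);
}

// Flip a field between masked and cleartext. Returns the resulting type.
function toggleReveal(input) {
  input.type = input.type === 'password' ? 'text' : 'password';
  return input.type;
}

// Force a field back to masked. Idempotent, so it is safe to call on every
// blur and submit without checking the current state first.
function remask(input) {
  input.type = 'password';
  return input.type;
}

// Wire a password field to a "show password" checkbox. Re-masks and unchecks
// the box when focus leaves the field, and re-masks before submit so the
// cleartext is never left visible after the form goes away.
// Assumes `input` and `checkbox` are DOM elements (hypothetical markup:
// <input name="pw" type="password"> and <input type="checkbox" name="show">).
function attachRevealToggle(input, checkbox) {
  checkbox.addEventListener('change', () => {
    if (checkbox.checked) {
      input.type = 'text';
    } else {
      remask(input);
    }
  });
  input.addEventListener('blur', () => {
    checkbox.checked = false;
    remask(input);
  });
  if (input.form) {
    input.form.addEventListener('submit', () => {
      checkbox.checked = false;
      remask(input);
    });
  }
}

// Browser-only wiring; skipped when the file is run outside a page (e.g. Node).
if (typeof document !== 'undefined') {
  const pw = document.querySelector('input[name="pw"]');
  const show = document.querySelector('input[name="show"]');
  if (pw && show) attachRevealToggle(pw, show);
}
```

Note that the toggle changes only what is drawn on screen; the value the form submits is identical either way, so masking is purely a display decision, which is exactly why the debate above is about user experience and shoulder surfing rather than about the strength of the password itself.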
benoc said...

Over the shoulder password-stealing is NOT an imaginary threat, especially in public areas. I've dealt with it on a few occasions. I think it may be fair to say that over the shoulder password-stealing isn't something to worry about in *most* cases, though. However, that doesn't mean we should get rid of masking altogether. It really doesn't matter in the long run anyway, since we will soon be moving towards two-factor authentication for anything important (some banks are already verifying logins via password AND SMS message code).

KERaven said...

I have that same "fear" when I see my password accidentally typed in the "open".

Did I really just comment after my husband?

MRhé said...

@KERaven: Why is that so shocking?