30th
Password Masking: a good idea
This is the second in a series of two posts I’m calling “Dan Reacts to Nerdy Stuff John Gruber Links To.” Bear with me.
Web usability guy Jakob Nielsen thinks we should stop masking passwords (i.e., echoing • or * when characters are typed into password fields):
“Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.”
I’m not sure to whom Nielsen is addressing this call to action, but there isn’t much that web developers can do. Password masking happens in the browser: the HTML 4.01 specification (and HTML 5 as well) requires browsers to obscure the contents of INPUT elements of type PASSWORD. So the only option open to web developers would be to use non-PASSWORD input fields for passwords; however, this practice would have far worse consequences.
For instance, when browsers see a PASSWORD field, they treat it differently from a plain old TEXT field: in addition to masking the characters, they also don’t include it in autofill, the feature that fills in common form fields for you. So if websites stopped using the PASSWORD input type in the name of usability, you might notice your password from one site being helpfully filled in for you on other sites. Worse, it would be ridiculously easy for a malicious site to grab your passwords, just by fooling your browser into autofilling a form or part of a form that you don’t know is there.
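One way to check a site's markup for the practice described above, as an added example that is not part of the original post: a small Node.js lint that flags inputs which look like password fields but are not declared as type PASSWORD. The function names, the hint pattern, the list of skipped input types and the sample form are all assumptions constructed for illustration.

```javascript
// Added example (not from the original post): flag inputs that look like
// password fields but are not type="password", so the browser will not mask them.
// Assumption: the hint pattern and the skipped-type list are illustrative only.
const PASSWORD_HINT = /pass(word|wd|phrase)|pwd/i;
const NON_TEXT_TYPES = new Set(["hidden", "submit", "button", "reset",
  "checkbox", "radio", "file", "image"]);

// Parse one <input ...> tag into an object keyed by lowercase attribute name.
function parseAttributes(tag) {
  const attrs = {};
  const body = tag.replace(/^<input\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per text-entry input whose attributes suggest a password.
function findUnmaskedPasswordInputs(html) {
  const findings = [];
  const tags = html.match(/<input\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi) || [];
  for (const tag of tags) {
    const attrs = parseAttributes(tag);
    const type = (attrs.type || "text").toLowerCase(); // missing type means text
    if (type === "password" || NON_TEXT_TYPES.has(type)) continue;
    const hits = ["name", "id", "placeholder", "autocomplete"]
      .filter((k) => PASSWORD_HINT.test(attrs[k] || ""));
    if (hits.length > 0) {
      findings.push({ field: attrs.name || attrs.id || "(unnamed)", type, hits });
    }
  }
  return findings;
}

// Constructed sample markup for the demonstration.
const SAMPLE_HTML = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="text" name="password" placeholder="Password">
  <input name='user_pwd'>
  <input type="password" name="confirm">
  <input type="hidden" name="password_hint_id" value="3">
  <input type=TEXT id=newPassphrase autocomplete="new-password">
</form>`;

console.log(findUnmaskedPasswordInputs(SAMPLE_HTML));
```

On the sample form it reports three fields: `password`, `user_pwd` (no type attribute, so it defaults to text) and `newPassphrase`.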
So the only way we could reasonably end password masking on the web would be for browsers to change. Either they’d have to ignore that part of the HTML spec or the spec would have to change too. But even if the entire web agreed to make this adjustment, it would still be a bad idea.
Security is constantly at odds with usability. Many if not most usability improvements have security implications, because making something easier for the legitimate user of a system usually also makes it easier for attackers. You probably don’t enjoy having to hit CTRL-ALT-DEL to log into Windows, for example, but that key combo is required because it’s impossible for software to intercept it (at least in theory), so you don’t have to worry about some malicious program or website faking a login screen and learning your system password. Similarly, ATM cards would be easier to use if they didn’t have PINs, but who wants an ATM card that anyone can use to steal your money? (I mean, other than all the idiots who let their banks issue these.*)
So finally, to bring this home, we mask passwords not because it’s a strong security measure, or because we’re worried about friends looking over our shoulder. It’s because we’re worried about the security camera behind the bank teller’s back, or the stranger walking past the window while we’re logging in, or a jealous coworker hitting our Back button when we’re away from our desk and copying down our webmail password, or a million other casual invasions that can’t be individually protected against.
Having to look at your hands instead of the screen while you type six to eight characters is a tiny sacrifice with huge advantages. And being able to type passwords correctly has always been a part of basic online literacy. So rather than changing everything to help the least-able users be negligibly less frustrated, let’s do this: nothing. Let’s have faith that users will get smarter. It’s been happening all along, ever since that first email you got from your grandmother.
*If you happen to have one of those incredibly foolish and insecure Visa debit cards, please don’t be offended. I’m not talking about you. Idiot.
