Password Masking is Counter-Productive, Says Usability Expert
By Peter James
Usability expert Jakob Nielsen has published a post on his website stating that password masking – the way programs display bullets instead of the text you type when asking you to enter passwords – is counter-productive and decreases the usability of applications and websites.
You know how it is: you need to enter a password – for a web site, application or system feature – and as you type, you see nothing but bullets in place of your password.

While there is a purpose to this strategy – preventing someone looking over your shoulder from seeing what you type – this protection is both illusory and inefficient.
Nielsen writes:
“Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.”
He points out that users make more mistakes when they can’t see what they type, reducing usability and productivity. Nielsen also says that when users are “uncertain” about typing passwords, they tend to choose simpler, less secure passwords, which leads to a loss of security.
“In most cases, […] users will appreciate getting clear-text feedback as they enter passwords. Your business will increase, and security will even improve a tiny bit as well.”
Perhaps the solution is to do what Apple does on the iPhone. When you type a password, you see the last character you type, but previous characters are changed into bullets, so you can follow your typing, but never see the entire password.