Jakob Nielsen, a widely known expert in the field of web usability, recently stirred up a shit storm of controversy after proclaiming that it is time to stop masking passwords because usability suffers. His claim hinges on the lack of true feedback when typing passwords. Making matters worse, world-renowned security expert Bruce Schneier agreed with Nielsen, hopping on the same idiotic train Nielsen is driving. Is password masking really such an important issue in need of immediate resolution?
Nielsen offers very little evidence to support his claim that it is time to stop masking passwords. He essentially boils this perceived usability problem down to the basic rules of usability whereby providing feedback is one of the fundamental tenets. He stipulates displaying undifferentiated bullets in place of complex user entered codes fails to comply with this decree.
Taken at face value, Nielsen is absolutely correct – usability suffers. Fortunately, rarely are security decisions made solely on the basis of such simplistic concerns.
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.
Considering the explosive growth of the web, and e-commerce in particular, I find the aforementioned statement a stunningly ignorant hypothesis. Surely people forget their passwords or mistype them often enough to be annoyed with login security. However, the amount of business Amazon, eBay, Apple and other businesses do online tells me that losing business due to login failures is closer to fiction than fact.
While Nielsen may be a highly regarded web usability expert, he is definitely not an authority on information security.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
There is nothing theoretical about masking passwords so miscreants in close proximity are unable to see the password – this is fact. By masking the password, the scoundrel has to see every key on the keyboard and be able to determine which keys are pressed in which order.
If the password is not masked, the offender can be much further away and still steal the password. All they need to do to capture it is look at the screen, which can be done from a good distance away and without the user's knowledge that they are being watched so closely.
I do not know what type of environment Nielsen is used to working in, but not all offices are designed with the personal cubicle in mind. Many businesses house a number of people sitting side-by-side with absolutely no barriers between desks to prevent this type of snooping, whether accidentally or purposely.
Skilled snooper or otherwise, the minimal amount of security added by masking passwords compared to the perceived lack of usability is a risk the majority of consumers are willing to take. In the grand scheme of security, is this issue really worth spending so much time on?
I see this train of thought every day at work. People want X, Y or Z because it is convenient, completely ignoring the many security policies implemented to protect the network from compromise. There is a tradeoff between security and convenience, with the best policy falling directly in the middle of both, allowing users to feel secure while not feeling overburdened with unnecessary and possibly arbitrary security policies.
Schneier recently posted an update to his thoughts on password masking, clarifying his thoughts on the issue. He hits the nail right on the head with the following statement.
I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.
While usability in password entry forms is somewhat of an issue, overall it is not really at a critical point where a solution is immediately necessary. Usability mostly suffers on mobile implementations such as the iPhone, where it is far more difficult to type complex passwords into web forms. But unlike other implementations, Apple struck a good balance between usability and security.
The ultimate solution is to turn password masking into an option with it set to mask by default. Then users who desire to see their passwords can be appeased while still affording businesses the option to enforce masking at an enterprise level. Putting a complete end to masking is not the solution – alternative means of entering passwords, such as biometrics and smart cards, are where we need to migrate.
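As an added illustration of the masked-by-default option described above (example code written for this edit, not code from the original post or from any product mentioned in it): the display logic is kept in pure functions so it runs without a browser, with a policy flag that lets an enterprise deployment refuse the reveal entirely, and an optional iPhone-style mode that shows only the most recently typed character. The DOM wiring at the end assumes a hypothetical page containing a password input and a checkbox with the id show-password.

```javascript
// Added example: masked-by-default password display with an opt-in reveal.
// Not part of the original post; names and the DOM ids are assumptions.

const BULLET = '\u2022';

// Render a password for on-screen display. With revealLast=true only the
// last typed character is visible (the behaviour the post attributes to the
// iPhone); every other character is replaced by a bullet. Uses Array.from so
// multi-byte code points are masked one-for-one rather than per UTF-16 unit.
function maskForDisplay(password, revealLast) {
  const chars = Array.from(password);
  return chars
    .map((c, i) => (revealLast && i === chars.length - 1) ? c : BULLET)
    .join('');
}

// Masking state for one field. Masked by default: the user must opt in to
// see the password, and a policy with allowReveal=false (an enterprise
// setting) makes the toggle ineffective so the field is always masked.
function createMaskingState() {
  let masked = true;
  return {
    isMasked: () => masked,
    // Flip the user's preference and return the new masked state.
    toggle() { masked = !masked; return masked; },
    // Produce the string that should be shown on screen right now.
    render(password, { allowReveal = true, revealLast = false } = {}) {
      if (!allowReveal || masked) return maskForDisplay(password, revealLast);
      return password;
    },
  };
}

// Browser wiring (skipped under Node). For a native <input type="password">
// the browser draws the bullets itself, so the toggle simply switches the
// input type; the revealLast rendering above is for a custom control.
if (typeof document !== 'undefined') {
  const input = document.querySelector('input[type="password"]');
  const toggle = document.getElementById('show-password'); // assumed id
  if (input && toggle) {
    toggle.checked = false; // masked by default on every page load
    toggle.addEventListener('change', () => {
      input.type = toggle.checked ? 'text' : 'password';
    });
  }
}
```

Leaving the checkbox unchecked on load is the whole point: the user pays the usability cost only when they explicitly ask to see the field, and a deployment that sets allowReveal to false keeps the field masked no matter what the user clicks.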
What Nielsen ultimately demonstrates is that solutions to problems involving security are not cut and dried. Although his key issue is usability, the dilemma is founded in security.
While I love the discussion provoked by his call for an end to password masking, it unfortunately follows the same train of thought I deal with every single day – security vs. convenience. Which side do you err on?

Security, please. I understand where he is coming from. Still that is total WTF!?
July 6, 2009 @ 13:04
one trend I really abhor is the “enter your email a 2nd time to confirm” field
you know everyone is just copy-n-pasting from one field to the other, there is no added value here, it's just a loss of time
July 6, 2009 @ 13:24
I've honestly never understood the whole email confirmation train of thought. Makes absolutely no sense to me for the very reasons you state.
July 6, 2009 @ 22:46
At least they ask you to enter an email address. My email address has been attached to more than 1 online bank account in America, and for some odd reason, they refuse to remove it even though I sent many emails to their customer service informing them that I was not Ms xxx xxxx or whoever.
July 6, 2009 @ 15:38
Yeah, Jakob Nielsen is a bit off here. He obviously has never worked in a coffee shop on a laptop, or an internet cafe, or a library or… Well the list could go on of places people use computers where it is quite easy for someone else to see your screen.
I do agree with him slightly though. I have often slipped, hit the wrong key and had to start all over again because I lost track. I think the problem comes down to the implementation though. Perhaps something more like the iPhone way of doing things (where all characters are starred out except for the last character you typed) is a better way to go. It gives you that feedback but it's that little bit trickier for someone watching your screen to see what you are typing in.
July 6, 2009 @ 17:36
These guys are obviously not in touch with the real world and have been shut up inside their offices with their monitors facing the wall for way too long. Are they really such terrible typists that they need constant feedback to know what they are typing? This is not the time to compromise security for lazy or incompetent people.
July 6, 2009 @ 17:53
First comment when I read his article: “WTF!?!?” Sure there's a reason for it, but the reason is very, very stupid :|
July 6, 2009 @ 20:54
Oh totally convenience over security. Just like how I leave my door unlocked when I leave for work. No messing with silly keys for me!
On a serious note, the argument of looking at keys pressed on the keyboard is stretching it. Not everyone is an uber spy. Plus, a few of my passwords are sentences long.
Overall, using 1Password has combined security & convenience for me. Highly suggest it to Mac users.
July 7, 2009 @ 02:43
Still not convinced by what Nielsen says. I actually prefer not even having any character output on screen, à la Linux's terminal.
Maybe it's 'paranoid' to someone else's mind, but the less a person could glean from various information on the screen, the better, in my opinion.
July 8, 2009 @ 02:23
Nice post. The irony of this tempest in a teapot is that they are attacking what is probably the least important of the usability aspects of passwords in masking. What about password complexity? Forced password changes?
I address the 5 key aspects of password usability in a post here:
http://irec.wordpress.com/2009/07/08/5-properti…
July 16, 2009 @ 15:02