Jakob Nielsen, a widely known expert in the field of web usability, recently stirred up a shit storm of controversy after proclaiming that it is time to stop masking passwords because usability suffers. His claim hinges on the lack of true feedback when typing passwords. Making matters worse, world-renowned security expert Bruce Schneier agreed with Nielsen, hopping on the same idiotic train Nielsen is driving. Is password masking really such an important issue in need of immediate resolution?

Nielsen offers very little evidence to support his claim that it is time to stop masking passwords. He essentially boils this perceived usability problem down to the basic rules of usability, whereby providing feedback is one of the fundamental tenets. He stipulates that displaying undifferentiated bullets in place of complex user-entered codes fails to comply with this decree.

Taken at face value, Nielsen is absolutely correct – usability suffers. Fortunately, rarely are security decisions made solely on the basis of such simplistic concerns.

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

Considering the explosive growth of the web, and e-commerce in particular, I find the aforementioned statement a stunningly ignorant hypothesis. Surely people forget their passwords or mistype them often enough to be annoyed with login security. However, the amount of business Amazon, eBay, Apple and other businesses do online tells me that losing business due to login failures is closer to fiction than fact.

While Nielsen may be a highly regarded web usability expert, he is definitely not an authority on information security.

Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.

More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

There is nothing theoretical about it: masking passwords prevents miscreants in close proximity from seeing the password. With the password masked, the scoundrel has to see every key on the keyboard and be able to determine which keys are pressed in which order.

If the password is not masked, the offender can steal the password from much further away. All they need to do to capture it is look at the screen, which can be done from a good distance and without the user's knowledge that they are being watched so closely.

I do not know what type of environment Nielsen is used to working in, but not all offices are designed with the personal cubicle in mind. Many businesses house a number of people sitting side-by-side with absolutely no barriers between desks to prevent this type of snooping, whether accidentally or purposely.

Skilled snooper or otherwise, the minimal amount of security added by masking passwords compared to the perceived lack of usability is a risk the majority of consumers are willing to take. In the grand scheme of security, is this issue really worth spending so much time on?

I see this train of thought every day at work. People want X, Y or Z because it is convenient, completely ignoring the many security policies implemented to protect the network from compromise. There is a tradeoff between security and convenience, with the best policy falling directly in the middle of both, allowing users to feel secure while not feeling overburdened with unnecessary and possibly arbitrary security policies.

Schneier recently posted an update to his thoughts on password masking, clarifying his position on the issue. He hits the nail right on the head with the following statement.

I was certainly too glib. Like any security countermeasure, password masking has value. But like any countermeasure, password masking is not a panacea. And the costs of password masking need to be balanced with the benefits.

While usability in password entry forms is somewhat of an issue, overall it is not at a critical point where a solution is immediately necessary. Usability mostly suffers on mobile implementations such as the iPhone, where it is far more difficult to type complex passwords into web forms. But unlike other implementations, Apple struck a good balance between usability and security.

The ultimate solution is to turn password masking into an option, with it set to mask by default. Then users who desire to see their passwords can be appeased while businesses retain the option to enforce masking at the enterprise level. Putting a complete end to masking is not the solution – alternative means of entering passwords, such as biometrics, smart cards, etc., is where we need to migrate.
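The "masked by default, reveal on request, enforceable by policy" option described above, as an added example that is not part of the original post. The field object standing in for an `<input>`, the `allowReveal` policy flag, and the `attachToggle` wiring are my assumptions so the logic runs without a browser.

```javascript
// Added example: a per-field "show password" toggle. Defaults to masked,
// re-masks when the field loses focus, can be disabled by policy, and never
// stores the user's choice anywhere. The state object mirrors the only
// <input> properties the logic touches (assumption, not a real DOM element).
const MASKED = 'password';
const REVEALED = 'text';

// Masked by default; an enterprise policy may forbid revealing entirely.
function createPasswordField(policy = { allowReveal: true }) {
  return { type: MASKED, value: '', allowReveal: policy.allowReveal !== false };
}

// Flip between masked and revealed; a no-op when policy forbids revealing.
function toggleReveal(field) {
  if (!field.allowReveal) return field.type;
  field.type = field.type === MASKED ? REVEALED : MASKED;
  return field.type;
}

// Leaving the field always restores masking so a revealed password is not
// left on screen for a passer-by once the user walks away from the desk.
function onBlur(field) {
  field.type = MASKED;
  return field.type;
}

// Browser wiring (hypothetical element ids); only runs when a DOM exists.
function attachToggle(input, button, policy) {
  const state = createPasswordField(policy);
  input.type = state.type;
  button.textContent = 'Show';
  button.setAttribute('aria-pressed', 'false');
  button.addEventListener('click', () => {
    input.type = toggleReveal(state);
    button.textContent = state.type === REVEALED ? 'Hide' : 'Show';
    button.setAttribute('aria-pressed', String(state.type === REVEALED));
  });
  input.addEventListener('blur', () => {
    input.type = onBlur(state);
    button.textContent = 'Show';
    button.setAttribute('aria-pressed', 'false');
  });
}

if (typeof document !== 'undefined') {
  const input = document.querySelector('input[name=password]');
  const button = document.querySelector('#toggle-password');
  if (input && button) attachToggle(input, button, { allowReveal: true });
}
```

Pass `{ allowReveal: false }` to `attachToggle` on managed machines to keep the field permanently masked while leaving the same markup in place.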

What Nielsen ultimately demonstrates is that solutions to problems involving security are not cut and dried. Although his key issue is usability, the dilemma is founded in security.

While I love the discussion provoked by his call for an end to password masking, it unfortunately follows the same train of thought I deal with every single day – security vs. convenience. Which side do you err on?