This month’s breakfast topic was password masking, which is the practice of having passwords starred out ****** .
This month’s Radar Hill breakfast was held on a Thursday, because it is Dan’s birthday. Over a delicious meal, prepared by our own master BBQer Roger, of BBQ steak, mushrooms, shrimp, fries, poached egg and lots of grilled bacon (we love bacon), we discussed an article entitled Stop Password Masking by usability guru Jakob Nielsen. He writes:
Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.
In our discussion, some of the points raised included:
- Though Jakob claims that ‘skilled’ criminals can just look at the keyboard, it isn’t just skilled criminals we need to guard against. There are also the amateur and curious hackers who will look over one’s shoulder at the library, or classroom, or office, and won’t hesitate to hack for a bit of laughs if they can see the password. Having unmasked passwords would make it much easier for someone to casually get into an account without much effort. Plus, it is much more obvious if the hacker is staring at one’s hands while typing, as opposed to just glancing at the monitor while walking by.
- While some people might have trouble typing passwords when they can’t see them, they are probably the same people who would question the security if they could start seeing their passwords while they typed. They’re used to seeing them blacked out, even if it’s inconvenient, and they may question the site security and Radar Hill’s web development abilities if we started to have the passwords plainly visible, because we would be going against convention.
- While it is true that people should not have trouble inputting their passwords, especially since most are short and easy to remember, it is recommended that passwords be at least 15 characters long, and that a different password be used for each account.
- Our sales force is often logging into websites right in front of clients, so they prefer a “hide characters” checkbox.
- Would auto-complete, if turned on, display a password as plain text or starred out? This may be irrelevant because some browsers have settings that allow people to view passwords.
- It is a good idea not to mask on mobile devices. We tend not to do this with our Homeport wireless product, but that setting is often overridden by the particular end user device.
Other than with Homeport, password masking has not come up as an issue, and we have had no complaints. We decided to wait and see what the trend in the industry becomes. If it does become a trend, we will probably opt for a ‘Hide my password’ check box that will be on by default.