The Problem with Password Masking
I agree with this:
It’s time to show most passwords in clear text as users type them. Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.
Shoulder surfing isn’t very common, and cleartext passwords greatly reduce errors. It has long annoyed me when I can’t see what I type: in Windows logins, in PGP, and so on.
EDITED TO ADD (6/26): To be clear, I’m not talking about PIN masking on public terminals like ATMs. I’m talking about password masking on personal computers.
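A common compromise between the two positions above is to keep masking as the default but let the user reveal what they have typed. The following is an added example, not code from this post or from any site it mentions: a small "show password" toggle for a web form. It assumes an input with id "password" and a checkbox with id "show-password" (both names are constructed for the example); the core functions work on any object with a `type` property, so they can be exercised outside a browser.

```javascript
// Added example (not from the post): a "show password" toggle that gives the
// user the visual feedback the post argues for, while masking stays the default.

const MASKED = "password"; // <input type="password"> renders bullets
const VISIBLE = "text";    // <input type="text"> renders the characters typed

// Flip a password field between masked and cleartext display.
// Returns true when the field is now visible, false when it is masked.
function togglePasswordVisibility(field) {
  if (field.type !== MASKED && field.type !== VISIBLE) {
    throw new TypeError(`not a password field: type=${field.type}`);
  }
  field.type = field.type === MASKED ? VISIBLE : MASKED;
  return field.type === VISIBLE;
}

// Force a field back to masked display, e.g. on submit or when the user
// walks away, so a revealed password is not left sitting on screen.
function maskPassword(field) {
  field.type = MASKED;
  return false;
}

// Wire the toggle to real DOM elements. Element ids are assumptions for
// this example; returns the input element or null if the page lacks them.
function installToggle(doc) {
  const field = doc.getElementById("password");
  const box = doc.getElementById("show-password");
  if (!field || !box) return null;

  box.addEventListener("change", () => {
    if (box.checked) {
      field.type = VISIBLE;
    } else {
      maskPassword(field);
    }
  });

  // Re-mask once the form is submitted so the cleartext value does not
  // persist on a page the user may leave open.
  if (field.form) {
    field.form.addEventListener("submit", () => {
      maskPassword(field);
      box.checked = false;
    });
  }
  return field;
}

// Only touch the DOM when one exists (the functions above run in Node too).
if (typeof document !== "undefined") {
  installToggle(document);
}
```

The toggle leaves the decision with the person at the keyboard: someone alone in an office can see what they type, while someone at a shared screen can leave the default in place.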
Paul Coddington • June 26, 2009 6:37 AM
Lotus Notes compounds the issue further by displaying multiple bullets for each keystroke, giving the impression that you have suffered contact bounce or accidentally pressed extra keys.
This reminds me of a similar useless convention – being asked to type your e-mail address in twice when it is displayed in plain text (and you end up cutting and pasting it from the first field anyway). A lot of web design seems to be copying what others do without thinking about what it all means.