The case for/against password masking

June 29, 2009

I have great respect for both Jakob Nielsen and Bruce Schneier and I usually agree with both of them. But in this case, I think they’re wrong.

Recently, Nielsen posted a case against password masking that made me raise my eyebrows and go “hmmm… I’m puzzled”. Then Schneier agreed.

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

It’s a bad idea to propose password unmasking. Here are my reasons why.

I don’t know if they both work alone in a private office, but I have always worked in an open office setting where many people have access to my screen. I am uncomfortable with the idea of people being able to look at my screen to discover my passwords. Same for demos and presentations, customer support/screensharing etc. Computer use is more social than Bruce and Jakob seem to assume.

These days, browsers do a decent job of remembering passwords, so ideally you don’t need to enter a password more than once or twice when beginning your relationship with a site.

Let’s think outside mobile and web for a second. Consider a mechanical keypad securing a door, with or without an accompanying keycard or other token. It gives no feedback about password/PIN entry, and yet people still manage.

I do exactly what Nielsen describes. I copy-paste all my passwords, and only remember one “überpassword” that secures the encrypted partition where I keep the file. I don’t see how that is insecure. I just checked: the file holds hundreds and hundreds of my digital identities, each with a long, unique, generated, secure password. There’s no way I would bother to remember all of them, or even some of them, besides the überpassword that unlocks the vault.

There’s a trend that I believe in, where you use another site (Google, Yahoo, Facebook etc.) as your identity provider, and third-party sites rely on it. OpenID technically started this a long time ago, but OpenID’s concept of identifying yourself with a URL is boring and hard to understand. This has been democratized by wrapping the whole OpenID approach in an easily clickable button that lets you log in with Google etc. This trend will continue, and it will cut down both the number of passwords you have and your error rates.

Nielsen brings up a good point about mobile, where public demos and shoulder surfing may not be that big of a deal. Maybe it’s OK to unmask passwords on mobiles. But let’s take a step back and ask: why do I need to identify myself in mobile apps to begin with? The mobile phone knows who I am because I have a billing relationship with my service provider. It’s a missing feature that this identity currently can’t “bubble through” to the apps, similarly to OpenID. But it’s something that will eventually show up, once the service providers and phone makers see the value of it. Or, in a simpler form, mobile apps will work as described in the previous paragraph, reusing your identity from other providers instead of making you create and remember a new password for each new relationship.