10:00 30.06.2009
Usability and security gurus agree that masked passwords should go
Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers.
Usability expert Jakob Nielsen and security expert Bruce Schneier have both said that websites should stop blanking out passwords as users type them in. They say that the practice inconveniences users with no security benefit at all.
Most websites that require passwords allow a user to see the login name as it is typed in but replace the password as it is typed with dots or asterisks, so that the password cannot be viewed either by another person looking at the screen or by the user.
"It's time to show most passwords in clear text as users type them," said Nielsen in a post on his website. "Providing feedback and visualizing the system's status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply."
Nielsen is the web's most famous usability guru and campaigns for content and websites to conform to technical standards in order to be usable and accessible for all users, including disabled users using assistive technologies.
One of technology's most renowned security experts echoed Nielsen's concerns, and backed up Nielsen's assertion that password masking does nothing to improve security.
"Password masking has annoyed me for years," Schneier told OUT-LAW.COM. "Shoulder surfing is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time."
Nielsen said that research had shown that password masking causes problems for users. "Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well," he said.
Nielsen said that preventing users from seeing the passwords they type in causes two problems. "Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business," he said.
"The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security," he said.
Schneier agreed that masking passwords was likely to result in a weakening of security. "I'm sure people choose shorter and easier-to-type passwords when their typing is masked, resulting in less security overall," he said.
Nielsen said that sites usually blank out type-in passwords out of force of habit rather than reason. "Password masking has become common for no reasons other than (a) it's easy to do, and (b) it was the default in the web's early days," he said.
Nielsen acknowledged that shoulder surfing is a risk in some environments, such as internet cafés. "It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default," he suggested. "In cases where there's a tension between security and usability, sometimes security should win."
http://www.out-law.com/
