Password masking, and the difference between usability and user experience

Recently Jakob Nielsen recommended removing the little black dots that appear when you type a password, and showing the password in clear text instead. He gave some good reasons for recommending this, including:

  • Increased password security
  • Mobile usability
  • Error prevention

However, Nielsen also recognises that there are some situations and some passwords (banking passwords, for example) where security outweighs usability. You can read more in his article about the matter here.

Responses to his idea ran the gamut from wholehearted agreement (by a security expert, no less) through tentative disagreement to pretty strong disagreement.

There has been some comment on the sociotechnical aspects of password masking, including using masking as a reminder to users that they ought to keep their passwords secure, and a discussion about the reasons why many people are uncomfortable with masking.

Other responses suggested solutions to the problem, including displaying only the most recently typed character (like on the iPhone), and giving the user the option to unmask (rather than mask) a password.

I completely understand the usability reasons for unmasking passwords, and I agree with what Jakob Nielsen is saying, up to a point. My preferred option out of all the ones suggested, though, is the last one, where a user can choose to unmask a password. My reason for this is a common context of password use, which I will illustrate with an example:

I’ve just finished a large group project to launch a new library catalogue; we did a lot of collaborative work, and spent a lot of time using computers that projected onto a large screen. We frequently read email to remember discussions we’d had about the system, manage links, manage to-do lists and generally remind ourselves what was going on (this is a really common way (PDF) of storing “stuff” in one’s headspace), and the system had components we had to log into. We were logging into and out of systems left and right, and always on a big screen. I work at an institution with single sign-on: this means your password for the HR system where you manage your payroll and salary, your library password and your email password are all the same thing (bear in mind, single sign-on is good for security; users are less likely to use bad passwords if they only have to remember a few of them). Even more frequently than we had these meetings, two or more of us would be clustered around a desk testing some aspect of the new library system that required a log in or out.

I can’t imagine that either of these scenarios is uncommon in the workplace, meaning that in Nielsen’s world users would all share their passwords. Similarly, I imagine it is fairly common in social contexts, particularly with shared houses and computers. Sharing passwords is undesirable at best, and I don’t need to describe how much damage one bad apple in a workplace could do under such circumstances; it would also be extremely difficult to track down who that person was, and what they had done, when a large group of individuals all knew each other’s passwords. Not only that, with single sign-on, passwords provide access to confidential and sensitive information, including (at my institution) email, leave details, salary details and library details.

Just like Nielsen’s solution, displaying the most recently typed character before masking it essentially clear-texts your password to anyone who happens to be present (an observer only has to watch each character as it appears), leaving the checkbox options as the only way to balance security and usability. Nielsen suggests that the checkbox be “hide”, but I disagree. The social implication of a “hide” box is that you have to make the decision to hide your password from your colleagues, loved ones or friends in front of them, which sets up the potential for awkward dynamics around trust in professional and personal interactions. My preference would be an “unhide” box that implies it is simply natural to keep one’s password hidden, thereby avoiding any issues of trust in situations where passwords might otherwise be shared.
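To make the difference between the three options concrete, here is an added example of my own; it is not code from Nielsen’s article or from any of the responses. It models a password field whose display is fully masked by default, can show only the most recently typed character, or can be revealed by an explicit opt-in, and it simulates what someone watching the screen can reconstruct under each policy. The `bindToDom` helper and the element ids `password` and `show-password` are assumptions for wiring it to a real form; everything else runs in Node without a browser.

```javascript
// Added example: a password field with a masked-by-default display and an
// opt-in "unhide" control, plus a shoulder-surfing simulation. Not code from
// the original post; element ids and the bindToDom() wiring are assumptions.

const MASK_CHAR = '\u2022'; // the bullet a browser draws for each character

// Render what appears on screen for the current secret under a display policy:
//   reveal   - the user has ticked "Show password" (explicit opt-in)
//   showLast - show the most recently typed character, mask the rest
// With neither option set, every character is masked (the default).
function renderDisplay(secret, { reveal = false, showLast = false } = {}) {
  if (reveal) return secret;
  if (secret.length === 0) return '';
  if (showLast) {
    return MASK_CHAR.repeat(secret.length - 1) + secret[secret.length - 1];
  }
  return MASK_CHAR.repeat(secret.length);
}

// Everything an observer sees while the secret is typed one character at a
// time: one frame per keystroke.
function observerFrames(secret, opts) {
  const frames = [];
  for (let i = 1; i <= secret.length; i++) {
    frames.push(renderDisplay(secret.slice(0, i), opts));
  }
  return frames;
}

// Reconstruct the secret from those frames. Each keystroke appends exactly one
// character to the display, so the last character of each frame is either a
// mask (unknown, written as '?') or the real character.
function recoverFromFrames(frames) {
  let recovered = '';
  for (const frame of frames) {
    const last = frame[frame.length - 1];
    recovered += last === MASK_CHAR ? '?' : last;
  }
  return recovered;
}

// Minimal model of the widget state, usable without a browser.
function createPasswordField() {
  let secret = '';
  let reveal = false;   // masked until the user ticks "Show password"
  let showLast = false;
  return {
    type(text) { secret += text; },
    // Simplification: after a backspace the new last character is shown again
    // under showLast; real implementations may keep it masked.
    backspace() { secret = secret.slice(0, -1); },
    setReveal(on) { reveal = Boolean(on); },
    setShowLast(on) { showLast = Boolean(on); },
    display() { return renderDisplay(secret, { reveal, showLast }); },
    value() { return secret; },
  };
}

// Browser wiring (assumed markup: <input id="password"> and
// <input type="checkbox" id="show-password">). The input stays
// type="password" unless the box is ticked, and the box starts unticked, so
// unmasking is always a deliberate choice by the user.
function bindToDom(input, checkbox) {
  const apply = () => { input.type = checkbox.checked ? 'text' : 'password'; };
  checkbox.checked = false;
  checkbox.addEventListener('change', apply);
  apply();
}

if (typeof document !== 'undefined') {
  const input = document.getElementById('password');
  const box = document.getElementById('show-password');
  if (input && box) bindToDom(input, box);
} else {
  // Node: compare what a shoulder-surfer recovers under each policy.
  const secret = 'hunter2'; // constructed sample, not a real credential
  console.log('masked:    ', recoverFromFrames(observerFrames(secret)));
  console.log('show-last: ', recoverFromFrames(observerFrames(secret, { showLast: true })));
}
```

Run under Node, the full-mask policy lets the observer recover only `???????` while the show-last policy recovers `hunter2` outright, which is the point about clear-texting above. The DOM wiring only switches the input’s `type`; the value is never copied into a visible attribute, and the checkbox is forced unticked on load so the hidden state is the one the user starts from.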

The problem with Nielsen’s approach is that it is a purist usability approach. If all we cared about was making systems more usable, it would absolutely be right to expose everyone’s password and have the option to hide it occasionally as necessary. This could lead to extremely uncomfortable social situations in both the work and personal spheres, though, and as such it is poor user experience design, which takes the context of use into account; I can’t recommend something that would so frequently lead to a bad user experience.

So, what do you think?  Should we all show each other our passwords?


2 Responses to “Password masking, and the difference between usability and user experience”

  1. Graham C Morley, Saturday, January 23, 2010 at 7:03 pm

    I like the mask update pattern where characters only get masked when a new character is entered. There’s a nice jQuery plugin that does it well.

    Another nice solution I’ve seen is a checkbox next to the password which allows you to toggle the masking.

  2. Formulardesign als Lückentexte – Trend oder Ausnahmeerscheinung? (Form design as fill-in-the-blank text: trend or exception?) | Trackback on Saturday, February 27, 2010 at 8:04 am




Some rights reserved.
