Truth be known, I'm a little bit nervous about this article. I'm going to suggest something that a lot of people won't like.
And it's this: Passwords should not be masked by default.
Now, I know what you're going to say. It will be something like, "but someone will steal my password if they can see it! Won't somebody think of the children!"
Before you jump to the comments section, let's see whether we can get on the same page on this...
Masked passwords come from the age of mainframes. And when we're talking about mainframes, that makes sense -- they were secure, private systems, used by specialists.
My argument is that masking passwords does not make sense in the modern era, for two reasons.
Firstly, no one is going to see your password. I'll come onto that, but they just won't. Ever.
Secondly, if people could see their own passwords rather than just dot-dot-dot, etc they would choose better passwords, and be less likely to reuse the same passwords.
As humans we're very good at looking at something and taking a visual snapshot. If I actually see the Facebook login screen with my username and a long, passphrase like "correct horse battery staple", that's more likely to sink into my brain.
From a user experience (UX) point of view, masked passwords are bad. We all know this is true -- it's much harder to type a complex password correctly if you can't see what you're typing. (Usability guru Jakob Neilsen wrote about this back in 2009.) As an upshot of this, people will choose simpler passwords, and be more likely to reuse them as they are relying on muscle memory to key them in, as opposed to using visual memory to remember them.
Let's go back to the idea that no one is going to see your password.
Where exactly do you think someone is going to see you typing in your password? More to the point, do you not have a much, much bigger problem than someone snaffling your Facebook login if they do?
I'm writing this in my home office. There is no one around. Masking passwords in this scenario is one hundred percent inconvenient and zero percent increasing security. The only way that someone could see my password is if there was a covert camera in the room. Frankly, if that's the case, I have a much bigger problem than someone logging into my Facebook account.
Plus, if you want to get my password, there are much easier ways to do it. A keylogger would do it. Some other form of exploit would do it.
This is a key tenet in my argument. We're not in the mainframe era anymore and there are generally easier ways to steal credentials than relying on photons bouncing off of a screen and into someone's eye.
Say you're in Starbucks on your iPad. Password fields are about five millimetres tall in a standard rendering of a login form on an iPad mini. How is someone going to see that? Someone in the parking lot training a telephoto lens on your screen maybe? Again, if that's happening, you have bigger problems.
And, as before, there are easier ways to phish you. This write-up by Troy Hunt on a device called the Pineapple should scare you well enough.
There are virtually no situations I can think of where someone will be fast enough, clever enough, and have good enough eyesight to casually snaffle a pair of credentials. Frankly, only Sherlock could do it. It has to be an intentional attack, and there are always, always easier ways to phish someone.
Windows 8 offers a decent enough pragmatic solution to password masking in that their standard password field implementation shows a little button you can press to unmask the value so that you can read it.
That's a fabulous improvement, but Chrome and Firefox don't support it, which makes it useless for a great number of people. It's also not done on Android, or iOS, or OS X. On mobile devices, masking passwords is a particular pain because muscle memory doesn't work so well when typing on glass.
My proposition is that this needs to be flipped around with unmasking as default, but if you are somewhere where you want a little more privacy, you can click a button to mask the results. Or, if you want to be low-tech about it, you could always put your hand over the field.
People aren't stupid. People already know to protect their PIN when keying it into an ATM. (Personally, I'm fine with masking for PINs because they are short and non-complex.) Those same people will learn that on the rare occasions that they have to type in a password and they can be seen that they should give themselves a little extra cover. And, who doesn't look away when someone is typing in a password in front of them anyway. Most people do.
When I discussed this point on Twitter with a few friends, the feedback (pushback?) I got was that this approach usurps security for the sake of convenience.
For me, I don't buy that argument -- it's classic technologist-style thinking. We're babying users and going out of our way to protect them from a threat that is not there, whilst all the time damaging their experience -- particularly on mobile -- and actually pushing them into using poor passwords.
Masking passwords hurts people. It doesn't help people.
UPDATE: My Twitter friend Ross Dargan put together a Chrome extension that turns password fields into normal fields. I'm using it. It a bit strange, but I like it! Give it a go and see what you think...
What do you think? Post a comment, or talk to me on Twitter: @mbrit.
- Do you save passwords in Chrome? Maybe you should reconsider
- All your passwords belong to us
- iPhone 5S fingerprint reader: Doubling down on identity, a death knell to passwords?
- MaskMe helps you cover your tracks, avoid online annoyances