Nielsen Recommends Not Masking Passwords (849 comments)

Mark writes "Usability expert and columnist Jakob Nielsen wants to abolish password masking: 'Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to login failures.' I've never been impressed by the argument that 'I can't think why we need this (standard) security measure, so let's drop it.' It usually indicates a lack of imagination of the speaker. But in this case, does usability outweigh security?"
  • Two words (Score:5, Insightful)

    by RollingThunder ( 88952 ) on Thursday June 25, 2009 @03:49PM (#28470865)

    Shoulder surfing.

    Seriously, is this guy supposed to be an expert?

    This is like having a fuel efficiency expert tell you to turn the motor off on your car, stick it in neutral, and push it, since it'll get infinite MPG. Passwords are supposed to be secret. Usernames aren't as critical.

  • by Verteiron ( 224042 ) on Thursday June 25, 2009 @03:51PM (#28470893) Homepage

    Personally, I rather like the way many cellphones handle this: show the letter that was typed for a moment and THEN mask it. This allows you to spot typos and correct them without having to blank the field and start over.

  • by Yetihehe ( 971185 ) on Thursday June 25, 2009 @03:54PM (#28470975)
    It's possible, the only problem is with browsers. Almost all of them remember what you put in normal text fields. Next time on page - just press down arrow and voila!
  • by fandingo ( 1541045 ) on Thursday June 25, 2009 @03:54PM (#28470977)
    Does anyone ever think it's weird to actually look at your password? I never write them down, and I remember them mostly by the location of the keys on the keyboard, not by the actual text. To me, it's quite unnatural to look at a password.
  • Easy solution (Score:5, Insightful)

    by wjousts ( 1529427 ) on Thursday June 25, 2009 @03:54PM (#28470979)
    Change your password to **********
  • by tcsh(1) ( 683224 ) on Thursday June 25, 2009 @03:55PM (#28470993)
    Ever logged in to a computer connected to an LCD projector?
  • Re:Two words (Score:5, Insightful)

    by tomhudson ( 43916 ) <barbara,hudson&barbara-hudson,com> on Thursday June 25, 2009 @03:57PM (#28471013) Journal

    I'd rather have to retype the occasional password than have it visible to anyone shoulder surfing.

    Think about your bank card, your PIN, etc.

    FTFA:

    It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win.

    Retarded doesn't begin to cover this. Offering a default to turn OFF password masking for bank accounts? I'm sure the banks will just LOVE this one. We have enough problems with identity theft already.

  • Security (Score:3, Insightful)

    by ucblockhead ( 63650 ) on Thursday June 25, 2009 @04:02PM (#28471093) Homepage Journal

    One of the most irritating things is the way many websites, especially financial websites, are designed with no thought to the difference between use in a public setting and use in a private setting. For instance, I only ever use my banking website from one place, my den, which is physically secure, yet I have to suffer through all sorts of crap designed to make sure my account doesn't get compromised in a public setting. (The most annoying being automatic log outs for non-use.)

    Masking passwords, logging off the user on non-use after ten minutes, and other such security methods do not actually decrease the chance of compromise significantly when the user has physical security. Websites should allow for this.

  • by guruevi ( 827432 ) on Thursday June 25, 2009 @04:02PM (#28471099)

    1) If I look outside my office window, I can see about 48 office windows (without standing up) and all of them have the lights on and it's dusk outside. Give me a dSLR and a decent set of long distance lenses and I'll prove you wrong.

    2) How many times have you typed in your password while somebody was looking at your screen, e.g. to show somebody something on a protected website? This happens a lot to tech people, as we have to authenticate to solve an issue while somebody is standing next to us waiting for us to fix it.

    3) How many times have you given a presentation where your screen view (but not your keyboard input) goes worldwide (eg. teleconference) or over a set of wires that you know haven't been tampered with (conference room) - again, logging in to your webmail or so to find a copy of your presentation.

    4) How difficult is it to create a script that takes screenshots - how difficult is it to create a script that captures keyboard entry as well. Answer: the first can be done in userspace (and in the hands of an experienced script kiddie would be unnoticed), the latter usually has to go as a request to a driver, kernel or other layer that requires admin rights. This is true for Windows, Mac and (depending on your GUI) Linux

  • Re:Two words (Score:3, Insightful)

    by dkleinsc ( 563838 ) on Thursday June 25, 2009 @04:04PM (#28471133) Homepage

    expert(n): Someone who will charge you a large amount of money to state the obvious (possibly to someone else who needs to be convinced of something).

    The real geniuses of the world don't go around calling themselves "experts", they just do nifty things and solve interesting and difficult problems.

  • by Anonymous Coward on Thursday June 25, 2009 @04:04PM (#28471137)

    The cellphone method works great and has never bothered me until I had to enter a 63-character WPA key into an iPhone. This is something you can't do from memory, so you're moving your eyes back and forth between a plaintext copy, and trying to remember just where you left off. Agony.

    Basically, in a few situations like this, it would be really handy to turn off masking one-time-only.

  • by i'm lost ( 1247580 ) on Thursday June 25, 2009 @04:04PM (#28471145)

    This means we no longer need to confirm passwords twice when registering.

    Yeah, just like we don't have to confirm email addresses right now.

  • Another two words (Score:4, Insightful)

    by El Gigante de Justic ( 994299 ) on Thursday June 25, 2009 @04:05PM (#28471167)

    Saved Passwords.

    I typically have my web browser save my passwords for things I consider lower risk, but if masking is removed and the browser automatically loads the password into the form, then it's available to anyone. Considering that many users use the same or similar passwords for almost every application, having it unmasked on one site could give up your info on any number of other sites.

  • by hoosbane ( 643500 ) on Thursday June 25, 2009 @04:05PM (#28471173)
    Just because you don't think someone is watching over your shoulder, doesn't mean someone isn't watching over your shoulder.
  • Re:Two words (Score:5, Insightful)

    by amicusNYCL ( 1538833 ) on Thursday June 25, 2009 @04:06PM (#28471193)

    Oh, c'mon.

    So, password masking doesn't even protect fully against snoopers.

    No, it doesn't protect fully, but it does protect from everyone who can't see the keyboard when you type. In other words, it protects against every shoulder-surfing scenario except when the person is looking directly at the keyboard when you type. And even then, if you're typing fast enough or the keys are close enough together you won't be able to guess the password by watching the keyboard. Hell, I'm sitting right in front of the keyboard and I still can't look through my hands to see which keys my fingertips are actually pressing. So, password masking does protect from shoulder-surfing. It might not protect against people looking directly at your keyboard, but that might be because it's designed specifically to protect against people looking at the goddamn monitor.

    More importantly, there's usually nobody looking over your shoulder when you log in to a website. It's just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.

    OK, so this is a great usability solution for websites that only get accessed by people sitting alone in their offices without the possibility of a co-worker standing there as they log in. For all other sites that people might access in an internet cafe, or at the airport, or in a coffee shop, or wherever else, I guess it doesn't apply at all.

  • by Slipped_Disk ( 532132 ) on Thursday June 25, 2009 @04:07PM (#28471211) Homepage Journal
    What TFA is suggesting is probably one of the dumbest ideas I've heard since... EVER. That said, the dots are a usability issue -- I've got plenty of otherwise very smart users who screw up passwords constantly.

    As a compromise measure I propose stealing something from Apple's playbook: The iPhone password entry interface. The last character typed is visible for 2-3 seconds, everything else is masked (and backspacing doesn't reveal characters, just makes the dots go away). The design doesn't suck, and the security compromise isn't as bad as "leave the password on-screen for everyone to see" like the article is suggesting.
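The "show the last character briefly, then mask it" behaviour that Verteiron, the Anonymous Coward with the 63-character WPA key, and Slipped_Disk describe above, as an added example (not code from the article, from Slashdot, or from any of the posters). It is written as a DOM-independent state machine with an injectable clock so the policy itself can be exercised without a browser; the optional browser wiring at the bottom assumes two elements with the ids `pw-visible` and `pw-hidden`, which are illustrative names. The caret is always at the end (no arrow-key editing or paste), which is the same limitation the phone keyboards the posters mention have, and backspace never re-reveals a character:

```javascript
// Added example: phone-style password masking for a web form.
// Everything typed is shown as bullets except the most recently typed
// character, which stays visible for revealMs and is then masked.
// Backspace removes a character but does not reveal the one before it.

const MASK_CHAR = '\u2022'; // the bullet a browser password field draws

class BrieflyRevealingMask {
  // `now` is injectable so the timing can be tested deterministically.
  constructor({ revealMs = 2000, now = () => Date.now() } = {}) {
    this.revealMs = revealMs;
    this.now = now;
    this.secret = '';      // the real password; only value() hands it out
    this.revealUntil = 0;  // timestamp until which the last char is shown
  }

  // A single printable character (one UTF-16 code unit) was typed.
  typeChar(ch) {
    if (typeof ch !== 'string' || ch.length !== 1) {
      throw new Error('typeChar expects a single character');
    }
    this.secret += ch;
    this.revealUntil = this.now() + this.revealMs;
  }

  // Remove the last character. The character now at the end was already
  // hidden, so make sure nothing is revealed.
  backspace() {
    this.secret = this.secret.slice(0, -1);
    this.revealUntil = 0;
  }

  // Field lost focus, timer fired, or the form is submitting: hide at once.
  hideNow() {
    this.revealUntil = 0;
  }

  // The string to draw in the visible field.
  display() {
    const n = this.secret.length;
    if (n === 0) return '';
    const revealing = this.now() < this.revealUntil;
    if (!revealing) return MASK_CHAR.repeat(n);
    return MASK_CHAR.repeat(n - 1) + this.secret[n - 1];
  }

  value() {
    return this.secret;
  }
}

// Browser wiring (assumed element ids; skipped when there is no DOM).
// The user types into a visible text input whose value we overwrite with
// the display string; the real secret lives in a hidden input, which is
// the one the form submits.
function attachToForm(doc, { visibleId, hiddenId, revealMs = 2000 }) {
  const visible = doc.getElementById(visibleId);
  const hidden = doc.getElementById(hiddenId);
  const mask = new BrieflyRevealingMask({ revealMs });
  let timer = null;
  const render = () => {
    visible.value = mask.display();
    hidden.value = mask.value();
  };
  // A text field is remembered by the browser's form history; a masked one
  // is not, so opt this field out explicitly.
  visible.setAttribute('autocomplete', 'off');
  visible.addEventListener('keydown', (ev) => {
    if (ev.key === 'Backspace') {
      mask.backspace();
    } else if (ev.key.length === 1) {
      mask.typeChar(ev.key);
      clearTimeout(timer);
      timer = setTimeout(() => { mask.hideNow(); render(); }, revealMs);
    } else {
      return; // Tab, Enter, arrows etc. keep their normal behaviour
    }
    ev.preventDefault(); // we render the field ourselves
    render();
  });
  visible.addEventListener('blur', () => { mask.hideNow(); render(); });
  return mask;
}

if (typeof document !== 'undefined') {
  attachToForm(document, { visibleId: 'pw-visible', hiddenId: 'pw-hidden' });
}
```

The split into a visible field and a hidden one matters: if the bullets were drawn into the real password field you would have to submit the display string, and if the secret were kept in a visible `type="text"` field the browser would happily offer it from autofill history next time, which is the objection Yetihehe raises further up. Note that this scheme still leaks the password length to anyone who can see the screen, exactly as a standard masked field does.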
  • by jonaskoelker ( 922170 ) <`jonaskoelker' `at' `yahoo.com'> on Thursday June 25, 2009 @04:07PM (#28471215)

    [browsers] remember what you put in normal text fields.

    Well, here's an easy fix: browsers add a checkbox-ish context menu item to password fields saying "don't hide text behind dots". Pages don't have to do anything, and browsers don't need to change caching behavior.

    On the other hand, we only post passwords over HTTPS which browsers don't cache anyways. Right, slashdot? Right? Harumph :(

  • by Duradin ( 1261418 ) on Thursday June 25, 2009 @04:10PM (#28471263)

    I think you confused an example of something with the attribution of something.

    He said "the iPhone has this feature".

    He didn't say "the iPhone innovated this feature".

    Do you feel better now after your minute of Apple-hate?

  • Re:hunter2 (Score:5, Insightful)

    by Darkness404 ( 1287218 ) on Thursday June 25, 2009 @04:12PM (#28471313)
    About the only thing that requires a complex password for most people is work. At work, most everyone is too scared of being fired to really mess with people's accounts. Really the only point of passwords there is to keep out network attacks or so people can work at home. If someone can't remember 6-8 characters with a number thrown in there for good measure, perhaps they should not be on the internet.
  • Runaway security (Score:2, Insightful)

    by johannesg ( 664142 ) on Thursday June 25, 2009 @04:13PM (#28471327)

    About 999 times out of 1000, I'm sitting in an environment (either at home or in the office) where I really don't care if anyone sees my password. For that one time where I do care, maybe we can have a checkbox for making the password invisible while we type.

    The problem with security is really that once you start down that path, nothing is ever enough - at least not to the security gestapo (motto: "our work ain't done until you can't do yours"). Stellar example: the FTP at work is configured to have a ~10s delay after logging in, "to stop the evil h4x0rz". It's driving me nuts, so I suggested accepting the first connection without any delay, and then introducing a delay for each following connection if it occurs within 10s. That way hardly anyone will be bothered by the delay, but the h4x0rz will still be unable to flood the server with their evil password-attempting ways. But nooo, that was completely unacceptable! Because it would be INSECURE! Only a long delay guarantees security!
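The login throttle johannesg proposes in the second paragraph above (first connection served at once, later connections from the same source delayed if they arrive within a short window), as an added example in JavaScript that is not the poster's code or the FTP server's. The per-source state is keyed by whatever identifies the client, assumed here to be a client address string; the clock is injectable so the behaviour can be tested, and the example adds an exponential back-off and a cap, which the comment does not specify:

```javascript
// Added example: per-source adaptive login delay.
// The first attempt in a quiet window costs nothing; every further attempt
// within windowMs of the previous one from the same source is delayed,
// doubling each time up to maxDelayMs. The window slides, so a steady
// flood never gets a free attempt, while a human who waits resets.

class PerSourceLoginThrottle {
  constructor({
    windowMs = 10000,
    baseDelayMs = 1000,
    maxDelayMs = 30000,
    now = () => Date.now(),
  } = {}) {
    this.windowMs = windowMs;
    this.baseDelayMs = baseDelayMs;
    this.maxDelayMs = maxDelayMs;
    this.now = now;
    this.seen = new Map(); // source -> { last, strikes }
  }

  // Returns the delay in milliseconds to impose before handling this attempt.
  delayFor(source) {
    const t = this.now();
    const s = this.seen.get(source);
    if (!s || t - s.last > this.windowMs) {
      this.seen.set(source, { last: t, strikes: 0 });
      return 0;
    }
    s.strikes += 1;
    s.last = t;
    return Math.min(this.maxDelayMs, this.baseDelayMs * 2 ** (s.strikes - 1));
  }

  // Drop sources that have gone quiet so the table stays bounded.
  // Returns the number of entries still tracked.
  prune() {
    const t = this.now();
    for (const [src, s] of this.seen) {
      if (t - s.last > this.windowMs) this.seen.delete(src);
    }
    return this.seen.size;
  }
}

// Constructed sample: a flood from one address and a single normal login
// from another, on a fake clock.
function demo() {
  let t = 0;
  const th = new PerSourceLoginThrottle({ now: () => t });
  const delays = [];
  delays.push(th.delayFor('10.0.0.5'));   // t=0, first attempt: 0
  t = 1000;  delays.push(th.delayFor('10.0.0.5')); // 1000
  t = 2000;  delays.push(th.delayFor('10.0.0.5')); // 2000
  t = 3000;  delays.push(th.delayFor('10.0.0.5')); // 4000
  delays.push(th.delayFor('10.0.0.9'));   // other source, unaffected: 0
  t = 20000; delays.push(th.delayFor('10.0.0.5')); // quiet > window: 0
  return delays;
}
```

Keying on the source address is what keeps bwcbwc's and johannesg's colleagues from slowing everyone down, but it is only one layer: an attacker with many addresses gets a free first attempt from each, so this belongs alongside a per-account lockout or back-off, and for IPv6 the key should usually be the /64 rather than the full address. Call `prune()` periodically; otherwise the map grows with every address that ever connected.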

  • by doti ( 966971 ) on Thursday June 25, 2009 @04:22PM (#28471491) Homepage

    That's because knowing the number of characters in a password greatly eases the password guessing.

    The masking is indeed a bad idea. Your unix login prompt does the right thing.

  • Re:Two words (Score:5, Insightful)

    by radtea ( 464814 ) on Thursday June 25, 2009 @04:24PM (#28471541)

    Retarded doesn't begin to cover this.

    The best thing about the article, typical of an unfortunately large amount of usability literature, is the complete absence of empirical data. He simply asserts, for example, "users will not be confused by this" without offering a shred of empirical evidence for the claim. I'm not a typical user, but I'd sure as hell be confused if plaintext started to appear in the UI where a decade or two of experience has taught me to expect a line of bullets. I sure as hell wouldn't want to be on a helpdesk for a system that has just made this change.

    Usability is an important area of software design, but it is still in its infancy, and the lack of usability experts chiming in to call this guy a blithering idiot is depressing. All claims about usability of any feature should be considered nonsense until someone comes to you with empirical data from real users that tell you what they find usable. Otherwise you're arguing mythological hypotheticals--how many users can dance on a pinhead.

  • Re:hunter2 (Score:5, Insightful)

    by vidarh ( 309115 ) <vidar@hokstad.com> on Thursday June 25, 2009 @04:27PM (#28471589) Homepage Journal

    If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    No, but if Stephen Hawking made a claim that flew in the face of established conventions in - say - psychology, I would expect a citation. Nielsen is a usability expert, not a security expert, and GP questioned his claim about the security aspect.

  • Re:hunter2 (Score:3, Insightful)

    by Crazy Man on Fire ( 153457 ) on Thursday June 25, 2009 @04:27PM (#28471591) Homepage

    You might want to RTFA before typing out such a long post. If you did, you'd notice a few things.

    1) He's specifically advocating this for login forms on the web
    2) He specifically says that security trumps usability in some instances
    3) He gives a very clear example of a way to enable/disable this feature

    With the proliferation of mobile devices with tiny, sometimes virtual, keyboards, typos are very common. When you can't even see that you've made a typo because it is obscured by dots, then you have no chance of correcting it.

    Wouldn't it be nice if you could uncheck a little box that says "Obscure my password"? If you're paranoid, you could just check the box before entering your password or leave it checked, depending on the default.

  • Re:hunter2 (Score:5, Insightful)

    by adamstew ( 909658 ) on Thursday June 25, 2009 @04:28PM (#28471605)

    If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    Yes! I would! I would want to see the research that led him to his conclusion in physics. Or, more specifically, I would want another physicist to look at his research and give his validation to say that it's sound.

  • Re:hunter2 (Score:3, Insightful)

    by plague3106 ( 71849 ) on Thursday June 25, 2009 @04:32PM (#28471675)

    If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    Not at all. But I wouldn't listen to his ideas on beating the Taliban in Afghanistan.

  • by marcus ( 1916 ) on Thursday June 25, 2009 @04:42PM (#28471849) Journal

    In a secure environment, with no one looking over my shoulder why not leave the chars in the clear?

    Give 'em a checkbox: "Echo password []" which defaults to "unchecked" of course.
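The "Echo password" checkbox that marcus, Crazy Man on Fire and jonaskoelker propose, and that the quoted article itself suggests, as an added example for a plain web login form (not code from the article, from Slashdot, or from any poster). It works on the existing `<input type="password">` rather than copying the secret into a second text field, defaults to masked, and re-masks on submit, on blur and when the tab is hidden so the clear text is never left on screen. The element ids `password`, `show-password` and `login-form` are assumed for the illustration:

```javascript
// Added example: masked-by-default password field with a "show" checkbox.

// Flip one input between masked and clear text. While it is a text field,
// tell the browser not to record its contents in ordinary form history
// (a type=text field is remembered; a password field is not).
function setPasswordMasked(input, masked) {
  input.type = masked ? 'password' : 'text';
  input.setAttribute('autocomplete', masked ? 'current-password' : 'off');
  return input.type;
}

// Wire the checkbox to the field. Returns the re-mask function so a caller
// can force masking from elsewhere (e.g. an inactivity timer).
function wireMaskToggle({ input, checkbox, form, doc = null }) {
  const remask = () => {
    checkbox.checked = false;
    setPasswordMasked(input, true);
  };
  remask(); // masked by default, whatever the markup said

  checkbox.addEventListener('change', () => {
    setPasswordMasked(input, !checkbox.checked);
  });
  // Never submit, leave, or background the page with the password visible.
  form.addEventListener('submit', remask);
  input.addEventListener('blur', remask);
  if (doc) {
    doc.addEventListener('visibilitychange', () => {
      if (doc.hidden) remask();
    });
  }
  return remask;
}

if (typeof document !== 'undefined') {
  wireMaskToggle({
    input: document.getElementById('password'),
    checkbox: document.getElementById('show-password'),
    form: document.getElementById('login-form'),
    doc: document,
  });
}
```

Re-masking on blur is deliberately conservative: it means the checkbox has to be ticked after the field is focused, but it also means a user who unmasks, gets distracted and walks away does not leave the password readable, which is the scenario TheLink and hoosbane describe further down. Switching `type` on the same element keeps the browser's password manager working and avoids the duplicate-field problem El Gigante de Justic raises about saved passwords being autofilled into something visible.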

  • Re:hunter2 (Score:1, Insightful)

    by Anonymous Coward on Thursday June 25, 2009 @04:42PM (#28471867)

    If Stephen Hawking says something about biology, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    Fixed.

  • Re:Two words (Score:3, Insightful)

    by Znork ( 31774 ) on Thursday June 25, 2009 @04:44PM (#28471925)

    Offering a default to turn OFF password masking for bank accounts?

    As many banks use one time passwords, that might actually be one of the few places where unmasked passwords are acceptable.

    Otherwise, no way. For those with very bad keyboard skills there are workarounds like using keyboard patterns and with cellphones you can use longer passwords but without multiple-click use of buttons.

    Slightly easier input simply isn't worth it; not only don't I want to reveal my passwords to any furtive glance, I don't want to be exposed to everyone else's passwords either.

  • Re:hunter2 (Score:3, Insightful)

    by Knuckles ( 8964 ) <knuckles@@@dantian...org> on Thursday June 25, 2009 @04:44PM (#28471927)

    Same thing with email addresses in online forms, why do I always have to type those in twice?

    That's to reduce the chances you have a typo. Some even explain that.
    I have no idea about the MS thing, it's probably because their WLAN taskbar applet sucks hard.

  • Microsoft wep key (Score:5, Insightful)

    by blueskies ( 525815 ) on Thursday June 25, 2009 @04:47PM (#28471981) Journal

    The microsoft wireless access passwords are done like that because they are complete idiots. Why do you have to type it in twice?? If it works on the first try, why use the second field at all?

  • Re:hunter2 (Score:2, Insightful)

    by Grishnakh ( 216268 ) on Thursday June 25, 2009 @04:55PM (#28472167)

    Exactly. This Nielsen guy (I've never heard of him) is a complete moron. I read the summary and instantly thought of the over-the-shoulder attack. Here at work, I unfortunately am cursed with sitting in an "open seating" arrangement so it's pretty easy for people walking by to see what I'm doing on my computer. I don't trust everyone here with my passwords (otherwise, why would we even have them, since we need security badges to get in the door?), so I certainly don't want to see my password as I type it out. This completely defeats the security offered by a password.

    If you're going to eliminate masking passwords, you might as well just go whole-hog and eliminate passwords altogether. How many are in favor of this? Hands?

  • by jwietelmann ( 1220240 ) on Thursday June 25, 2009 @05:05PM (#28472357)
    Don't direct your ire toward information security just because your particular sysadmin happens to be an idiot.
  • by Hurricane78 ( 562437 ) <deleted @ s l a s h dot.org> on Thursday June 25, 2009 @05:14PM (#28472495)

    Do you really expect users, to know if their environment is secure?

    On the other hand, it's a great idea. More cracked accounts, more retards hurt, less retards being successful, less retards reproducing, and the global IQ rises.

    Seriously, I miss the intelligence boost that harsh times give humanity. :/

  • Re:hunter2 (Score:3, Insightful)

    by Trecares ( 416205 ) on Thursday June 25, 2009 @05:17PM (#28472535)

    Stephen Hawking would generally be expected to have something to back up his statements. People don't just come up with stuff out of thin air. They do research, experiment, formulate hypotheses and test them. That becomes the body of evidence on which Hawking would base his statements. What kind of evidence does Nielsen have to back his remarks? Polls? Focus groups?

    Nielsen is essentially recommending that usability should trump security, which is not necessarily the right answer. Now if he wants to recommend redesigning the authentication system, then I suggest that he collaborate with security experts and come up with a new authentication method that is both user-friendly and secure.

    I wonder if Nielsen's research considered instances where people forgot or entered the incorrect password. Cases in which seeing the password in cleartext would not help. The easy answer is to look at the keyboard and see what you're pressing if you can't tell what you're pressing.

  • by BitZtream ( 692029 ) on Thursday June 25, 2009 @05:26PM (#28472693)

    I can do it for linux and Windows pretty quickly, not sure about OS X, but I can do it on FreeBSD or any X server really.

    All I need is to get you running a process that does my dirty work in Windows, certainly not difficult. With an X server involved all I need to do is get an app that can connect to your X server and sniffing becomes easy. Failing that, in both Windows and most unix flavors I can always just futz with your user profile and use LD_PRELOAD to make sure I see all your stdio. Don't think it's possible? Have you used screen? It doesn't preload or anything because it's not trying to go unnoticed.

    It's only slightly more difficult to get keyboard characters than it is to get screenshots after you've got to the point where you can do the screenshots. Once you get the screenshots, the machine is already compromised to the point that it doesn't matter.

    And on that note, once you compromise the machine to take screenshots, there are far more effective malware packages out there to install than just a screenshot snagger.

  • by mellon ( 7048 ) on Thursday June 25, 2009 @05:26PM (#28472701) Homepage

    Dude, I want *your* computer. Or your glasses. Or something.

    You have illustrated the point nicely. However, the fact is that there is a problem here. The average naive user thinks that when they type a password in, and it's hidden, that means that it's secure. They equate the dots with end-to-end security. And of course there is no end-to-end security. So actually the dots are a usability problem - just not the one Mr. Nielsen suggests.

    Fundamentally, the problem is that there is no security in the way passwords are done on the net. By this I mean that even though we do have security protocols like SSL, and we do have mechanisms for signing certs, the current security model assumes that the user will discriminate between situations where there is security, and situations where there is not. And nearly every single user of web services is incapable of discriminating in that way. There are maybe one or two thousand people in the world who really understand the security model well enough and are anal enough to actually validate the security of what they are doing when they enter passwords into web forms.

    So essentially Mr. Nielsen is right - you might as well not bother with the dots. Because they just give you a false sense of security.

  • by MaskedSlacker ( 911878 ) on Thursday June 25, 2009 @05:37PM (#28472867)

    Why did you bother explaining? Don't you see what a missed opportunity that was? If they don't log in, they can't fuck anything up!

  • Re:Security (Score:3, Insightful)

    by PitaBred ( 632671 ) <slashdot&pitabred,dyndns,org> on Thursday June 25, 2009 @06:06PM (#28473295) Homepage
    See, now you're asking people to make critical decisions affecting their own security, with the vast majority of them having no way to realistically evaluate the actual security. You're intentionally calling forth the demons of being Unskilled and Unaware of It [damninteresting.com]. People will overestimate their security on their shitware ridden Windows machines, or check their bank accounts from home and work and the library... if the preferences are per-user, that's horribly insecure. If it's per user+IP, it will confuse normal users and anger them. It's better to leave it as secure as possible from any possible login point. You shouldn't ever underestimate the stupidity of the average person, especially when it's a subject they don't care about.
  • by bwcbwc ( 601780 ) on Thursday June 25, 2009 @06:23PM (#28473505)

    That FTP IS stupid. They should switch to SFTP and require digital certificates to connect, so they can authenticate connections without compromising login credentials.

  • by lindseyp ( 988332 ) on Thursday June 25, 2009 @08:20PM (#28475227)

    What's even better than that is when the password input window *does* have focus, and the IM window steals it just as you start to type it in.

    focus-stealing windows should be banned.

  • by Narcocide ( 102829 ) on Thursday June 25, 2009 @08:34PM (#28475383) Homepage

    Your sig should be "Don't shoulder surf my password bro!" This is a situation where compromise is not appropriate. The unix login prompt has proper behavior. The story post is correct; obscured characters are dumb. The assumption that therefore they should be shown in plain text is incorrect. Your password should not be shown at all as you are typing it or at any time in any representation.

  • Re:hunter2 (Score:3, Insightful)

    by grahamd0 ( 1129971 ) on Thursday June 25, 2009 @10:33PM (#28476521)

    He's not a security expert, but he IS a usability expert (even though I, a non-expert, often disagree with some of the things he writes).

    He's the seventh grade English teacher of usability experts. Everything he says is useful the first time you hear it, but most of it is wrong.

  • by bkpark ( 1253468 ) on Thursday June 25, 2009 @10:54PM (#28476697) Homepage

    focus-stealing windows should be banned.

    And you can ban it. At least in XFCE, it's a standard option whether to give newly created windows focus or not (I leave it on because I find that behavior more intuitive than a window popping up and me having to move my mouse over it to start typing in it).

    If you can't configure this basic option in your window manager, well, maybe it's time to change your WM?

  • Re:hunter2 (Score:3, Insightful)

    by six11 ( 579 ) <johnsogg@@@cmu...edu> on Thursday June 25, 2009 @10:56PM (#28476723) Homepage

    If Stephen Hawking says something about physics, do you require a citation from him? Nielsen is recognized as one of the leading experts in his field.

    Nielsen is not universally revered in HCI (/usability) circles, and we don't really have a Stephen Hawking-like figure. He has done some pretty solid work in the past, but that only goes so far. A lot of UI/UX practitioners I know don't think highly of his recent stuff. So, [citation needed] is right, but [open mind needed] is as well.

    I love my field, but it is really fluffy---most of what we accept as "true" is really just "things we generally accept or don't want to argue about any more". Like most pundits, Jakob is taking an extreme position to get practitioners to think about alternative methods of designing user interactions.

  • by beav007 ( 746004 ) on Thursday June 25, 2009 @11:32PM (#28476983) Journal
    Or, programs should be able to lock focus when they are actively being typed into.
  • by TheLink ( 130905 ) on Friday June 26, 2009 @12:57AM (#28477605) Journal
    The developer can usually rely on the users being in an environment that's not secure enough for passwords to be displayed in the clear, though secure enough to assume nobody is video recording keypresses.

    With unmasked passwords, you'd have to change important passwords whenever someone walks past you just as you're typing them in. This scenario can be so common - office, starbucks, etc.

    Nielsen talks about usability, so how usable is that?

    In contrast if someone was _standing_ close by and you suspect him of trying to see what keys you were pressing, you can usually turn to him and say "Hey, do you mind?" or take appropriate countermeasures.

    Most people aren't allowed to kill random strangers who just happened to see unmasked passwords. So if someone just walks past, it's password change time. Whoopee for usability.

    So I recommend not relying on Nielsen for advice on security at all. And if this is typical of the level of thinking he does, I recommend that people not waste time reading his stuff.

    After all if users are in such secure environments as he claims, why bother having passwords at all? Why not just let the website recognize their cookie and log them in right away?
