
I disagree with Jakob Nielsen’s STOP password masking article

I refer to http://useit.com/ for usability-related articles and recommend it to many testers as well. However, I filter out what doesn’t make sense to me rather than following anything blindly. Darren McMillan, a tester and a friend of mine, posted a tweet with the URL http://www.useit.com/alertbox/passwords.html, and after reading it I felt most of the points did not make sense (at least to me). I responded to the tweets, but 140 characters were not enough to put my thoughts across on Twitter, which is why I decided to write this blog post. Let the learning ride start now.

My comments on what Jakob Nielsen says in his article:

Jakob Nielsen says: “Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.”

Santhosh Tuppad says: Security is not about making something fool-proof; it is about building it layer by layer. Yes, masking does increase security compared with not masking the password at all: it protects against shoulder surfing.

Jakob Nielsen says: “More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.”

Santhosh Tuppad says: I have seen many people, even in the office, feel uncomfortable when someone is sitting beside them and they need to enter their password, because they worry that the person might watch the keyboard if their typing is slow. If they feel uncomfortable in that situation, will they not feel insecure when the password is shown without masking? I have seen colleagues come to my desk to ask for something, and there have been instances where I had to log in to an application and show them something. Do I then need to ask them to turn the other way, and keep checking whether they are watching, while I type my password?

I would say contexts differ: if you are sitting alone in your office in a separate room, that is a different situation. But remember that here we are dealing with all web end-users, not just a hand-picked few.

Jakob Nielsen says: “Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.”

Santhosh Tuppad says: Well, by unmasking passwords you are giving a chance to any snooper, not just the skilled ones. You are degrading security here. Let me give a typical example you can relate to: your home has doors and windows. Thieves could also get into the house through a window by breaking it. That doesn’t mean you should remove the doors because they can get in through a window as well. I repeat: security is about adding layers, not about claiming FOOL PROOF security.

Jakob Nielsen says: “Password masking has proven to be a particularly nasty usability problem in our testing of mobile devices, where typing is difficult and typos are common. But the problem exists for desktop users as well.”

Santhosh Tuppad says: I partially agree about the usability problem on mobile devices, where the keypad is cumbersome, but I disagree about desktop users. Yes, there have been times when we have typed the password wrongly, but I personally have not found it to be a usability problem. It is as simple as this: by mistake I picked the wrong key from a bunch of keys and it did not open the lock. That does not make it sensible to say, “Let me not lock the door at all”.

Jakob Nielsen says: “Users make more errors when they can’t see what they’re typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.”

Santhosh Tuppad says: I personally see a password not being masked as a security vulnerability rather than looking at it from a usability perspective. I have not seen an end-user say, “I will not log in to this site because they mask the password.” A password is a secret, and it has to be secured. If a website does not mask its password field, I would call that a security bug rather than a usability element.

Jakob Nielsen says: “The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.”

Santhosh Tuppad says: How does it help when the password is unmasked? People will still continue to use simple passwords they can remember; it makes no difference. People with random passwords who want to copy-paste will continue to do so whether the password is masked or unmasked. It is important to remember that technology provides one layer of security and the other layer should come from individual awareness. I cannot complain that the system is not securing my account when I wrote my password on a piece of paper and a hacker got hold of that paper.

Jakob Nielsen says: “Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”

Santhosh Tuppad says: The checkbox idea might be employed, provided that by default the password is masked. However, I do not agree with Jakob Nielsen where he mentions only “high-risk applications”. Why the discrimination? Any application that has a login feature is built to protect data.

Should a banking application have password masking by default, but not the others? You enable masking by default so that no one else can see the password and so that you do not feel uncomfortable continuing your work while someone is sitting beside you. Right? Then why do it only for some applications and leave out the others? Just as “iPhone is iPhone”, “security is security” and “end-user is end-user”, whatever kind of application he or she is using.

Summary

In my opinion, it doesn’t make sense to say, “I will remove the doors to add usability, so people do not have to open the door lock and put effort into it.” People can still get in by breaking a window or the door, but the lock is a layer of security, exactly like a “masked” password, and keeping it is better than removing it. I agree to some extent with the checkbox idea, where you give a checkbox to unmask the password and show it as plain text to the end-user; however, by default it has to be masked. It is just like not checking the “Remember Me” option by default, for security. By the logic of password unmasking, “Remember Me” should be checked by default to add usability, which is not correct.

It is not security versus usability. It is about thinking how we can build applications with better security and better usability, without compromising either beyond a certain level even if we cannot fully achieve both; and there are contexts, such as the solution I have given here, where neither usability nor security is degraded. It is not that security must win and usability should lose, or vice versa (they are not contenders). There are always better ideas; what it needs is brainstorming. Usability is more about analysis and psychology than about concluding in a few minutes or concluding by thinking as an individual. I would finally like to add one point: “If you are not masking the password, then you are spoiling the user experience, and you may even make end-users not log in to your application because they feel uncomfortable logging in with plain text while someone is beside them.”

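The login-field behaviour argued for above (masked by default, unmasked only while the user ticks a “Show password” box, “Remember Me” unchecked by default, re-masked when the interaction ends), as an added example that is not part of the original post. The state model runs anywhere; the DOM binding and its element ids `login-form`, `password` and `show-password` are assumptions for illustration.

```javascript
// Added example, not the post's own code. The policy lives in a small state
// model so it can be exercised without a browser; the binding at the bottom
// attaches it to a form only where a DOM exists.

// Secure defaults: the field is masked and "Remember Me" is unchecked.
function createLoginFieldState() {
  return { masked: true, revealed: false, rememberMe: false };
}

// The user ticks/unticks "Show password": reveal only while it is checked.
function setShowPassword(state, checked) {
  return { ...state, masked: !checked, revealed: Boolean(checked) };
}

// "Remember Me" is an explicit opt-in, never pre-checked.
function setRememberMe(state, checked) {
  return { ...state, rememberMe: Boolean(checked) };
}

// Submit, blur or reset ends the interaction: re-mask so the password is not
// left on screen if the user steps away from the desk.
function endInteraction(state) {
  return { ...state, masked: true, revealed: false };
}

// Map the model to the only two input types the field may ever take.
function inputTypeFor(state) {
  return state.masked ? 'password' : 'text';
}

// Browser binding; element ids are hypothetical.
function bindLoginForm(doc) {
  const form = doc.getElementById('login-form');
  const pwd = doc.getElementById('password');
  const show = doc.getElementById('show-password');
  let state = createLoginFieldState();
  const render = () => {
    pwd.type = inputTypeFor(state);
    show.checked = state.revealed;
  };
  show.addEventListener('change', () => { state = setShowPassword(state, show.checked); render(); });
  pwd.addEventListener('blur', () => { state = endInteraction(state); render(); });
  form.addEventListener('submit', () => { state = endInteraction(state); render(); });
  form.addEventListener('reset', () => { state = endInteraction(state); render(); });
  render();
  return () => state; // accessor for debugging
}

if (typeof document !== 'undefined') bindLoginForm(document);
```
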
I hope you had a good read and happy learning.

SanthoshTuppad

I have been a software tester for over 5 years. I am a hands-on tester and I’ve been winning bug battles and testing competitions across the world. I am a testing enthusiast who conducts free workshops on security testing across India (covered locations: Bengaluru, Pune, Hyderabad and Chennai; invite him to come to your location), and monthly meets for testers in Bengaluru. I am also an avid testing blogger.

My interests include traveling, driving my SUV, health & fitness and many others. I mentor budding entrepreneurs, testers, teams in any profession.


8 Comments

  1. Rosie wrote:

    I guess another point for mobile users is that there is much more risk of people shoulder surfing as the user is more likely to be in public.

    I know I personally wouldn’t feel comfortable if any of my passwords were not masked.

    Friday, February 3, 2012 at 1:03 am | Permalink
  2. Hi ST,
    Good reasoning you have put indeed.

    I do feel that for desktop applications, masking passwords is a must.

    And I think we all would agree that for mobile and tablet applications, removing the masking of the password will increase usability, but then what if the “Remember Me” option was checked? Password wide open to other people who have access to that mobile/tablet device!

    But in the end I think security will win the race in this case, unless the whole password thingy goes away (SSO) :).

    Regards
    Ashik

    Friday, February 3, 2012 at 1:49 am | Permalink
  3. Sharath Byregowda wrote:

    Nice article Santosh. ‘Security is about adding layers’ – I wonder why most do not understand this :(

    Saying that, do you recollect the Windows XP, Vista and 7 wifi password field? They have an option to select ‘show password’ which I have used a lot of times.

    ‘Show password’ is brilliant for a wifi password because we do not enter the password each time but may need it when there is a connection issue. So it’s contextual :)

    Friday, February 3, 2012 at 3:32 am | Permalink
  4. Nice thoughts Santhosh, very well written.

    While most of what Nielsen says in the article can be taken with a pinch of salt, I shared it on Twitter because I agree with the logic of password masking causing usability issues.

    Jared Spool wrote a fantastic article titled “The $300million button” (http://www.uie.com/articles/three_hund_million_button/) in which, among many things, he spoke about complexities in forms impacting a major client’s sales. One of the things he mentioned in the article was how his client’s customer base had 45% of site users with more than one account registered. That got me thinking, when I was reading Nielsen’s thoughts on password masking, that perhaps it is an unneeded complexity that some might not want. Perhaps it even has an impact on these duplicate accounts. Nielsen suggests having a mask password checkbox to allow you to mask/unmask your password, which I think sounds perfectly reasonable and something I myself would prefer over double masked password / password confirmation fields.

    At the end of the day, though, all of this is preferences and opinions until some proper research is done into what real users would actually prefer. That is why anything you read online should be taken with a touch of scepticism, to allow you to form your own opinions.

    Thanks for sharing,

    Darren.

    Sunday, February 5, 2012 at 8:10 am | Permalink
  5. Raj wrote:

    Nielsen vs Santhosh. Valid discussion.

    I disagree with Nielsen’s idea about masking passwords, because usability is not a plural thing; it is singular. The definition of usability varies for every individual user. We cannot make all bike keys the same (a universal key) so that it helps (is usable for) whoever loses his bike keys. Security is not independent; it is dependent only.

    Tuesday, February 7, 2012 at 1:31 am | Permalink
  6. tes@gmail.com wrote:

    This is my comment about this blog. It is a very interesting blog really. This blog captured major terminologies.

    Friday, February 10, 2012 at 2:01 am | Permalink
  7. sunil wrote:

    Nice article.
    Thanks for sharing Santhosh.

    Friday, February 10, 2012 at 4:30 am | Permalink
  8. For pointing me the exact link.
    I had the same thoughts in mind when I read it. One thing: I will agree that there can be a checkbox; now Microsoft Internet Explorer has an eye-opener feature to check whether we have typed correctly or not.

    Thanks for sharing,
    Srinivas Kadiyala
    @srinivasskc

    Tuesday, October 29, 2013 at 9:37 pm | Permalink
