Experts say websites should no longer mask passwords
Inconveniences users and has no security benefits
30 June 2009 14:35 GMT / By Duncan Geere
Two leading security and UI experts have said that websites should stop the practice of masking passwords as users type them in, as it doesn't improve security, but does impede the user experience.
Jakob Nielsen and Bruce Schneier say that the masking process - which usually replaces characters with asterisks - solves a problem that doesn't really exist:
"Password masking has annoyed me for years", Schneier said. "Shoulder surfing is largely a phantom problem, and people know to be alert when others are nearby, but mistyping a long password happens all the time".
"It's time to show most passwords in clear text as users type them", said Nielsen in a blog post. "Providing feedback and visualising the system's status have always been among the most basic usability principles".
Nielsen singled out mobile devices for particular attention, saying that typos are common when using the smaller input devices - "Users make more errors when they can't see what they're typing while filling in a form".
Nielsen said that in some environments, like internet cafes, websites should offer a checkbox that lets users have their passwords masked. "For high-risk applications, such as bank accounts, you might even check this box by default".
We think it's unlikely that websites will follow the recommendations - consumers have only recently gained the confidence to shop online, and having their passwords displayed as plain text isn't likely to help maintain that. On Pocket-lint, we'll be sticking with masked passwords for now.