Why masking passwords isn't a good idea

Summary

A respected individual argued that password masking isn't worth the effort and may even be detrimental. Michael Kassner digs deeper to see if that's really the case.


The article "Stop Password Masking" was written by Jakob Nielsen, a well-regarded expert on Web and user interfaces.

His profile states that he founded the "discount usability engineering" movement for fast and cheap improvements of user interfaces and has invented several usability methods, including heuristic evaluation. Nielsen holds 79 U.S. patents, mainly on ways of making the Internet easier to use.

Given Nielsen's credentials, his assertion that password masking is a bad idea isn't something to be taken lightly.

Why mask passwords?
Until I read the article, I considered masking passwords to be a no-brainer for the following reasons:

  • Masking passwords was the logical outcome of concern about people stealing passwords by visually observing them being entered.
  • Auto-complete is a bad idea, period, but masking helps prevent someone from seeing previous passwords that share the same first few characters. This is of special concern when the computer has multiple users.
  • Masking passwords is required by some regulatory bodies in order to gain their approval. Also, a company's security policy may require masking any time a password is entered.

Why password masking is bad
Nielsen summarizes his stance by pointing out:

"Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn't even increase security, but it does cost you business due to log in failures."

Through his research, Nielsen has come to the conclusion that using nondescript bullets to cover up password characters violates an important usability principle, that of providing sensory feedback. To back up his claim, Nielsen provides some additional detail:

  • Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business.
  • The more uncertain users feel about typing passwords, the more likely they are to (a) employ overly simple passwords and/or (b) copy-paste passwords from a file on their computer. Both behaviors lead to a true loss of security.

I didn't see any reference to studies verifying either of the above theories; still, both appear to have merit.

Using portable devices
I do agree with Nielsen about how masking passwords on mobile devices is a real pain. As proof, I know associates who do exactly as Nielsen mentioned above. They dumb down the password just so it's easy to enter. Not a smart thing to do when visiting important Web sites such as a banking portal.

Another viewpoint
Jason Montgomery, a security expert with SANS, presented a different viewpoint in this blog post. As a security aficionado, I was interested in his reply to something Nielsen had written.

I quoted it earlier, so here's a recap of the part being referred to:

"Typically, masking passwords doesn't even increase security, but it does cost you business due to log in failures."

Montgomery responded:

"Nielsen's probably right: It might be costing you business. The question is how much business? Security shouldn't be the be-all, end-all goal. It's there to serve the organization first and foremost. Viewing the cost of security controls with respect to the function it's protecting is the correct perspective."

I concur with Montgomery's approach, and I'm sure Nielsen does as well. It's called compromise, and I think that Nielsen may have already found a solution:

"Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they're using an Internet cafe. It's therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there's a tension between security and usability, sometimes security should win."

Sounds like it might work; what do you think? Does it cover all possibilities? When do we know if we're safe enough to lower security standards for increased usability?
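One way the checkbox Nielsen describes could be implemented, as an added example that is not from the original post or from Nielsen: the field starts masked (always for high-risk contexts such as banking), the user opts in to plain text, and the field is re-masked when it loses focus so a revealed password isn't left on screen for bystanders. The risk labels, function names and re-mask-on-blur behaviour are my assumptions; the controller works on any objects with `type` and `checked` properties, so the logic runs outside a browser.

```javascript
// Added example: a "mask my password" checkbox along the lines of
// Nielsen's proposal. Not code from the original article.

// Mask by default for high-risk contexts such as banking. The risk
// labels ("high", "low") are an assumption made for this example.
function defaultMasked(riskLevel) {
  return riskLevel === "high";
}

// Switch between bullets and plain text. Only the rendering changes:
// the value the form submits is untouched either way.
function applyMasking(input, masked) {
  input.type = masked ? "password" : "text";
  return input.type;
}

// Build the controller for a password field and its checkbox.
// In a page you would wire the handlers up like this:
//   checkbox.addEventListener("change", ctl.onToggle);
//   input.addEventListener("blur", ctl.onBlur);
function createMaskController(input, checkbox, riskLevel) {
  const masked = defaultMasked(riskLevel);
  checkbox.checked = masked; // checked means "mask my password"
  applyMasking(input, masked);
  return {
    // User changed the checkbox: follow their explicit choice.
    onToggle() {
      return applyMasking(input, checkbox.checked);
    },
    // Field lost focus: re-mask so a revealed password is not left
    // visible, e.g. when the user walks away from an Internet cafe PC.
    onBlur() {
      checkbox.checked = true;
      return applyMasking(input, true);
    },
    isMasked() {
      return input.type === "password";
    },
  };
}
```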

Final thoughts
Until I read Nielsen's blog post, I felt that masking passwords was just a necessary part of the process. Now I'm not so sure. It's cumbersome, and businesses could be losing customers.

Yet on the flip side, not masking passwords is a potential security risk.

Disputes surrounding password usage continue to impress upon me the need for mainstream multifactor authentication. But wishful thinking doesn't help us right now. What's your take on yet another usability versus security conflict?

Michael Kassner has been involved with IT for over 30 years, and is currently a systems administrator for an international corporation and security consultant with MKassner Net.

Talkback

Why masking passwords isn't a good idea

It is a good idea. Masking requires improvement to alleviate usability issues associated with it. Do take a look at this viewpoint! http://sanideos.blogspot.com/2009/06/my-answer-to-dr-norman-on-not-masking.html

San Ideos, July 30th, 2009