Masked passwords must go

Websites should stop masking passwords as users type because it does not improve security and makes websites harder to use, according to two of the technology world's leading thinkers. Usability expert Jakob Nielsen and security expert Bruce Schneier both think websites should stop blanking out passwords as users type them in …


This topic is closed for new posts.


  1. b166er

    The point

    seems to be that masking passwords discourages password complexity because if you mistype one letter, often you can't be sure that you didn't fudge 2 or 3 and have to go right back to the beginning, so I can kind of see their point. We've all done it.

    If you could be sure that people would use long passphrases were the entry boxen unmasked, then there would be no problem unmasking them, as someone trying to shoulder surf a long passphrase would be quite obvious in their intent. Problem is, most people still wouldn't use a long passphrase unless it was mandatory. So unless there is a concerted effort to require mandatory long passphrases, then this won't work.

    Basically, it's time for the password to die, along with the VHS, FDD, Optical ROM/RAM, MiniDisc etc. It's old hat and too unreliable.

  2. Watashi

    Behind the mask

    I have a better idea - make all your passwords blank!

  3. Kanhef

    Idiots, for different reasons

    "Users make more errors when they can't see what they're typing while filling in a form. They therefore feel less confident. This double degradation of the user experience means that people are more likely to give up and never log in to your site at all, leading to lost business."

    Masking does slightly increase the rate of rejected passwords, since users can't see and correct any errors they make. However, after a failed login, most users will retype their password more carefully. The inconvenience is negligible; the security benefit is not. The rest of that quote makes me suspect that they've never actually asked anyone about their 'user experience' with masked passwords. As for lost business, if someone is entering a password, they're either creating an account or already have one, so the site has to be seriously broken to drive them away.

    "Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn't even protect fully against snoopers. More importantly, there's usually nobody looking over your shoulder when you log in to a website."

    A skilled locksmith can pick the lock on your house or car, and there usually isn't anyone trying to break into it. Is that a good argument for not having any locks at all? No.

    Nielsen has another article/rant about following conventions, but doesn't seem to realize that because password masking is so universally used, people expect it and would be surprised by websites that *don't* do it.

    As AC 8:23 and Lex 2 have mentioned, the inconsistent requirements/restrictions of websites are a nuisance. I use a 16-character alphasymbolic password, uniquely modified by the name of the site. I also keep a list of sites for which I have to weaken it because they don't allow symbols, have a maximum length of 8 characters, and so on.

    @AC 17:14-

    My inner S&G Nazi has been invoked and must point out that it is Godwin's Law, not Goodwin's.

  4. Mark Wooldridge


    I just ask people for their password and they usually just tell me. Easy eh?

  5. Richard Scratcher
    Black Helicopters

    'Shoulder surfing is largely a phantom problem'

    Oh yeah? What about Google Earth?

  6. Fraggle

    Someone should forward this article...

    to the Cardspace folks or the Higgins folks. Maybe both. Then stick a cattle prod in them and tell them to hurry up because the lunatics are about to take over the asylum!

  7. This post has been deleted by its author

  8. Anonymous Coward

    Thank goodness for the new icons!

    I count almost fifty FAILs so far, and probably half that many WTFs again. Glad to know I wasn't the only one double-taking through the whole article...

  9. Jacob Reid

    Any site that stops hiding my password...

    Will be a site I stop using.

  10. Sarev

    I agree with Nielsen and Schneier

    I hate having my password pointlessly masked when I'm working at home, in a trusted environment (i.e. I don't care if my wife knows my passwords - or I can wait until she's not looking).

    On an unrelated note, most of the objectors here are from the "OMG!!1!", "n00b" and "definately" brigade. Anyone who can't spell definitely isn't worth listening to, IMHO.

    Oh, and shoulder surfing proliferation, or the lack thereof, isn't a function of password masking usage; it's a function of most people not being so fucking dumb as to type some private data when they know an undesirable character is standing behind them! I guess those who want to buy into the snake oil of masked passwords never learned that life lesson... so just for you Nielsen and Schneier propose making it optional.

  11. God
    Paris Hilton

    Fractards at large

    Both of these aclueistic twits need a little more real world experience.

    There's a reason I have a 12 digit PIN for my ATM card (I know, I sacrifice my security by letting people know there's only 2^32 possibilities), and my passwords are always longer.

    They should try being IT for a school district sometime with that philosophy; my students would have worked them like pimps.

    Paris, because this is so detached from reality ,,, and I should be her pimp.

  12. Mark Roberjot

    No, really really No!

    Just how stupid is this suggestion? Whilst web browsers by default cache form data, it is just a free for all as soon as anyone's back is turned.

    Really really stupid. I really cannot believe that this idea ever saw the light of day.

    Having thought some more, I still cannot believe how muppet-like this idea is - has this guy never seen a real office?

    Logon to computer, go for coffee, whilst your co-workers browse through your history, and have a quick look at your history (& passwords), then when they go home, have a quick look at your bank accounts, and try the same passwords on your hotmail and yahoo accounts (probably successfully).

    It just doesn't even bear thinking about!

    The beer, because whoever thought this up had had far too many.....

  13. Anonymous Coward

    Bruce doesn't care...

    ...he already knows your password :)

    Now, coming from a person who will (albeit anonymously) admit to having shoulder hovered a password or two, from friends through to college lecturers, I would say shoulder hovering is a real issue, especially in public places.

  14. Tim Bates

    I assume this has been mentioned....

    I work for a school doing random tech work. When it comes to password resets, I often see kids trying to peek at the keyboard when their friend types a new password.

    Now imagine the fun and games if kids could read their friends' email passwords off the screen next to them... Or worse... Read the teachers' passwords on the big screen!

  15. b166er

    Tim Bates, that reminds me

    I managed to get the network password for our school (1986) by watching what the teacher pressed as she entered it. It was 'clowne' by the way ;-p reason being, that the modules she was teaching used a fictitious company called Clowne Industries. Ah what fun I had doing call!-4 across the network (BBC-B). I got suspended from school for it too. The disk-based storage unit they had at the school became corrupted and I got the blame because some second-year twerp told 'teach' that I had the admin password! All I had done was shutdown a few workstations remotely and broadcast a message saying "Miss Low is a top heavy fraction" (our Computer Studies teacher had frankly enormous baps). That's why I said before, it's high time to get rid of passwords altogether. If she'd had a token round her neck (and presumably between said humongous hooters), I'd have never got access. If we insist on having passwords, combine them with tokens.

  16. Cullen Newsom

    Someone got paid for this?

    Look, it isn't THAT hard. And it does offer a little security, especially if you store some passwords in your browser (only for things that don't matter, calm yourselves).

    The thing that really frustrates me is all of these sites with differing password rules, that somehow think I have read their programmer's mind, and that somehow I know that I must make it more than 8 characters in length, but not more than 16! must include a number, but the number mustn't come first!, and must also include a special character, but some characters aren't allowed! only one of our six favorites, oh, and at least one of the letters must be capitalized, but not all of them! Must I also stand on one foot and pat my head while typing it in?

    I guess it's good money when you can get it.

  17. steve hayes

    The Obvious

    Mask the password but allow the user by a check box to see what they are typing via a simple click. Not so hard!!!!
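One way to build the control steve hayes describes, added here as an example and not code from the article or from any commenter: the field stays masked by default, the user reveals it by ticking a checkbox, and it re-masks on its own when focus leaves the field or the form is submitted, so a field left revealed on a shared or projected screen does not stay that way. The element ids (`pw`, `showpw`) are assumptions.

```javascript
// Added example: opt-in "show password" toggle with automatic re-masking.
// Element ids 'pw' and 'showpw' are assumed, not taken from any real site.

// Pure state transition, kept separate from the DOM so it can be tested
// without a browser. `revealed` is the only piece of state.
function nextState(state, event) {
  switch (event) {
    case 'toggle':            // user ticked/unticked the checkbox
      return { revealed: !state.revealed };
    case 'blur':              // focus left the password field
    case 'submit':            // form is being sent
      return { revealed: false };
    default:
      return state;
  }
}

// type="password" is what masks; type="text" shows the characters.
function inputTypeFor(state) {
  return state.revealed ? 'text' : 'password';
}

// Replay a sequence of UI events from the masked default and return the
// resulting input type, e.g. ['toggle', 'blur'] -> 'password'.
function typeAfterEvents(events) {
  let state = { revealed: false };
  for (const ev of events) state = nextState(state, ev);
  return inputTypeFor(state);
}

// Browser wiring. Runs only where a DOM exists; under Node it is skipped.
function attachToggle(doc, fieldId, checkboxId) {
  const field = doc.getElementById(fieldId);
  const box = doc.getElementById(checkboxId);
  let state = { revealed: false };

  const render = () => {
    field.type = inputTypeFor(state);
    box.checked = state.revealed;
  };

  box.addEventListener('change', () => {
    state = nextState(state, 'toggle');
    render();
  });
  field.addEventListener('blur', () => {
    state = nextState(state, 'blur');
    render();
  });
  if (field.form) {
    field.form.addEventListener('submit', () => {
      state = nextState(state, 'submit');
      render();
    });
  }
  render(); // start masked regardless of any cached checkbox state
}

if (typeof document !== 'undefined') {
  attachToggle(document, 'pw', 'showpw');
}
```

The markup this expects is an `<input type="password" id="pw">` inside a form and a `<input type="checkbox" id="showpw">` beside it. Re-masking on blur is the conservative choice for the lecture-hall and internet-cafe cases raised elsewhere in the thread; it does mean that clicking the checkbox while the cursor is still in the field fires a blur (re-mask) and then the toggle (reveal), which nets out to revealed, so the checkbox state always wins on a direct click.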

  18. Inachu


    I say keep them masked!


    Ok, let's see you log in during a busy day at the library when you just want to quickly read your email but many people are behind you.

    So yes, shoulder surfers are everywhere!

    Unmasking passwords will just invite more crime.

  19. Anonymous Coward


    It'd be great for when you need to log onto something at a meeting, wouldn't it?!


  20. Alan Donaly
    Thumb Up

    As if

    Bruce knows what he's talking about and anyway any shoulder surfer worth their salt watches the fingers not the screen. It doesn't stop a thing.

  21. Wortel


    Malware taking covert screenshots of input areas on windows that have focus and are receiving keyboard attention, then sending off the results. Can already be done with AutoHotkey by the way; it's not rocket science, you know, to cook up something ridiculously simple to pwn such idiotic 'guru' ideas.

  22. Anonymous Coward
    Thumb Down


    Ok, so mobile users can't see what they are typing on the terrible iPhone keyboards......

    Have these "researchers" never heard of an internet cafe?

    Do they cover their hand when typing their debit card's PIN into an ATM?

    The hashes are there for very good reason, it allows you to type a password without an observer getting an easy to remember snapshot via their eyes.

    Yes there are issues but they are greatly outweighed by on-screen privacy.

    Hashes = good = must for security in open environments.

    These guys have an agenda.

  23. Ransico
    Thumb Up

    Per-browser setting as compromise

    It should perhaps be a browser specific setting more than a per-site decision, since there are plenty of valid use cases where masking of passwords is desirable.

    For example, what about lecturers and people giving presentations? It is common for a room full of people to observe said presenter either logging in to the computer or browsing the web.

  24. Phillip Bicknell
    Big Brother

    What about the new style PIN

    Uh, I've just remembered about that new style ATM PIN whereby one remembers a sequence of locations on a 5 x 5 grid. That's more secure than any masked password, so why don't websites use that? (Probably because of some expensive patent.)

  25. Jeff 11

    Usability vs. security

    I'm glad the consensus here is comfortingly negative towards this idea. The dubious usability benefits of what Nielsen proposes are vastly outweighed by the damage someone casually observing the screen could do. Even when the passphrase is used in tandem with another means of authentication (such as a hardware key), this makes things much easier for a would-be hacker.

  26. Anonymous Coward
    Paris Hilton


    Possibly because that sounds a lot harder than a DECENT (8+ digit, not something obvious like 12345678, a birthday or a phone number) PIN, with no identifiable benefit.

  27. corvus2606


    OK, I'm gonna stick with everyone else and say this is a bad idea.


    Anyone entering a password in any major organisation will have plenty of people able to read off their screen, and office politics can mean that even friends can get malicious. Then there is the fact that most IT security departments are more than capable of ghosting someone's screen and reading their passwords.

    On top of that, just using something like DameWare you can remotely view someone's screen over the internet (potentially), and there are plenty of viruses around that incorporate a screencap into their bag of tricks.

    So yes, due to masked passwords, shoulder surfing may be *something* of a non-issue, but you can't always tell when someone is watching your screen in any other way.

