Twitter’s all A-Flutter Over Nielsen’s Alertbox: Stop Password Masking
Jakob Nielsen, usability guru, doesn’t look to me like a big troublemaker. However, his latest Alertbox, “Stop Password Masking”, proves he’s ready to come out punching.
He’s caused quite a stir amongst some Twitter users, who seem extremely polarized, being either pro or con on the subject of password masking. But don’t take my word for it; here are a few examples of pros and cons from Twitter:
Why All The Password Angst?
So why has Nielsen hit such an apparently tender topic with his recommendation to remove password masking? First, let’s see what he actually said the problem is, and why the solution is un-masking our hidden passwords:
“It’s time to show most passwords in clear text as users type them. Providing feedback and visualizing the system’s status have always been among the most basic usability principles. Showing undifferentiated bullets while users enter complex codes definitely fails to comply.
Most websites (and many other applications) mask passwords as users type them, and thereby theoretically prevent miscreants from looking over users’ shoulders. Of course, a truly skilled criminal can simply look at the keyboard and note which keys are being pressed. So, password masking doesn’t even protect fully against snoopers.
More importantly, there’s usually nobody looking over your shoulder when you log in to a website. It’s just you, sitting all alone in your office, suffering reduced usability to protect against a non-issue.”
Seems harmless enough, right? If you’re trying to type your password before your morning coffee has really got you going, or on your tiny Palm Pre, is having the results of your fumbling fingers un-masked (so you can see whether you entered the correct string or not) such a bad thing?
Ahh, but what about when you’re at your favorite coffee place and those strangers at the next table, who are always peering over at your screen from behind you, are watching [shivers]? What about then? Here’s what Nielsen says:
“Yes, users are sometimes truly at risk of having bystanders spy on their passwords, such as when they’re using an Internet cafe. It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default. In cases where there’s a tension between security and usability, sometimes security should win.”
So, assuming all our Tweeps actually read the entire article from Nielsen (and we already know that most people, on average, read only about 20% of the words on a web page), why is there so much angst about removing something that causes frustration and slower productivity?
I think it can be summed up in 5 general reasons:
5 Reasons Why We Don’t Like Changing Password Masking
1. We are creatures of habit – You and me, us humans, we like getting into routines and sticking with them. We brush our teeth with the same toothpaste every day, we go to work along the same route, and for some odd reason we always end up picking the longest queue when offered shorter or longer ones.
It’s a habit to type a password into a small box and be presented with masked characters in return. It goes against our grain to want to change this habit.
2. Change is frightening – For most of us, change is a rather frightening thing. When things change, it causes us a mild sense of cognitive dissonance. What’s that? We know we should be doing this usual and customary thing, our brains tell us so, but now we aren’t doing that, we’re doing something different. That causes us to feel ill at ease.
For many of us change means re-wiring our brains to accept and use something new, something different, which takes work. We don’t like work (this kind of work anyway – if my boss is reading this, I LOVE work! Really!).
3. Using password masking, we have a false sense of security – Here’s what we think when entering our passwords in and being presented with a series of round black dots.
“Well, nobody can see my password, including me, so that means it’s secure and I don’t have to worry about somebody stealing my password so I’m safe.”
But meanwhile anyone watching over your shoulder, or from the cube next to you (don’t look around!), can probably see the keys you’re typing easily enough and pretty much figure out your password. Personally, I think it’s worse with bank ATMs; they only need to watch you enter 4 digits!
And your security breach may be far worse. You have probably written down every single password you own, including the URL and account name for each and every “secure” login, in an unencrypted file somewhere on your computer. Or worse, you’ve got your password on a Post-it note somewhere near your monitor! How secure is that!?
4. We don’t understand the actual lost productivity – I know what you’re thinking, which is what I was thinking, which was:
“So what’s the big deal? So I have to retype my password sometimes, or have to contact someone because I forgot it, no big loss, right?”
According to the United States Navy, whom I trust to do their homework regarding lost productivity due to forgotten passwords:
“studies have indicated that approximately 40% of all help desk calls are for forgotten passwords.”
If you don’t believe the United States Navy, go do a search on Twitter for “password” and read all the thousands of tweets from tweeps who forgot, then sometimes found, their passwords for various logins. All that “lost my password, but now found it” stuff is lost productivity.
5. Businesses have a false sense of control – For a business, there’s often a sense of “protecting users against themselves” by trying to manage certain processes or procedures for them. You can almost hear those in control say,
“I can manage your password and make sure you only get it if you do things I want you to do.”
This is why there are sometimes extra hoops to jump through when recovering a password you forgot. In the bad old days, if you forgot your password the only way back in was often to be issued a new one, which of course forced you to write the new password down because you just knew you were going to forget it too.
The Option of Seeing a Password
So here’s my take on the whole uproar: the people who are in an uproar may not have read the entire message.
What Nielsen actually said:
“It’s therefore worth offering them a checkbox to have their passwords masked; for high-risk applications, such as bank accounts, you might even check this box by default.”
That doesn’t seem as bad as letting everyone know your passwords by sticking them to your monitor, or putting every password, account number and URL in an unencrypted file on your computer, now does it?
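Here is what that checkbox looks like in code. This is an added example, not code from Nielsen’s article or from this post: a “show password” toggle that starts masked when the application is marked high-risk (the `risk` option and its values are this example’s own assumption), lets the user reveal the field, and re-masks it automatically when the field loses focus or the form is submitted, so a revealed password is never left sitting on screen. While the field is plain text it also switches off spell-check, autocorrect and autocapitalize, because browser “enhanced” spell-check features have been observed uploading text-field contents, revealed passwords included, to the vendor. The element handling is duck-typed (`type`, `getAttribute`, `addEventListener`), so the same function works on real `<input>` elements in a browser and on the constructed stub used here to run it under Node.

```javascript
// Added example: a "show password" checkbox in the spirit of Nielsen's
// proposal. Not code from the Alertbox or from this post.

const MASKED = "password";
const REVEALED = "text";

// Attributes switched off while the field is plain text, so the browser does
// not correct, capitalise or spell-check the password (spell-check services
// can send field contents off the machine). Previous values are restored
// when the field is masked again.
const REVEAL_ATTRS = { spellcheck: "false", autocorrect: "off", autocapitalize: "off" };

// Wire a password <input> to a "show password" checkbox.
// options.risk: "high" masks by default (banking etc.), anything else starts
// revealed; this risk classification is an assumption of the example.
// options.form: optional form element; submitting it re-masks the field.
function wirePasswordToggle(input, checkbox, { risk = "high", form = null } = {}) {
  const saved = {}; // attribute values to restore after a reveal

  function mask() {
    input.type = MASKED;
    checkbox.checked = false;
    for (const name of Object.keys(REVEAL_ATTRS)) {
      if (saved[name] === null) input.removeAttribute(name);
      else if (saved[name] !== undefined) input.setAttribute(name, saved[name]);
    }
  }

  function reveal() {
    if (input.type === REVEALED) return; // already revealed; keep saved values
    for (const [name, value] of Object.entries(REVEAL_ATTRS)) {
      saved[name] = input.getAttribute(name); // null when the attribute is absent
      input.setAttribute(name, value);
    }
    input.type = REVEALED;
    checkbox.checked = true;
  }

  checkbox.addEventListener("change", () => (checkbox.checked ? reveal() : mask()));
  input.addEventListener("blur", mask);       // leaving the field re-masks it
  if (form) form.addEventListener("submit", mask);

  if (risk === "high") mask(); else reveal(); // Nielsen: mask by default only where stakes are high
  return { mask, reveal, isMasked: () => input.type === MASKED };
}

// Constructed stand-in for a DOM element so the example runs without a
// browser; real elements expose the same methods.
class StubElement {
  constructor(attrs = {}) {
    this.type = MASKED;
    this.checked = false;
    this.attrs = { ...attrs };
    this.handlers = {};
  }
  getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; }
  setAttribute(name, value) { this.attrs[name] = value; }
  removeAttribute(name) { delete this.attrs[name]; }
  addEventListener(event, fn) { (this.handlers[event] = this.handlers[event] || []).push(fn); }
  dispatch(event) { for (const fn of this.handlers[event] || []) fn(); }
}

// A banking login field: masked by default, the user ticks "show password",
// then tabs away and the field masks itself again. Returns the observed states.
function demoBankLogin() {
  const input = new StubElement({ autocomplete: "current-password" });
  const box = new StubElement();
  const form = new StubElement();
  wirePasswordToggle(input, box, { risk: "high", form });
  const trace = [input.type];                                   // "password"
  box.checked = true; box.dispatch("change");                   // user reveals
  trace.push(input.type, input.getAttribute("spellcheck"));     // "text", "false"
  input.dispatch("blur");                                       // focus leaves the field
  trace.push(input.type, input.getAttribute("spellcheck"));     // "password", null
  trace.push(input.getAttribute("autocomplete"));               // "current-password" untouched
  return trace;
}

if (typeof require !== "undefined" && require.main === module) console.log(demoBankLogin());
```

Note what the toggle does and does not buy you. It addresses the shoulder-surfer Nielsen talks about and nothing else: a revealed password is still visible to screen-sharing, screenshots and anyone recording the screen, which is why the example re-masks on blur and submit rather than trusting the user to untick the box. Leaving `autocomplete="current-password"` alone keeps password managers working whichever way the field is displayed.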